IT Security Guru

Verizon DBIR shows problems inside security – Industry views

by The Gurus
April 15, 2015
in Opinions & Analysis

This week saw the launch of the annual Verizon Data Breach Investigations Report (DBIR), and among its pages of detail on poor defences, enabled attackers and mobile malware was the great research on time to detect.
 
In particular, 79,690 security incidents with 2,122 events of data loss were surveyed and showed that attackers are able to compromise a victim in a matter of days, and while the time to discover has risen, it has not matched the rise in time to compromise. In 60 per cent of cases, attackers are able to compromise an organisation within minutes.
 
With so much data to take in, we asked some of security’s finest minds to pick out their highlights of the report and let us know what they think of the 2015 DBIR’s findings.
 
 
 
Clinton Karr, senior security strategist at Bromium
 
“The Verizon DBIR demonstrates that five sectors are being attacked more than any other: public sector, finance, technology, manufacturing and retail. Logically, cyber attacks are following the money. Retail and finance hold valuable bank account and credit card information, technology and manufacturing hold proprietary intellectual property. Government organisations hold state secrets. Therefore, it follows that investments in information security must change the economics of an attack to discourage malicious actors; by making an attack more difficult, it becomes more expensive and deters attackers to seek different targets.
 
“The report highlights that historically, 71 per cent of known vulnerabilities had a patch for more than a year before breach. However, security teams and operations teams often find themselves at odds: a poorly implemented patch can cause more harm than good, yet waiting to implement a patch leaves an organisation to attack. The report underscores this dilemma since just 10 CVEs accounted for 97 per cent of exploits.
 
“Finally, multiple statistics in the report point to just how worthless signature-based detection has become. 70-90 per cent of malware samples are unique to the organization they attack, 75 per cent of attacks spread from victim zero to victim one in less than 24 hours, and the vast majority of attacks only exist for 24 hours; malware simply does not exist long enough for malware research to detect a sample, create a signature and disseminate it.

“In fact, Verizon even notes ‘criminals haven’t been blind to the signature and hash matching techniques used by anti-virus products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behaviour’.”
 
TK Keanini, CTO of Lancope
 
“If you only read one page, or have one take away from the report, it will be the concept of the ‘detection deficit’ as it is appropriately named the primary challenge to all of our defence strategies against this advanced threat. The proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.
 
“This is an architectural problem as many of the networks were built back when advanced telemetry was a nice to have and not mandatory to operations. There are just too many places for the attackers to hide and remain hidden as they carry out their objective across the attack continuum. If you are not detecting and remediating attackers on a weekly or monthly basis, chances are they are in your network, you just don’t know it yet.”
 

Andy Green, technical specialist at Varonis
 
“As in previous years, credentials – guessed or previously snatched – are still involved in the largest share of attacks. We also see familiar sectors (public, finance and technology) leading in the number of security incidents reported, with retail and hospitality trailing behind them. Also it’s yet again a safe bet to make that the time to discover a breach will be measured in months not days.
 
“But there are new emerging trends as well: phishing and more deadly APTs, like RAM scrapers, are on the rise. Here’s an ominous fact that Verizon discovered as part of their own research: nearly 50 per cent opened emails and clicked on phishing links within the first hour! Bottom line: hackers are getting better and better at stealthy attacks where they can sneak around perimeter defences and remain undetected for long periods of time. It’s becoming increasingly important for companies to lock down internal access controls and protect the data from inside.”
 

Kevin Epstein, VP of advanced security and governance at Proofpoint
 
“As if the past year’s breaches weren’t sufficient validation, the report provides still further proof that email is a dominant threat vector, and the gap between attackers’ data exfiltration and defenders’ detection times is widening, emphasizing the critical need for additional layers of security; advanced targeted attack protection and automated threat response systems.”
 

Mike Spykerman, vice president of product management at OPSWAT
 
“The latest Verizon report underlines that although attacks are becoming more sophisticated, many of the tactics that are being used are the same and that there is still a lot more that organisations can do to reduce their risk of data breaches. By properly covering their bases, such as centrally monitoring devices to ensure that they are safe and patched, deploying multi-scanning with multiple anti-virus engines on servers, web proxies, clients and email servers, and educating employees in cyber security, a company’s exposure can be greatly reduced.
 
“To help companies ensure that they are covering all their bases, we have put together a list of 10 tips for avoiding data breaches, and 10 things to include in your employee cyber security policy.”
 

Trey Ford, global security strategist at Rapid7
 
“This year’s DBIR shines a very bright light on the lack of information sharing across the industry. In the coming year, I hope to see a focus on the effectiveness of controls – what failed, what was missing, what was defeated. For example: after a major credit card data breach is identified, the PFI (PCI Forensic Examiner) does an investigation, and the findings are reported back to the Payment Brands.
 
“As a security professional, the travesty is that no practitioners outside the breached company or the payment brands have that data, however sanitised. Security is one of the only major industries that doesn’t have an information sharing policy in place. While the model might not yet be perfected, look to the FAA and NTSB as examples. In both cases, accidents and incident data are made available in an effort to prevent costly mistakes being repeated.
 
“The same wisdom should prevail for cyber security: there is no sense in a company paying for the opportunity to learn a lesson they could have learned from a prior breach on their own dime. The walls we’re putting up between each other not only slow the maturity of our profession and damage consumer confidence, they also protect the attacker’s return on investment, and lower the likelihood of their capture.”
 
