Highlights from the 2015 Verizon Data Breach Investigations Report

Verizon’s annual Data Breach Investigations Report (DBIR) is now in its eleventh year. It has become one of the most anticipated information security industry reports, as it analyses thousands of confirmed data breaches and security incidents from around the globe to identify emerging and shifting trends.

DFM is pleased to present comments on and highlights from the report by industry experts.

Clinton Karr, senior security strategist, Bromium;

“The Verizon Data Breach Incident Report demonstrates that five sectors are being attacked more than any other: public sector, finance, technology, manufacturing and retail. Logically, cyber attacks are following the money. Retail and finance hold valuable bank account and credit card information; technology and manufacturing hold proprietary intellectual property. Government organizations hold state secrets. Therefore, it follows that investments in information security must change the economics of an attack to discourage malicious actors; by making an attack more difficult, it becomes more expensive and deters attackers, pushing them to seek different targets.

The Verizon report highlights that historically, 71 percent of known vulnerabilities had a patch for more than a year before the breach. However, security teams and operations teams often find themselves at odds: a poorly implemented patch can cause more harm than good, yet waiting to implement a patch leaves an organization open to attack. The report underscores this dilemma since just 10 CVEs accounted for 97% of exploits.

Finally, multiple statistics in the Verizon report point to just how worthless signature-based detection has become. 70-90 percent of malware samples are unique to the organization they attack, 75% of attacks spread from victim zero to victim one in less than 24 hours, and the vast majority of attacks only exist for 24 hours; malware simply does not exist long enough for malware research to detect a sample, create a signature and disseminate it.

In fact, Verizon even notes “criminals haven’t been blind to the signature and hash matching techniques used by antivirus (AV) products to detect malware. In response, they use many techniques that introduce simple modifications into the code so that the hash is unique, yet it exhibits the same desired behavior.”

Ultimately, Verizon concludes that “it may not be obvious at first glance, but the common denominator across the top four patterns accounting for nearly 90% of all incidents—is people. Whether it’s goofing up, getting infected, behaving badly or losing stuff, most incidents fall in the PEBKAC and ID-10T über-patterns.” End users are the weakest link in the security chain, but signature-based detection can no longer serve the purpose of protection. The security industry must adopt a new model of endpoint protection based on isolation.”
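As an added illustration (not part of the DFM article or of Verizon’s report) of why the hash matching described above is brittle, the following Python compares an exact SHA-256 blocklist check with a simple byte n-gram similarity check, of the kind fuzzy-hashing tools such as ssdeep or TLSH perform far more robustly. The two samples are constructed plain-text stand-ins that differ only by a four-byte insertion; all names, samples and the 0.8 threshold are assumptions for the example.

```python
import hashlib
from typing import Iterable, Set

# Constructed stand-in "samples": a list of fake assembly lines. The variant
# is the same content with four filler bytes inserted in the middle, the kind
# of trivial modification the report says defeats hash matching.
ORIGINAL = b"".join(b"mov eax, %d\n" % i for i in range(40))
_half = len(ORIGINAL) // 2
VARIANT = ORIGINAL[:_half] + b"\x90\x90\x90\x90" + ORIGINAL[_half:]


def sha256_hex(data: bytes) -> str:
    """Exact-match signature: hex SHA-256 of the whole file."""
    return hashlib.sha256(data).hexdigest()


def exact_hash_match(sample: bytes, known_hashes: Set[str]) -> bool:
    """Classic blocklist check: is this file's SHA-256 already known?"""
    return sha256_hex(sample) in known_hashes


def byte_ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """All overlapping n-byte windows. A small insertion only disturbs the
    few windows that straddle it, so most of the set survives."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Share of n-grams common to both inputs (1.0 means identical sets)."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


def similarity_match(sample: bytes, known_samples: Iterable[bytes],
                     threshold: float = 0.8) -> bool:
    """Near-duplicate check: flag if the sample closely resembles any known one."""
    return any(jaccard_similarity(sample, k) >= threshold for k in known_samples)


if __name__ == "__main__":
    blocklist = {sha256_hex(ORIGINAL)}
    print("exact hash catches original:", exact_hash_match(ORIGINAL, blocklist))
    print("exact hash catches variant:  ", exact_hash_match(VARIANT, blocklist))
    print("n-gram similarity: %.3f" % jaccard_similarity(ORIGINAL, VARIANT))
    print("similarity check catches variant:", similarity_match(VARIANT, [ORIGINAL]))
```

The exact hash of the variant bears no relation to the original’s, so a blocklist built from the first sample misses the second outright, while the n-gram similarity stays above 0.9 and the near-duplicate check still flags it. The toy Jaccard measure is there to make the point readable; in practice the same idea is delivered by fuzzy hashes, import hashes and behavioural telemetry rather than by hand-rolled n-gram sets.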

TK Keanini, CTO, Lancope;

“If you only read one page, or have one take away from the report, it will be the concept of the ‘detection deficit’, as it is appropriately named, the primary challenge to all of our defense strategies against this advanced threat.

Figure 5, called the Defender-Detection Deficit, notes: “…the proportion of breaches discovered within days still falls well below that of time to compromise. Even worse, the two lines are diverging over the last decade, indicating a growing “detection deficit” between attackers and defenders. We think it highlights one of the primary challenges to the security industry.”

This is an architectural problem, as many of the networks were built back when advanced telemetry was a nice to have and not mandatory to operations. There are just too many places for the attackers to hide and remain hidden as they carry out their objective across the attack continuum. If you are not detecting and remediating attackers on a weekly or monthly basis, chances are they are in your network; you just don’t know it yet.”

Andy Green, technical specialist, Varonis;

“As in previous years, credentials (guessed or previously snatched) are still involved in the largest share of attacks. We also see familiar sectors (public, finance and technology) leading in the number of security incidents reported, with retail and hospitality trailing behind them. Also, it’s yet again a safe bet to make that the time to discover a breach will be measured in months, not days.

But there are new emerging trends as well: phishing and more deadly APTs, like RAM scrapers, are on the rise. Here’s an ominous fact that Verizon discovered as part of their own research: nearly 50% opened e-mails and clicked on phishing links within the first hour!

Bottom line: hackers are getting better and better at stealthy attacks where they can sneak around perimeter defenses and remain undetected for long periods of time. It’s becoming increasingly important for companies to lock down internal access controls and protect the data from inside.”

Mike Spykerman, Vice President of Product Management at OPSWAT;

“The latest Verizon report underlines that although attacks are becoming more sophisticated, many of the tactics that are being used are the same and that there is still a lot more that organizations can do to reduce their risk of data breaches. By properly covering their bases, such as centrally monitoring devices to ensure that they are safe and patched, deploying multi-scanning with multiple anti-virus engines on servers, web proxies, clients and email servers, and educating employees in cyber security, a company’s exposure can be greatly reduced.