Wednesday, June 11, 2008

Verizon Business Report Speaks Volumes

This morning I attended a call discussing the new Verizon Business 2008 Data Breach Investigations Report. I'd like to quote the linked blog post and a previous article titled I Was an Anti-MSS Zealot, both of which I recommend reading in their entirety. First I cite some background on the study.

Verizon Business began an initiative in 2007 to identify a comprehensive set of metrics to record during each data compromise investigation. As a result of this effort, we pursued a post-mortem examination of over 500 security breach and data compromise engagements between 2004 and 2007 which provided us with the vast amount of factual evidence used to compile this study. This data covers 230 million compromised records. Amongst these are roughly one-quarter of all publicly disclosed data breaches in both 2006 and 2007, including three of the five largest data breaches ever reported.

The Verizon Business 2008 Data Breach Investigations Report contains first-hand information on actual security breaches...
(emphasis added)

That's awesome -- a study based on what Verizon's Incident Response Team found during their work. Next let's read some thoughts from one of Verizon's security team.

I used to think that Intrusion Detection Systems (IDS) and Managed Security Services (MSS) were a waste of time. After all, most attacks that I had worked on began, and were over, within seconds, and were typically totally automated...

But the Verizon Business 2008 Data Breach Investigations Report tells a very different story. The successful attacks were almost universally multi-faceted and the various timeframes are truly astounding. The series of pie charts in Figure 21 are the most interesting data.



The first chart shows that more than half of attacks take days, weeks, or months from the point of entry of the attack (the first successful attack step) to the point of data compromise (not simply system compromise, but the point at which the criminal has actually done material harm). 90% take more than hours and over 50% take days or longer. Clearly if an appropriate log was instrumented and being regularly reviewed or an IDS alarm occurred, you would notice and could stop the attack in the vast majority of our cases.

The second pie chart in the series reveals that 63% of companies do not discover the compromise for months and that almost 80% of cases do not learn of attacks for weeks after they occur. In 95% of cases it took the organization longer than days after the compromise to learn of the attack. There are hundreds of cases in which the inside team either didn’t look at the logs (in 82% of the breaches in the study, the evidence was manifested in their logs), or for some other reason (were frustrated, tired, overwhelmed by the logs, found them to be not-interesting, felt they were too noisy after a few days or weeks) simply quit looking...
(emphasis added)

That is amazing. Consider the following regarding patching.

[O]nly 22% of our cases involved exploitation of a vulnerability, of which, more than 80% were known, and of those all had a patch available at the time of the attack. This is not to say that patching is not effective, or necessary, but we do suggest that the emphasis on it is misplaced and inappropriately exaggerated by most organizations. For the sake of clarity, 78% of the breaches we handled would have still occurred if systems had been 100% patched the instant a patch was available. Clearly patching isn’t the solution to the majority of breaches we investigated.

How about the source of attacks?

While criminals more often came from external sources, and insider attacks result in the greatest losses, criminals at, or via partner connections actually represent the greatest risk. This is due to our risk equation: Threat X Impact = Risk

  • External criminals pose the greatest threat (73%), but achieve the least impact (30,000 compromised records), resulting in a Pseudo Risk Score of 21,900

  • Insiders pose the least threat (18%), and achieve the greatest impact (375,000 compromised records), resulting in a Pseudo Risk Score of 67,500

  • Partners are middle in both (39% and 187,500), resulting in a Pseudo Risk Score of 73,125


While these are rudimentary numbers, the relative risk scores are reasonable and discernible. It is also worth noting that the Partner numbers rose 5-fold over the duration of the study, making partner crime the leading factor in breaches. This is likely due to the ever increasing number of partner connections businesses are establishing, while doing little to nothing to increase their ability to monitor or control their partner’s security posture. Perhaps as expected, insider breaches are the result of your IT Administrators 50% of the time.
(Note the original blog post doesn't say 39%, although the report and briefing do.)

I think that's consistent with what I've said: external attacks are the most prevalent, but insiders can cause the worst damage. (The authors note the definition of "insiders" can be fuzzy, with partners sometimes considered insiders.)

This chart is one of the saddest of all.



Unfortunately, it confirms my own experience and that of my colleagues.

I'll add a few more items:



    • Three quarters of all breaches are not discovered by the victim

    • Attacks are typically not terribly difficult or do not require advanced skills

    • 85% of attacks are opportunistic rather than targeted

    • 87% could have been prevented by reasonable measures any company should have been capable of implementing or performing



Sounds like my Caveman post from last year.

I am really glad Verizon published this report and I look forward to the next edition in the fall.

16 comments:

    Michael Janke said...

    My experience with investigating a fairly large number of breaches jibes pretty much with the report - if I exclude common desktop bots & malware. Those are a different animal as far as I am concerned.

    We typically see days, weeks or months from exploit to detection, which drives us toward long retention on netflow & firewall logs.

    The breaches could have been detected in logs, if the signal to noise ratio were reasonable.

    The more recent exploits tend to be non-patch related, I suspect simply because computers tend to be better patched now than they were 5 years ago.

    The partner risk is interesting & worthy of attention.

    Interestingly - the last few breaches I looked at have been bandwidth & SEO related. The systems were targeted because they had either lots of free bandwidth for serving up warez/pornez, or because they had very high search engine placement, making links to illicit pharmaceuticals the end goal.

    Rocky DeStefano said...

    This report is full of juicy nuggets, here is one of my favorites...

    On Page 23 of the report buried in the bottom paragraph is an interesting statistic and analysis note....

    In 82% of the cases the victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing event-related information available to them!

    They indicate that the breakdown is in the process, that organizations lack procedures for collection, analysis and reporting on event information.

    Anonymous said...

    Interesting spin on the report

    http://www.verizonbusiness.com/about/news/displaynews.xml?newsid=25135&mode=vzlong&lang=en&width=530

    Verizon Business Releases Trailblazing Data-Breach Study Spanning 500 Forensic Investigations

    Key Findings Indicate 87 Percent of Breaches Avoidable through Reasonable Security Measures Businesses Urged to Be Proactive

    June 11, 2008

    Highlights:
    Key Findings Examine Basic Security Tenets
    Growing Worldwide Black Market for Stolen Data
    Recommendations for Enterprises

    Russ Cooper said...

    Hey Rocky, how ya doing? Long time no see.

    Richard, thanks for pointing out my mistake in my blog post (73 instead of 39), that's what happens when you do a copy/paste! I've corrected it now.

    Your post is a good read. It's interesting to see which numbers are jumping out to various people.

    Cheers,
    Russ

    Ben Wright said...

    Richard: Legally speaking, what is "reasonable security?" FTC punished TJX for not having it, but FTC was wrong. Verizon says 9 of 10 data breaches could have been avoided if "reasonable security" were present. That implies 9 in 10 breach victims were in violation of law. The study's outlook is that the solution to identity theft is locking down corporate data. But a security consultant/solution provider like this Verizon unit naturally sets a high bar for what is reasonable. And when Verizon evaluates if reasonable security could have prevented a break-in, it does so with benefit of hindsight. Yet the study goes on to say that in modern systems knowing where all your data reside is "an extremely complex challenge." In other words, the sheer problem of locating data (so you can apply security) is very expensive, and mistakes by data-holders who act in good faith are easy. The reasonable measures expected by FTC and Verizon are extravagantly hard to implement in practice. Hence, the portion of incidents preventable by FTC/Verizon's reasonable procedures is much lower than 90%. We need to focus more attention on other solutions to identity theft. --Ben http://hack-igations.blogspot.com/2008/03/ftc-treats-tjx-unfairly.html

    WHBaker said...

    For an explanation of what we mean by "reasonable controls," please visit the Verizon Business Security Blog post referenced below.


    What do we mean by "Reasonable Controls?"

    Business Pens said...

    Although excellent reports like this give us insight into breaches that are found, one wonders about the number of additional breaches that are NEVER detected.

    -Rob L

    Anonymous said...

    This report is highly misleading.

    Every other security report shows you that the majority of breaches are the result of insiders who accidentally lose their laptops, memory sticks.

    I work for my state government and even though it may not be a significant sample size to speak for the entire country, I've seen enough newspaper articles to know that the majority of breaches aren't from external.

    I can't explain why there is a discrepancy with this report but I highly recommend reconciling this report with another report such as http://www.darkreading.com/security/government/showArticle.jhtml?articleID=211201426

    WHBaker said...

    @Anonymous

    By "reconciling", I assume you want us to ignore our 5 years of data from 600 cases and just go with what others are reporting? Unlikely.

    We've reported what we found - what else can we do? I've always been straightforward about our dataset and its limitations. Maybe govs are different (we don't work many cases in that sphere so I don't have a data-based opinion) but as for me and any organization I steer or advise...I'll continue to follow the data.

    Annuity said...

    I can feel that you have put in hard efforts. Good job!!
