Thursday, May 07, 2009

Highlights from 2009 Verizon Data Breach Report

Last year I posted Verizon Business Report Speaks Volumes, providing excerpts that resonated with me. Verizon released another edition last month, with plenty of commentary on their blog and elsewhere. I wanted to record a few highlights here for my own reference but also to counter arguments I continue to see elsewhere about the so-called prevalence of insider threats.

This is a polite way of trying to demolish the most deeply entrenched urban myth in security history.

This shows the 2009 results.

This is an historical way to look at breach source data.

The following chart is the one that insider threat proponents will try to use to justify their position. It shows that, on average, a breach caused by a single insider will result in many more records being stolen than one caused by an outsider. Incidentally, this is what I have said previously as well!

However, when looking at the problem in aggregate (total records lost across all breaches, rather than records per breach), outsiders cause more damage, because they are behind far more breaches.

If the big red dot doesn't say it all, I don't know what will.

Verizon captures this scenario using a "pseudo-risk" calculation, which combines how often each source causes a breach with how many records those breaches expose; records stand in for impact because dollar costs are rarely known by the time the case closes.

Pete Lindstrom makes an interesting point about this calculation, but I don't think it is necessarily without merit.
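To make the per-breach versus aggregate distinction concrete, here is an added Python example (not code from the original post, and not Verizon's). It computes both views from a small case list: the median records per breach that insider-threat proponents cite, the total and share of records by source, and a pseudo-risk score. The case data is constructed for illustration and is not DBIR data; the reading of pseudo-risk as share of breaches times share of records is my assumption, not Verizon's published formula.

```python
from collections import defaultdict
from statistics import median, mean

# Constructed case list for illustration only: (case_id, source, records).
# These are NOT DBIR figures; the shape is chosen so that the insider median
# per breach is higher while outsiders account for more breaches and records.
CASES = [
    ("c01", "external", 1200),
    ("c02", "external", 800),
    ("c03", "external", 3500),
    ("c04", "external", 20000),
    ("c05", "external", 450),
    ("c06", "external", 1500),
    ("c07", "external", 9000),
    ("c08", "external", 2600),
    ("c09", "internal", 15000),
    ("c10", "internal", 7000),
    ("c11", "partner", 300),
    ("c12", "partner", 2000),
]


def per_source_stats(cases):
    """Per-breach and aggregate figures for each threat source.

    Returns {source: {...}} with:
      breaches           number of cases attributed to the source
      share_of_breaches  fraction of all cases (the frequency view)
      median_records     median records per breach (the per-breach view)
      mean_records       mean records per breach
      total_records      sum of records (the aggregate view)
      share_of_records   fraction of all records compromised
    """
    by_source = defaultdict(list)
    for _case_id, source, records in cases:
        by_source[source].append(records)
    n_cases = len(cases)
    n_records = sum(r for _, _, r in cases)
    stats = {}
    for source, recs in by_source.items():
        stats[source] = {
            "breaches": len(recs),
            "share_of_breaches": len(recs) / n_cases,
            "median_records": median(recs),
            "mean_records": mean(recs),
            "total_records": sum(recs),
            "share_of_records": sum(recs) / n_records,
        }
    return stats


def pseudo_risk(stats):
    """Assumed reading of the DBIR 'pseudo-risk' score: likelihood (share of
    breaches) multiplied by impact (share of records), per source. Records
    stand in for dollar impact because cost figures are rarely known when
    the IR team finishes its work."""
    return {s: v["share_of_breaches"] * v["share_of_records"]
            for s, v in stats.items()}


def rank_by(metric_by_source, key=None):
    """Sources ordered from largest to smallest on the chosen metric.
    Pass key=None for a flat {source: value} dict (e.g. pseudo_risk output),
    or a column name for the nested per_source_stats output."""
    if key is None:
        items = list(metric_by_source.items())
    else:
        items = [(s, v[key]) for s, v in metric_by_source.items()]
    return [s for s, _ in sorted(items, key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    stats = per_source_stats(CASES)
    risk = pseudo_risk(stats)
    for source in rank_by(risk):
        v = stats[source]
        print(f"{source:9s} breaches={v['breaches']:2d} ({v['share_of_breaches']:.0%})"
              f" median/breach={v['median_records']:>8,.0f}"
              f" total={v['total_records']:>8,} ({v['share_of_records']:.0%})"
              f" pseudo-risk={risk[source]:.3f}")
    print("by median per breach:", rank_by(stats, "median_records"))
    print("by total records:    ", rank_by(stats, "total_records"))
    print("by pseudo-risk:      ", rank_by(risk))
```

With this constructed data the insider median per breach is the highest of the three sources, yet outsiders lead on total records and on pseudo-risk, which is exactly the disagreement the two charts above produce. Swapping the impact term for a cost figure per source (where one exists) changes only `pseudo_risk`, which is the substitution the records-versus-cost objection asks for.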

I'd like to briefly turn to the detection and response elements I found interesting.

The following shows someone from Verizon has been to the Best Single Day Class Ever. That big red dot shows that "months" is the dominant interval from compromise to discovery.

Detection methods continue to be pathetic.

This is probably because, although logs are collected, hardly anyone reviews them.

This is probably because only a third of companies have an IR team.

Most companies are probably relying on their anti-virus software to save them. This is too bad, because the explosion in customized malware means it probably won't.

All of this is why my TCP/IP Weapons School 2.0 class teaches students how to analyze data to detect and respond to intrusions, rather than rely on automated tools which fail.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.


A. Thulin said...

Well, without an authoritative statement of the myth, there's little point in trying to demolish it.

It could be a simple case of confusing damage costs and number of incidents: insider incidents tend to produce larger damage costs, while outsiders produce a lot of incidents. (I think an IBM study in the 90s made that point: they found insider incidents are more costly.)

Then, it may simply be a question of accounting: insider incidents may go through a more thorough investigation, which possibly may be charged to the department or unit, and so are easy to sum up. While outside incidents (say, a simple port scan) may simply be chalked up as statistics and ignored, and so produce minimal damage costs.

And that big red dot you refer to doesn't really settle the matter: it only emphasizes the question of whether damage is measured in records compromised or in costs to restore the normal state of affairs. After all, a compromised database server may easily produce millions of compromised records (but is easily restored from trusted backups), while one major embezzlement only compromises one record/account.

Figure 8 really needs to be complemented by one showing the damage costs for the same data.

Anonymous said...

Just a little nit-pick ... those red dots are so big because they are scaled by dimension, not by area. In other words, if stat X is 4 times larger than stat Y then it gets a dot 16 times bigger. I'd have expected better visualisation from Verizon given that the rest of the charts are pretty good.

Anonymous said...

My take on the Verizon study is that you need to be equally concerned about internal, external and partner breaches. The internal ones lost far more records than external. And of course the sample is only of cases where Verizon was involved - internal breaches might not be detected, or might be covered up.

rwuiuc said...

Does it really matter? Attacks come from the outside. Attacks come from the inside. Sometimes attackers use insider credentials to look like insiders and insiders use external credentials/methods to look like outsiders.....

Either way the damage is done. The data is compromised and the company has to deal with the effects either way.

Implementing effective monitoring, logging, detection, analysis, documentation, battlefield assessment, and proactive response (all the things you talk about, Richard) can help solve the problem wherever it comes from.

All I know is that when I deal with clients..... I have to investigate the damage and/or the loss of data however it happens.
And the proper monitoring techniques apply to both.

Richard Bejtlich said...

rwuiuc, it absolutely matters. If we stopped focusing on vulnerabilities and looked at threats, we would help reduce the problem instead of deal with the mess. Please see Of Course Insiders Cause Fewer Security Incidents and How Many Spies? for background.

rwuiuc said...
I guess I was not clear enough......... I was saying we should focus on the threats! Whether they are outsiders or insiders........... either way you have to investigate. If the appropriate monitoring, analysis, and IR functions are in place an organization should be able to respond to either.

I do think a lot of businesses underestimate outside attacks........ but I see them underestimate inside attacks as well.

Richard Bejtlich said...

rwuiuc, what I mean is that if we want to STOP this problem we need to properly identify the culprits.

Anonymous said...

Folks, you should focus on RISK. On what is important, then segment the infrastructure, never rely on one control, and do not use inductive logic.

Alex Hutton said...

@anonymous3: ET Jaynes pretty much proved that there is no significant difference between inductive and deductive in 'Probability Theory: The Logic of Science'.

@rwuiuc: I'd have a tough time saying that we should focus on one particular aspect of the risk landscape. Focusing on threats without looking at asset, control, and impact gives you a rather myopic perspective.

@A. Thulin: The IR teams don't usually stick around for the duration of incident impact (it can take several quarters to really get just a rough estimate of actual $ impact). So we use # of records as a "pseudo-risk" component to describe impact. Yes, that makes certain assumptions, but I don't think it's non-informative as long as you're wise to the limitations of the information (which, like yourself, most folks seem to be).

FWIW - we'd *love* to have real impact values. But even then, I would suggest that most organizations can develop significantly informative $ based impact values internally by bringing other lines of business into the room (doughnuts help).

@anonymous2: I hope we've been pretty forthright about the types of incidents we get asked to help with vs. an aggregate taxonomy of incidents you might use internally at an organization. As I believe you are suggesting, there are some "internal" frequency of occurrence numbers that just aren't represented - those incidents that don't require an external IR team (those that might not require disclosure, those that do require disclosure but don't require an external IR team like lost or stolen laptops, for example), etc. just aren't represented in the DBIR.

That said, the information represented should be useful in putting the "myth" in context. If you're talking about those incidents that tend to fit our case-load profile, there's a significant gap between our experience and the "fact" bandied about in trade press.

Bottom line, VZDBIR is not meant to be some sort of biblical authority, just (hopefully significantly) informative within context.

Anonymous said...

I will grant you that the myth exists. One cannot find the source because we never said it.

What we said was that insiders represented the biggest RISK, not "threat." Insiders attack less often but do more damage. What we said was that outsiders damage the brand, insiders bring down the business.

Two caveats: 1) In the origins of the myth, before most of you were born, insiders were also the biggest threat. Before the Internet, outsiders simply had too little access to do much damage. Dial-in to time-share systems allowed people to steal computer time but there was little data leakage and almost no fraud (except that used to get IDs and passwords). 2) Until Cardsystems, last year, we had not had a business brought down by outsiders. (Given the management failures at Cardsystems, even that one is questionable.)

A great portion of the problem rests with security pretenders who cannot distinguish between threat, attack, vulnerability, and risk, much less use them in a consistent and mutually exclusive way. Last year everything was a "vulnerability" and this year everything is a "threat" but it is still risk that counts.

William Hugh Murray, CISSP

Richard Bejtlich said...

Mr Murray, maybe you'll care to cite some documentation for your claim? I just posted mine here.