Last year I posted Verizon Business Report Speaks Volumes, providing excerpts that resonated with me. Verizon released another edition last month, with plenty of commentary on their blog and elsewhere. I wanted to record a few highlights here for my own reference but also to counter arguments I continue to see elsewhere about the so-called prevalence of insider threats.
This is a polite way of trying to demolish the most deeply entrenched urban myth in security history.
This shows the 2009 results.
This is an historical way to look at breach source data.
The following chart is the one that insider threat proponents will try to use to justify their position. It shows that, on average, a breach caused by a single insider will result in many more records being stolen than one caused by an outsider. Incidentally, this is what I have said previously as well!
However, when looking at the problem in aggregate, outsiders cause more damage.
If the big red dot doesn't say it all, I don't know what will.
Verizon captures this scenario using a "pseudo-risk" calculation.
Pete Lindstrom makes an interesting point about this calculation, but I don't think it is necessarily without merit.
I'd like to briefly turn to the detection and response elements I found interesting.
The following shows someone from Verizon has been to the Best Single Day Class Ever. That big red dot shows "months" from compromise to discovery is dominant.
Detection methods continue to be pathetic.
This is probably because, although logs are collected, hardly anyone reviews them.
This is probably because only a third of companies have an IR team.
Most companies are probably relying on their anti-virus software to save them. This is too bad, because the explosion in customized malware means it probably won't.
All of this is why my TCP/IP Weapons School 2.0 class teaches students how to analyze data to detect and respond to intrusions, rather than rely on automated tools which fail.
Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.