Channel: CTOvision.com

2015 Data Breach Investigations Report (DBIR): Strategic intelligence for cyber defenders


The yearly Data Breach Investigations Report (DBIR), conducted by Verizon with contributions by over 70 organizations from around the world, has become an important yearly marker on the state of enterprise security. We consider this report to be one of the most actionable of its kind because of the rigor put into the analysis as well as the collaborative approach to collecting and analyzing the data. Data comes from forensic investigations into 79,790 incidents, with a focus on those that had confirmed data disclosure (2,122 confirmed breaches).

One of the most important conclusions I take from the 2015 DBIR is this: The threats facing us may at times seem infinite in variety and impossible to understand, but the reality, as shown by the statistics in the DBIR, is that they are knowable. Enterprises can learn a great deal about the threats that face them and the attack patterns used by adversaries to get in, and this can inform your defense. For example, the chart below captures the primary attack pattern found in data breach investigations:

[Chart: The Nine Patterns]

Data shows many other things, including:

  • Most attacks that result in data breach come from external sources (over 80%). This has been consistent for years.
  • In almost all attacks resulting in breach, the attackers get in fast, under an hour. In 60% of the cases attackers got into an organization within minutes. However, it takes far longer to detect an adversary, and pushing them out can take months.
  • Analysis of information sharing underscores the need to share indicators faster for our collective defense. 75% of attacks spread from the first victim to the second within 24 hours. 40% hit the second organization in less than an hour. So sharing of indicators of attack must be faster.
  • Data shows an amazing number of attacks involving social engineering, especially phishing. Odds are that someone in your organization is clicking on a link they should not be clicking on right now. It is pretty clear that user training to change this behavior remains important.
  • When it comes to vulnerabilities, 99.9% of the exploited vulnerabilities were compromised over a year after details on the vulnerability were published to the security community. This means you have to patch your systems!
  • Attacker motives are increasingly complex and compounded, with more than one motive and method of attack. Examples include attacks set up to create a "watering hole" on a popular website in order to get malicious code onto the computer of another organization, or DDoS attacks done as a diversion to cover an extraction of user information.
  • Malicious code that pulls data from the RAM of a computer is on the rise. Right now this is a concern to anyone who processes payment cards, but the threat is evolving fast and will soon be a concern to anyone who processes data in RAM (all of us).

The report underscores for us all some very important points. Our firm, Cognitio, believes all enterprise IT professionals should:

  • Understand that you can significantly reduce your risk and mitigate the impacts of cyber attacks. Do this by knowing the facts and learning and implementing best practices.
  • Know that you can protect your data and the data of your partners and customers, and that you can do so while continuing to modernize your infrastructure in innovative ways. Experienced enterprise technology leaders and security professionals know how to do this.
  • Know the threat and track the latest on how to defend by signing up for the Daily Threat Brief, our focused review on the threat designed to inform executives, technologists and cybersecurity professionals on what matters most. Make this the first thing you read every morning.
