Verizon DBIR confirms we're rubbish, so let's do something about it

The DBIR also highlights the vast difference in perception between governments and the security industry

Verizon's latest Data Breach Investigation Report (DBIR) provides its usual comprehensive and witty overview of our infosec war against the bad guys. But we already know its core messages, or should do: we're rubbish at defending ourselves, we're not really getting any better, and we're concentrating on the wrong things.

Governments are still banging on about the need to understand what's going on. The Australian government, for example, is building some sort of hand-wavey Australian Cyber Security Centre with this very goal.

"The centre will help develop a comprehensive understanding of the cyber threat to Australian Government networks and the Australian industry and business sector from the full spectrum of malicious cyber actors — from cyber criminals and lone hackers, through to nation states," Attorney-General Mark Dreyfus told the Critical Infrastructure Resilience Conference in Melbourne earlier this month.

Yet the industry is already awash with comprehensive understanding of the cyber threat, as William Hugh Murray from the US Naval Postgraduate School noted in the latest SANS NewsBites.

"Open source intelligence from Verizon, Mandiant, Kroll, Sophos, IBM, McAfee, Symantec, Microsoft, Google, Trustwave, Trusteer, SANS, and others almost too numerous to mention, has proved to be far more valuable than that promised, but grudgingly given, from the government," Murray wrote.

"That said, we may be reaching the limits of our bandwidth; my desktop is littered with reports that I have not found time to read."

I agree. We don't need yet another quarterly or monthly report to tell us that pharmaceutical spam has gone down three percentage points or whatever. But the DBIR gets onto my reading list because it's based on a proper analysis of actual data breaches, how they happened and how well the victims responded — not just an enumeration of bad things that might happen. It's clear up front about its methodology and its limitations. And it's eminently readable.

This year the DBIR has plenty on the current buzz-threat, "cyberespionage", how anyone could be a target, and how the profile of nation-state actors differs fromnndmbnfgndfgndnrgnd... sorry, nodded off.

But I reckon the core message is conveyed by the "Timespan of events" chart, figure 41. It's the same depressing reality as ever. In most breaches the victim's network was compromised in a matter of hours, if not minutes or even seconds, and data exfiltration started a short time later — but the breach generally wasn't discovered for months or even years. And once discovered, the threat typically took days, weeks or even months to contain.

"We continue to view [the initial compromise to data exfiltration] phase in particular as a giant opportunity for improvement in our industry," the DBIR says.

"While it might be difficult to detect, positively identify, and respond to an intrusion within seconds or minutes, our ability to do so should ostensibly increase the longer they poke around our internal networks. But unfortunately, we're not really seeing that improvement."
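Figure 41 is only as useful as your own version of it. As an added example, not code from the column or from Verizon's report, the Python below measures those same phases for a set of incident records and buckets each phase into the chart's bands (seconds through years). The band cut-offs, the `Incident` fields and the three sample incidents are assumptions for illustration, not DBIR definitions.

```python
# Added example, not code from the column or from Verizon: measures the
# DBIR "timespan of events" phases on a set of incident records and
# buckets each phase into bands (seconds ... years) like Figure 41.
# The band cut-offs and the incident data below are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Incident:
    name: str
    initial_attack: datetime          # first hostile action seen (e.g. phish delivered)
    compromise: datetime              # attacker has a foothold on the network
    exfiltration: Optional[datetime]  # first data out; None if never observed
    discovery: datetime               # victim learns of the breach
    containment: datetime             # attacker access cut off


# Band boundaries (assumed; the DBIR publishes the labels, not these cut-offs).
BANDS = [
    ("seconds", timedelta(minutes=1)),
    ("minutes", timedelta(hours=1)),
    ("hours", timedelta(days=1)),
    ("days", timedelta(weeks=1)),
    ("weeks", timedelta(days=30)),
    ("months", timedelta(days=365)),
]

# The phases the DBIR chart reports, as (label, start field, end field).
PHASES = [
    ("attack_to_compromise", "initial_attack", "compromise"),
    ("compromise_to_exfiltration", "compromise", "exfiltration"),
    ("compromise_to_discovery", "compromise", "discovery"),
    ("discovery_to_containment", "discovery", "containment"),
]


def band(span: timedelta) -> str:
    """Map a duration to the first band whose upper bound it falls under."""
    if span < timedelta(0):
        raise ValueError("negative timespan: events are out of order")
    for label, upper in BANDS:
        if span < upper:
            return label
    return "years"


def phase_spans(inc: Incident) -> Dict[str, timedelta]:
    """Durations of each phase for one incident; phases with a missing
    timestamp (e.g. no observed exfiltration) are left out."""
    spans = {}
    for label, start, end in PHASES:
        s, e = getattr(inc, start), getattr(inc, end)
        if s is not None and e is not None:
            spans[label] = e - s
    return spans


def timespan_report(incidents: List[Incident]) -> Dict[str, dict]:
    """Per phase: how many incidents land in each band (Figure 41's columns),
    plus the median duration, so the 'months to discover' claim can be
    checked against your own tickets."""
    per_incident = [phase_spans(i) for i in incidents]
    report = {}
    for label, _, _ in PHASES:
        spans = [ps[label] for ps in per_incident if label in ps]
        counts: Dict[str, int] = {}
        for d in spans:
            counts[band(d)] = counts.get(band(d), 0) + 1
        report[label] = {
            "n": len(spans),
            "bands": counts,
            "median": median(spans) if spans else None,
        }
    return report


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    Incident("phish-to-foothold", datetime(2013, 1, 7, 9, 0), datetime(2013, 1, 7, 9, 4),
             datetime(2013, 1, 7, 11, 30), datetime(2013, 4, 22, 9, 0), datetime(2013, 4, 25, 9, 0)),
    Incident("sqli-dump", datetime(2013, 3, 2, 2, 0, 0), datetime(2013, 3, 2, 2, 0, 8),
             datetime(2013, 3, 2, 2, 0, 45), datetime(2013, 3, 2, 14, 0), datetime(2013, 3, 4, 10, 0)),
    Incident("stolen-vpn-creds", datetime(2012, 11, 12, 8, 0), datetime(2012, 11, 12, 8, 0),
             None, datetime(2014, 2, 3, 8, 0), datetime(2014, 2, 20, 8, 0)),
]

if __name__ == "__main__":
    for phase, row in timespan_report(SAMPLE_INCIDENTS).items():
        print(f"{phase:28s} n={row['n']} median={row['median']} bands={row['bands']}")
```

Run on the constructed sample it prints one row per phase; the row to watch is compromise_to_discovery, the gap the DBIR says has stopped improving. Fed your own ticket timestamps, the band counts become the internal equivalent of the chart, and a negative span (discovery logged before compromise) is rejected rather than silently bucketed.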

Figure 42 highlights another depressing reality. After an apparent improvement between 2008 and 2010, things have been getting worse again.

"The majority of breaches take months or more to discover... We've lost any sign of forward progress and are back to where we were when we started this study," says the report.

"At least the large espionage-shaded region in the months column in figure 41 allows for casting off some of the blame for this. That pits the virtually unlimited resources of a nation against the very finite resources of a single company. Nobody can reasonably be expected to withstand THAT, right? Thank goodness for that 'get out of jail free' card. For a moment there it was looking like something would actually need to be done about this."

Sarcasm, obviously. It is obvious, right? Something does actually need to be done. But we knew this already. As I wrote in February, the information security industry is mostly screwed, and needs to admit it.

According to the DBIR, 76 percent of network intrusions exploited weak or stolen credentials; 75 percent were considered opportunistic attacks; 78 percent of initial intrusions were rated as low difficulty.

"Approximately 70 percent of breaches were discovered by external parties who then notified the victim," the report says, and fully a third of the total breaches were detected by some completely unrelated third party.

Meanwhile, things like network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), log reviews, fraud detection, incident response teams or IT audits were each responsible for only around one percent of detections.

"We suspect organizations spend a lot more time and money on things that fall below the one percent mark... and do very little to hone and support the detection capability of their human resources," the DBIR says.

"Once again, end users represent the most effective means of detecting a breach internally... Typically, this involves a regular employee who, in the course of their daily responsibilities, notices something strange (e.g. slower system performance or an email that looks suspicious) and alerts IT or management. Let that fact and all its ramifications sink in."

This is exactly the security culture that Thales Australia's national security manager Jason Brown told us about last year. And it's exactly the point that IBRS security analyst James Turner made about the recently-revealed hack at the Reserve Bank of Australia.

But, to repeat, we know all this. As SANS Institute founder and director of research Alan Paller said, "Stop paying people to tell you what to do. Pay people to do it."

Disclosure: Stilgherrian has previously travelled to Singapore as Verizon's guest.
