Metrics, Interpretations, and Action Plans

It’s that time of year again! I just got my hands on the 2011 edition of the Verizon/SS Data Breach Report, and I figured I’d take a moment to share my thoughts.

First of all, note that the scope of the report now includes approximately 800 “incidents” from the year prior; last year’s report was comparable in size, covering 761 events. Next, I observe that this report is by no means “complete;” while a good deal of the year’s most significant incidents have been covered, there are likely thousands of noteworthy data points which have been overlooked or otherwise left out.

Now, the report:

Verizon has some good news and some bad news; the good news – only 76% of recorded data breach targets were servers in 2010, compared to much higher percentages in 2009 and 2008. However, this implies that the focus has shifted towards endpoint and social targets, which is very bad news, indeed. Probably nothing ground-breaking at this point, but this demonstrates the consistent challenge corporations face in raising enterprise-wide security awareness; we have erected multi-million dollar defense systems, and continue to monitor our logs for interesting traffic, but we cannot fix “people” problems with products. Additionally, note that – of the breaches reported – we continue to see a steady decline in those involving multiple parties, as well as business partner attacks. This is good news to corporations, as it indicates continued success in technical and business measures to control outsider access to enterprise resources.

Next, I’d like to take a look at some of the numbers which rose consistently between the three recent years. Specifically, I’d like to dwell on the “Employed Physical Attacks” metrics; over a 3-year window, this percentage has tripled (with little fluctuation in data set size in the prior 2 years), indicating a continued focus on technical security. While improved technical security may prevent a good deal of data breaches, it is not a holistic solution, and often results in “sore thumb” deficiencies.

Finally, I’d like to focus on the metrics provided which seemed to fluctuate between the reports issued in 2009, 2010, and 2011; note that, in 2010, the size of the breach “pool” increased tremendously with the inclusion of the US Secret Service data. Due to this, I would like to focus primarily on the metrics that rose between the 2010 and 2011 reports. Most specifically, I am concerned when I see the HUGE rise in percentage of breaches that have been discovered by a third party (+25% over a year, +17% over two years). While I’m sure corporate log monitoring initiatives have started to kick off, what is being done today is NOT enough. With “blended” attacks on the rise, there is a growing business case for event correlation and collective log management & review; if enterprise shops do not take action on this item, this number will rise exponentially. On a similar note, I observe that a steady (though slightly rising) portion of the reported breaches have been deemed avoidable, in retrospect, via simple or intermediate controls. These controls may include password policy enforcement, implementation of stateful packet inspection on firewalls, and security-focused Quality Assurance for web application content (among others). The effectiveness of such measures should be audited periodically.

Wrapping up:

• Shift in focus from Servers to Endpoints and Staff
• Shift to Physical Compromise, as opposed to Technical
• Social Compromise percentage consistent between 2009 and 2011 reports, although 2010 report indicates huge increase
• VAST majority of breaches are avoidable through simple controls
• Insider attacks are down, as are business partner breaches
• Third parties are disclosing breaches before first parties

Action Items:

• Know your assets
  • Accurate, comprehensive, and authoritative inventory is encouraged
  • Not just servers and endpoints, but identity assets as well
  • Pre-requisite to next item:
• Monitor your logs
  • Consider Event Collaboration & Correlation tools (not necessarily a product or a service, this can be a series of well-crafted scripts); note that the return presented by a product will be extremely limited, based upon organizational structure.  From my limited perspective, I see that most enterprise organizations should have comprehensive identity and asset inventory systems to get the most out of vendor SIEM products.  Even with SIM/SEM, individuals need to review their relevant logs frequently
• Invest in simple, easily monitored, controls (such as account usage policies, password complexity and refresh requirements, etc)
  • If they are already in place, audit your controls for effectiveness; more importantly, adjust accordingly
• Continue to raise enterprise awareness against breach indicators, consider random employee awareness drills
• Continue to raise enterprise awareness against physical security threats, enforce physical security policies (for example, laptops must be locked and docked within the office)
• Secure your endpoints, aggregate event logs, AV logs, etc. from workstations to a common environment for review

Original Blog Post