I used to work in the security practice at Verizon Business in the mid 2000s. I was there when Verizon bought Cybertrust, and inherited the forensics team from whose efforts the Verizon Data Breach Investigations Report (DBIR) data is derived.
When they put out the initial report in 2008, it was the first time someone in the security industry had analyzed and published real data from real breaches. Before then, and still today, most annual security “threat” reports draw on vulnerability data, malware counts and behaviors, customer surveys, or general threat activity, rather than on the root causes of the breaches themselves. Early on, the DBIR was biased towards the financial industry, since many of the cases the Verizon forensics team had analyzed were credit card breaches. But they had a good vantage point to see what was really being affected, not just speculation on trends from what customers say or the number of new malware samples in the wild.
Today the DBIR has dozens of other contributors from law enforcement, federal, state, and international governments, and other partners from around the world. The sample now represents a wider swath of victims and methods, and that is why the DBIR is regarded as the most relevant and quotable document produced in our industry each year. It’s rare to watch a security briefing from anyone that does not include statistics from the DBIR.
So what is interesting in this year’s report?
Of all the good data, statistics and stories, the two charts that really illustrate the current state of the market are Figures 13 and 14 (on page 12): the percentage of breaches by time to compromise compared to time to discovery, and breach discovery methods over time, respectively. It is ironic that the breach time chart is number 13, because it shows the unfortunate fact that it takes very little time to compromise and a LOT of time to discover. More unfortunate still is that this gap has continued to WIDEN over the last 9 years. So essentially, the bad guys are getting better and we are slipping up. Even with all the new technology, regulations, standards, University programs, certifications and training classes, we spend more and more money but are less effective. My rant in my last blog describes my opinion of why I think that is. I suggest you read that.
The second chart gives us mixed news. Of the 4 ways a problem gets discovered, Fraud Detection (financial), Law Enforcement, Internal, and Third Party, we still see that SOMEONE else is alerting organizations that they have a problem. However, Internal discovery is rising, and Fraud Detection is dropping significantly. We also see Law Enforcement continuing to improve its identification of breaches. But in the end, we still rely on Third Parties to tell us we have a breach. Of all the statistics, if we can start to improve on these two charts, we’ll finally show real progress. We’ll have to wait until next year’s report to see if folks finally start to get it.
– Rick Doten, DMI Chief Information Security Officer (CISO)