The surprise is that only 10% of the breaches were traced to network devices. And network devices represented only 11% of the actual records breached. The top vector was Remote Access and Management at 39%. Web Applications came in second at 37%. Even more interesting is that 79% of all records breached were the result of the Web Application vector!
Clearly there has been a major shift in attack vectors. While this may not be a total surprise, we now have empirical evidence. We must focus our security efforts on applications, users, and content.
The specific issue I would like to highlight now is the section on methods by which the investigated breaches were discovered (Discovery Methods, page 37). 83% were discovered by third parties or non-security employees going about their normal business. Only 6% were found by event monitoring or log analysis. Routine internal or external audit combined came in at a rousing 2%.
These numbers are truly shocking considering the amount of money that has been spent on Intrusion Detection systems, Log Management systems, and Security Information and Event Management systems. Actually, the Verizon team concludes that many breached organizations did not invest sufficiently in detection controls. Based on my experience, I agree.
Given a limited security budget, there needs to be a balance between prevention, detection, and response. I don’t think anyone would argue against this in theory. But obviously, in practice, it’s not happening. Too often I have seen too much focus on prevention to the detriment of detection and response.
In addition, these numbers point to the difficulties in deploying viable detection controls, as there were a significant number of organizations that had purchased detection controls but had not put them into production. Again, I have seen this myself, as most of the tools are too difficult to manage and it’s difficult to implement effective processes.
I view Information Technology Security Management from a business risk management perspective. After all, in the modern enterprise, every significant business process depends on information technology. Therefore any risk to the confidentiality, integrity, or availability of digital assets is a risk to the business.
But what is risk really? A practical definition would be the probability and frequency of bad things happening and the resulting loss to the business. From an IT perspective, the bad things are the disclosure, alteration, or destruction of information-based assets like intellectual property, customer information, trends and projections, and financial, health, and personnel records. The impact includes the costs of recovering from the incident and also loss of reputation, which often translates into lost revenue and profits and a drop in stock price.
While I am going to be spending most of my time on IT Security Risk, it’s obvious that there are other types of IT Risks, not to mention the myriad other business risks that must be identified and managed as part of an overall risk management effort. For a comprehensive analysis of IT Risk, you might consider IT Risk by George Westerman and Richard Hunter, Harvard Business School Press, 2007.