Verizon Dabbles in Security Reporting
Verizon tried on security reporting for size -- and it didn't fit. Its sketch of trends over the past 10 years, based on a smattering of incidents, attempts to guide companies to figure out which threats they're most vulnerable to among 10 types it identifies. Using the tool it provides actually "could lead to a false sense of security," suggested RedSeal Networks CIO Steve Hultquist.
Apr 23, 2014 6:05 AM PT
Ninety-two percent of more than 100,000 incidents reported by 50 companies over the past 10 years fall into nine basic patterns, according to Verizon's 2014 data breach investigations report. An advance copy was released to the media Tuesday.
Point-of-sale intrusions, Web app attacks, cyberespionage and card skimmers cause the most concern for data disclosure, it says.
The patterns of attack affect some companies and industries more than others, it notes, and companies can use matrix it supplies to discover what they are most vulnerable to.
However, the report leaves many questions unanswered. What about the cloud? What about newer vectors of attack? What about poorly written code and zero-day vulnerabilities?
"This is a non-security company issuing a security report, and the McAfees of the world are scratching their heads over it," Rob Enderle, principal analyst at the Enderle Group, told the E-Commerce Times. "There are 80 billion ways to attack a system and they've found nine ways."
Cyberattacks are "changing on a daily basis," Enderle pointed out. The Verizon report "is like doing a military study that goes back 1,000 years and talks about spear placement and how to set ballistas."
Verizon's figures show that in 2013, Web app attacks accounted for about 40 percent of incidents, point-of-sale intrusions and cyberespionage 20 percent each, and card skimmer attacks and insider misuse for about 10 percent each.
The other four categories are theft/loss, miscellaneous errors, crimeware, and denial of service. There is a 10th category titled "everything else."
Verizon's matrix lays out the type of industry against the frequency of the 10 incident categories. For example, the industries most affected by PoS attacks are retail, accommodation and food services. Right now, up to 110 million consumers may be reeling from the Target data breach, while 3 million may have been hit by a data breach at Michaels Stores.
Is the History Lesson Useful?
Contrast the Verizon Report with the 2014 State of Cloud Security Report from cloud security vendor Alert Logic, which shows an increase in attacks on both cloud and on-premises IT environments. Between April 1 and Sept. 30, 2013, Alert Logic observed one billion security events and verified more than 232,000 as valid threats.
Could old-style security detection be missing out on new threats? How useful is Verizon's report, really?
Looking at trends around any sort of crime "is always good" because "it might not matter for the biggest categories but looking at the growth of smaller ones gives an idea of where things might shift in the next couple of years," contended Jeremy Demar, director of threat research at Damballa.
"At a minimum, [the Verizon report] helps find areas where you may be weak or overspending," Demar told the E-Commerce Times. "It's a good idea to understand the whole picture to figure out how to allocate your staffing and funding resources."
That could be critical to IT, which is understaffed, overworked and is chronically short of funds for security.
Gotta Keep Moving
On the other hand, just going by the matrix "could lead to a false sense of security, since it is likely that an attacker will move to other weaknesses if the first few are addressed," warned RedSeal Networks CIO Steve Hultquist.
"Those who focus only on what they can easily understand -- such as [security] control points in isolation -- are living with blinders on, and are likely to find themselves responding to attack," Hultquist told the E-Commerce Times.
"We can turn the tide [against cybercriminals] by using what we have to respond well," Hultquist said. "We cannot [do so] by using what we have always used."
Companies "need to look at the challenges holistically rather than in isolation, understand the complex interdependency of business needs and security controls, and use automation to monitor and audit that overall infrastructure," Hultquist said.
Verizon did not respond to our request for further details.