Episode 96: Verizon Business Releases the 2010 Data Breach Report

Amrit Williams, BigFix CTO, digs into the details of the Verizon Business 2010 Data Breach Report with Alex Hutton, Principal of Research and Intelligence at Verizon Business.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Alex Hutton, Principal of Research and Intelligence with Verizon Business. Alex, thanks for joining me today.

Alex Hutton: Amrit, thanks for having me. How are you?

Amrit Williams: I am great. It’s great to hear you again, it has been a while; you have been on the podcast before. Actually, the last time you were on, I think you had just taken a position with Verizon and we didn’t get a chance to drill into some of the details of the last Verizon Data Breach Report. But now I have you back and I am really excited to talk about the details of the 2010 Data Breach Investigations Report from Verizon.

So why don’t we start with just a real quick overview, if you could provide the listeners, what is the Verizon Data Breach Investigations Report, what’s its focus, goal, and purpose.

Alex Hutton: Sure. Thanks. The goal of the Data Breach Investigations Report is basically to give people information they can use to better manage their risk, optimize their security program.

The background is this, Verizon Business, as you guys probably know, we do a lot of incident response cases, where we go out on the client side when they have incidents. Our IR team has done a great job in the past, I don’t know, since 2004, of keeping detailed metrics about what the environments that they find.

So the first Data Breach Report was an attempt to basically take kind of the narratives that they capture; first the bad guys did this, then he did that, then he did the other thing, and really create risk management metrics out of them. This year’s report is kind of unique and different, because it also includes the Secret Service’s data for the past few years, about the incidents that they respond to and work.

Amrit Williams: This is the first year you guys worked in conjunction with the U.S. Secret Service, right?

Alex Hutton: Correct.

Amrit Williams: I got to tell you, those guys know how to party. No, I am joking. They are actually one of the most straight faced people I have ever met. How was it working with them, before we get into the details of the report?

Alex Hutton: It was really fantastic, it was very exciting. We had some internal champions there that I probably can’t name by name, but I do want to publicly thank them for their effort and their hard work that made this all come together. It was very exciting.

Wade Baker did a lot of work with those guys and getting this to fruition, training, and so forth. They have been extremely responsive and actually very eager to get metrics out of what they — and get them released and get people understanding what’s going on and managing better. So kudos to them.

Amrit Williams: It’s encouraging too, because there’s definitely more of an outreach from U.S. law enforcement, actually even worldwide law enforcement, to better coordinate with the private sector and businesses, so we can hopefully create an environment that makes it sacred for all of us to work and have fun online.

Alex Hutton: At Black Hat, I did meet the fed’s panels. It was amazing the amount of programs and the amount of information that the U.S. government is willing to go out and share and utilize. Programs that they have to utilize, that we can utilize to help people, manage their risk better, optimize their security programs, understand the threat landscape, and so forth; really fantastic stuff.

Amrit Williams: Well, maybe when guys show up in black helicopters, dark suits, and dark sunglasses, and they say, we are from the government, we are here to help, they actually really mean it.

Alex Hutton: We can only hope.

Amrit Williams: So let’s turn to the 2010 Data Breach Investigations Report. I find the report just fantastic. I love reading this thing once a year, because it has such a wealth of data. And what it helps to do a lot is it helps to either support some assumptions that people have or maybe change their ideas around some assumptions.

I know that I think last year’s report indicated that insider threats were not as great as I think people were stating that they were, especially those folks who sell insider threat capabilities as a vendor, but we see a proliferation in that. So talk a little bit about what are some of the major themes that you guys saw in 2010 that were different from 2009 and then we can sort of drill into what impact they are going to have on the enterprise.

Alex Hutton: Sure. Well, one of the things that came about from the cooperation with the Secret Service is that, we actually did get a more clear picture about what may not be reported, and a lot of that had to do with the insider.

If you have read the 2009 supplemental report that we put out, part of the work that — I was a part of the team that did the normalization with the data lost database information. It was interesting that once we took out like lost laptops and USB keys that are lost, that had a bunch of social security numbers and basically said, okay, these are the incidents that DoD covers that are very similar to the incidents that we work. Their percentage of insiders and outsiders was statistically similar to what we had been seeing. So that was kind of validation at that time; what is publicly reported and what is represented in the press, seems to match the percentages that Verizon works.

(00:05:09)

This year, we actually, because of the Secret Service data, we actually do see a greater frequency and incidence caused by internal agents. If you look at page 12 of the report, we show a 70% external agent representation, a 48% internal agent representation, and 11% partner representation. Those percentages add up to above 100%, because many times you will have an external agent working with an internal agent on a case. So that’s why you get greater than 100% there. But we do see a significant rise there because of the Secret Service dataset.

Now, that said, I have to qualify that. If we think of risk as being frequency and impact, if you take a look at our numbers, and this is on page 14 for those listeners who are kind of reading along with us, or want to take notes and look at the Data Breach Report themselves, what we do there is we kind of say, okay, now, we have got a frequency number in terms of representation in the caseload, what about actual impact? And if you look there, you are like 70 times more likely to have compromised records, compromised by an external agent than an internal agent.

So out of the nearly over 900 million records total in the dataset, that combine U.S. Secret Service and Verizon dataset, out of 900 million records that have been compromised, 800 million were from external agents, 28 million were from internal agents.

Amrit Williams: That’s actually pretty incredible. I have a quick question about these metrics that were caused by insiders. There is a similar metric here, almost exactly same numbers, 48% were caused by insiders, an increase of 26% over last year. Another part of the report says, how do breaches occur, 48% involve privilege misuse, and again, that 26% increase over last year. Have you been able to determine through the investigations which of these were negligence versus malicious activity?

Alex Hutton: Yeah, actually we have kind of breakdowns of what misuse means. If you go ahead and take a look at the Misuse section, that kind of starts on Page 33, we give a type of misuse that’s kind of broken down between embezzlement, skimming, and related frauds, versus say, what we would typically think of misuse as access in privileges. So you do kind of get a breakout by type of misuse there to answer that.

Amrit Williams: I am looking at this, this is quite interesting, because this implies that in the majority of cases where there was an internal breach, there was actually an attempt to breach. I mean, it wasn’t negligence or wasn’t an accident.

Alex Hutton: No, no, and that’s significant. One of the things — to get back to, I guess, what you are kind of driving at, there is a wonderful graph that we do, where we break out sort of the over time, the frequency or the representation in the dataset, and you see the shape of the Secret Service’s internal — representation of the internal agent between 2007 and 2009 on Page 13. It’s a little V shape, basically, that starts high in 2007, at near 90%, kind of bottoms out around 55% over 2008, and jumps back up towards 70% in 2009.

Now, to show you what kind of influence, misuse, and what you are talking about, and the Secret Service dataset has on our representation of misuse in the internal actor in the Data Breach Report, you go to Page 22 and you take a look at the dotted green line for misuse as a threat action there, and it is a same shaped curve, that same V shape is represented there.

So that just shows you that if you go to that representation of what types of misuse are represented with dataset, that’s almost same for same, kind of related to the frequency for the internal actor. So taking a look at abusive system access and privileges and embezzlement, and making sure you have controls around that, well, you are going to knock out a significant probability of internal actors being successful just by focusing on those sorts of threat actions. I think that’s the power of the Data Breach Report and the power of looking at data, is that optimization.

(00:09:49)

Amrit Williams: Well, I guess we want to touch on what organizations can do to better defend themselves, but before I go there, I do want to ask you a question about this concept of insider threat and misuse. I think over the years we have seen sort of negligence and accidental misuse. As this report is indicating, there is actually a targeted type of thing that’s going on, whether that’s for embezzlement or any number of things.

Do you think there is or have you — did the Secret Service itself or Verizon look at any correlations between the current economic conditions and people’s fear about either losing their jobs or being laid off that has driven this number up, or is this just opportunistic?

Alex Hutton: Yeah. The answer I should give you is, we don’t see that in the dataset, because you get this internal and misused representation actually dropping between 2007-2008. If I were to be able to say, oh, of course, the economy is causing bad people to do bad things, you would think that, that would actually have increased between 2007 and 2008. I think the long-term answer is, we don’t have enough data. I mean, the kind of statistician wannabe deep inside me says, well, I would really like to have several recessions worth of data to show you, but then again, I don’t want several recessions worth of data.

Amrit Williams: Very good point! And hopefully we won’t touch that dataset anytime in the near term, because I think 11:22 from some of the economic conditions that are going on.

Quick question, have you been able to do any correlation between a combination of external actors utilizing internal actors to compromise, is that anything that you have seen increased? Is there a proliferation of that, or are these still fairly independent entities, you have the external folks trying to gain access and you have internal folks trying to gain access and there is no real sort of combination?

Alex Hutton: There is actually a significant representation of combination of cooperation and combination in the dataset. If you look at Figure 7 on Page 14, we have got 27% of all breaches included agents working together. A lot of times, especially with regards to what we see in the Secret Service dataset, that’s an insider using a skimmer or what have you in conjunction with an outsider, so that you have got an unsophisticated internal actor who is being approached by or utilizing a more sophisticated external actor who kind of acts as the laundryman for the data that they have breached and used.

Amrit Williams: One of the things that I am also curious about is, the word sophistication is used a lot, and I know that we have talked about the movement from hobby-based malware and cyber-vandalism, to fairly sophisticated and stealthy attacks driven by financial gain. Are you seeing that level of sophistication required in exploiting companies, or are folks still falling prey to the very basic stuff, that if they just simply implemented better controls that they wouldn’t fall prey to this, at least, they would fall prey to something different, but are the external actors or even the internal folks, they are just still taking advantage of some pretty basic stuff, right, we are not seeing a huge increase in some highly sophisticated attacks, are we?

Alex Hutton: When I was first exposed to the Verizon dataset, I said no, no, no, none of this is sophisticated at all. But the fact that for five years running the dataset shows what I would consider simple things like SQL injection to be represented, I would have to say, well, maybe that is sophisticated, right?

The attackers, I think, from looking at the dataset and understanding what’s going on, especially when you kind of mentally correlate that to what we are being sold as an industry in terms of products and so forth, the attackers are very economically focused, they will expend only the energy they need to in order to make the data breach happen.

So if we are giving them access through SQL injection and we are giving them access through simple malware and drive-bys and so forth, and what you and I from the technical standpoint might consider unsophisticated attacks, they are going to use unsophisticated attacks.

That said, we still can’t manage these things. So maybe the technical concept is simple, maybe it’s actually a complex management problem, I don’t know. But whatever it is, I think every reader out there would say, looking at the dataset, we have got fairly unsophisticated attacks still being the majority representation in the dataset.

Amrit Williams: That makes sense. I think maybe I stated this wrong. I think the use of the word sophistication requires context, because you and I have an understanding of something that the average IT person may not. Maybe a different way to state this is, have the initial compromises into an organization evolved to a point that traditional mechanisms or traditional controls would be easily bypassed?

(00:15:02)

And I think what you are stating is that, no, we are still falling prey to the same stuff we fell prey to yesterday, even though the malware that might be stuck on these machines to store passwords or data may be becoming more sophisticated. The attackers today are still enjoying the ability to crack our systems the same way they cracked them five, ten years ago.

Alex Hutton: Yeah, exactly, and I think what the dataset says, and you can look at this in the latter pages, Page 50 on, if you are interested in reading about it, is basically, it’s relatively unsophisticated. Mitigation is usually 64% of the time simple and cheap. These are not new trends; these are things that you will see in the previous two Data Breach Investigations Reports as well. 90% of the time the information about a breach is in the logs, that sort of thing.

So that evidence points to, it’s there, we just are overwhelmed by mountains of information, overwhelmed by a lot of noise, in the signal to noise ratio. Basically, it is the fundamental things that lead to data breaches.

That said, there is representation of sophisticated attacks, and many times a targeted attack is going to have sophisticated means utilized. But the vast majority of attacks just don’t cost the attackers that much in terms of skills and resources.

Amrit Williams: That’s troubling to me. That’s a very troubling statement. The Verizon Data Breach Report has been coming out for a couple of years. We have all this data that comes out from vendors themselves that talk about the type of attacks that are out there. It’s not a surprise that security is an issue for people and they need to increase the level of control that they allow access into systems, as an example. But it doesn’t look like the industry as a whole is doing a very good job of taking care of the basics. And that’s unfortunate, that’s troubling.

Alex Hutton: Let me back up and state one thing though, in terms of kind of correlating, you remember we talked about internal and external and frequency versus impact, and throughout the Data Breach Report we kind of use percent of records breached as a notion of impact, because let’s face it, that’s a pretty good shadow indicator of true impact to a company.

One of the things that was interesting is that, even though, a very subjective notion, but advanced methods were required to perform the attack, only 15% of the aggregate total dataset out of 900, only 15% of those really represented a sophisticated attack. Those sophisticated attacks accounted for 87% of 900 million records breached. So again, you have to balance frequency with impact, and I want to make sure I do that.

Amrit Williams: Oh, that’s a very good point, and well stated. I mean, I think most people can probably understand that an insider, a sophisticated insider, is going to have a far more damaging impact, or even a sophisticated external actor with a lot of support and resources behind him, is a much more devastating attack than unsophisticated folks using traditional methods. But good, very well stated.

So Alex, assuming that there are people out there that don’t know how to use Google, where can we get a copy of the Verizon’s Data Breach Investigations Report?

Alex Hutton: The best place is Verizonbusiness.com/products/security. There will be a link right onto your right there.

Amrit Williams: Alex, I really appreciate you joining us today.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
