AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


A year of breaches: lessons from Verizon’s latest Data Breach Investigations Report

by

For more than a decade the Verizon Data Breach Investigations Report (DBIR), which covers the types and frequencies of security incidents globally over the previous year, has been a bellwether of how enterprise network security is performing, providing valuable insights on how to enhance an organization’s security posture. The report is now in its 11th year; here are some of the 2018 edition’s key takeaways.

Ransomware rises, so segmentation is essential

According to the report, over 40% of all malware-related incidents are ransomware. Moreover, ransomware is now having a greater impact on organizations than ever before because attacks no longer focus on the first device they infect. Instead they move laterally, deeper inside the network, to target more vital systems – ones that victims will pay dearly and quickly for.

It’s therefore critical that organizations implement intelligent network segmentation that will contain the damage an attack can wreak as much as possible, instead of attempting to create an impenetrable network perimeter that guards against all intrusion types (which is near impossible).

In addition to network segmentation, organizations should perform regular network health checks to look for security policy misconfigurations that could leave them vulnerable to ransomware or indeed any type of cyber attack. You can read more about how to do this here.

Improving detection times

In addition to examining how intruders are compromising enterprise networks, the DBIR looks at how long it takes for companies to discover a breach, and how long it actually takes to exfiltrate data. The report found that in 87% of breaches, data had been compromised within minutes, or even seconds, of the attack taking place, yet 68% of breaches weren’t discovered by organizations for months or more. So what can organizations do to address this?

Part of the problem is that the SIEM solutions that organizations use to detect and respond to security events typically collect alerts and logs from a broad range of security sensors, often generating tens of thousands of alerts per day. In attempting to solve one problem, this inadvertently creates another challenge for security teams: how to identify which alerts are genuine incidents, which are false alarms, and which incidents should be prioritized for remediation.

As we have previously blogged, security teams must be able to apply business context to their security incident response processes, so that they can identify and prioritize the incidents that present the biggest threat to the business.
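As an added illustration (not code from the original post or from any product), the sketch below shows one way to apply business context to alert triage: duplicate alerts are grouped per host and rule, then ranked by sensor severity multiplied by the criticality of the business application the host supports. The asset inventory, criticality scale, alert fields and scoring formula are all assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed asset inventory: host -> (business application, criticality 1-5).
ASSETS = {
    "10.1.20.5": ("payments-db", 5),
    "10.1.30.7": ("hr-portal", 3),
    "10.9.0.44": ("test-lab", 1),
}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumption: hosts missing from the inventory get mid criticality so that
# they are reviewed rather than silently dropped to the bottom.
UNKNOWN_ASSET = ("unmapped", 3)

# Constructed sample alerts, as a SIEM might export them.
ALERTS = [
    {"id": "a1", "host": "10.9.0.44", "severity": "critical", "rule": "malware-beacon"},
    {"id": "a2", "host": "10.1.20.5", "severity": "medium", "rule": "smb-lateral-scan"},
    {"id": "a3", "host": "10.1.20.5", "severity": "medium", "rule": "smb-lateral-scan"},
    {"id": "a4", "host": "10.1.30.7", "severity": "high", "rule": "phishing-click"},
    {"id": "a5", "host": "10.7.7.7", "severity": "low", "rule": "port-scan"},
]


def prioritize(alerts, assets=ASSETS):
    """Group duplicate alerts per (host, rule) and rank by severity x criticality."""
    groups = defaultdict(list)
    for alert in alerts:
        groups[(alert["host"], alert["rule"])].append(alert)

    incidents = []
    for (host, rule), members in groups.items():
        application, criticality = assets.get(host, UNKNOWN_ASSET)
        severity = max(SEVERITY[m["severity"]] for m in members)
        incidents.append({
            "host": host,
            "rule": rule,
            "application": application,
            "alert_ids": [m["id"] for m in members],
            "score": severity * criticality,
        })
    # Highest business risk first; host breaks ties for a stable order.
    return sorted(incidents, key=lambda i: (-i["score"], i["host"]))


if __name__ == "__main__":
    for incident in prioritize(ALERTS):
        print(incident["score"], incident["application"], incident["rule"],
              incident["alert_ids"])
```

With this sample data, the two medium-severity alerts on the payments database collapse into one incident that outranks the critical-severity alert on a lab machine.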

Phishing must be countered with security basics

The DBIR found that phishing was utilized in 93% of breaches, with an average of 4% of enterprise employees clicking on a link in any given phishing campaign. Two-factor authentication (2FA) helps organizations protect access to data, and egress filtering helps identify and restrict outbound traffic to make it difficult for attackers to exfiltrate data. Furthermore, it’s important to implement ‘least privilege’ policies whereby employees can only access the data they need to do their jobs, so that if one lower-level employee’s credentials are compromised, the attacker doesn’t gain access to all company data by default.

DDoS storm strength downgraded

According to the DBIR, the average strength of distributed denial of service (DDoS) attacks weakened in the last year, with attacks tending to last for minutes rather than hours or days. Despite this, most companies experienced an average total of three days of attack over the course of the past year. The report therefore recommended that organizations retain DDoS mitigation services. In addition, there are a number of tactics that organizations can use to defend against DDoS, including ISP blocking and scrubbing, blackholing, and using a content delivery network. You can find out more about how to defend against DDoS here.

The Verizon report concluded that, “criminals are, as a rule, most likely to continue to use the tools against you that have been most effective in the past. Knowing where your organization is in the food chain for criminals gives you an advantage, so be sure to use it”.
