I was very excited to finally get a copy of the much-anticipated 2013 Verizon Data Breach Investigations Report (DBIR.) I have found the report to be valuable year after year. This is the 6th iteration and this year’s report includes 621 confirmed data breaches, as well as over 47,000 reported security incidents. 18 organizations from across the globe contributed to the report this year. The full report is 63 pages, and I have to say that Wade Baker and company did a great job making it an enjoyable read. I enjoyed the tone, and I found myself laughing several times as I read through it (Laughing and infosec aren't commonly said in the same breath.) There are tons of great references as well, ranging from NASCAR, to Biggie Smalls, the Violent Femmes and more. The mantra of this year’s report is “Understand Your Adversary’ is Critical to Effective Defense and Response.” Here are a few observations:
The focus on the adversary answers customer questions. Who is the adversary? This is a frequent question from Forrester clients. The Mandiant APT1 report stirred up much debate on state sponsored actors and Verizon's data and analysis gives us more perspective on this class of threat actor. The first table in the report profiles the threat actors that are targeting organizations. It provides a high level view that I suggest you include in any type of executive engagement activity you participate in. This 3rd party snapshot of the threat actors should resonate with a wide degree of audiences.
"My master made me this collar. He is a good and smart master and he made me this collar so that I may speak. Squirrel!"
In the Pixar film Up, squirrels frequently distract Dug the talking dog. In our space, we are frequently distracted by technology. "I am a good and smart security professional; I must protect my enterprise so that we are secure. APT defense in a box!"
The expo floors at industry events such as the RSA Conference and Blackhat contribute to this. Signage touts the next great piece of technology that will solve all of our security problems. We allow Big Data, security analytics, threat intelligence, and APT defense in a box to distract us. It is easy to do; there is no shortage of challenges for today’s security and risk professional. The threat landscape is overwhelming. We have problems recruiting and retaining the right staff. Day-to-day operational duties take up too much time. Our environments are complex, and we struggle to get the appropriate budget.
These “security technology du jour” solutions are very appetizing. They compel us much like IDS, IPS, and SIM did in the past. We want and need the “easy” button. Sadly, there is no “easy” button and we must understand that threat protection doesn't equal a product or service; there is no single solution. Technology alone isn't the answer we are looking for.