Choose Your Own Adventure With The 2014 Verizon DBIR

Rick Holland

In a world where every single security vendor has their own annual threat report, the Verizon Databreach Investigations Report (DBIR) is the gold standard, and this year is no different. Last year I began blogging my initial analysis (Observations on the 2013 Verizon Data Breach Investigations Report), and I wanted to continue that again this year.  Here are some of the high-level details on this year's report: 

  • Fifty organizations representing 95 countries were included in the data set. This included 1,367 confirmed data breaches. By comparison, last year’s report included 19 organizations and 621 confirmed data breaches.
  • In a significant change, Verizon expanded the analysis beyond breaches to include security incidents. As a result, this year’s dataset has 63,437 incidents. This is a great change, recognizes that incidents are about more than just data exfiltration, and also allows for security incidents like DoS attacks to be included.
  • The structure of the report itself has also evolved; it is no longer threat overview, actors, actions and so on. One of the drivers for this format change was an astounding discovery. Verizon found that over the past 10 years, 92% of all incidents they analyzed could be described by just nine attack patterns. The 2014 report is structured around these nine attack patterns.  
Read more

Kicking Off Forrester's "Targeted Attack Hierarchy Of Needs" Research

Rick Holland

I am about to kick off my next Forrester research on targeted attacks.  Here is the short abstract: "The threat landscape has evolved but organizations haven't. Leveraging concepts of Zero Trust, this report will detail strategies for protecting against targeted attacks against your organization. We will focus on the pros and cons of various strategies and provide suggestions for maximizing your investments." If you'd like a preview to the tone of this research please see one of my previous blogs: "Kim Kardashian and APTs."

  • Vendors:  The focus of this research is on overall strategy and NOT on specific vendor capabilities. We look forward to detailed vendor conversations when we do follow on Waves or Market Overviews in the future. 
  • Enterprises:  If you would like to provide us feedback on your experience with defending against targeted attacks, we would love to hear from you.  If you purchased a magic anti-APT box and it is/isn't living up to your expectations, let us know.  We are currently scheduling research interviews.  Research interviews are open to more than just Forrester clients.  If you aren't a client and would like to participate, we will provide you a complimentary copy of the final research upon completion. 
Read more