Posted by Rick Holland on April 22, 2014
In a world where every single security vendor has their own annual threat report, the Verizon Data Breach Investigations Report (DBIR) is the gold standard, and this year is no different. Last year I began blogging my initial analysis (Observations on the 2013 Verizon Data Breach Investigations Report), and I wanted to continue that again this year. Here are some of the high-level details on this year's report:
Before I move on, I wanted to point out one painfully shocking statistic. Figure 13 contrasts how long it takes the attacker to compromise an asset with how long it takes the defender to discover it. The trend lines "show that attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade." Attackers compromise assets in days or less well over 75% of the time, while defenders detect the compromise in days or less only about 25% of the time. Keep in mind that this is measured over the past decade; these are not encouraging data points.
HOW TO USE THE 2014 DBIR
Do you remember the Choose Your Own Adventure books from the '80s and '90s? I have fond memories of reading these books as a child. If you are not familiar with them, they are unique in that the reader becomes the main character and gets to actually guide the actions and outcome of the book. The book is customized to the reader. So what does this have to do with the DBIR? Let me explain. I started off the blog mentioning that every single vendor has some sort of annual report that they publish. If you are like me, you don't have time to read them all. Many of these reports are macro focused, and while some *might* be helpful in your day-to-day job, most are not. Most of the reports lack relevancy to your organization. With the DBIR's pivot to attack patterns, you can now read the DBIR like a Choose Your Own Adventure book. Here is the obvious use case:
I am a big fan of the new structure of the DBIR; the 2014 DBIR has transitioned from a report to a tool. Other vendors should consider taking a similar approach. What would really be cool is if Verizon provided a web-based interface that allowed you to input your specifics and have a customized report generated for you. Speaking of suggestions for Verizon, last year I wrote:
"I would like to see Verizon break out of breaches and incidents that resulted from third parties. Using the Verizon threat actor definition, I’d specifically like to see data on external threat actors who compromised companies via third-party networks. For example, I want to know how many organizations were attacked via an extranet connection to a supply chain partner. Third-party risk is a top concern of Forrester clients."
My request around greater detail into third-party incidents/breaches stands. Third-party risk was a top concern before the Target breach, and anxiety around it has only increased since. You could even "Choose your own adventure" around a business partner and see what the most likely incident patterns are for that organization and then question them specifically around how they are mitigating that risk.
Finally, I have a question for you. Can you generate similar data for the incidents that have occurred in your organization? What are your top incident patterns? Are you tracking time to compromise and time to discovery? You don't have to use the VERIS format to describe incidents, but you need to use something.
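As an added illustration of the questions above (not code from the post or from Verizon), here is a small Python script that takes incident records in a VERIS-like shape and reports the top incident patterns, the share of incidents compromised or discovered in days or less (the same cut used in Figure 13), and how often discovery took longer than compromise. The field names, the pattern labels and the six sample incidents are constructed assumptions; substitute whatever schema your own incident tracking keeps.

```python
from collections import Counter

# Constructed sample records in a VERIS-like shape (field names assumed for this
# example). "pattern" is whatever label your incident process assigned; timeline
# units follow the VERIS convention (Seconds/Minutes/Hours/Days/Weeks/Months/Years).
INCIDENTS = [
    {"id": "INC-001", "pattern": "Web App Attacks",
     "timeline": {"compromise": {"unit": "Hours"}, "discovery": {"unit": "Months"}}},
    {"id": "INC-002", "pattern": "Web App Attacks",
     "timeline": {"compromise": {"unit": "Minutes"}, "discovery": {"unit": "Weeks"}}},
    {"id": "INC-003", "pattern": "Insider Misuse",
     "timeline": {"compromise": {"unit": "Days"}, "discovery": {"unit": "Days"}}},
    {"id": "INC-004", "pattern": "Crimeware",
     "timeline": {"compromise": {"unit": "Seconds"}, "discovery": {"unit": "Hours"}}},
    {"id": "INC-005", "pattern": "Web App Attacks",
     "timeline": {"compromise": {"unit": "Weeks"}, "discovery": {"unit": "Unknown"}}},
    {"id": "INC-006", "pattern": "Insider Misuse",
     "timeline": {"compromise": {"unit": "Days"}, "discovery": {"unit": "Months"}}},
]

UNIT_ORDER = ["Seconds", "Minutes", "Hours", "Days", "Weeks", "Months", "Years"]
DAYS_OR_LESS = set(UNIT_ORDER[:4])  # the "days or less" bucket from Figure 13

def _unit(incident, phase):
    """Timeline unit for a phase, or None when absent/Unknown."""
    unit = incident["timeline"].get(phase, {}).get("unit")
    return unit if unit in UNIT_ORDER else None

def top_patterns(incidents, n=3):
    """Most frequent incident patterns as (pattern, count) tuples."""
    return Counter(i["pattern"] for i in incidents).most_common(n)

def share_days_or_less(incidents, phase):
    """Fraction of incidents with a known `phase` timeline that took days or less."""
    known = [i for i in incidents if _unit(i, phase)]
    if not known:
        return None
    return sum(_unit(i, phase) in DAYS_OR_LESS for i in known) / len(known)

def discovery_slower_than_compromise(incidents):
    """Fraction of incidents (both timelines known) where discovery took longer."""
    known = [i for i in incidents if _unit(i, "compromise") and _unit(i, "discovery")]
    if not known:
        return None
    slower = sum(UNIT_ORDER.index(_unit(i, "discovery")) > UNIT_ORDER.index(_unit(i, "compromise"))
                 for i in known)
    return slower / len(known)

if __name__ == "__main__":
    print("top patterns:", top_patterns(INCIDENTS))
    for phase in ("compromise", "discovery"):
        print(f"{phase} in days or less: {share_days_or_less(INCIDENTS, phase):.0%}")
    print(f"discovery slower than compromise: {discovery_slower_than_compromise(INCIDENTS):.0%}")
```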