Big Valley Q&A with 2022 Verizon Data Breach Investigations Report Contributing Author Gabriel Bassett


    By Karen Burke | Story + Content | 0 comment | 31 May, 2022 | 0

    Gabriel Bassett is the lead data scientist and a contributing author on the Data Breach Investigations Report team at Verizon Enterprise Solutions, specializing in data science and graph theory applications to cyber security (including VERIS and Attack Flow).  He supports several information security data science conferences, is game architect for the Pros vs Joes Capture the Flag series, and has previously held cyber security risk management, testing, intelligence, architect, and program management positions at the Missile Defense Agency and Hospital Corporation of America. 

    What should be the top three security priorities for CISOs and other security practitioners based on the findings in the 2022 Verizon DBIR?  

    In the DBIR last year, we talked about engineering for the expected and operations for the exceptional.  The 2022 DBIR expands on this by discussing the four key access methods to the estate: Credentials, Phishing, Exploiting Vulnerabilities, and Botnets.  These represent the expected attacks and places where CISOs can target engineering through two-factor authentication and password managers, mail and web filters, asset management, consistent patch processes, and minimized internet attack surface, and finally anti-virus to catch latent malware.  If the expected is priority one, priority two is the human element.  We found that 82% of breaches involved the human element.  Finding mitigations for it and measuring the effectiveness of those mitigations (something addressed in Appendix C: Changing Behavior) is critical to the human element.  The third priority should be operations.  As we note on page 15 of the report, “The category of “Other” has stealthily crept into one of the top three spots (of Figure 19) this year as well. This is largely due to the dataset being long “tailed” and diverse. In other words, there are a lot of different things that aren’t in the top 10, but are still “noteworthy.”  To address the long tail, an organization needs security operations, no matter its size.  Large organizations can have a dedicated Security Operations Center.  Medium-sized organizations can have a managed security services provider.  And small organizations can buy IT services, like email, payment processing, or desktop management, that have security built in. 

    Ransomware attacks continue to rise (a 13% increase from 2020 to 2021). Yet the report also states that a large portion of ransomware incidents resulted in little or no profit at all. What motivates attackers to continue to use ransomware?     

    We had similar questions that resulted in Appendix E to the report this year.  In Appendix E, we model ransomware from an attacker’s point of view.  It models an attacker who’s more of a business person than a tech savvy type.  Our simulated attacker buys access on a criminal forum and then monetizes that access through Ransomware as a Service.  What we expected was to see something more like a business.  Invest a little money, get a little return.  Instead, it looks more like a lottery.  It’s very inexpensive to ‘play’ (attempt to access an organization) and while many plays don’t pay out, the ones that do can still make a tidy profit.  In our simulation of 500 ransomware actors, each with 300 simulated ransoms, the median profit was $178,465.  The maximum was $3.6 million while only 1.4% of simulated actors lost money.  It’s like going to a casino where you mostly lose, but when you win, it more than pays for your losses.  In that case, the best bet is to play as much as you can.  And so as long as there is easy access to be had, attackers will continue to prey on it. 

    What progress, if any, have organizations had in reducing attacker dwell time?

    In the timeline section we note that while detection times of days or less have continued to improve, it’s often driven by “Actor Disclosure”.  That often means Ransomware.  In other words, even though we’re detecting faster, it’s because the attackers are finishing their attack faster.  We’re still behind.  On the other hand, I do think that we’re driving most attackers to faster attacks.  Attacks with more actions may potentially have bigger payoffs, but, for most attackers, the extra work and risk isn’t worth it.  We’re driving attackers to shorter, more repeatable attacks.  That’s good news for the organizations that mitigate the subset of actions attackers are taking most often.  It’s bad news for organizations who are not making data-driven security decisions. 

    According to the report, 82% of breaches involved the human element. Based on that finding, what should practitioners – and security vendors – keep in mind as they head to the RSA Conference next week? 

    The bad news is there is currently no perfect mitigation for the human element.  That said, I’m encouraged by the fact that we see many companies trying new mitigations: improvements in training, testing (such as phishing), security quizzes, simulations, and things we’ve never even thought of.  The next step is to consistently test what works and what doesn’t.  That’s where Appendix C of the DBIR, Changing Behavior, comes in.  It lays out what to expect from a test that shows whether human element mitigations are working or not.  This can be something organizations run themselves or request from their vendor.  It’s our way of helping the process of finding mitigations to the human element. 

    The report does include some good news such as the dramatic decrease in incidents in the Accommodation and Food Services market. What other progress can you highlight? What are organizations doing right when it comes to security?

    I think a big, good news story from the DBIR this year is a second year of improvements in misconfigurations.  In 2019, misconfigurations were at their highest point leading to breaches of data from cloud storage services.  Since then, the cloud providers have put in a lot of effort to make the security impacts of configuration decisions clear, which gives us hope that the drop is due to folks maintaining cloud systems, better configuring their services and exposing less data. 

    In general, though, no one should walk away from the DBIR disheartened.  It explicitly looks at the areas in which we falter in security without acknowledging the multitude of organizations succeeding.  As we say in the DBIR, “nothing is perfect. Not people, not processes, not tools, not systems. (Not DBIR authors.)”  But that doesn’t mean we should give up.  Security is more like a season than a championship game. There will be mostly wins.  A few losses.  And almost always, another round on the field. 
