Verizon DBIR confirms we're rubbish, so let's do something about it

Verizon's latest Data Breach Investigation Report (DBIR) provides its usual comprehensive and witty overview of our infosec war against the bad guys. But we already know its core messages, or should do: we're rubbish at defending ourselves, we're not really getting any better, and we're concentrating on the wrong things.

The DBIR also highlights the vast difference in perception between governments and the security industry.

Governments are still banging on about the need to understand what's going on. The Australian government, for example, is building some sort of hand-wavey Australian Cyber Security Centre with this very goal.

"The centre will help develop a comprehensive understanding of the cyber threat to Australian Government networks and the Australian industry and business sector from the full spectrum of malicious cyber actors — from cyber criminals and lone hackers, through to nation states," Attorney-General Mark Dreyfus told the Critical Infrastructure Resilience Conference in Melbourne earlier this month.

Yet the industry is already awash with comprehensive understanding of the cyber threat, as William Hugh Murray from the US Naval Postgraduate School noted in the latest SANS NewsBites.

"Open source intelligence from Verizon, Mandiant, Kroll, Sophos, IBM, McAfee, Symantec, Microsoft, Google, Trustwave, Trusteer, SANS, and others almost too numerous to mention, has proved to be far more valuable than that promised, but grudgingly given, from the government," Murray wrote.

"That said, we may be reaching the limits of our bandwidth; my desktop is littered with reports that I have not found time to read."

I agree. We don't need yet another quarterly or monthly report to tell us that pharmaceutical spam has gone down three percentage points or whatever. But the DBIR gets onto my reading list because it's based on a proper analysis of actual data breaches, how they happened and how well the victims responded — not just an enumeration of bad things that might happen. It's clear up front about its methodology and its limitations. And it's eminently readable.

This year the DBIR has plenty on the current buzz-threat, "cyberespionage", how anyone could be a target, and how the profile of nation-stage actors differs fromnndmbnfgndfgndnrgnd... sorry, nodded off.

But I reckon the core message is conveyed by the "Timespan of events" chart, figure 41. It's the same as depressing reality ever. In most breaches the victim's network was compromised in a matter of hours, if not minutes or even seconds, and data exfiltration started a short time later — but the breach generally wasn't discovered for months or even years. And once discovered, the threat typically took days, weeks or even months to contain.

"We continue to view [the initial compromise to data exfiltration] phase in particular as a giant opportunity for improvement in our industry," the DBIR says.

"While it might be difficult to detect, positively identify, and respond to an intrusion within seconds or minutes, our ability to do so should ostensibly increase the longer they poke around our internal networks. But unfortunately, we're not really seeing that improvement."

Figure 42 highlights another depressing reality. After an apparent improvement between 2008 and 2010, things have been getting worse again.

"The majority of breaches take months or more to discover... We've lost any sign of forward progress and are back to where we were when we started this study," says the report.

"At least the large espionage-shaded region in the months column in figure 41 allows for casting off some of the blame for this. That pits the virtually unlimited resources of a nation against the very finite resources of a single company. Nobody can reasonably be expected to withstand THAT, right? Thank goodness for that 'get out of jail free' card. For a moment there it was looking like something would actually need to be done about this."

Sarcasm, obviously. It is obvious, right? Something does actually need to be done. But we knew this already. As I wrote in February, the information security industry is mostly screwed, and needs to admit it.

According to the DBIR, 76 percent of network intrusions exploited weak or stolen credentials; 75 percent were considered opportunistic attacks; 78 percent of initial intrusions were rated as low difficulty.

"Approximately 70 percent of breaches were discovered by external parties who then notified the victim," the report says, and fully a third of the total breaches were detected by some completely unrelated third party.

Meanwhile, things like network intrusion detection systems (NIDS), host intrusion detection systems (HIDS), log reviews, fraud detection, incident response teams or IT audits were each responsible for only around one percent of detections.

"We suspect organizations spend a lot more time and money on things that fall below the one percent mark... and do very little to hone and support the detection capability of their human resources," the DBIR says.

"Once again, end users represent the most effective means of detecting a breach internally... Typically, this involves a regular employee who, in the course of their daily responsibilities, notices something strange (e.g. slower system performance or an email that looks suspicious) and alerts IT or management. Let that fact and all its ramifications sink in."

This is exactly the security culture that Thales Australia's national security manager Jason Brown told us about last year. And it's exactly the point that IBRS security analyst James Turner made about the recently-revealed hack at the Reserve Bank of Australia.

But, to repeat, we know all this. As SANS Institute founder and director of research Alan Paller said, "Stop paying people to tell you what to do. Pay people to do it."

Disclosure: Stilgherrian has previously travelled to Singapore as Verizon's guest.