Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)
My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.
Keep in mind I live in the threat and vulnerability analysis space–I’m the guy tasked with keeping this kind of stuff from happening. It’s an uphill battle. If we got everything we wanted, this stuff wouldn’t happen, but we won’t, so we have to get as much as we can, and sometimes it’s enough.
1. In 2014, for half of newly disclosed vulnerabilities, a working exploit appeared within 30 days of release. Patch Tuesday starts the clock ticking. If you’re not patched within 30 days, you’re vulnerable. You can win this race, but it takes buy-in from the entire organization, good tools, and a good process. I’ve worked in shops where I’ve had those things and I’ve worked in shops where I didn’t–but I can tell you that factoids like that can help you get the buy-in and the tools if you lack them. You’ll probably be on your own for the process.
And the exploits for the other half, the ones that didn’t appear within 30 days, appeared within 48 weeks–still less than a year.
2. In practice #1 usually doesn’t matter, because 99.9% of breaches start with the exploitation of a vulnerability that’s at least a year old. I’ve been pricing patch management solutions and I know they aren’t cheap–the cheapest I’ve found runs about $5 per machine, and one of my teams is asking for a solution that costs $500 per machine. It’s expensive, and many companies don’t see the benefit, though I would advise them to turn to page 30, which discusses the cost of a breach. Spoiler: a breach of 100,000 records costs about half a million bucks to clean up. Unless the network is very small, it’s nearly impossible to update every machine manually, and even harder to do it thoroughly, so the work ends up spotty or non-existent. Older, time-tested exploits tend to be more reliable than new ones, and since the opportunity is there, attackers take it. In my mind, it makes sense to spend half a million bucks to make a breach much less likely rather than take unnecessary risks. I guess we’ll see in a year how many people read the DBIR, came to the same conclusions I did, and acted on them.
3. Breaches don’t always cost $200 per record. The $200 figure gets you close in some industries, but the math is actually harder than that, and the report provides a handy table that lets you estimate the cost of a breach whether it’s 1,000 records or 100 million. When someone asks how big of a deal something is, you can ask how many records are on that server, or how many customers the company has, then look it up in the table and give a couple of estimates.
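Point 1 only helps if you can measure it, so here is an added example (mine, not anything from the DBIR or from Verizon) that checks a patch inventory against the 30-day window the post argues for. The inventory rows, host names, placeholder vulnerability IDs and the as-of date are all constructed for the example; the only assumption is that the 30-day window is treated as a hard SLA and the clock starts at public disclosure.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumption for this example: the 30-day exploit window is treated as a hard SLA.
SLA_DAYS = 30


@dataclass
class PatchRecord:
    host: str
    vuln_id: str
    published: date              # date the vulnerability was publicly disclosed
    patched_on: Optional[date]   # None means the host is still unpatched


def exposure_days(rec: PatchRecord, as_of: date) -> int:
    """Days the host was (or still is) exposed, counted from disclosure.

    For an unpatched host the clock is still running, so count up to as_of.
    """
    end = rec.patched_on if rec.patched_on is not None else as_of
    return max((end - rec.published).days, 0)


def sla_report(records: List[PatchRecord], as_of: date,
               sla_days: int = SLA_DAYS) -> Dict[str, List[dict]]:
    """Bucket every record by where it stands against the SLA.

    within_sla      - patched inside the window
    open_within_sla - not yet patched, but the window has not closed yet
    outside_sla     - patched late, or still open past the window (worst first)
    """
    report: Dict[str, List[dict]] = {"within_sla": [], "open_within_sla": [], "outside_sla": []}
    for rec in records:
        days = exposure_days(rec, as_of)
        entry = {"host": rec.host, "vuln_id": rec.vuln_id, "days": days,
                 "patched": rec.patched_on is not None}
        if days > sla_days:
            report["outside_sla"].append(entry)
        elif rec.patched_on is not None:
            report["within_sla"].append(entry)
        else:
            report["open_within_sla"].append(entry)
    # Longest exposure first, so the top of the list is what to chase today.
    report["outside_sla"].sort(key=lambda e: e["days"], reverse=True)
    return report


# Constructed sample inventory; the IDs are placeholders, not real CVEs.
SAMPLE = [
    PatchRecord("web-01", "VULN-0001", date(2014, 4, 8), date(2014, 4, 20)),  # 12 days
    PatchRecord("web-02", "VULN-0001", date(2014, 4, 8), date(2014, 6, 3)),   # 56 days, late
    PatchRecord("db-01", "VULN-0002", date(2014, 5, 13), None),               # still open, 48 days
    PatchRecord("lab-07", "VULN-0003", date(2014, 6, 10), None),              # open, 20 days in
]
AS_OF = date(2014, 6, 30)

if __name__ == "__main__":
    for bucket, entries in sla_report(SAMPLE, AS_OF).items():
        print(bucket)
        for e in entries:
            state = "patched" if e["patched"] else "OPEN"
            print(f"  {e['host']:8} {e['vuln_id']:10} {e['days']:3d} days  {state}")
```

The useful bit is the third bucket: a host that is still unpatched gets charged for every day up to the as-of date, so an open item past 30 days lands next to the ones that were patched late instead of hiding in a "pending" column.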
It’s a bit depressing, which is why the Unknown Pleasures album cover doesn’t bother me. Closer was the sadder of the two Joy Division records, so maybe that means Verizon doesn’t think all is lost. I hope so.