Insights from the Verizon 2018 Data Breach Investigation Report

The 2018 Verizon Data Breach Investigation Report (DBIR) was published in early April, reporting on 53,308 security incidents and 2,216 data breaches from 67 contributors in 65 countries.

It’s an important read for organizational leaders, and cyber professionals to find data-driven evidence of industry-specific incident patterns. It’s also important to distinguish incidents from breaches. A breach is an incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party. The remainder of this article will discuss data breaches.

The following quote from Robert Novy, Deputy Assistant Director at the US Secret Service, is a good summary of the DBIR:

“Cybersecurity risks are products of three elements: threat, vulnerability, and impact. Whereas other reports on cybersecurity risks look at a single component of the risk landscape, the DBIR is an annual opportunity to consider the holistic risk picture based on evaluating actual incidents, rather than viewing single elements of cybersecurity risk in a vacuum. This enables organizations to prioritize and align their resources to reduce their cybersecurity risks.”

While the report describes numerous vulnerabilities that threat actors target to gain access to sensitive and valuable data, the number one attack vector remains compromised credentials.

2018 Report Highlights

Most attacks are opportunistic and target not the wealthy or famous, but the unprepared.
76% of breaches were financially motivated, with 13% involving espionage.
Almost three-quarters (73%) of cyberattacks were perpetrated by outsiders.
Members of organized criminal groups were behind half of all breaches, with nation-state or state-affiliated actors involved in 12%.
Over a quarter (28%) of attacks involved insiders, with healthcare the only industry where insiders cause more damage than outsiders.
Errors were at the heart of almost one in five (17%) breaches. That included employees failing to shred confidential information, sending an email to the wrong person, or misconfiguring web servers. While none of these were deliberately ill-intentioned, they could all still prove costly.
Phishing and pretexting represent 98% of social incidents and 93% of breaches. 78% of people don’t click on a single phish all year, however, 4% of people will click on any given phishing campaign.
Ransomware is the top variety of malicious software.
Cryptocurrency cybercrimes, from outright theft to hijacking the processing cycles, increased by more than one order of magnitude.
A number of breaches by industry highest to lowest: Healthcare, Accommodation, Public, Retail, Financial, Professional, Education.
Breaches by pattern: Web-apps, Misc, POS, Everything Else, Privilege misuse, Cyber Espionage, Lost and Stolen assets, Crime-ware.

Data Breach Patterns

The industry-specific research provides insight into attack patterns, threat actions, and incidents.

Verizon first identified the 9 patterns that categorize security incidents five years ago. Today, 333,000 incidents and over 16,000 data breaches later, 90% of data breaches continue to find a home within one of the original nine patterns.

These patterns reflect the type of underlying assets that are the criminal’s target and motivation.

For example, Privilege Misuse attacks resulting in breaches in Accommodation dwarf other attack modes, whereas in Manufacturing and the Public Sector cyber espionage is the top attack pattern.

What this shows is that criminals are most likely to stick to the tried and tested tools and methods that have proven effective in the past.

It’s not just Equifax, Uber, Yahoo! and other high-profile organizations that must learn from the DBIR. The profusion of attacks in the SMB market has proven that every organization, public or private, is at risk.

Vendor Overload and Complexity

Anyone who attended this year’s RSA Show in San Francisco could clearly see the security business is healthy from a vendor perspective. Paradoxically, however, not one of the vendors exhibiting could guarantee to their customers that they would not be breached while using their software or service.

Indeed, the security industry has always operated from a product-centric approach to protecting various aspects of vulnerability. Unfortunately, this product-driven marketing approach has caused a proliferation of products and solutions that do not integrate, require massive amounts of training and support, incur high support and maintenance costs, and add complexity.

Organizations spent a combined $150 Billion on cybersecurity in 2015 and 2016, according to Forrester, but during that same period, 66% of organizations reported five or more data breaches.

The traditional perimeter security model depended on firewalls, VPN’s and web gateways to separate trusted from untrusted users. While these solutions are still important, they are no longer as effective in a cloud, mobile, and IoT-centric world.

We need a new identity and data-centric approach. It’s called “Zero Trust Security,” and leading analysts and industry leaders are embracing it. Zero Trust security is a paradigm shift in thinking about security – and identity is the foundation of this new approach.

Applying Zero Trust Security Concepts to Reduce Risk

Zero Trust Overview

What is Zero Trust and why is it important in reducing breaches?

As this year’s DBIR states, despite all of the reported vulnerabilities, the number one attack vector is still compromised credentials. The traditional "Shore up the network" approach to security isn't working, because it doesn’t prevent legitimate identities from being used to compromise your data.

The Zero Trust model centers on the concept that the user inside the network perimeter is no more trustworthy than users outside a network. The bottom line is “never trust, always verify” prior to granting access.

The Zero Trust Identity and Access Model

Analyst firm Forrester has long been an advocate of Zero Trust, stating that, “CIOs must move toward a Zero Trust security strategy, as it’s the only approach to security that works.”

The bottom line is that all access, regardless of user type (employee, customer partner, admin, customer), application or infrastructure access, MUST be verified with Zero Trust.

The Zero Trust Security model is built on four pillars:

First, verify the user at a level of assurance that factors in context and risk, and ties to industry assurance levels such as NIST 800-63, leveraging Multi-Factor Authentication (MFA) at all touchpoints.

We must also validate their device — what do we know about their device? Is it jailbroken? Is it their normal PC? Are they accessing from public Wi-Fi? What is the current device security posture?

After validating the user and their device, we must limit access and privilege. This ensures the user has the rights to perform the task at hand but limits unnecessary access and constrains lateral movement within the organization.

Lastly, the system must learn and adapt. Modern machine learning and behavioral analytics can now be applied to perform risk-based access decisions. This approach enables real-time, automated response to an evolving threat landscape, to balance security with productivity.”

Applying Zero Trust Principles to the Top-5 Verticals

The healthcare vertical is the only industry where insiders cause more breaches than outsiders. While the majority of breaches are caused by curiosity or accidental errors, financial gain is featured in 40% of internal misuse breaches.

The following Zero Trust concepts combine to counter and reduce external and insider threats in healthcare, financial services, accommodation, public sector, retail across applications, end-points, and infrastructure for all users.

Single identity
Least access and least privilege policy
Workflow-driven just-in-time privilege elevation
Single sign-on and lifecycle management
Adaptive multi-factor authentication, everywhere
Session recording and auditing,
Removing admin privileges from trusted end-points.
Minimizing the use of VPN

Session recording and auditing are important in countering insider threats in all industries as well as for training and forensics. If insider security mindsets shift from believing they can get away with it, to knowing they will get caught for unauthorized data access, then the insider threat will be substantially contained.

As with all industries, Zero Trust does not just mean protecting identity. Data encryption, establishing access zones, using policy and network segmentation, anti-malware, anti-virus as well as data loss prevention software is required.

Conclusion

The 2018 DBIR provides a wealth of insight for cybersecurity practitioners. The question is what can you do to break the pattern of attack by eliminating or substantially reducing your vulnerabilities?

Forrester’s response is simple:

“CIOs must move toward a zero trust approach to security that is data- and identity-centric – and in our view is the only approach to security that works.”

This approach must be implemented across the entire organization. Whether you are giving users access to apps or administrators access to servers, it all comes down to a person, an endpoint, and a protected resource. That’s Zero Trust Security through the power of Next-Gen Access.