Investigative Response Case Metrics Initiative Preliminary findings from 700+ data compromise investigations

Size: px

Start display at page:

Download "Investigative Response Case Metrics Initiative Preliminary findings from 700+ data compromise investigations"

Sharlene Washington
6 years ago
Views:

1 Investigative Response Case Metrics Initiative Preliminary findings from 700+ data compromise investigations GLOBAL CAPABILITY. PERSONAL ACCOUNTABILITY. Wade Baker MiniMetricon 2.5 April 07, Verizon. All Rights Reserved. PTEXXXXX XX/08

2 Agenda Investigative Verizon Business IR Case Metrics Initiative IR Statistics & Trends 2

3 3 Who am I?

4 4 About Me Hats I Wear

5 5 About Me Hat I d Never be Caught Wearing

6 About Me Hat I d Never be Caught Wearing r =

7 7 About Me Hat I m trying to Wear

8 8 About Me Hats I Wear

9 9 About Me Hats I Wear

10 About Me Hats I Wear Research 10

11 About Me Hats I Wear Intel 11

12 About Me Hats I Wear Innovate 12

13 About Me Hats I Wear Risk 13

14 About Me Hats I Wear Metrics 14

15 About Me Hats I Wear DSS 15

16 About Me Hats I Wear IR 16

17 About Me Hats I Wear Then why are you here talking to us about investigative response trends? 17

18 About Me Hats I Wear Investigative Response Metrics Products & Services 18

19 About Me Hats I Wear Metrics 19

20 About Me Hats I Wear IR 20

21 21 Investigative Verizon Business

22 Investigative Verizon Business IT Investigative Support (On-demand) Guaranteed Response (Retainer-based) Incident Response Training (CIRT) Computer Forensic Training Electronic Data Recovery / Destruction Services Expert Witness Testimony Mock-Incident Testing Corporate IR Program Development Litigation Support & ediscovery Tactical Management Briefings 22

23 Investigative Verizon Business 230 cases in 2007 (1/4 of disclosures*) 185 cases in 2006 (1/4 of disclosures*) 166 cases in 2005 (1/3 of disclosures*) 130 cases in *Source:

24 Investigative Verizon Business 3 of the 5 largest data breaches 24

25 25 Overview: IR Metrics Initiative

26 Overview: IR Metrics Initiative 2004 Q3 2007: Some high-level statistics & trends; some diffusion of insight and data Q Present: Hundreds of case metrics defined & operationalized; systematic collection for all previous cases Near Future: Diffusion of data internally and externally; Reoccurring public report of findings 26

27 Overview: IR Metrics Initiative What s the current status of this effort? What s the dataset for this talk? 27

28 Overview: IR Metrics Initiative Sampling of cases from 2004-Present High-level caseload statistics and trends from each investigator Data collection on case backlog: Mostly complete for 2007, Majority for 2006, Partial for 2005 &

29 Overview: IR Metrics Initiative Bottom Line: This is a work in progress but there is more than enough data to support these findings 29

30 Overview: IR Metrics Initiative just add -ish to the end of all numbers 30

31 31 IR Case Metrics: Statistics and Trends

32 IR Case Metrics: Statistics and Trends Industry 32 Note: 2007 cases only

33 IR Case Metrics: Statistics and Trends What is the source of breaches? 33

34 IR Case Metrics: Statistics and Trends Source 34

35 IR Case Metrics: Statistics and Trends Source: External 35

36 IR Case Metrics: Statistics and Trends Source: Internal 36

37 IR Case Metrics: Statistics and Trends Source: Partner 37

38 IR Case Metrics: Statistics and Trends Source Geo 38 Note: 2007 cases only

39 IR Case Metrics: Statistics and Trends How do breaches occur? 39

40 IR Case Metrics: Statistics and Trends Methods, Top 10 40

41 IR Case Metrics: Statistics and Trends Methods, Continued Deceit - Social Engineering 13% Misuse - Non-malicious misuse of corporate resources 13% Malcode - Worm or Virus 13% Error - User error 13% Physical - Wiretapping / Sniffing 12% Misuse - Malicious misuse / abuse of access or privilege 12% Error - Inadvertent disclosure of sensitive data via web 10% Physical - Theft from external location 8% Error - Technical / system failure 8% Physical - Loss or misplacement of asset 7% Physical - System access or tampering 7% 41

IR Case Metrics: Statistics and Trends Difficulty High - Advanced skills and/or extensive resources were used Moderate - The attack involved skilled attacks and/or significant

42 IR Case Metrics: Statistics and Trends Difficulty High - Advanced skills and/or extensive resources were used Moderate - The attack involved skilled attacks and/or significant resources Low - Low-level skills and/or resources were used. Automated tools and Script Kiddies 42 None - No special skills or resources were used. The average user could have done it

43 IR Case Metrics: Statistics and Trends Targeted vs Opportunistic 43

44 IR Case Metrics: Statistics and Trends Vector 44

45 IR Case Metrics: Statistics and Trends Compromised Asset 45

46 IR Case Metrics: Statistics and Trends Compromised Data 46

47 IR Case Metrics: Statistics and Trends Time Span Point of entry to compromise = ~Hours Compromise to discovery = ~Months Discovery to mitigation = ~Weeks 47

48 IR Case Metrics: Statistics and Trends How are breaches discovered? 48

49 IR Case Metrics: Statistics and Trends Incident Discovery 49

50 IR Case Metrics: Statistics and Trends Anti-forensics Q = 14% of cases Q = 67% of cases 50

51 IR Case Metrics: Statistics and Trends Can breaches be prevented? 51

52 IR Case Metrics: Statistics and Trends Yes. 87% of incidents could have been avoided through the use of "due diligence" or "reasonable" security controls. 52

53 IR Case Metrics: Statistics and Trends Unknown Unknowns 53

54 IR Case Metrics: Statistics and Trends Asset / Data discovery & classification 70% Software / App development standards 57% Minimization or removal of replicated data 52% Identity Management 50% % of cases that would likely have been prevented (or at least substantially mitigated) if the control had been in place (or of better quality) at the time of the attack More restrictive access privileges 50% Firewalls / Routers configured for default-deny 47% Network segmentation or zoning 47% More consistent vulnerability patching 47% System hardening / minimal config 47% Disk Encryption 47% IDS / Network monitoring 43% 54

55 IR Case Metrics: Statistics and Trends Intrusion Prevention System 40% User awareness & training 40% Checks to identify technical non-compliance 40% Data Loss Prevention / Content filtering 30% % of cases that would likely have been prevented (or at least substantially mitigated) if the control had been in place (or of better quality) at the time of the attack Client / personal firewall 30% Antivirus software 23% Physical security controls 13% Anti-Spyware 13% USB Blocking 8% More frequent vulnerability patching 2% 55

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Defense-in-Depth Against Malicious Software Speaker name Title Group Microsoft Corporation Agenda Understanding the Characteristics of Malicious Software Malware Defense-in-Depth Malware Defense for Client