The Verizon Data Breach Investigations Report and the Ponemon Institute Cost of Data Breach study, which I wrote about this week, are rich with guidance and actionable information for enterprises. Let’s be clear: the value of these two annual reports does not lie in their being statistically valid samples from which we can extrapolate broad, general conclusions. It lies in the depth of the research and the methodology used to assess each organization covered, and in the insights we can draw and apply going forward.
The Ponemon survey, sponsored by Symantec, covers a relative handful of enterprises (49 in 2011), but applies its methodology rigorously, through some 400 interviews, to assess the total cost of each data breach. The direct components are the cost of detection and discovery; escalation (reporting up to the appropriate parties within the organization); notification of victims via email, calls, etc.; and ex-post response (answering follow-up questions from victims, helping with remediation and preventive measures, credit report monitoring, and so on).
The more profound cost is the impact on the customer base: temporary or permanent loss of customers and the cost of additional customer acquisition initiatives. This lost business is far and away the largest component of breach cost, and it accounted for the startling drop in the average cost of a breach in this year’s findings (from $7.2 million to $5.5 million per breach).
But the take-away from the Ponemon survey is not a celebration that the average cost is down. We have to be cautious about generalizing from the findings. And even if the findings are representative of what is happening across the business world, $5.5 million is still $5.5 million.
The value of the survey is the insight into how an enterprise can accurately calculate the loss associated with its own data breaches so it can better understand the associated risk and determine the appropriate preventive measures based on a cost vs. risk assessment. The report includes a good description of Ponemon’s methodology, which can be used as a starting point. Symantec has also made available a data breach risk calculator to help estimate the likelihood and impact of a potential breach.
The Verizon report’s secret sauce is its Verizon Incident Sharing (VerIS) framework, which its investigators apply in every case so that all incidents are described with a common methodology and reporting standard. The framework records in detail which systems were compromised, how they were compromised, the type of agent responsible (e.g., external hacker, insider, partner), which weaknesses were exploited and what type of data was stolen. Verizon characterizes this as the A4 Threat Model for describing each incident:
- Agent: Whose actions affected the asset
- Action: What actions affected the asset
- Asset: Which assets were affected
- Attribute: How the asset was affected
In addition to the Verizon cases, each of the contributing agencies (the United States Secret Service, the Dutch National High Tech Crime Unit, the Australian Federal Police, the Irish Reporting and Information Security Service and the Police Central e-Crime Unit of the London Metropolitan Police) applied the VerIS framework to gather case data for the report.
The framework enables investigators to identify and cross-reference each characteristic of each incident very precisely, which produces detailed and highly useful data. Verizon chose to share the framework publicly a couple of years ago and also offers an incident analysis service based on it.
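To make the cross-referencing concrete, here is a small Python model of A4-style incident records, added as an illustration; it is not code from Verizon or part of the VerIS framework. The enumeration values (the allowed agents, actions, assets and attributes), the `Incident` fields and the five incidents below are simplified assumptions constructed for this example, not the framework's real vocabulary or real case data. What the example shows is why a controlled vocabulary matters: once every case is coded the same way, questions like "which agent/action pairs dominate", "how long did detection take" and "who found the breach" become simple tabulations rather than a re-read of every case file.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Simplified A4 vocabulary. These sets are assumptions made for this
# example, not the framework's actual enumerations.
AGENTS = frozenset({"external", "internal", "partner"})
ACTIONS = frozenset({"hacking", "malware", "social", "misuse", "physical", "error"})
ASSETS = frozenset({"server", "user_device", "network", "person", "media"})
ATTRIBUTES = frozenset({"confidentiality", "integrity", "availability"})


@dataclass(frozen=True)
class Incident:
    """One incident coded on the four A4 dimensions, plus the few facts
    needed to measure detection lag and who discovered the breach."""
    incident_id: str
    agents: FrozenSet[str]
    actions: FrozenSet[str]
    assets: FrozenSet[str]
    attributes: FrozenSet[str]
    compromised: date
    discovered: date
    discovered_by: str      # "internal" or "external" (assumed labels)
    records_lost: int

    def __post_init__(self) -> None:
        # Reject anything outside the shared vocabulary: a case that is not
        # coded consistently cannot be cross-referenced with the others.
        for name, values, allowed in (
            ("agents", self.agents, AGENTS),
            ("actions", self.actions, ACTIONS),
            ("assets", self.assets, ASSETS),
            ("attributes", self.attributes, ATTRIBUTES),
        ):
            bad = set(values) - allowed
            if bad or not values:
                raise ValueError(f"{self.incident_id}: invalid {name} {sorted(bad)}")
        if self.discovered < self.compromised:
            raise ValueError(f"{self.incident_id}: discovered before compromise")
        if self.discovered_by not in ("internal", "external"):
            raise ValueError(f"{self.incident_id}: unknown discoverer {self.discovered_by!r}")

    @property
    def detection_lag_days(self) -> int:
        return (self.discovered - self.compromised).days


def crosstab(incidents: Iterable[Incident], dim_a: str, dim_b: str) -> Counter:
    """Count incidents per (value_a, value_b) pair across two A4 dimensions.
    An incident with several values on a dimension counts once per pair."""
    table: Counter = Counter()
    for inc in incidents:
        for a in getattr(inc, dim_a):
            for b in getattr(inc, dim_b):
                table[(a, b)] += 1
    return table


def summarize(incidents: Iterable[Incident]) -> Dict[str, float]:
    """Headline figures of the kind the report draws from its coded cases."""
    incs: List[Incident] = list(incidents)
    n = len(incs)
    lags = sorted(i.detection_lag_days for i in incs)
    median_lag = lags[n // 2] if n % 2 else (lags[n // 2 - 1] + lags[n // 2]) / 2
    return {
        "incidents": n,
        "external_agent_share": sum("external" in i.agents for i in incs) / n,
        "discovered_externally_share": sum(i.discovered_by == "external" for i in incs) / n,
        "median_detection_lag_days": median_lag,
        "records_lost": sum(i.records_lost for i in incs),
    }


# Constructed sample cases (not real incidents), coded with the vocabulary above.
SAMPLE_INCIDENTS: Tuple[Incident, ...] = (
    Incident("inc-001", frozenset({"external"}), frozenset({"hacking", "malware"}),
             frozenset({"server"}), frozenset({"confidentiality"}),
             date(2011, 1, 10), date(2011, 5, 2), "external", 20000),
    Incident("inc-002", frozenset({"external"}), frozenset({"hacking"}),
             frozenset({"server", "user_device"}), frozenset({"confidentiality"}),
             date(2011, 3, 1), date(2011, 3, 20), "external", 300),
    Incident("inc-003", frozenset({"internal"}), frozenset({"misuse"}),
             frozenset({"server"}), frozenset({"confidentiality", "integrity"}),
             date(2011, 2, 14), date(2012, 1, 5), "internal", 1200),
    Incident("inc-004", frozenset({"external", "partner"}), frozenset({"social", "malware"}),
             frozenset({"person", "user_device"}), frozenset({"confidentiality"}),
             date(2011, 6, 6), date(2011, 9, 9), "external", 45000),
    Incident("inc-005", frozenset({"external"}), frozenset({"physical"}),
             frozenset({"media"}), frozenset({"confidentiality", "availability"}),
             date(2011, 8, 1), date(2011, 8, 3), "internal", 90),
)

if __name__ == "__main__":
    for pair, count in sorted(crosstab(SAMPLE_INCIDENTS, "agents", "actions").items()):
        print(f"{pair[0]:>9} x {pair[1]:<9} {count}")
    print(summarize(SAMPLE_INCIDENTS))
```

Two design points carry over to a real program. First, validation in `__post_init__` is where the "common reporting standard" is enforced; without it the cross-tabulation silently fragments ("hack" and "hacking" become two rows). Second, `crosstab` counts an incident once per matching pair, so an incident with two agents and two actions appears four times; decide up front whether you want that or a primary-value-only count, and document it, because it changes the shares you report.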
The methodology has great practical value to an enterprise security program. The George Santayana adage that “those who cannot learn from history are doomed to repeat it” applies here. Eight years of investigations show how little has really changed. There have been trends in the nature of attacks, and ebbs and flows in the number of records stolen, but the distressing news is that most victim organizations continue to be compromised through very avoidable errors and fixable vulnerabilities. All our technology and emphasis on log review notwithstanding, data breaches typically go weeks, months, even years without being detected, and in most cases the organization learns about the breach from an outside party. It makes one wonder how many organizations are breached and remain unaware.
I thought of this as I read how the overwhelming majority of attacks are perpetrated by external agents, mostly against smaller, less secure organizations, yielding relatively small, albeit valuable, amounts of information, in contrast to the sudden burst of massive data thefts executed by hacktivists against large organizations. How many companies don’t know that an attacker may have stolen, and continues to steal, their intellectual property? A large breach of payment data may be discovered by a third party that notices a spike in fraudulent credit card activity, for example, or targeted spam. But IP theft may go undiscovered until pirated software, or products built from your stolen manufacturing designs, suddenly appear on foreign markets. In the report, in fact, Verizon speculates that the low incidence of insider and partner breaches may be somewhat misleading, as these actors are better able to operate under the radar.
Getting back to Santayana: once enterprises know they have been breached, they can apply the VerIS framework (or whatever custom adaptation they choose) to get a firm grasp on where they are vulnerable and which policies, practices and processes need to be shored up, gain some insight into who is likely to attack them and why, and incorporate all of this into their business risk assessment.