(This blog was originally published in May 2019.)
The 2019 Data Breach Investigations Report by Verizon is here! As a contributor to the report, we’re excited to see the DBIR published and read its conclusions. Our decision to contribute to this year’s report, as we have in the past, stems from our belief in knowledge sharing as a key way to combat today’s innovative threat actors. As this year’s DBIR states in its introduction, “We all have wounds, none of us knows everything, let’s learn from each other.” So, let’s take a look at what we can learn this year.
Interset’s user and entity behavioral analytics (UEBA) is uniquely positioned to detect insider threats quickly and accurately. That doesn’t mean we only work to detect malicious or negligent employees; we also look for behavioral clues inside of your business that indicate someone on the outside might be trying to intrude and cause harm. The data we contributed to this year’s report speaks to a range of suspicious activities that we’ve seen in the real world, such as unauthorized, late-night print jobs, IP theft via email, account compromise, and more. As such, we are particularly keen to see the DBIR’s findings as they relate to these types of breaches.
According to the 2019 DBIR:
- 34% of data breaches involved internal actors
- 15% of data breaches were caused by misuse from authorized users
- Errors were causal events in 21% of data breaches
Misuse by authorized users is a key area of interest for us. Digging deeper into that statistic, we saw that the DBIR listed privilege abuse, data mishandling, unapproved workarounds, knowledge abuse, and email misuse as the top five types of misuse relating to the data breaches studied. These types of activities are compelling to read about because they are likely to manifest in some type of behavioral clue or footprint that indicates something is amiss.
Some stats also confirmed the frequency of breaches caused by outsiders but perhaps facilitated by an insider in some form. For example:
- 32% of data breaches involved phishing
- 29% of data breaches involved the use of stolen credentials
We can certainly attest to the fact that account compromise is a commonplace problem. We’ve seen this left and right in data breaches in news headlines as well as among customers. Compromised accounts are often facilitated by phishing or bad cyber hygiene, and they’re a prime entry point for a malicious actor to get access to a business and its high-value information. Once an account is compromised, serious damage can be done. If you’re interested in seeing an example of this, be sure to check out our blog, Most Wanted Insider Threats: The Tale of a Compromised Account.
Another area of interest for us is the speed of detection and, according to this year’s DBIR, it seems it’s a much-needed capability for most companies. According to the report, 56% of breaches took months or longer to discover. It’s important to be aware of this because the time-to-compromise in a data breach can be very quick. That means that it may take a matter of minutes for someone to infiltrate your business and steal data, but it may take months or even years to discover that there was a breach in the first place. By that time, the malicious actor (and your IP) will be long gone. As attack techniques become more sophisticated and allow for quicker action, it’s important for security teams and detection methods to keep pace.
Of course, these are just a handful of interesting tidbits from this year’s report. There’s a lot to dig into and hopefully a lot of fuel for discussion—both for organizations looking to better protect themselves and vendors looking to find better ways to offer protection. Be sure to take a look at the 2019 Data Breach Investigations Report by Verizon for yourself, and tell us what you think in the comments below.