Video: Inside the Verizon Data Breach Investigations Report 2011
Date: Apr 08, 2011
To preview the Verizon Data Breach Investigations Report 2011 edition, SearchSecurity.com sits down with Wade Baker, Verizon's director of risk intelligence.
In this interview, Baker briefly discusses Verizon's recent acquisition of data center operator Terramark, plus offers in-depth insight on the frequently asked questions and methodology behind the report, the surprising takeaways from the 2010 report -- including why frequent password changes and patch implementations may not always prevent breaches -- and highlights changes in how the 2011 report is being developed.
Read the full transcript from this video below:
Inside the Verizon Data Breach Investigations report 2011
Eric Parizo: Hi, I'm Eric Parizo from SearchSecurity.com. It's great to have you with us. Joining us today is Wade Baker, Director of Risk Intelligence for Verizon. Wade, thanks so much for being with us today.
Wade Baker: Absolutely, glad to.
Eric Parizo: Let's start by talking about Terramark. Verizon recently announced a $1.4 billion acquisition of the data center operator. I know for obvious legal reasons you can't talk about the specifics of the deal, but the combined company would have a huge footprint, nearly 250 data centers worldwide. What does that mean to have an expanded footprint in terms of availability, business continuity, and ultimately security?
Wade Baker: Well, I think it's a good thing. It certainly fits with where media and real trends are going. I did a little word cloud of RSA last year, RSA this year of all titles and this year security's the biggest word cloud is next biggest word. So everybody is thinking about it and it's top of mind. So certainly it helps with that and for Verizon, it's going the direction we want to go. We have great networks, great wireless networks, and it's really about the services that are layered on top of the network.
Eric Parizo: Let's talk about the Verizon breach report. In a nutshell, for those who aren't familiar with it, what is the Verizon Data Breach Investigations Report? Tell us about it.
Wade Baker: It started in 2008 and it is us combing through all the forensic evidence that we collect when we go. We do breach investigations; they are paid engagements that we have a service team that does that. We collect all that together, we analyze it, and we publish these trends in various categories about what happened the year before. The first two years of that it was just Verizon's IR team, and in 2010 the Secret Service, who also has a breach investigative arm because of the financial fraud that's tied into that. It's a big collection of hundreds of security incidents and what happened and who did it and what it affected, all of those kinds of things.
Eric Parizo: The most recent report was issued last July. One of the key takeaways was that stolen credentials, stolen through a variety of ways, are the most common method that attackers use to gain access to enterprises. Tell us about that.
Wade Baker: This happens in many different ways. The most common, really, that we've seen in the last couple years is stolen through malware, largely key loggers. It can also be stolen through a SQL injection attack, where they query usernames or passwords out of a database. It could be through phishing, it could be through social engineering. So there are many ways that people can get your credentials. The reason they want to do this is obvious, because if they look like you when they log in they're allowed to access what you are allowed to access. And of course they don't have nice intentions like you do. And so they misuse your access to steal data, for whatever nefarious purposes they have in mind.
Eric Parizo: So what controls should enterprises put in place to respond to the threat of stolen credentials? Frequent password changes, two-factor authentication? What's the best practice?
Wade Baker: Yeah, it's an interesting thing. Take password changes, for instance; a lot of people recommend frequent password changes. From the data that I've seen, I'm not sure how much difference that really makes. It's counter-intuitive when you think about it. But, a lot of times, if they get your credentials, there's a 90-plus, 99% chance they are going to use them to gain unauthorized access before it would be a change window. It's one of those things, it's not like they steal your credentials and then a year down the road they try to get in, and so, oh, it's no longer the right password. It's one of those things, just keeping malware out. I mentioned that malware is the number one method by which they obtain your credentials. So, if we can keep malware off systems and keep insiders from visiting sites where they get infected with malware and those kinds of things, that does a huge positive benefit there. There are other things like notifying you of login times. We can restrict where, so if you live in North America and you log in to your company through a North American IP address and all of a sudden your credentials are used from Russia or China, that could set off an alarm. We can restrict those kinds of things. So there are lots of different ways of, at least, reducing the risk.
Eric Parizo: So it sounds like the most important thing is to simply be aware that that's a significant issue that every enterprise needs to.
Wade Baker: Absolutely, and thinking how much can we trust just a username and a password is something as well. What else can we do?
Eric Parizo: Perhaps the most surprising finding of the 2010 report was that attackers aren't targeting what's called patchable flaws; instead, it's SQL injections, stolen credentials, back doors, etc. Does that mean the focus should shift away from patch management toward things like intrusion detection, log analysis, and code review?
Wade Baker: In the short term, I think probably so. I want to caveat that because we get a lot of questions about this. "You told me I'm wasting my money on patching," and we're not saying that at all. What we're saying is that most companies have a patch management program, and most companies patch within a reasonable time frame. They are pushing patches every month, or some are two weeks, and some are less than that. Rarely do we ever see breaches that occur because something wasn't patched in a shorter time frame than that. So, the message, in other words, is not that you really need to speed up your patch management programs and spend 5X money to get all those patches deployed tomorrow night. It's really, when breaches occur and patches have not been deployed, it's because these machines are outside, they've fallen out. Somehow they've not been patched for a year or two and those are the ones that are found by the hackers and infiltrated, and that's where a lot of breach, that's the first toehold into your organization. So, it's about breadth, comprehensiveness, instead of speed.
Eric Parizo: 2010 was a significant year for the report, because it was the first time that data from the Secret Service was included. How did you work out an arrangement to use that data, and what does it mean for the validity of the report itself?
Wade Baker: That's a good question. We worked with the Secret Service for a long time before. If you kind of remember the publication time frame like you mentioned, it was published in July. We like April; it is a good publication time frame. So part of that delay was working out all those details. It took a significant amount of time. You're working with another organization, you're talking about sensitive data, and you're talking about a secretive government organization. We started from just the premise that we're interested in that, they are interested. The government is interested in public-private partnerships, and especially when we could discuss, this information can be shared without the Secret Service releasing any of their client names. We don't know who they did those cases with; all of that information is scrubbed. We just know the basic elements of what we publish in the report. So once we worked out that mechanism it was just a matter of time of collecting the data and all of those kinds of things. Every discussion I've had with them is they've been pleased and we've been pleased. So, about your question of the validity of the report, I was thrilled to be able to do that last time. Because a lot of people rightly ask, "How much should I trust your sample? Does Verizon see all of the world's breaches, or are you just in some little niche and yeah, that's great, but how is that relevant to me?" So, as far as I'm concerned, the larger we can make that sample and the more people we can get contributing data, I think the more we can trust and really think that what we see in here is way the actual, these are the real problems in the real world.
Eric Parizo: The methodologies used to assemble the report from time to time come into question. What are the most common questions that you hear and how do you respond to them?
Wade Baker: Yeah, so when we started this we had the issue of, we've got three or four years of data to go back over and how in the world do we look through all of these cases and publish that. So we took a method that was a little bit lower, less deep, and had a larger breadth, and we collected data, we talked to the investigators, we looked at old case reports. It was a very manual process, if you will, but we still collected that, we analyzed it and published those results. And like, for instance, this past year we used an application. We've moved into the application world and it's more ongoing in nature. So when we do a case there's submission of those results stored in the database. We get that and the methodology behind that is improving in many ways. As far as the tools the investigators themselves use, that's been fairly stagnant during the whole time. They use different software to actually collect the evidence and do their investigation. It's just the transfer over for the post-analysis of those things is getting better, more efficient.
Eric Parizo: And finally, what's the plan and the timeline for Verizon's 2011 report?
Wade Baker: The plan is we're actively doing analysis on that right now, speaking of the methodology and analysis. It takes a fairly long time to actually go through this, so we've had a few surprises. Secret Service is with us again for 2011. They submitted to us over 500 cases, so a lot more data than we even had last year. We're busy combing through that, so it's a good problem to have. So they are with us, we have a European law enforcement agency that's going to be with us as well. And we'll talk a little more about that in the coming weeks; we're not naming any names yet. But that will give an interesting perspective that's non-US based. So, I'm looking very forward to that. But its publication late April is what we're targeting, so we're in the midst of it as we speak.
Eric Parizo: Wade Baker, Director of Risk Intelligence for Verizon. Thank you so much for joining us today.
Wade Baker: Glad to.
Eric Parizo: And thank you for joining us as well. For more videos, remember you can always visit SearchSecurity.com. I'm Eric Parizo, stay safe out there.