
Verizon DBIR 2015 tackles data breach cost predictions

In its 2015 Data Breach Investigations Report, Verizon debuts data breach cost estimates based on newly available data, and also advocates for better threat intelligence sharing among different industries facing common threats.

Enterprises have long struggled to accurately estimate the cost of a data breach because of the many variables involved, but in its new Data Breach Investigations Report, Verizon is confident enough in its newly gathered data to offer predicted data breach cost ranges for the first time.

Even more surprisingly, in some instances breached data may cost a company less than anyone thought.

The 2015 Data Breach Investigations Report (DBIR), released today, is Verizon's eighth annual benchmark report, offering an unparalleled analysis of the previous year's data breaches and advice for enterprises on how to avoid future breaches.

This year's report includes breach incident data contributed by a record 70 organizations, up from 50 contributors last year, including 31 new contributors (see sidebar).

As in years past, all the incident data in the report is standardized using the VERIS incident-sharing framework, Verizon's own schema for analyzing security incident data using common categories, including threat actor, incident type, discovery and mitigation, and impact.

In an overview of its 2014 data set, Verizon saw confirmed data breaches rise 55% year over year to 2,122, and security incidents (defined by Verizon as any event that compromises the confidentiality, integrity or availability of an information asset) rose almost 26% to 79,790.

Closer to pinning down cost per breach

In a new twist to this year's report, Verizon has endeavored to pin down the cost per breached record, creating what may be the first data-based average data breach cost ranges for enterprises.

Verizon DBIR 2015, Figure 22: Expected average loss by records lost
Colored region represents the estimated average loss with 95% confidence.

For example, a small data breach where only 100 records are lost would most likely cost an organization anywhere from $18,120 to $35,730, but could cost as much as $555,660. Meanwhile, a mammoth breach of 100 million records would have an average cost between $5 million and $15.6 million, with a maximum estimation close to $200 million.

Perhaps most surprisingly, as part of an exercise to illustrate both the many factors involved in estimating the cost of a breach and the flaws associated with the existing cost-per-record models, Verizon said the traditional process of dividing a sum of all loss estimates by total records lost against its data set resulted in an average cost per breached record of just $0.58.

Verizon DBIR 2015, Figure 23: Ranges of expected loss
Verizon says its ranges of expected loss show there is definitely some opportunity for improving the estimate of loss from breaches.
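To see why the pooled "total loss divided by total records" figure comes out so low, here is an added illustration (not Verizon's model or data) run over a handful of constructed breaches: one very large breach dominates the record count, so the pooled ratio says almost nothing about what a small breach costs.

```python
"""Pooled cost-per-record versus per-incident cost.

SAMPLE_BREACHES is constructed for illustration and is not DBIR data.
Each tuple is (records lost, total loss in USD).
"""
from statistics import median

SAMPLE_BREACHES = [
    (100, 25_000),              # small breach: $250 per record
    (1_000, 60_000),            # $60 per record
    (50_000, 400_000),          # $8 per record
    (100_000_000, 10_000_000),  # mega-breach: $0.10 per record
]


def pooled_cost_per_record(breaches):
    """Traditional method: sum of all losses / sum of all records lost."""
    total_loss = sum(loss for _, loss in breaches)
    total_records = sum(records for records, _ in breaches)
    return total_loss / total_records


def per_incident_costs(breaches):
    """Cost per record computed separately for each incident."""
    return [loss / records for records, loss in breaches]


def largest_breach_record_share(breaches):
    """Fraction of all pooled records contributed by the single largest breach."""
    total_records = sum(records for records, _ in breaches)
    return max(records for records, _ in breaches) / total_records


def summarize(breaches):
    """Compare the pooled ratio with the per-incident distribution.

    Also shows what the pooled ratio would predict for the smallest
    breach in the sample versus the loss actually recorded for it.
    """
    pooled = pooled_cost_per_record(breaches)
    smallest = min(breaches, key=lambda b: b[0])
    return {
        "pooled_per_record": pooled,
        "median_per_record": median(per_incident_costs(breaches)),
        "largest_share_of_records": largest_breach_record_share(breaches),
        "small_breach_pooled_estimate": pooled * smallest[0],
        "small_breach_actual_loss": smallest[1],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BREACHES).items():
        print(f"{key}: {value:,.2f}")
```

The pooled figure lands near $0.10 per record while the median per-incident cost is $34, and the pooled ratio would predict about $10 for the 100-record breach that actually cost $25,000.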

Verizon noted that the major new data point supporting its ability to make these calculations for the first time was the addition of data from a study by Gladwyne, Penn.-based NetDiligence, which analyzed insurance claims for security breaches.

Bob Rudis, security data scientist for Verizon's Enterprise Solutions division, said that Verizon looked at many common types of data that would be compromised in a breach -- like card data, personally identifiable information and medical data -- but could not get information on trade secret data losses.

Rudis admitted the data isn't perfect, and no matter how the data was processed and analyzed, the best model created could only describe about half of the total variance in the data.

"We did the classifications that we would do for any incident and tried to refine the model many ways," Rudis said, "but we're as disappointed as anyone to say that there are a lot of things contributing to the cost of breaches that we can't account for yet."

Rick Holland, principal analyst for security and risk management at Cambridge, Mass.-based Forrester Research Inc., was unconvinced that the data needed to complete the prediction model would ever be available, because it may be rooted in how data is valued.

"Predicting breach costs is much easier to do in a world where you're talking about lost records, but the missing piece is how you value the intellectual property and potential future losses," Holland said. "It's much easier for insurance companies to value structured data, and even insurance companies will have difficulty evaluating potential future losses."

Attack patterns and threat intel sharing

Verizon found that, like last year, the vast majority of reported data breaches (96%) can be categorized by one of nine basic attack patterns.

Last year's DBIR highlighted how the top three attack patterns combined to account for more than two-thirds of confirmed data breaches; in the 2015 report, the top three combined for just under two-thirds of confirmed breaches.

The difference this year is that while cyberespionage and point-of-sale (POS) intrusions remained in the top three, Web application attacks was replaced by what Verizon labels as crimeware (defined as malware that is not associated with more specialized classification patterns such as espionage or POS), jumping up to second on the overall list of common attack patterns.

As in years past, Verizon once again detailed the top attack patterns within specific industries, but also found that there can be quite a bit of overlap in attack patterns across industries, specifically in regard to key VERIS characteristics such as threat actors, actions and compromised assets.

When looking at the frequency of data disclosures by incident pattern and industry over the past three years, enterprises within certain industries might take away the idea that focusing on specific attack patterns will offer a leg up on security. Logically, for instance, accommodation, entertainment and retail industries were among the hardest hit by POS attacks.

Verizon 2015 DBIR, Figure 29: Frequency of data disclosures by incident
According to Verizon, a lot of threat patterns didn't reveal major changes in its 2015 report, so some may wish to refer back to the 2014 DBIR for a primer on incident patterns.

In other instances, trends are harder to interpret, like manufacturing seeing 60% of breaches through cyberespionage and 34% via crimeware, because Verizon's data shows that more specific industry subsectors within the manufacturing vertical often have less in common with each other and more in common with other industries like public courts in terms of security incident characteristics.

"There are a few closely grouped subsectors but by and large, the colors/numbers intermingle in melting-pot fashion," Verizon said in the report. "It means that many subsectors in different industries actually share a closer threat profile than do subsectors in the same overall industry."

Verizon in the report suggested that limiting threat intelligence sharing to broader industries may not be the best idea, nor is having compliance and regulatory standards imposed on an industry level. Verizon said that a better option could be to regulate common "risk activities" across industries, similar to how the PCI DSS applies to all industries that process payments.

Without having seen the report, Holland said that the idea of more commonality of threats across industries seemed counterintuitive, but saw potential reasons for such overlap to occur.

"As you see threat actors targeting different verticals," Holland posited, "you may see components of an attack reused in new attacks on similar systems."

Regardless of the industry and type of threats faced, Verizon also put forth that better threat intel sharing could help the overall weak data breach response speed for enterprise. This is in part due to malware becoming more unique to each organization.

Verizon defined "unique" in terms of a signature/hash identifier, because it found that 70% to 90% of malware samples are unique to an organization when looking at these signatures. Verizon was clear to note that this doesn't necessarily mean that antivirus is no longer a viable piece of a security portfolio, but warned against relying solely on signature-based blocking.

"'Signatures alone are dead' is a much more appropriate mantra," Verizon said, "that reinforces the need for smarter and adaptive approaches to combating today's highly varied malware."

Verizon indicated that while 2014 had the smallest deficit ever recorded between the time to compromise for an attack and the time for IT to discover the attack, the overall 10-year trend line shows the deficit growing larger.

Verizon DBIR 2015, Figure 5: The Defender-Detection Deficit
According to Verizon, the proportion of breaches discovered within days still falls well below that of time to compromise.

Verizon said that the lengthy amount of time it takes for an enterprise to discover a breach event once it begins is among the primary challenges facing the security industry, especially in the face of related data regarding the speed at which attacks spread and change. Verizon found that 40% of attacks spread from "Victim 0" to "Victim 1" in less than one hour, and 75% spread within the first 24 hours. Additionally, most IP addresses used in an attack were found to change within one day.

This kind of speed in attacks makes both detection and response much more difficult, according to Verizon, and it puts pressure on enterprise to employ better indicator-based intelligence sharing in order to "maximize our collective preparedness."

"It's almost impossible to suggest that an organization can ingest everything and apply it anywhere," said Rudis. "However, you can build that community to share threat intelligence, which is very important."

Holland agreed that better threat intelligence sharing is a good idea on the whole, but said that many organizations still don't have the capability for quality threat intelligence sharing.

"It's a nice idea, but many companies don't have the infrastructure in place to share threat intelligence or act on shared intelligence," Holland said, "because there is still a lot of manual processing to be done on intel feeds."

POS security evolution

Verizon's 2015 DBIR data on attack patterns shows POS attacks worsening significantly from the previous year, with a jump from 14% of breaches that included data disclosures to 28.5% this year. Jay Jacobs, a data scientist at Verizon, said that because of the way data is collected, enterprises shouldn't try to read too much into that proportional data.

"Security incidents are dominated by the US-CERT data for federal agencies because they have mandatory reporting," Jacobs said, "so we have an enormous number of things that explode the proportion of POS and security incidents."

However, Jacobs noted that in terms of pure numbers, POS attacks did rise last year, and Verizon suggested that part of the reason for this jump is the evolution of POS techniques. Whereas POS attacks have traditionally used simple storage scraping, modern attacks include more active RAM scraping.

Verizon noted that the purpose of attacks targeted at POS systems can differ based on the size of the organization involved.

"For small orgs, the POS device is directly targeted, normally by guessing or brute-forcing the passwords," Verizon said in the report. "Larger breaches tend to be a multi-step attack with some secondary system being breached before attacking the POS system."

Holland said that while POS techniques may be evolving, so too are defenses against POS attacks because of high-profile breaches like that with Target Inc.

Verizon also found more instances where vendors providing POS services were the targets of attack, and in those cases all breached POS vendors also had remote access credentials compromised. Verizon said that the danger with this is that it would give attackers access to customer environments and potentially payment information, and warned that this could show a trend of more varied attacks on POS systems.

Holland was not surprised by this finding, and noted that it is becoming more common across industries to see third-party providers being targeted as a way to gain access to other organizations.

The power of patching

A big addition to Verizon's DBIR data set this year in terms of vulnerabilities exploited was thanks to Chicago-based Risk I/O Inc. Verizon said that Risk I/O aggregated vulnerability exploit data from over 20,000 enterprise threat feed partners in more than 150 countries beginning in late 2013.

The data set included more than 200 million successful exploitations across over 500 vulnerabilities, determined by "correlating SIEM logs, analyzing them for exploit signatures, and pairing those with vulnerability scans of the same environments to create an aggregated picture of exploited vulnerabilities over time."

Verizon said that in its first DBIR from 2008, it had found that 71% of vulnerabilities had a patch available for at least a year, but were still breached because the patch was never installed. This is a trend that has not changed according to the new data, as Verizon said that in 2014, 99.9% of vulnerabilities were exploited more than one year after the corresponding CVE was published.

Jacobs noted that this doesn't necessarily mean that there was a patch released for the published vulnerability, but said that it is common for patches to be released along with the publishing of the CVE listing.

The most telling data point in regards to enterprises' patching struggles is that 97% of exploits observed in 2014 could be traced back to 10 CVEs. Only one of the 10 was a CVE published in 2014, one more was from 2012, and the remaining eight were all CVEs published between 1999 and 2002.

Jacobs said that the top two of these CVEs, both published in 2002, are always exploited in tandem and make up almost half of all exploits for the year.

Verizon DBIR 2015, Figure 11: Cumulative percentage of exploited
About half of the CVEs exploited in 2014 went from publish to pwn in less than a month.
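The concentration and age findings above (most observed exploitation traced to a handful of old CVEs, almost all of it more than a year after publication) are the kind of thing a defender can compute from their own SIEM and scan data. The following is an added example, not Risk I/O's or Verizon's code; the CVE ids, publication dates and exploit events are constructed placeholders.

```python
"""Exploit-event concentration and CVE age for patch prioritization.

All data below is constructed for illustration. CVE ids are placeholders
(not real identifiers) and the dates are hypothetical.
"""
from collections import Counter
from datetime import date

# Hypothetical publication dates for the placeholder CVE ids.
CVE_PUBLISHED = {
    "CVE-2002-PLACEHOLDER-A": date(2002, 6, 1),
    "CVE-2002-PLACEHOLDER-B": date(2002, 6, 1),
    "CVE-2012-PLACEHOLDER-C": date(2012, 3, 15),
    "CVE-2014-PLACEHOLDER-D": date(2014, 4, 7),
}

# Constructed exploit events as (CVE id, date observed). The two 2002 CVEs
# dominate, mirroring the report's "two old CVEs exploited in tandem".
EXPLOIT_EVENTS = (
    [("CVE-2002-PLACEHOLDER-A", date(2014, 9, 1))] * 45
    + [("CVE-2002-PLACEHOLDER-B", date(2014, 9, 1))] * 45
    + [("CVE-2012-PLACEHOLDER-C", date(2014, 5, 20))] * 8
    + [("CVE-2014-PLACEHOLDER-D", date(2014, 4, 20))] * 2
)


def share_older_than(events, published, days=365):
    """Fraction of events seen more than `days` after the CVE's publication."""
    old = sum(1 for cve, seen in events if (seen - published[cve]).days > days)
    return old / len(events)


def top_n_share(events, n):
    """Fraction of all events attributable to the n most-exploited CVEs."""
    counts = Counter(cve for cve, _ in events)
    return sum(c for _, c in counts.most_common(n)) / len(events)


def cves_to_cover(events, target):
    """Smallest number of CVEs (ranked by exploit count) covering `target` share."""
    counts = Counter(cve for cve, _ in events)
    covered = 0
    for rank, (_, c) in enumerate(counts.most_common(), start=1):
        covered += c
        if covered / len(events) >= target:
            return rank
    return len(counts)


def publish_years_of_top(events, published, n):
    """Publication years of the n most-exploited CVEs, oldest first."""
    counts = Counter(cve for cve, _ in events)
    return sorted(published[cve].year for cve, _ in counts.most_common(n))
```

On the constructed data, 98% of events are more than a year old at exploitation time, three CVEs cover 97% of events, and the top two are both from 2002; the same functions run unchanged over a real (cve, date) event list.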

Verizon warned that enterprises still need to focus on the other 7 million exploited vulnerabilities, but said that this data could help with prioritizing the patching workload. Another aid in prioritizing patches is to keep watch of what CVEs are being added to Metasploit, Verizon and Risk I/O said, because this might be "the single most reliable predictor of exploitation in the wild."

Holland said that this data was notable given the recent news regarding old vulnerabilities resurfacing, including companies still being at risk to Heartbleed, and warned that the issue may get worse.

"If this is a problem for Windows machines and regular workstations, just imagine how much bigger the problem will be with IoT devices and point-of-sale systems that can't be patched as easily," Holland said. "It shows the failure of patching processes."

Sidebar: 2015 DBIR contributors

The following organizations contributed to the 2015 Verizon DBIR (* indicates new contributor):

ACE Group*
Akamai Technologies
Anti-Phishing Working Group (APWG)*
Arbor Networks*
AsTech Consulting*
Australian Federal Police (AFP)
Center for Internet Security
Centre for Cyber Security, Denmark
Centripetal Networks, Inc.
CERT Insider Threat Center
CERT-EU European Union
Champlain College’s Senator Patrick Leahy Center for Digital Investigation*
Computer Emergency Response Team of Ukraine (CERT-UA)
Computer Incident Response Center Luxembourg (CIRCL), National CERT, Luxembourg
Council on CyberSecurity
Cybercrime Central Unit of the Guardia Civil (Spain)
CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation (MOSTI)
Defense Security Service (DSS)
Deloitte and Touche LLP
Dutch Police: National High Tech Crime Unit (NHTCU)
EMC Critical Incident Response Center (CIRC)*
G-C Partners, LLC
Guidance Software
ICSA Labs*
Identity Theft Resource Center
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Interset (formerly FileTrek)*
Irish Reporting and Information Security Service (IRISS-CERT)
Japan Computer Emergency Response Team (JP-CERT)*
Kaspersky Lab
Lares Consulting*
Malicious Streams
Mishcon de Reya
MWR InfoSecurity*
National Cybersecurity and Communications Integration Center (NCCIC)
One World Labs*
Palo Alto Networks*
Policia Metropolitana, Ciudad de Buenos Aires, Argentina
Recorded Future*
Research and Education Networking Information Sharing and Analysis Center (REN-ISAC)
Risk I/O*
SANS Securing the Human*
United Kingdom Computer Emergency Response Team (UK-CERT)*
U.S. Computer Emergency Readiness Team (US-CERT)
U.S. Secret Service
Verizon Cyber Intelligence Center
Verizon DoS Defense
VCDB Project*
Verizon Wireless
Verizon RISK Team
WhiteHat Security
Winston & Strawn
Wombat Security Technologies*
