In Search of Breach and Security Reports

Part of a security professional’s job is to research possible breaches and attacks. Some do this in a vacuum, others share data and information, and still others read reports produced by companies in the know. The granddaddy of such reports is the Verizon DBIR. Where are the reports related to our industries? Do they exist? What other reports exist?

Other reports do exist from various companies:

And the list goes on. There are many reports out there, and these are just a few. The question you should ask yourself when looking at a report, given the report, threat, and breach landscapes, is:

Does this report apply to my situation now or in the future?

For example, if you are in the retail industry, would a report specific to banks apply to you? In some cases it may, but in general such a report would not. If you are not moving to the cloud or do not use cloud resources, some of the other reports may not apply. Previously, there was a dearth of reports and information sharing, but now we have an overabundance of both.

As more reports become available, the parsing, selection, and use of these reports becomes suspect. Why? Because we now have information overload. Before, we would only look at one or two reports; now we can look at dozens. Which report holds the grain of truth about the environment we have to protect? This has become a major issue. As we increase visibility, we also have to increase observability, about which I have written before.

This implies that we need tools or teams that can understand the contents of a report, parse it, and apply the learning to our own environments. We also need tools that can share the attacks across a wide range of organizations based on organization types, requirements, futures, regions, etc. For example, if thousands of attacks against banks are occurring in one state of the union but not in other states, it would be very nice to warn, share, and raise awareness of the attacks among all banks in the region and surrounding regions while having the data available for others as needed.

Without such tools, we must rely on our own means to implement security. We must check whether we are subject to attacks and breaches within our own organizations. To address this need, even more managed security providers have stepped in: ones who have the security expertise we require to meet security and compliance needs, to reduce breaches, and to gain observability within the mass of visible data we now have.

A growing number of companies have been peering into that mass of visible data using analytics. “Analytics” is one of the buzzwords for 2016, along with “visibility,” “breach detection,” and “sharing.” Actually, those have been the buzzwords for the last few years, but we are still looking for solutions: not just narrow, focused solutions, but broader ones. Tools like Splunk, Prelert, and others are a great start.

Over the next few years, we will see the number of reports to read increase, the number of things to detect increase, and the number of tools that claim to do everything increase. Vendor-produced reports present findings related to the vendor’s products and are written to support those products. This should be weighed carefully before jumping on the bandwagon, so to speak. Reports by managed security providers are clearly about their services as well, yet they do apply to all the forms of managed security providers out there. However, the granddaddy report of all, the Verizon DBIR, is still the first one that most people consider when thinking of a report to read. It was the first, it is comprehensive, and it is based on what Verizon was asked to look at by its customers.

I start with the Verizon DBIR and go from there based on my needs. I am still searching, however, for tools that can take the reports and look for those attacks within my environment: tools that don’t just report but provide something usable today. Does anyone know of any such tools?
