Verizon Enterprise Data Breach Investigations Report: Lessons To Be Learned


Data Breach Statistics You Can’t Ignore.

The 2015 Data Breach Investigations Report by Verizon Enterprise is a wealth of knowledge. In this extensive and detailed report we learn the current trends and the expansive breadth of attacks: how they can come at you, where they come from, and how they infiltrate your domain. The report encapsulates information collected from 70 contributing organizations, covering 79,790 security incidents with 2,122 confirmed data breaches across 61 countries. The estimated financial loss of $400 million from 700 million compromised records shows the absolute necessity of managing data breach risks.


In 70% of the attacks where we know the motive for the attack, there’s a secondary victim.

RAM scraping has grown in a big way. This type of malware was present in some of the most high-profile retail breaches. (RAM Scraping is a type of malware that helps hackers to find personal data. It examines memory to search for sensitive data that is not available through other processes.)


[Figure from the Verizon Enterprise Data Breach Investigations Report: significant threat actions over time by percent.]



In just minutes. That’s a sobering statistic. How can we begin to combat this? By sharing information with our peers.

Sharing intelligence should lead to a form of “herd alertness,” similar to the way plains animals warn each other when predators are nearby. This means intelligence must be shared at a faster rate than the attack spreads in order to successfully warn the rest of the community.

Over 40% hit the second organization in less than an hour. That puts quite a bit of pressure on us as a community to collect, vet, and distribute indicator-based intelligence very quickly in order to maximize our collective preparedness.

75% of attacks spread from Victim 0 to Victim 1 within one day (24 hours). That means these threats move fast, and if you don’t have a heads up warning, you can’t be on complete alert. “Ultimately, the data speaks to a need for urgency: The faster you share, the more you (theoretically) will stop.”



For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing.

According to the report, the user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network.

How long does an attacker have to wait to get that foot in the door? Verizon aggregated the results of over 150,000 e-mails sent as part of sanctioned tests by two of its security awareness partners and measured how much time had passed from when the message was sent to when the recipient opened it, and whether they were influenced to click or provide data (where the real damage is done). The data showed that nearly 50% of users open e-mails and click on phishing links within the first hour.

The reality is that you don’t have time on your side when it comes to detecting and reacting to phishing events.

There is obviously no one-shot antidote for the problem at hand. The general areas of focus are three-fold:

• Better e-mail filtering before messages arrive in user in-boxes

• Developing and executing an engaging and thorough security awareness program

• Improved detection and response capabilities, including measures to block, filter, and alert on phishing e-mails at the gateway


Lance Spitzner, Training Director for the SANS Securing The Human program, notes that “one of the most effective ways you can minimize the phishing threat is through effective awareness and training. Not only can you reduce the number of people that fall victim to (potentially) less than 5%, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology.” Training your employees is a critical key to preventing these infiltrations. Share the information as soon as you’ve become aware to cut down on the attacks.

There were numerous large-scale attacks in the news, but there are so many that don’t even get mentioned. “If a vulnerability gets a cool name in the media, it probably falls into this ‘critical vulnerability’ label. As an example, in 2014, Heartbleed, POODLE, Schannel, and Sandworm were all observed being exploited within a month of CVE publication date.” But how many went unnoticed?

Although mobile breaches are important in other ways, there is some good news here. As Verizon puts it, “I Got 99 Problems and Mobile Malware Isn’t Even 1% of Them.” Their data-driven conclusion: mobile devices are not a preferred vector in data breaches. At least we can breathe a sigh of relief there.

But that’s about the only time you can let your guard down.

“Looking at just the total number of malware events (around 170 million) across all organizations, we can perform some egregiously simple math to determine that five malware events occur every second.” Five malware events every second. That is incredibly alarming.

So what can you do?

SLPowers has been saying it for ages, and Verizon’s report confirms it: with security, there is no “one size fits all” approach. You need a tailor-made approach to your network’s security that is actively monitored and managed.


Are you willing to risk your business on that hand of cards?

As for web app attacks: pulling back from a single industry view, we find that most of the attacks make use of stolen credentials. 95% OF THESE INCIDENTS INVOLVE HARVESTING CREDENTIALS STOLEN FROM CUSTOMER DEVICES, THEN LOGGING INTO WEB APPLICATIONS WITH THEM.

If you have a web presence (e-commerce or otherwise), you should be tracking user behavior and using some form of fraud detection to get an early warning on suspicious behavior. Load balancer logs, web application logs, and database transaction logs can all help identify malicious activity before your last bit of sensitive data is fully exfiltrated. Event correlation then lets you analyze the data and find relationships between these events.
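The kind of correlation the paragraph describes can be illustrated with a small script. The example below is an added illustration, not code from the Verizon report or from SLPowers; the log format, IP addresses, usernames and thresholds are all constructed for the demonstration. It parses web application login events and flags two patterns that follow from the stolen-credentials statistic: one client IP trying many different accounts in a short window (credential testing) and one account logging in successfully from several IPs in a short window (a possibly hijacked account).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-application login log lines (illustrative only,
# not real traffic and not taken from the Verizon report).
SAMPLE_LOG = """\
2015-04-27T10:00:01Z 192.0.2.1 login user=alice status=success
2015-04-27T10:00:05Z 203.0.113.5 login user=alice status=fail
2015-04-27T10:00:06Z 203.0.113.5 login user=bob status=fail
2015-04-27T10:00:07Z 203.0.113.5 login user=carol status=fail
2015-04-27T10:00:08Z 203.0.113.5 login user=dave status=fail
2015-04-27T10:00:09Z 203.0.113.5 login user=erin status=success
2015-04-27T10:02:00Z 198.51.100.7 login user=victim status=success
2015-04-27T10:04:30Z 198.51.100.8 login user=victim status=success
2015-04-27T10:07:15Z 192.0.2.9 login user=victim status=success
2015-04-27T11:30:00Z 192.0.2.1 login user=bob status=fail
2015-04-27T11:30:20Z 192.0.2.1 login user=bob status=success
"""

# Hypothetical log line format: "<timestamp> <client_ip> login user=<name> status=<result>"
LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\S+) status=(\S+)$")


def parse_log(text):
    """Parse log text into a list of event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "ip": m.group(2), "user": m.group(3), "status": m.group(4)})
    events.sort(key=lambda e: e["ts"])
    return events


def _many_within_window(items, window, min_distinct):
    """items: time-sorted list of (timestamp, key).
    Return True if any sliding window of the given length holds >= min_distinct distinct keys."""
    j = 0
    for i in range(len(items)):
        # advance the right edge while it stays inside the window starting at items[i]
        while j < len(items) and items[j][0] - items[i][0] <= window:
            j += 1
        if len({key for _, key in items[i:j]}) >= min_distinct:
            return True
    return False


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """IPs that attempt logins to at least min_users distinct accounts within one window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((e["ts"], e["user"]))
    return sorted(ip for ip, items in by_ip.items()
                  if _many_within_window(items, window, min_users))


def find_account_takeover(events, window=timedelta(minutes=10), min_ips=3):
    """Accounts with successful logins from at least min_ips distinct IPs within one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["status"] == "success":
            by_user[e["user"]].append((e["ts"], e["ip"]))
    return sorted(user for user, items in by_user.items()
                  if _many_within_window(items, window, min_ips))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("IPs testing many accounts:", find_credential_stuffing(evs))
    print("Accounts used from many IPs:", find_account_takeover(evs))
```

The thresholds are deliberately low so the constructed sample triggers both detectors; in production they should be tuned against normal traffic, and the same sliding-window check can be pointed at load balancer or database transaction logs once those are parsed into the same event shape.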

A message for service providers: secure your services. Block access to known botnet C2 servers and patch your systems. To understand how your organization would react to a DDoS attack, conduct regular drills and exercises to see where you need to shore up processes and, perhaps, add technology or external mitigation services to help maintain or restore services.

The Verizon report makes it very clear: you can’t set it and forget it. You can’t try a one-size-fits-all approach. You can’t play ostrich. You have to be proactive, stay ahead of the game, and take your network security very seriously.

Here is a recap of just the big name breaches we heard about last year.

2014 Year in review…

  • January– SNAPCHAT 4.5 million compromised names and phone numbers
  • February– KICKSTARTER 5.6 million victims
  • March– KOREAN TELECOM One of the year’s largest breaches affected 12 million customers
  • April– HEARTBLEED First of three open-source vulnerabilities in 2014
  • May– eBAY Database of 145 million customers compromised
  • June– PF CHANG’S Most high-profile data breach of the month
  • July– ENERGETIC BEAR Cyberspying operation targeted the energy industry
  • August– CYBERVOR 1.2 billion compromised credentials
  • September– iCLOUD Celebrity accounts hacked
  • October– SANDWORM Attacked a Windows vulnerability
  • November– SONY PICTURES ENTERTAINMENT Highest-profile hack of the year
  • December– INCEPTION FRAMEWORK Cyber-Espionage attack targeted the public sector

As you can see, there is no downtime or lull in cybercrime. Don’t let your defenses lag even a minute longer. The best defense is a fortified offense. Trust your network security to a proven, flexible solution backed by industry-leading expertise: Guaranteed Networks-Secure. 
