Ripped from the Headlines

Transcript

1. Ripped from the Headlines What the news tells us about

   information security incidents Suzanne Widup @SuzanneWidup Kevin Thompson @bfist

2. WHO ARE THESE PEOPLE And what are they talking about?

3. About us Suzanne Widup Kevin Thompson •  Data breach geek

   • Incident Analyst • Author • Data Alchemist • Incident Librarian • Burly Northman

4. •  Research Question •  Methodology •  Assumptions & Limitations • 

   Findings & Recommendations •  Practical Application •  Call for Volunteers Agenda

5. WHAT’S THIS VCDB? What’s the point of the research?

6. Data Breach Investigations Report •  DBIR is our analysis of

   a sample •  Sample provided by partners •  Data is under NDA

7. •  Is there another data source? •  Can we apply

   DBIR methodology to that source? •  Can the raw data provide decision support for organizations? Research Questions

8. VERIS Community Database •  Repo of incident data •  Coded

   in VERIS •  Sample comes from public sources •  Free and Open-Source

9. What do we know of Data Breaches?

10. DBIR Data

11. DBIR + VCDB

12. • Incomplete – What kind of hacking? •  Mislabeled – Everything is hacking

    •  Inaccurate Why VCDB Data is Blurry

13. METHODOLOGY How did you get that data?

14. •  Google Alerts •  HHS Breach Tool •  Trolling the

    AGO •  Partnerships •  FOIA Requests •  Asking nicely First – Get a list of incidents

15. First – Get a list of incidents

16. 2nd – Decide on a schema

17. INCIDENT REPORT “An external attacker sends a phishing email that

    successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…” 2nd – Decide on a schema

18. 2nd – Decide on a schema

19. 2nd – Decide on a schema

20. 3rd – Make a collector

21. 4th – Publish the data

22. 5th – Analyze it

23. ASSUMPTIONS & LIMITATIONS Because we might be wrong

24. • We assume (for now) that – Mistakes in a single report

    are made insignificant by the size of the sample The Data is Good Enough

25. • We assume (for now) that – If the sample grows large

    enough we’ll have enough data to make up for missing information. The Data is Good Enough

26. English-speaking Bias?

27. Industry Representation Health care & Gov make up 42% of

    the data set.

28. Years in the Sample These tend to be large breaches

    and are less randomly distributed

29. •  Duplicates still sneak in •  Internal consistency •  Inter-rater

    consistency Other Challenges

30. FINDINGS And recommendations

31. BREACHES ARE NOT UNIFORM Different industries experience breaches differently

32. Breach Patterns by Industry

33. Use industry-specific breach information to prioritize security controls Industry Recommendations

34. LOSS AND THEFT STILL DOMINATES!

35. Loss and Theft

36. • Double check laptop encryption • Test a sample • Document your results

    Loss/Theft Recommendation

37. MISTAKES ARE COSTLY

38. Errors in VCDB Ermahgerd! Errerrs!

39. • User Awareness Training is not likely to help • Check Sample

    of Mass Mailings • Change Management on Web Servers Error Recommendations

40. DISCOVERY IS HARD And it takes a long time

41. Time to discovery

42. How breach was discovered

43. • Think about common loss scenarios for your industry. • Ask –

    how would I know if that was happening? Discovery recommendations

44. BREACHES MIGHT FOLLOW COMMON DISTRIBUTIONS Might is the key word

    there

45. • Natural phenomenon • City size, earthquake power, size of craters on

    the moon • Maybe the size of breaches? Power Law Distribution

46. Straight for small breaches

47. Power Law Distribution Courtesy: Douglas Hubbard, The Failure of Risk

    Management

48. • Keep detailed records • Estimate probability of mega- breach • Estimate frequency

    of breaches Power Law Recommendation

49. • Used for estimating frequency – Calls coming to a call center

    – People coming in the door • Large breaches in a month? Poisson Distribution

50. Pretty Close Breaches of 1 million+ records from 2011 to

    present.

51. 2014 Security Prediction from Trend Micro Wow Such Predict Much

    duh

52. PRACTICAL APPLICATION Please try this at home

53. • You have a unique view – Non-public incidents – Near misses Another

    sample

54. •  Interactive Tableau •  Filter by industry, size, etc. • 

    Identify scenarios most relevant to your organization. •  http://public.tableausoftware.com/views/vcdb/ Overview Simple Analysis

55. Simple Analysis

56. •  Updated quarterly •  Limited complexity •  Quick view of

    the data •  Nicer looking than Excel Simple Analysis is Simple

57. But I like Excel!

58. • Lots of updates between quarters – Quality improvements – Incidents get added

    – Tools get updated I want the fresh data

59. • Clone the repo – Do whatever with the data – Will require

    programming skill – Need to use a tool like R to examine – Kevin uses python and d3.js. I want the fresh data

60. I want the fresh data https://github.com/jayjacobs/verisr

61. I want the fresh data https://gist.github.com/blackfist/8909836

62. I want the fresh data

63. • Combine your own incident data with VCDB! – Compare – Contrast – Support

    decision making You know what’s even cooler?

64. DBIR + VCDB + Your Org Data

65. •  Answer questions –  What are the highest risks in

    my industry? •  Drive decisions –  Where should I concentrate my efforts? •  Prioritize controls –  I’m in Healthcare and our laptops aren’t encrypted. Should I look at that? •  Informing risk management – frequency/impact –  Including your own real world data, you can tell a powerful story of why your plan makes sense and should be funded. How Can I Use This?

66. I’D LIKE TO CONTRIBUTE! Send email to [email protected]

67. Your gift of a few contributions Can help a starving

    data scientist.

68. • Add to the list of Incidents – Create github account – Check

    for duplicates – Create new issue Contributing to VCDB

69. • Coding Incidents – Contact us via email – We make you an

    account – Claim issues in GitHub – Code incidents in our tool – Ask Questions on mailing list Contributing to VCDB

70. What do we want? MOAR DATA!!!

71. Suzanne Widup @SuzanneWidup Kevin Thompson @bfist DBIR: www.verizonbusiness.com/databreach VERIS: https://veriscommunity.net

    VCDB: https://github.com/vz-risk/VCDB Email: [email protected] VCDB Graphic: http:// public.tableausoftware.com/views/vcdb/ Overview Volunteer: [email protected]