Confidential and proprietary material for authorized Verizon Business personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Security Event
Milan, Italy
November 6, 2008
Welcome
Introductions:
• Massimo Peselli, country leader, Verizon Business
• Matthijs van der Wel, manager principal forensics EMEA, Verizon Business Security Solutions
• Pietro Riva, sales manager Southern Europe, Verizon Business Security Solutions
2008 Data Breach Investigations Supplemental Report
Industry Focus. More Analysis. Greater Insight.
A comparison of risk factors among the finance, food, retail, and tech industries
PROPRIETARY STATEMENT
This document and any attached materials are the sole property of Verizon and are not to be used by you other than to evaluate Verizon’s service.
This document and any attached materials are not to be disseminated, distributed, or otherwise conveyed throughout your organization to employees without a need for this information or to any third parties without the express written permission of Verizon.
The Verizon and Verizon Business names and logos and all other names, logos, and slogans identifying Verizon’s products and services are trademarks and service marks or registered trademarks and service marks of Verizon Trademark Services LLC or its affiliates in the United States and/or other countries. All other trademarks and service marks are the property of their respective owners.
Securing the Extended Enterprise
Security Solutions that Answer the Extended Enterprise Challenges
Securing the Infrastructure
• Ongoing monitoring and management
• Security log data handling
• Business continuity
• Consumer / employee mobility
Securing the Information
• Application security
• Data protection / data loss prevention
• Information access control
Governance, Risk, and Compliance
• Measuring against risk
• Meeting against multiple compliance requirements
• Third party security due diligence
The RISK Team: Response, Intelligence, Solutions, Knowledge
1. Threat & Vulnerability Intel: Track and analyze new software vulnerabilities and related attacks
2. Underground Intel: Watch discussions, code sharing, planning,... Historically BBS, then Usenet, now more IRC and Cons...
3. ICSA Labs Intel: Security product testing and security consortia operations. 400+ products
4. Forensics Intel: Data and Intel from forensics investigations (200+ cases per year).
5. MSS Intel: Data from IDS, FW, IPS, Applications… Management & Monitoring SOC operations
6. Net Intel: Data from backbone. Sensors on more than 1 Million VzB addresses. Netflow, Honey nets, Honey Pots…
7. Studies & Surveys: VZB Studies, surveys (10+/yr), Others published data to drive Risk Models, equations & methodology
More than 500 Data Breach Investigations Past 4 Years
From more than 700 Investigations performed by the Verizon Forensics IR Team during these 4 years.
Study Caseload includes only cases where:
1. Company was Attacked
2. Attack was Successful
3. Data was Breached
4. Breached Data was Exploited
Caseload includes 3 of the 5 largest data breaches on record
Caseload includes between 1/4 and 1/3 of publicly disclosed breaches between 2005-2007*
*Source: http://www.idtheftcenter.com/
Take Home
1. All aspects of Risk vary by company, group
2. No Cookie-Cutter Approach
3. Risk Basis can significantly Simplify GRC efforts
4. Rise above Standards (HIPAA, PCI, SOX)
5. Compliance needs to be based on Risk (not checklists)
6. Verizon has better services based on real data
   1. Simpler
   2. More effective
   3. More efficient
Results & Analysis
Demographics
Industries
Breach Sources by Industry
Simplified Risk Calculation by Industry

| Industry | Source | Likelihood | Impact (# of Records) | Risk (Pseudo) |
|---|---|---|---|---|
| All | External | 73% | 30,000 | 21,830 |
| All | Internal | 18% | 375,000 | 68,617 |
| All | Partner | 39% | 187,500 | 73,404 |
| Financial | External | 56% | 4,000 | 2,250 |
| Financial | Internal | 38% | 175,000 | 65,625 |
| Financial | Partner | 41% | 151,250 | 61,445 |
| Food | External | 80% | 30,000 | 24,130 |
| Food | Internal | 4% | 200,000 | 8,696 |
| Food | Partner | 70% | 125,000 | 86,957 |
| Retail | External | 84% | 45,000 | 37,778 |
| Retail | Internal | 11% | 250,000 | 27,778 |
| Retail | Partner | 36% | 112,500 | 40,278 |
| Tech | External | 55% | 500,000 | 272,727 |
| Tech | Internal | 39% | 1,107,600 | 436,314 |
| Tech | Partner | 18% | 6,000,000 | 1,090,909 |
External Breach Sources By Industry
Internal Breach Sources by Industry

| Internal Source | All | Financial | Food | Retail | Tech |
|---|---|---|---|---|---|
| Anonymous | 5% | 8% | n/a | 11% | 0% |
| End-User | 41% | 53% | n/a | 33% | 23% |
| IT Admin | 50% | 31% | n/a | 45% | 77% |
| Executive | 2% | 0% | n/a | 11% | 0% |
| Agent/Spy | 2% | 8% | n/a | 0% | 0% |

n/a: Insufficient number of cases for statistical analysis
Partner Breach Sources by Industry
66% 74% 31% 57% Partner Asset or Connection
0% 0% 8% 3% Onsite Partner
17% 13% 15% 16% Remote IT Admin
0% 0% 15% 3% Remote End-User
17% 13% 31% 21% Anonymous
Insufficient number of cases for statistical analysis
Tech Retail Food Financial All
Threat Categories By Industry
Threat Categories: Error By Industry

| Error | All | Financial | Food | Retail | Tech |
|---|---|---|---|---|---|
| Omission | 80% | 70% | 79% | 76% | 88% |
| Misconfiguration | 15% | 20% | 21% | 16% | 8% |
| Inadvertent disclosure | 3% | 5% | 0% | 3% | 4% |
| User error | 2% | 5% | 0% | 3% | 0% |
| Technical failure | 1% | 0% | 0% | 2% | 0% |
Threat Categories: Hacking By Industry
Threat Categories: Malcode By Industry

| Malcode | All | Financial | Food | Retail | Tech |
|---|---|---|---|---|---|
| E-mail | 14% | n/a | 15% | 16% | 7% |
| Network propagation | 13% | n/a | 31% | 6% | 7% |
| Downloaded via web | 13% | n/a | 8% | 13% | 7% |
| Physical installation | 2% | n/a | 0% | 0% | 14% |
| Planted by attacker | 59% | n/a | 46% | 65% | 64% |

n/a: Insufficient number of cases for statistical analysis
Attack Pathways By Industry
Attack Difficulty By Industry
Targeted vs Opportunistic Attacks By Industry
Compromised Assets By Industry

| Asset | All | Financial | Food | Retail | Tech |
|---|---|---|---|---|---|
| Online Data | 82% | 74% | 98% | 87% | 73% |
| Offline Data | 7% | 16% | 2% | 2% | 7% |
| Networks and Devices | 7% | 5% | 0% | 5% | 11% |
| End-User Devices | 4% | 5% | 0% | 6% | 9% |
Compromised Data By Industry
Time Span of Breach Events By Industry
Breach Discovery Methods By Industry
9 out of 10 breaches involved at least one of these
Conclusions & Recommendations
Align process with policy - In 59% of breaches, security policies were established but not enacted through actual process.
Achieve “essential” then worry about “excellent” - 83% of attacks were not considered to be highly difficult and 85% were opportunistic. Identify essential controls and ensure implementation across the organization, then move to advanced measures where appropriate.
Secure partner connections - 39% of breaches involved business partners. Standard controls must encompass the data, systems and connections used in partner relationships.
Create a data retention plan - 66% of breaches involved data not known to be on the system. Efforts to locate, catalogue and track sensitive data and assess risk are highly beneficial.
Control data with transaction zones - Zones provide a foundation for granular control measures around data, additional layers of accountability and more pointed event monitoring.
Monitor event logs - Evidence of events leading up to 82% of breaches was available to the victim, but this information was neither noticed nor acted upon.
Create an incident response plan - An incident response plan should detail effective handling of attacks, post-breach procedures, evidence collection, freeze points, relationships with 3rd parties (i.e., law enforcement, legal counsel), and disclosure/notification policies.
Conduct mock incident testing - A periodic step-by-step walkthrough of procedures during a simulated breach event is a valuable learning experience and critical to vetting the response plan.
Thank you