Lessons Learned from 2,000 Data Breaches and 80,000 Security Incidents

Since 2008, Verizon has teamed up with research institutions, private security firms, and law enforcement agencies from around the world to create the annual Data Breach Investigations Report. The report is an in-depth analysis of more than 2,000 confirmed data breaches and 80,000 security incidents.

For some IT professionals, the transition to the cloud is a scary proposition. There is a legitimate fear their organization will fall victim to a breach. Yet, there are several areas organizations can address to help reduce security risk and exposure. The 2015 Data Breach Investigations Report highlights many of them, but I found three areas particularly interesting.

Context is Key: Breach Discovery and Indicators of Compromise

In 60% of cases, attackers compromise an organization within minutes. Unfortunately, companies don’t notice for days, weeks, months, or even longer.

Why is there such a delay between compromise and discovery?

Many times, the delay is a result of a lack of available and relevant data. Monitoring, let alone identifying breaches, can often feel overwhelming given the increasing number of risk areas.

“Ultimately, what is presented here is good news (organizations are indeed sharing). However, we’d like to recommend that if you do produce threat intel, focus on quality as a priority over quantity. Where an opportunity for detection presents itself, seize it in the way that offers the greatest longevity for your efforts. Certainly, anything that leads to the discovery of an incident is worthwhile, but in most cases, context is key.” – 2015 Data Breach Investigations Report

The quote above is spot on. Context is key, and you can’t manage what you can’t measure. As with any breach, you must understand the context behind the data to reduce exposure risk and securely manage your environment.

For example, a corporate directory login failure rate of 10% may appear acceptable on the surface. But what if high-volume login failures originate a continent away, in high-level management accounts, where critical data is at risk?

Protect Obvious Targets: Defending Against Phishing Attempts

Phishing is a tactic hackers use to gain access to sensitive information. Over the years, phishing has become more targeted–focusing on susceptible areas of an organization. In fact, specific departments in your organization are more likely than others to open a phishing email, according to the Verizon report.

“We looked at organization demographics to see if one department or user group was more likely than another to fall victim to phishing attacks. Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments. Then again, opening e-mail is a central, often mandatory component of their jobs.” – 2015 Data Breach Investigations Report

Security measures like temporary access controls and multi-factor authentication should surround these departments to prevent incidents.

Mistakes Happen: Recognizing Insider Misuse and Miscellaneous Errors

Insider misuse occurs when an employee abuses his or her access level. While often accidental, there are cases of malicious insider misuse. Regardless of intent, this is a huge problem for many organizations.

“As with prior years, the top action (55% of incidents) was privilege abuse—which is the defining characteristic of the internal actor breach. We see individuals abusing the access they have been entrusted with by their organization in virtually every industry.” – 2015 Data Breach Investigations Report

Mistakes will happen, so companies must identify risk areas and manage change to reduce potential exposure. I recommend:

• Establishing a baseline of user activity and application settings.
• Actively managing that baseline.
• Reducing the number of mistakes by leveraging automation tools.

4 Best Practice Examples for Reducing Security Exposure

Disclaimer: The following examples are hypothetical to illustrate best practices for reducing security exposure.

1. Use Security Setting Notifications to Protect Against Email Exposures

A mid-size company, Global Shifters, is moving to Office 365 from on-premises Exchange and SharePoint. The Global Shifters team liked the granularity in on-premises Exchange, but the shift to Office 365 requires more Exchange admins than before. This can get confusing.

To reduce change, Global Shifters establishes a baseline for all the Exchange Online security settings, then sets up a notification for any time a setting changes. By tracking setting changes in near real time, the Global Shifters IT team, can reduce potential email exposures.

2. Take Advantage of Regular Expression to Lock in On PII

A public company, MegaCorp., has personally identifiable information (PII) stored in their cloud-based HR and CRM systems.

Using regular expression policies, MegaCorp., monitors Google Drive for PII data stored in documents shared outside the organization. MegaCorp. will revoke sharing permissions and notify the user of a violation when PII is externally shared.

3. Use Automation to Limit Risk in Cases of Mass Employee Churn

A retailer, SHOPTOP, has tremendous employee churn during the holiday seasons. It’s common to hire / let go of 500 people in a single month.

SHOPTOP doesn’t want to give employees their credentials any sooner, or later than need be.

So, SHOPTOP automates the provisioning and deprovisioning process of all identities in their Google Apps domain–and other cloud services–to save time. Once an employee is “enabled” in their cloud HR system, an automation engine creates the user in Google Apps and grants the appropriate access for their job role. When an employee is “disabled,” the automation engine revokes access and deletes the user 30 days later.

SHOPTOP automates repeatable tasks to minimize risk and prove to auditors that the processes reduce human error.

4. Leverage an Automation Tool to Execute Group Membership Changes

A large enterprise, Ultra Z Systems, secures data in their cloud storage systems based on group membership. Groups are automatically populated based on an employee’s job title and office location.

An automation engine adjusts group membership as users’ attributes change. For example, if a user moves from sales to marketing their group membership automatically changes and their access rights get updated as well.

Three Key Takeaways

There are many IT threats in the world today, the 2015 Data Breach Investigations Report describes what they look like and where they’re coming from.

Remember these three takeaways to cut your security exposure and reduce risks:

• Context is Key: Strive to better understand your environment and the data inside through regular auditing and monitoring. You must understand when, where, and how breaches occur to prevent future exposure.
• Recognize Risk Areas: Are certain departments handling more sensitive data than others? Which departments are commonly subjected to phishing attempts? Identifying organizational weaknesses can protect against future attacks.
• Errors Happen, But Manage Misuse: Mistakes will happen, but limit them through automation and security baselines.