I remember sitting down to "crack the cover" of the very first Verizon Data Breach Investigations Report (DBIR) a lifetime ago. I was the security manager of a small hosting company and the report was the first time I'd ever seen a real, data-driven effort to quantize breaches and the security problems we were facing daily. It was the first time we had real data, rather than theories, opinions and anecdotes.
Today's release is the 13th iteration of the DBIR, and for the last five years, Akamai has been contributing DDoS data, feedback, and support. Since that first report, I've had the opportunity to meet, interview, and make friends with many of the people making this effort happen. People like Wade Baker, Alex Hutton, Bob Rudis, Jay Jacobs, Dave Hylender, Gabe Bassett, and Alex Pinto, just to name a few of the many people who've contributed over the years. I even had a small part to play in the report when I worked at Verizon for two years.
Most modern security reports owe some level of respect to Verizon's DBIR, including Akamai's State of the Internet Security Report. Each year the DBIR shows us why data-driven reporting is so important and gives security professionals across the globe real information about attacks and helps us understand the landscape a little better. At Akamai, our team is proud to support this effort and sees the DBIR as a report to aspire to, and some day, surpass.
- Martin McKeay, Akamai Editorial Director
This year's report is not a light read. At 119 pages, this is not a report to consume in one sitting. The team started the report with a cheat sheet, aimed at explaining the verbiage and data visualizations contained in this year's report. The cheat sheet is highly recommended reading, before skimming the rest of the report for the bits and pieces that apply to your organization.
One of the most encouraging statistics is that 81% of breaches were contained within one day or less. This is a huge improvement over years past and shows that we're getting better at detecting and responding to attacks. It wasn't too long ago we were measuring response times in weeks and months, not days and hours.
Less encouraging is the fact that organized crime and nation-state actors are being recognized as two of the largest sources of compromises. Though this shouldn't be a surprise, to see it officially recognized as part of this report is somewhat chilling.
As one of the contributors of DDoS data, Akamai understands that DDoS is, and probably always will be, one of the easiest and most common (nearly 60%) methods of impacting businesses and organizations on the internet. Law enforcement organizations, such as Europol, are constantly fighting to close down DDoS-for-hire sites, but it's hard to play "whack-a-mole" with these criminals.
There's too much in this report to highlight everything, so I want to close with another observation near and dear to the State of the Internet Security research: credential abuse. According to Verizon, over 80% of breaches involve brute-force attacks using stolen credentials. If this isn't an indicator that we need to prioritize teaching everyone to use unique passwords for every site, nothing is. It's also an issue too many security professionals are guilty of committing themselves.
As it has been since the beginning, the DBIR is an exemplar of data-rich research that goes far beyond the text of the report. While the information Verizon's researchers and data scientists have highlighted in their analysis is vitally important, there's so much more hidden in the twists and folds of the visualizations than can be easily consumed in one, or even several, readings. The information on Small to Medium Businesses (SMBs) is just one example of a topic that needs significant consideration beyond what's contained in the text.
If you've never read the DBIR before, find a quiet spot, turn off your phone and all other applications on your laptop, and start taking notes for your second review. If you've read the report before, everything you're familiar with is there, as well as a whole lot more. Find the bits and bytes you need to understand your own environment better. Make a point of highlighting the data your management needs to read and understand. It's worth the effort.