Thursday, April 16, 2009

Latest Verizon Business Data Breach Report

I just wanted to let everyone know that Verizon Business has published the 2009 Data Breach Report. The breadth and depth of these reports are invaluable. Since there are very few solid sources of this type of information, the release of this report dominates the availability of the few brain cells I have remaining.

Press Release Here:
Actual Report Here:
Look for updates/comments from the authors/team at

From my first 5 minute glance at the report here are some of my favorite things:

Figure 31. Time Span of breach event by percent of breaches. This may be the best metric we as security professionals can look to improve: reducing the time to Incident Identification and Mitigation.

Figure 32. Breach Discovery methods by percent of breaches. Interesting observations about how things are detected, nearly 70% by third parties, only 7% by “active” internal teams.

Figure 34. Detective Controls by percent of breach victims. System and Application Logs are KEY (don’t just rely on security devices).
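As an added example (not from the post or from the Verizon report), here is the kind of calculation behind these three figures, run over a handful of constructed incident records: time-span buckets for compromise-to-discovery and discovery-to-containment, the median hours to discovery as the number to drive down, and the share of breaches found by third parties versus internal teams. The bucket boundaries and the discovery-source labels are assumptions, not the report's own definitions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample incident records (illustrative only, not data from the report).
# Each record has initial compromise, discovery and containment timestamps plus who found it.
INCIDENTS = [
    {"compromised": "2009-01-02T08:00", "discovered": "2009-01-02T10:30",
     "contained": "2009-01-02T14:00", "discovered_by": "internal-active"},
    {"compromised": "2009-01-05T00:00", "discovered": "2009-01-08T09:00",
     "contained": "2009-01-10T09:00", "discovered_by": "third-party"},
    {"compromised": "2009-01-01T00:00", "discovered": "2009-02-15T00:00",
     "contained": "2009-02-20T00:00", "discovered_by": "third-party"},
    {"compromised": "2009-01-10T12:00", "discovered": "2009-01-20T12:00",
     "contained": "2009-01-21T12:00", "discovered_by": "third-party"},
    {"compromised": "2009-01-15T09:00", "discovered": "2009-01-15T09:20",
     "contained": "2009-01-15T11:00", "discovered_by": "internal-passive"},
]

# Assumed time-span buckets (upper bound in seconds, exclusive); the report's
# own bucket boundaries may differ.
BUCKETS = [("minutes", 3600), ("hours", 86400), ("days", 7 * 86400),
           ("weeks", 30 * 86400), ("months+", float("inf"))]

def _seconds(rec, start, end):
    """Elapsed seconds between two timestamp fields of one incident record."""
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(rec[end], fmt) - datetime.strptime(rec[start], fmt)).total_seconds()

def bucket_name(seconds):
    """Map an elapsed time onto the first bucket whose upper bound it falls below."""
    return next(name for name, limit in BUCKETS if seconds < limit)

def span_distribution(incidents, start, end):
    """Percent of breaches per time-span bucket for one phase, e.g. compromise -> discovery."""
    counts = Counter(bucket_name(_seconds(r, start, end)) for r in incidents)
    return {name: round(100.0 * counts[name] / len(incidents), 1) for name, _ in BUCKETS}

def median_hours(incidents, start, end):
    """Median elapsed hours for a phase: the single number to track and drive down."""
    return median(_seconds(r, start, end) / 3600 for r in incidents)

def discovery_method_distribution(incidents):
    """Percent of breaches per discovery source (third party vs. internal teams)."""
    counts = Counter(r["discovered_by"] for r in incidents)
    return {k: round(100.0 * v / len(incidents), 1) for k, v in sorted(counts.items())}

if __name__ == "__main__":
    print("compromise -> discovery:", span_distribution(INCIDENTS, "compromised", "discovered"))
    print("discovery -> containment:", span_distribution(INCIDENTS, "discovered", "contained"))
    print("median hours to discovery:", median_hours(INCIDENTS, "compromised", "discovered"))
    print("discovered by:", discovery_method_distribution(INCIDENTS))
```

Feed it your own incident tracker export and the two span distributions become the in-house version of Figure 31, while the discovery-source breakdown shows whether your logs and internal teams, rather than outsiders, are the ones finding breaches.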

Many of the recommendations seem brain-dead simple so I won’t cover them here, nor will I go into the pseudo risk calculations or PCI “Compliance” at this time. All in all, a ton of food for thought in this report. I’m going to wait to post more comprehensive notes on this report to allow it all to sink in a bit more. Verizon obviously puts a lot of thought and effort into this report and I find myself spending hours dissecting it every time. To my friends over at Verizon Business - Thanks again for the information! Everyone else - I encourage you to take the time to review it thoroughly.

Originally published on 14 April 2009.
