Data Not Assertions

by David Mortman on December 10, 2009

There have already been a ton of posts out there about the Verizon DBIR Supplement that came out yesterday, so I’m not going to dive into the details, but I wanted to highlight this quick discussion from Twitter yesterday that really sums up the value of the supplement and similar reports:

georgevhulme: I’m glad we have data to refute the “insiders conduct 80% of all attacks” mantra that has been repeated, ad nauseam, for at least a decade

adamshostack: @alexhutton @georgevhulme yeah, but… Data, not assertions

This is so awesome, I can barely stand it. We’re actually starting to be able to make data-based decisions as opposed to just asserting something is true because we believe it on faith or like the way it sounds.

“Data, not assertions” really sums up so much of what I was trying to get at in the discussion on Securosis last week about password changing time frames. Read the comments over there. It really shows how far we have yet to go.

12 comments

My gut tells me Adam is right.

by Chris on December 10, 2009 at 4:00 pm. Reply #

I don’t know, Adam was kind of wrong the last time.

by rmogull on December 10, 2009 at 4:17 pm. Reply #

I don’t know if the DBIR or supplement answers the question about prevalence of insider vs. outsider attackers.

The Verizon data set seems to be skewed to companies who have experienced breaches of financial data or PII. I didn’t see much related to intellectual property theft. This skew may just be the nature of demand for forensic investigation and also the nature of Verizon’s service portfolio. It may be that many companies who experience IP theft never go through full forensic investigation, or they use a professional services firm other than Verizon.

For a single data point at a large pharmaceutical company, see this post at Dark Reading: http://www.darkreading.com/blog/archives/2009/12/insider_threat.html?cid=nl_DR_DAILY_2009-12-09_h

This single case doesn’t prove anything about relative frequency, either, but if you believe his statement about financial losses and frequency, it doesn’t take many incidents for insider breaches to add up to big $$:

“I know of at least 15 other similar cases. The average monetary loss of the case I worked on was estimated at $350 million yearly”

by Russell on December 10, 2009 at 5:10 pm. Reply #

Appendix A lends more credence to what Verizon has been finding as well. It may not be perfect, but it’s a much larger sample set that maps nicely, so it gives us what seems like a pretty good idea.

“I know of at least 15 other similar cases. The average monetary loss of the case I worked on was estimated at $350 million yearly”

The thing about IP losses is that they are usually claimed to be very high (c.f. Kevin Mitnick) and yet strangely you don’t see those losses showing up very often on 10-Ks. Makes those loss numbers seem a little suspicious, don’t you think?

by David Mortman on December 10, 2009 at 5:44 pm. Reply #

Every professional service firm should publish their data in a standard format and then we could get to the bottom of this.

by Jon Robinson on December 10, 2009 at 5:31 pm. Reply #

@Jon Robinson

If only we had a standard model for sharing this data….

by David Mortman on December 10, 2009 at 5:35 pm. Reply #

@david I’m hoping a standard model will develop organically since the people publishing their data will want to compare it efficiently, as noted in the supplement appendix (methodology section).

by Jon Robinson on December 10, 2009 at 7:32 pm. Reply #

Absolutely my thought.

by David Mortman on December 14, 2009 at 5:44 pm. Reply #

Publishing in a standard format as in the report or the data sets?

Common Result Format (CRF) looks like someone started to tackle the problem, but it appears static since 2007.

CRF : http://makingsecuritymeasurable.mitre.org/crf/

by Dutch on December 12, 2009 at 6:09 pm. Reply #

Primarily the report, but in the long term both. CRF looks interesting, but that won’t really support the reporting format, alas.

by David Mortman on December 14, 2009 at 5:44 pm. Reply #

CSI report shows 15% vs. 14% insiders vs. outsiders, respectively. This, of course, begs the question – what about the other 71%?

by Pete on December 14, 2009 at 3:03 am. Reply #

Pete,

Actually, it begs the question, why are you quoting the CSI report? 🙂

by adam on December 14, 2009 at 3:42 pm. Reply #
