Comments on: Data Not Assertions

By: David Mortman

David Mortman — Mon, 14 Dec 2009 17:44:40 +0000

Primary the report but in the long term both. CRF looks interesting, but that won’t really support the reporting format alas.

By: David Mortman

David Mortman — Mon, 14 Dec 2009 17:44:01 +0000

Absolutely my thought.

By: adam

adam — Mon, 14 Dec 2009 15:42:46 +0000

Pete,

Actually, it begs the question, why are you quoting the CSI report?

By: Pete

Pete — Mon, 14 Dec 2009 03:03:54 +0000

CSI report shows 15% vs. 14% insiders vs. outsiders, respectively. This, of course, begs the question – what about the other 71%?

By: Dutch

Dutch — Sat, 12 Dec 2009 18:09:47 +0000

Publishing in a standard format as in the report or the data sets?

Common Result Format (CRF) looks like someone started to tackle the problem, but it appears static since 2007.

CRF : http://makingsecuritymeasurable.mitre.org/crf/

By: Jon Robinson

Jon Robinson — Thu, 10 Dec 2009 19:32:14 +0000

@david I’m hoping a standard model will develop organically since the people publishing their data will want to compare it efficiently, as noted in the supplement appendix (methodology section).

By: David Mortman

David Mortman — Thu, 10 Dec 2009 17:44:15 +0000

Appendix A, lends more credence to what Verizon has been finding as well. It may not be perfect, but it’s a much larger sample set that maps nicely, so it gives us what seems like a pretty good idea.

“I know of at least 15 other similar cases. The average monetary loss of the case I worked on was estimated at $350 million yearly”

The thing about IP loses is that they are usually claimed to be very high (c.f. Kevin Mitnick) and yet strangely you don’t see those loses showing up very often on 10-Ks. Makes those lose numbers seem a little suspicious don’t you think?

By: David Mortman

David Mortman — Thu, 10 Dec 2009 17:35:36 +0000

@Jon Robinson

It only we had a standard model for sharing this data….

By: Jon Robinson

Jon Robinson — Thu, 10 Dec 2009 17:31:24 +0000

Every professional service firm should publish their data in a standard format and then we could get to the bottom of this.

By: Russell

Russell — Thu, 10 Dec 2009 17:10:33 +0000

I don’t know if the DBIR or supplement answers the question about prevalence of insider vs. outsider attackers.

The Verizon data set seems to be skewed to companies who have experienced breaches of financial data or PII. I didn’t see much related to intellectual property theft. This skew may just be the nature of demand for forensic investigation and also the nature of Verizon’s service portfolio. It may be that many companies who experience IP theft never go through full forensic investigation, or they use a professional services firm other than Verizon.

For a single data point at a large pharmaceutical company, see this post at Dark Reading: http://www.darkreading.com/blog/archives/2009/12/insider_threat.html?cid=nl_DR_DAILY_2009-12-09_h

This single case doesn’t prove anything about relative frequency, either, but if you believe his statement about financial losses and frequency, it doesn’t take many incidents for insider breaches to add up to big $$:

“I know of at least 15 other similar cases. The average monetary loss of the case I worked on was estimated at $350 million yearly”