5 Steps to Keep From Being a Statistic in Next Year’s Report

The 2016 Verizon Data Breach Investigations Report has been released, and as with prior years, it doesn’t disappoint. It continues to be the definitive – and entertaining – view of security incidents and data breaches. I’ll dispense with the blow-by-blow, so if you want a more complete write-up, please read Kelly Jackson Higgins’ Dark Reading article. Instead, I have summarized a few key takeaways here as they pertain to two of the most important solutions for mitigating data breach threats: privileged access management and vulnerability management.
What are the Key Takeaways From This Year’s Report?

Let’s take a look at a few themes that emerged from the data in this year’s report.

Legitimate user credentials are more of a target

We have known that Privilege Misuse has been among the most common patterns of behavior in data breaches, but this year the biggest storyline is credentials. Legitimate user credentials were used in most data breaches: 63% of confirmed breaches involved weak, default, or stolen passwords. This really should not be a surprise to anyone. Our own study of privileged access management showed that more than a fourth of companies have no controls over privileged access.

People and User Devices both represented a greater percentage of breaches in 2015

Why? Phishing and malware infections still lure in users, who in turn infect the systems and applications they interact with. How does it happen? 13% of people tested clicked on a phishing attachment, and the median time from the message landing to the first click was 3 minutes, 45 seconds. These insiders then become compromised. From a Privilege Misuse perspective we tend to focus on administrators and executives; however, the findings indicate that these two groups together represented only 28% of the actors:
- Almost 1/3 were found to be end users who have access to sensitive data that they need to do their jobs.
- A smaller percentage (14%) were in executive roles or in high privilege jobs like admins.
- There were higher rates of collusion between internal and external parties in 2015 (see the Verizon chart below).
Recommendations – How to Use This Data to Improve Security

Your head is swimming, right? All this data – what do you do with it? Let us give you 5 focus areas to help you mitigate the risks of insiders misusing their privileges, or of outsiders seeking to become insiders.

1) Lock down all enterprise credentials in a password safe
- Scan, identify, and profile all users, accounts, and assets; automatically onboard systems and accounts under management
- Rotate each password automatically based on age, or after each administrator login, so a checked-out credential is never valid for long
- Provide context from workflow requests so you can granularly limit access based on hours, days, etc.
- Monitor sessions in real time, giving you true dual control over user activity
- Enforce least privilege on all end user machines and servers, controlling root and admin access
- Elevate rights to applications, not users, using asset vulnerability data to make privilege elevation decisions
- Aggregate and correlate users and asset data to centrally baseline and track behavior
- Identify potential malware threats buried in asset activity data
- Measure the types and velocity of asset changes to flag in-progress threats
- Isolate users and assets exhibiting deviant behavior
- Reduce false positives by viewing multiple perspectives across users, assets and network (command and control)
- Generate reports to inform and align security decisions
- Patch asset and privilege vulnerabilities – remember, from a privilege perspective, removing excessive admin rights on Windows is widely estimated to mitigate 85% of security incidents.
- Target vulnerabilities based not just on business impact but also on whether they are being exploited “in the wild”. Most scanners can map findings to specific exploits and exploit toolkits that are packaged to use those vulnerabilities. (oh yeah – Retina does this!)
- For systems that can’t be patched, compensate with network isolation or configuration changes.
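The monitoring recommendations above (limit access by hours and days, baseline user and asset behavior, combine several perspectives before isolating an account) are easy to state and worth seeing as logic. The following is an added illustration written for this page, not code from the original post or from any product it mentions. It builds a per-account baseline of hosts from constructed historical privileged-session records, checks new sessions against an assumed workflow access policy and that baseline, and only recommends isolating an account when two or more independent deviations coincide, which is what keeps a single late login from becoming a false positive. Account names, host names, timestamps and the policy table are all constructed for the example.

```python
"""Baseline privileged sessions, flag deviations, isolate on corroborated evidence.

Added example for this page. All accounts, hosts, timestamps and policy entries
below are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical sessions used to build the baseline: (account, host, ISO start time).
BASELINE_SESSIONS = [
    ("dba_svc", "db01", "2016-04-04T09:12:00"),
    ("dba_svc", "db02", "2016-04-04T14:40:00"),
    ("webadmin", "web01", "2016-04-04T22:05:00"),
    ("webadmin", "web02", "2016-04-05T03:30:00"),
]

# Constructed sessions to triage after the baseline was built.
NEW_SESSIONS = [
    ("dba_svc", "db01", "2016-04-05T10:30:00"),        # normal working hours, known host
    ("dba_svc", "fileshare02", "2016-04-09T02:47:00"), # Saturday 02:47, never-seen host
    ("webadmin", "web03", "2016-04-05T23:10:00"),      # 24x7 account, but a new host
    ("contractor7", "db01", "2016-04-05T11:00:00"),    # account with no policy and no history
]

# Assumed workflow policy: allowed hour window [start, end) and allowed weekdays (0 = Monday).
ACCESS_POLICY = {
    "dba_svc": {"hours": (8, 18), "weekdays": {0, 1, 2, 3, 4}},
    "webadmin": {"hours": (0, 24), "weekdays": set(range(7))},
}

# Isolate only when this many distinct deviations coincide in one session.
ISOLATE_THRESHOLD = 2


def build_baseline(sessions):
    """Map each account to the set of hosts it has historically reached."""
    baseline = defaultdict(set)
    for account, host, _ in sessions:
        baseline[account].add(host)
    return baseline


def check_session(account, host, ts, baseline, policy):
    """Return a list of human-readable deviations for one session (empty means clean)."""
    findings = []
    dt = datetime.fromisoformat(ts)
    pol = policy.get(account)
    if pol is None:
        findings.append("no access policy exists for this account")
    else:
        start, end = pol["hours"]
        if not start <= dt.hour < end:
            findings.append(f"outside allowed hours {start:02d}:00-{end:02d}:00")
        if dt.weekday() not in pol["weekdays"]:
            findings.append("outside allowed weekdays")
    if account not in baseline:
        findings.append("account has no baseline history")
    elif host not in baseline[account]:
        findings.append(f"first observed session to host {host}")
    return findings


def triage(new_sessions, baseline, policy, threshold=ISOLATE_THRESHOLD):
    """Evaluate every new session; return (findings per session, accounts to isolate).

    A session with a single deviation is an alert to review; two or more independent
    deviations (time plus host, or missing policy plus missing history) trigger isolation.
    """
    per_session = {}
    isolate = set()
    for session in new_sessions:
        account, host, ts = session
        findings = check_session(account, host, ts, baseline, policy)
        per_session[session] = findings
        if len(findings) >= threshold:
            isolate.add(account)
    return per_session, isolate


if __name__ == "__main__":
    base = build_baseline(BASELINE_SESSIONS)
    results, to_isolate = triage(NEW_SESSIONS, base, ACCESS_POLICY)
    for (account, host, ts), findings in results.items():
        status = "ISOLATE" if account in to_isolate else ("alert" if findings else "ok")
        print(f"{ts} {account:<12} {host:<12} {status:<8} {'; '.join(findings)}")
```

Run as-is and the Saturday 02:47 session to an unseen file server and the contractor account with neither policy nor history are marked for isolation, while the 24x7 web administrator's first visit to a new host is raised as a single alert for review. In a real deployment the baseline would be rebuilt from the session recordings the password safe already captures, and the isolation step would call out to the access-management or network layer rather than print.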