Verizon Breach Report: Lessons for Asia
Ashish Thapar Provides Breach Prevention Insights
A good way to mitigate data breach risks is to make it more costly for hackers to wage a successful attack, says Ashish Thapar, managing principal, risk services, APAC, at Verizon Enterprise Solutions.
"If the cost and risks to the attackers can be increased significantly, this will affect their return on investment," he notes. "If you break this chain by prioritizing your controls, relevant to your industry, risk and assets, this chain can be disrupted."
In an interview with Information Security Media Group (see edited transcript below), Thapar provides insights for the Asian market on the new 2016 Verizon Data Breach Investigation Report. He discusses:
- Prominent trends in the report;
- The increase in cyber espionage and financial cybercrime;
- Recommendations for better protecting the enterprise in the present threat landscape.
Thapar is the managing principal, risk services, APAC, at Verizon Enterprise Solutions. His experience includes designing, implementing and managing information security management systems. Thapar has written several white papers and articles on information security topics. He also has been a featured speaker at industry events addressing IT and information security.
VARUN HARAN: What are some of the trends that stand out to you in this year's Data Breach Investigation Report from an Asian perspective?
THAPAR: In terms of the prominent trends this year, I can say that the detection gap is increasing in terms of time to compromise vs. time to discovery. The figures for this in the last two years were better. This gap is worsening, which is not good news.
Over the last year, this can be attributed to the increase in attacks using ransomware and banking Trojans. While these attacks are not very sophisticated in nature, they are proving hard to detect, which has resulted in the declining graph that we see this year when we look at detection.
The other major piece this year is that 89 percent of the attacks studied involved financial and espionage motivation. In spite of nation-state actors jumping into the fray, financial motives have weighed very heavily in the data set we have this year.
For some context, this is the ninth edition of the DBIR report, and this year the data set has significantly changed. The number of incidents that have been analyzed is up to 100,000 from around 80,000 last year. We have more countries in the report this time, from 61 last year to 82 this year.
HARAN: What is in this report that stands out to you, compared to the previous editions?
THAPAR: The financial and online retail segments have taken center stage in the representation they see in the report this year, and we are seeing a very well-oiled industry that is surviving on monetization of stolen data. We are seeing an organized cybercrime market for compromised records; we are seeing very clear wholesale and retail relationships in the post-compromise frauds. We are also seeing a trend where attackers are pivoting from their primary motives and trying to further compromise other organizations through the first compromise. The main types of data that are being stolen and traded are PII, PHI and non-card financial information, as well as cardholder data.
The other trend this year is that the top 10 known vulnerabilities accounted for 85 percent of successful exploits. So this disturbing trend has worsened from last year. What we are seeing is that the attackers want to go after the easiest targets to make the most amount of money with the lowest risk.
This brings to the front the aspect of attack-defense economics. I think what we are seeing is that because the budgets are so limited, it is impossible to defend everything. In such a scenario, organizations need to determine what can be effectively defended and try to increase the cost and risk to an attacker to compromise an infrastructure.
I think the theme overall is all about the attacker's economics and that of the defender, and how a defender can really affect the attacker's economics. If the cost and risks to the attackers can be increased significantly, this will affect their return on investment. If you break this chain by prioritizing your controls, relevant to your industry, risk and assets, and see where this chain can be disrupted, you would be better off in the game.
HARAN: Overall, the picture seems to be that security has deteriorated. Is this the case? What is your take on what is going on and what can be done about it?
THAPAR: Some sectoral industries are definitely doing better than others. But that said, there are a huge number of gaps we are seeing in terms of the response pillar of security. You have the preventive controls, the detection controls, and then you have the response controls. While organizations have huge investments in these kinds of controls, enough hasn't been done as far as response is concerned.
We think, based on this data, that it is basically going to boil down to the people and the endpoints as the next level in this game. This is because we see that hacking and malware are zooming far ahead of every other type of compromise, and if we look at the kinds of assets being compromised, it becomes clear that attackers are increasingly targeting individual endpoints.
If enough can't be done on this side, then an effective response mechanism is not going to be possible. Attackers are going after the soft targets - it is easy to conduct spear phishing on an individual or deliver malware through drive-by kinds of attacks. If an organization can address the mix of phishing, malware and stolen credentials - if this chain can be broken in whatever way possible - then there is a better chance at success in the current landscape.
This could be done using security awareness, endpoint detection and response, using strong incident response capabilities, or using anomaly behavior detection, whitelisting, file integrity monitoring - whatever can be done to break this chain is going to help.
Role of Awareness
HARAN: Since the human element is so prominent in these conversations, what role is awareness going to play?
THAPAR: The human element is extremely important, and not just in terms of awareness. From the conversations we have had with organizations in the IT/ITES and BPO sectors, entities are not just looking at data analytics for their systems and security posture, but also for human behavior to address the insider threat aspect.
Awareness needs to be addressed at three levels - the board/management level, for IT administrators and privileged users, and for the end user at large. But awareness is not enough without strong deterrence controls, to make sure and demonstrate to the users and fraternity at large that things are being analyzed and monitored.
HARAN: I notice that cyber espionage is a prominent feature in this report. What do you think can be done from a legislative or regulatory point of view in the APAC region that can act as a deterrent to this kind of activity?
THAPAR: If we talk about APAC, I think organizations are bringing a huge amount of focus in terms of enhancing their cybersecurity strategy. Australia, for instance, released their cybersecurity strategy on the 21st of April. The Singapore government is going to launch their cybersecurity law in 2017. So there is a huge amount of focus in some regions. And countries like India need to learn from this and really up their game. I saw NASSCOM's report on cybersecurity professionals in India, but all I am seeing so far is words. This needs to change, and soon (see: The Evolution of Cyberlaw).
Coming to deterrence at the level of governments, this will be in the form of legal statutes. It basically comes down to having a very strong body of focused laws - both for data security as well as data privacy. Already, countries are considering removing security from wider technology legislation, and a similar route needs to be looked at in India, because cybersecurity is a much wider topic nowadays.
From an organization's perspective, we don't encourage organizations to adopt an offensive cyber strategy, because you can never be sure when you cross the thin line that separates what is legal and what isn't. Organizations need to really invest heavily into analytics, and possibly look at setting up honeypots to gather info on the kinds of threat actors coming after them and the different kinds of attacks being launched against them.