I read a lot of IT security reports, both to keep me informed for my job and also to discuss on the security podcast I co-host. These reports typically detail important attack trends, which is useful to those of us who need to defend our employer’s systems by prioritizing the finite resources we have. We have to be careful when we read these reports, however, to understand their limitations and to recognize that sometimes reports are in direct conflict with each other.
For example, we discussed the DTEX Systems Insider Threat Intelligence Report on episode 189 of the podcast. This report had an important finding:
People are the weakest security link — 60 percent of all attacks are carried out by insiders. 68 percent of all insider breaches are due to negligence, 22 percent are from malicious insiders and 10 percent are related to credential theft. Also, the current trend shows that the first and last two weeks of employment for employees are critical as 56 percent of organizations saw potential data theft from leaving or joining employees during those times.
60% of attacks are carried out by insiders. That matches the intuition many of us have about security threats to our organization. That sort of data is very helpful in prioritizing security investments. From this report, I might want to invest in systems to more closely monitor employee behavior, or implement new separation of duties controls into processes, or improve background checks. Even DTEX themselves coincidentally make a product that helps with monitoring employee activity.
Then the venerable Verizon Data Breach Investigations Report (DBIR) comes out. The DBIR includes this nice graphic:
That’s right, 75% of breaches are perpetrated by outsiders. How do I reconcile the two very different conclusions? I fear that it’s not possible. Both reports have biases. The DTEX report indicates their data comes from analyzing risk assessments from 60 companies. The data being analyzed appear to be limited to clients of DTEX. Possibly all or nearly all of those companies had a pervasive insider threat problem and brought DTEX in to help, and so the DTEX report is based on a pool of companies that self-selected with higher-than-average insider threat problems. Or possibly it’s the “when you’re a hammer, everything looks like a nail” syndrome.
On the DBIR side, the opposite may be true. The DBIR data comes from CERTs and many other incident responders. It is possible that breaches that arise from insiders often may not be referred to outside help. That certainly has been my experience over the past few decades. Many firms do not want to air their internal dirty laundry, choosing instead to handle the investigation and any punishment as an internal matter, particularly if an employee improperly accessing data does not create a reportable breach. If this is true, then the DBIR data would be skewed toward external sources of breach. There is an array of other potential confounding factors to explain the differences. Another notable hypothesis is that credential theft is a common method of entry for external actors and that the DBIR is categorized by the actual actor, not the person whose credentials were stolen. If the DTEX report did not account for this, then it’s possible that a percentage of the 60% of insider attacks are, in fact, outsiders using the credentials of an insider.
I am not intending to detract from either report. I believe that the more data we have the better off we will be, so long as we understand the limitations of what the data can tell us. Hopefully you ask yourself questions about how much you can infer from the data when reading these reports; however, sometimes it is not obvious that there is a problem until you compare two reports side by side and see the differences. The right way to read the DTEX report, in my view, is to add the words “Of DTEX customers, 60% of all attacks are carried out by insiders” and similarly for the DBIR “Of breaches investigated by participating partners, 75% of breaches are perpetrated by external actors.”
The cynic in me says that the widely divergent findings of these breach reports are not unwelcome to IT security leaders. As it stands today, I can find a published report that can help me justify just about anything I may want to invest in. If I want to invest in additional malware controls, like whitelisting, I am going to reference the DBIR in my budget requests. If I want to invest in monitoring the activities of my employees, I’ll reference the DTEX report. And so it goes. There are dozens of reports from different vendors with different angles and with different findings.
For those of us who are looking for an unbiased view of the threat landscape to help with investment planning, the divergent findings of various reports make for a tough road.
Thanks for the post, and valid points (specifically, understand where the data came from before assuming validity).
On insider threats specifically, it’s been a subject of much academic work (the source of threats) for behavioural infosec researchers for a while, often by researchers trying to understand the reasons behind information security policy compliance (or non-compliance, as it were). There is a popular threat vector taxonomy that breaks down the thinking a little more, as it considers both intentional and unintentional (or malicious or non-malicious) threats, where non-malicious threats can be anything from not following policy and forgetting a USB drive with data somewhere to sharing credentials without malicious intent. Either way, the scope for “insider” can be pretty broad, and this often inflates the percentages given – as you’ve highlighted.
The interesting thing is the impact of these reports is broader than just private sector; take a look at much of the contemporary behavioral infosec research and you’ll find reports like the DBIR often cited as evidence of relevance for whatever research the paper concerns itself with. Bias everywhere 🙂
Indeed. To the credit of the DBIR authors, they include a lot of caveats and highlight the limitations of their data. Most other reports are not as forthcoming with those sorts of details – I am not sure that they are even aware those limitations exist, in some cases.