As the Principal on Verizon’s RISK team, Jay Jacobs utilizes the VERIS (Vocabulary for Event Recording and Incident Sharing) framework to collect, analyze and deliver risk data to the information security industry. He is a contributor and co-author of Verizon’s Data Breach Investigations Report series. Jay is a co-founder of the Society of Information Risk Analysts and currently serves on the organization’s board of directors. He is also one of the primary authors of the OpenPERT project, an open-source Excel plug-in for risk analysis. He is an active blogger as well as a published author and a co-host on the Risk Science podcast.
– Chinese espionage is a buzzword now. Have members of the RISK team communicated with or been approached by any Chinese entity regarding this matter? Will we see any Chinese contributors to DBIR in the future?
– I am not sure I’d label it as a buzzword. We were able to collect and analyze 120 cases that we were able to tie back to threat actors within China, and the tactics used and patience displayed by the attackers were very real and significant to the victims. We have not been approached by any official Chinese entity about this, but we have reached out to the Chinese CERT organization to discuss participation in the future. We definitely are not exposed to all the breaches that occur, and adding more perspectives and partners will help increase the confidence in our data.
– The number of your contributors increased to 19 last year. Can we attribute it to your active recruiting or did new contributors offer their help themselves?
– There is a mix, but we are always looking for more partners and actively reaching out to organizations.
– What can we anticipate next year in terms of new types of contributors, new countries?
– It’s hard to say. In the 2012 report we had 5 partners and we increased that to 19 for the 2013 report. If things go well we’d like to continue expanding our partner list, and we are actively pursuing partners outside of the US to improve international representation.
– Most breaches are discovered by unrelated 3rd parties, like ISPs, ISACs and others. Can you share the exact breakdown? If ISPs are the best in detecting – what can we do to increase their effectiveness?
– Figure 44 shows the breakdown of discovery method. Unfortunately we do not record a layer of detail beneath what you see in the report. ISPs were not well represented.
– What about attracting more ISPs to your report?
– We haven’t worked directly with ISPs concerning specific breach data but it’d be something we’d be interested in pursuing. We are very focused on gathering data to represent the threat landscape and ISPs certainly see their fair share.
– Why don’t we see any NGO or NPO coverage in your report?
– We use the NAICS system to classify industry, and it does not distinguish between for-profit and non-profit entities. Though, we generally don’t see a lot of non-profit entities in our data, which may be due in part to our collection method more than the non-profits themselves.
– Is it possible and are you planning to collect data on successes?
– I assume success means breaches that are stopped. We do have quite a few of these cases in our data. Organizations know something happened and bring in law enforcement or a forensic investigator. Typically what they’ll find is a lack of evidence of a successful breach, but they very rarely find evidence that the attacker failed. At that point, attributing a cause or correlating why the defender may have been successful becomes a challenge. But this is something we are looking into collecting more data on, at least internally, with our investigators.