Looking Before & Beyond a Breach: Lessons from a DBIR Featured Contributor

Michael Roytman    April 16, 2015

As you may know, the 2015 Verizon Data Breach Investigations Report was recently released. This is the “gold standard” research document for information security, and we’re proud to say that Risk I/O was a featured vulnerabilities contributor, providing a rich correlated threat data set that spans 200M+ successful exploitations across 500+ common vulnerabilities and exposures from over 20,000 enterprises in more than 150 countries.

With our data set in hand, Verizon focused on identifying patterns within the successful exploits in order to prioritize remediation and patching efforts for known vulnerabilities. A sample of their findings using Risk I/O data:

  • A patch strategy focused on coverage & consistency is far more effective at preventing data breaches than “fire drills.”

  • Just because a CVE gets old doesn’t mean it goes out of style with the exploit crowd (they have a reputation for partying like it’s 1999).

  • It’s important to prioritize remediation of exploited vulnerabilities, beyond the top ten or so CVEs.

  • How to tell whether a vulnerability should be patched quickly, or whether it can just be pushed with the rest.

Probably the most interesting statistic that came from our research is that attackers aren’t just going after the flashy, media-worthy vulnerabilities. An astonishing 99.9% of vulnerabilities that become exploited are at least a year old. It’s not the newest ones that attackers are using, it’s some of the oldest ones on record.

[Figure: cumulative percentage of exploited vulns by weeks from CVE publish dates]

Of all of the risk factors in information security, vulnerabilities are probably the most controversial. Which vulnerabilities should be patched? And more generally, what can we all do before a breach to improve vulnerability management programs? Many more data-driven recommendations for improving your remediation strategy can be gleaned from this year’s report.

The Verizon Data Breach Investigations Report is a must-read for InfoSec professionals, and Risk I/O is proud to have participated. A special thanks to Bob Rudis and Jay Jacobs for their help and patience.
