Inside the 2011 Verizon Breach Report

Investigator Bryan Sartin on the Hot Trends and Targets
Inside the 2011 Verizon Breach Report
The latest Verizon Data Breach Investigations Report is out, and the good news is: The number of compromised records is down. The troubling news is: The number of breaches is up. Bryan Sartin, one of the report authors, explains why.

When it comes to picking a target these days ... criminals realize it makes more sense to target rabbits than it does to target elephants," Sartin says. "If you think of yourself being in the jungle, if you bring down an elephant, you can feed off that thing for months. But what if you get hurt bringing down the elephant, and what are you going to do with the carcass when you're done?

"More and more smaller breaches have been the big story, and certainly, those smaller organizations - the rabbits, so to speak - they don't offer much meat to the perpetrator."

Discussing the top headlines of this year's report, Sartin says there is good news for information security professionals.

"We're seeing evidence in certain sectors that security is becoming more effective, that people are getting the message," he says.

Another headline is that the face of cybercrime really isn't all about nation states and advanced persistent threat - incidents that have dominated recent news. "In reality, when you look at real electronic crimes, the ones that actually affect public, private sector companies around the globe ... at the end of the day, the very, very vast majority of crimes are still financially motivated, just like they were in the old days."

In an exclusive interview offering color commentary on Verizon's 2011 report, Sartin discusses:

  • Why fraudsters are targeting smaller targets;
  • Breach trends globally;
  • How organizations can protect themselves and their customers.

With more than 15 years experience in the security arena providing industry-leading services and support for commercial and government organizations, A. Bryan Sartin heads up the investigative response team at Verizon. As a senior forensics examiner, Sartin has taken the lead in many high-profile data compromise investigations in the Americas, Europe, and Asia-Pacific.

In addition, Sartin is well-versed in both criminal and civil computer forensic procedures, is a certified expert witness, and is a frequent course instructor and speaker on the topics of incident response planning, computer forensics, and regulatory compliance.

Sartin joined Verizon from Cybertrust, a leading security solutions provider acquired by Verizon in 2007. At Cybertrust, he served as vice president of investigative response. Prior to joining Cybertrust, Sartin was director of technology at Ubizen, which was acquired by Cybertrust.

Sartin received his education at Rensselaer Polytechnic Institute.

TOM FIELD: So, Bryan, as I look through the summary of this, I see the number of breaches is up dramatically, but the number of compromised records is even more dramatically down. How can this be?

BRYAN SARTIN: Well, the biggest reason for that -- I think that it certainly surprises most people -- but today, a lot of the best criminals, the most effective ones ...those guys are behind bars these days. We've seen it in the U.S. last year with the Albert Gonzalez arrest and prosecution, the largest electronic crime successful prosecution in history.

If you Google Dutch High Tech Crime, for example, you'll find press release after report after report of successful prosecutions. And, in reality, these days our threats are not necessarily stemming from hackers inasmuch as they are crackers, to put it in very basic terms. It's not organized criminals as much as it is frequently more disorganized crime. And in fact today, I think, criminals have realized already that when it comes down to the hacking and organizations, if especially when they take down big organizations, they're classical targets. They tend to leave a footprint behind, and that footprint leads to arrest.

And I think a Secret Service person summarized it the best: When it comes to picking a target these days, with those lessons learned, criminals realize it makes more sense to target rabbits than it does to target elephants. And if you think of yourself being in the jungle, if you bring down an elephant, you can feed off that thing for months. But what if you get hurt bringing down the elephant, and what are you going to do with the carcass when you're done? But more and more breaches, more and more smaller breaches have been the big story, and certainly, those smaller organizations - mthe rabbits, so to speak - they don't offer much meat to the perpetrator.

Good News or Bad?

FIELD: From your perspective, Bryan, as an investigator, do you take this as good news or bad news?

SARTIN: Well, we do see some good news. The good news is we're getting better. The good guys get better, and especially where we're getting more effective is in business intelligence. Sharing in intelligence today between government regulators or federal regulators, industry regulators, law enforcement groups and private investigation companies like ourselves, sharing things like customized malcode signatures, things that have never been seen before, and once it's seen in, you know, Guatemala, for example, today, everyone around the world knows what that looks like and how to detect it. Pooling indicators of compromise or indications of crimes in motion, all those little facets make us more capable of not only recognizing crimes more quickly during an investigation, moving more quickly toward containment, but I think more importantly, they allow us to tie basic patterns, tools and methods, sources and assets like that, across multiple investigations back to known organized crime groups and known criminals.

I guess what I'm saying is it better sets the stage today for arrest and prosecution better than ever before. And you might not know this - the public certainly doesn't see this - but right now today, more and more often than not, investigations actually lead to arrest and prosecution even before image number one is taken. So that old adage of the conventional digital forensics investigation taking 50 images and bringing it all back to the lab, analyzing it and figuring out what happened, producing a report 120 days later and turning that over to law enforcement, that's long since gone. Oftentimes, the best findings are done before we show up on site, really because of a lot of cloud based technologies that we're able to bring to bear. And these days, a lot of times we can find the scope of the investigation remotely without sending people onsite, and when we do arrive, you might take one or two images simply to confirm what you could find in remote investigations.

2011 Headlines

FIELD: So we talked about one element of the report. What would you say are the key headlines of this year's study?

SARTIN: Well, in my mind, the key headlines are we're seeing evidence in certain sectors that security is becoming more effective, that people are getting the message. Another headline, and I think it perhaps even more important, is that crimes are, in fact, nothing like what people read about. If you just rely your IT intelligence around electronic crimes off what you read about in the newspapers and the blogs these days, you'd think it's all about the Chinese government trying to steal things and nation state crimes and advanced persistent threat. In reality, when you look at real electronic crimes, the ones that actually affect public, private sector companies around the globe, government agencies and critical infrastructure, in fact, it looks nothing like that. It's the same basic crime still over and over again. And despite all this nation state hoopla, at the end of the day, it's still the very, very vast majority of crimes are still financially motivated, just like they were in the old days.

But one last takeaway for you is there is a general perception amongst the security space around the globe that, hey, I'm in Singapore, for example, or I'm in Germany, and I don't want to hear about what happens in the U.S., or I don't want to hear about credit cards or whatever because that's not my business. And where I am in the world or what kind of data I handle makes risks and threats different for me. I want to hear only about what affects me. In reality, that sounds so walleyed to me as an investigator, and I hope with Dutch High Tech Crime, with the U.S. Secret Service, totally different, almost opposite law enforcement angles on electronic crimes coupled with ours, you know, as perhaps the largest private investigation company's perspective on electronic crimes the world over - when you put these three disparate caseloads together from completely different parts of the world, what you suddenly see is it doesn't matter where you are. It doesn't matter what business, public, private sector, what data type you handle. Risks and threats are basically static around the globe.

Changing Trends

FIELD: Bryan, what do you find has changed the most since last year's report?

SARTIN: Caseload bias. I'd say that in the past, when we used to produce the reports with just Verizon data, caseload bias certainly was a factor. And sometimes certain parts of our findings, when they were pressed, the end result would be, well, companies like us tend to handle a certain kind of cases, tend to get hired by certain organizations in only certain parts of the globe. And that resulted in a little bit of bias in our data, admittedly. And that was one of the impetus behind introducing a third party and third party data, is now suddenly we have two different angles on electronic crimes. We have more data and less caseload bias, thus our conclusions become more relevant for a broader audience. And in here, in this year's study, I'm very pleased to report that we have even less caseload bias. In this case, the Dutch High Tech Crime has a very unique caseload, really centered very much around malcode botnets, and they have tremendous capabilities in those areas that really law enforcement groups elsewhere just simply don't have. And we saw a lot of that in the role in the WikiLeaks attacks and some of the other big successes they've had in the public eye lately.

Top Threats

FIELD: Given this broader perspective, what do you see as the top threats to organizations, and how do these differ, if at all, in the global regions you look at?

SARTIN: Well, you know, the top threats, I would say that still today we're seeing a lot of the same data types being targeted. We're still seeing a lot of those threats being tied back to known organized crime groups and known individuals. Hacktivism has certainly become a bigger piece of the pie than it has before, and, you know, hacktivism is a little different. It proves a point as opposed to stealing data. But at the end of the day, I would say there has been a major transition in terms of threats, and to look at it geographically speaking, historically, most of the attacks we saw targeted consumer records - credit cards, debit cards, wire transfer, you know, ACH fraud, and aspects like that. And much of those crimes, historically, were, in fact, sourced in Eastern Europe, the former Soviet Union, you know, Belarus, Romania, Bulgaria, the Ukraine. But that's, believe it or not, it's still in the number one spot for us, but it's a rapidly declining category. And what we see really now today, if you add up Asia East, Asia South, Southeast, and also Oceania, Australia, New Zealand - Asia Pacific, as a region is the number one source of electronic crimes, but yet, interestingly, it's also the number one source of demand for us, IT investigatively speaking.

Top Solutions

FIELD: From that perspective, Bryan, what do you find is working to both detect and prevent the threats that you're seeing?

SARTIN: Well, what's working, I think the first thing is certainly find the data. I hate to seem like a broken record when I talk about this, but why is it still today that almost 90 percent of all the data stolen comes from sources of data these companies don't know they had? And it points to something very interesting. If we had to rely, especially in big crimes, on our customers' perception of what systems were and were not in scope in the course of that data breach investigation, nine times out of 10, we'd be looking in the wrong place.

And why is it after all these years of harping on the concept of know what data is sensitive and what can't leak out - figure out conclusively where that is - why doesn't anyone get the point? That's not a public sector or private sector problem only. It's global.

But more importantly than that - and this is something we're seeing; this is one of these intelligence pieces we've been able to bring to bear in investigations lately that is really turning the tide and I firmly believe is changing the nature of IT investigations - is indications of crimes in motion. The old adage, when it came to IT, almost the holy grail of security event management was - we've all heard this; I'm sure you've heard this 100 times in the past from IT people - how do I find the needles in the haystacks? I have firewall logs. I have IDS and intrusion prevention. I have all these other sources of data, and I have all this nuisance events, these false positives. How am I supposed to weed through all this stuff and find the real needles, the interesting events? In reality, if you know exactly what electronic crimes really look like at the end of the day and you know what they don't look like, in fact, there's a smarter way to do it. It's not about finding needles in haystacks; it's about finding the haystacks.

So looking at it from 10,000 feet, what we've been doing is employing our technologies. If we say, when it comes to pre-attack research, when it comes to points of entry, when it comes to data exfiltration, there are, in fact, combinations of events - not just one or two, but many events - combinations of TCP sequences and blended threats that together completely signify, substantially signify, a crime in motion or crime in progress. And we can retune our event monitoring systems and employ some different types of technologies to help identify those crimes in motion. Instead of identifying suspicious activity and trying to quantify and classify risk, isn't it a lot easier to identify real elements of risk and crimes in motion like that and rapidly recognize and react to them, limiting the impact of security breach before they blow up and become something insidious?

Recommendations

FIELD: Bryan, a final question for you. What are some of your top recommendations for organizations to be able to better detect and prevent these breaches that we're talking about?

SARTIN: I'd say the top recommendations go to what I was just saying. Again, stop looking for those needles. Stop trying to look at all those disparate sources of suspicious activity. Even the concept of classical security event monitoring and correlating all these logs and bringing these disparate source event logs together to a single place and trying to facilitate alerting from that is still today, that's old hat. It's quickly become an old-fashioned way to do it.

Again, we're trying to do this in a data breach report. This is not just about a study to give organizations insight into how these crimes happen, what the hard lessons are. Yeah, it's a study about security failures and not successes and what people can take away from it. But in reality, we're trying to provide, based upon the current electronic crimes landscape - again, real world crimes - what that recipe for success is on how to stay out of the headlines.


About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.