One of the security industry reports most-cited in sales calls, vendor pitches and marketing collateral is at it again this year, with more ammunition for managed service providers selling security services. This year's Verizon Data Breach Investigation Report (DBIR) shows yet again how much opportunity there is in the MSP market for building out security practices and baking in added security value into general IT services.
An examination of statistics from real-world breaches investigated by Verizon's (VZ) forensics team, the DBIR most startlingly shows that in 60 percent of investigated incidents the attackers were able to compromise a target organization within minutes. Meanwhile, though many breach victims will publicly claim great sophistication in attacks involved with their particular breach, the truth is that the vast majority of the 80,000 incidents analyzed in the DBIR this year are attributable to just nine attack patterns.
The researchers say that 96 percent of breaches are due to either miscellaneous errors, such as sending an email to the wrong person; crimeware (various malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; Web app attacks; denial-of-service attacks, cyberespionage; point-of-sale intrusions and payment card skimmers. In fact, 83 percent of incidents are attributable to just the first three types of attack patterns.
Similarly, the report showed that 97 percent of all the exploits involved in breaches examined in the report took advantage of just 10 common and already well-known vulnerabilities, many of them years old.
"The point of a study like this is to show the reader which vulnerabilities are being exploited so you can supplement your patching programs with compelling knowledge and mitigate huge swaths of risk with this powerful information," says Bryan Sartin, director of the forensics practice for Verizon.
Meanwhile, managed security service providers (MSSP) in particular can see some of this as a directive and a proof-point for customers to up their game in vulnerability management.
"I think from an MSSP perspective, especially those working with smaller companies that may not have a lot of staff to deal with the IT work that needs to be done for the general health of their network, if that MSSP can help them look at vulnerability scan data and manage that vulnerability management practice the organization, this shows that would be a good thing for them to do," says Bob Rudis, managing principal and lead author of the report.