Every year for the past twelve years, Verizon has published a comprehensive briefing on their annual data breach investigations. They call it the Data Breach Investigations Report (DBIR), and this year's is built upon their analysis of 41,686 security incidents. I do recommend that you go and read the full report from Verizon—but, bear in mind that it's 78 pages long and begins with a quote from Rumi. Just so you know what you're in for.
If reading the whole thing isn't in the cards for you right now, I went ahead and summarized a few points that jumped out as being particularly noteworthy for those of us invested in cloud-native security (which should be everyone whose business relies on cloud-scale development). Let's get into it!
56% of breaches took months or longer to discover.
Dwell time has become a far more familiar term than we'd like (grab a quick history of the stat here), but, like phishing, just because we're sick of talking about it doesn't mean it's not a serious problem. The average threat can lurk undetected inside an environment for over 100 days, a number that's actually increased over the past few years.
Impacts of the Cloud on Dwell Time
One reason for longer dwell times is the fact that, as you move to the cloud and diversify your infrastructure, your perimeter goes from being a concrete wall to a chain-link fence. Not only do more attack vectors present themselves, but the nature of the public cloud is such that users won't necessarily have the same level of visibility as they do on-prem.
Another complication is that because cloud security is a rapidly evolving category for everyone involved, many consumers lack a firm and process-backed understanding of the shared responsibility model that dictates exactly which aspects of your cloud environment you're personally responsible for securing, as opposed to what your cloud service provider will protect.
The good news is, the cloud is also perfectly designed to combat longer dwell times via intelligent automation. If you actively build cloud-friendly applications, they'll become significantly more resilient and open to automation. You could, for example, automate your VMs to shut down on suspicious behavior; from there, your elastic scaling layer would notice the lost capacity and spin up a fresh instance to cover the gap.
The Missing Piece of SOC Visibility
Of course, the cloud isn't the only thing to blame for longer dwell times. The standard SOC reliance on endpoint detection and response (EDR) plus SIEM products has resulted in a general lack of east-west visibility, meaning visibility into the communications within a network itself. That means that once an attacker does breach your increasingly permeable perimeter, it's unlikely you'll notice unusual behavior or communications unless you're specifically looking for them in a sea of other data.
Learn how network detection and response (NDR) products complement these other sources of visibility for better security control coverage in this SANS Institute webinar.
60% of compromised web applications (the top hacking action vector of 2019) were the front end to cloud-based email servers.
A couple of things here. Most of these attacks were brought to us by stolen credentials. A lot of the ways people steal credentials sound like a less metal organ trade, considering you can harvest creds or buy them on the black market, but by far the most effective method is still phishing. Nobody has figured out how to solve phishing. Somebody please do this and retire young.
Anyway, it really cannot be said enough: cybersecurity involves everyone, and if your company does not regularly invest time, money, and patience in reminding employees about basic security best practices, well... please reconsider.
A Cloud-Native Mindset
The whole "security as everyone's job" concept is even more critical for cloud-native businesses and development workflows. One of the main benefits of the cloud is how flexible it allows you to be and how quickly you can move, but that means the security team needs to either accept the inevitability of mistakes and misconfigurations, or push back against rapid development and therefore against business goals. Neither of these is a good option.
A cloud-native security mindset goes beyond tools and technologies. Instead, we view it as a full-on philosophy. It means accepting that what works on-premises can't just be stretched and tweaked to fit the cloud, both in terms of detection and response workflows and in terms of policy enforcement. The cloud fundamentally changes what you can do, so it must also fundamentally change how you secure what you do.
Easier Patching and Scanning
Which brings me to point number two for this stat: a large share of these vulnerabilities could have been closed by patching or regular vulnerability scans. Patching is hard because the IT team generally wants to keep using those applications during the months a patch cycle can take, and here's another spot where the cloud shines: you can tear down a cloud application and stand up a new version extremely quickly, and by doing this on the regular, you'll by default limit your possible dwell time.
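The two cloud behaviors described above (shutting down a VM on suspicious behavior and letting the scaling layer backfill it, and routinely tearing down and redeploying to bound dwell time) are the same reconciliation loop. The following is an added illustration written for this summary, not code from the original post or from any cloud provider: a toy reconciler over an in-memory fleet. `Instance`, `Fleet`, `reconcile` and the image and instance identifiers are all constructed stand-ins for an autoscaling group fed by a detection source.

```python
"""Added illustration, not code from the original post: a toy reconciler that
models two cloud behaviours at once. Instances flagged by a detection source
are terminated (quarantine by replacement), instances running a stale image
or older than a maximum age are rotated, and desired capacity is restored by
launching fresh instances from the current patched image. All names and
identifiers are constructed; this is not a real cloud provider API."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class Instance:
    iid: str
    image: str          # image identifier the instance booted from
    age_hours: int      # hours since launch
    suspicious: bool = False


@dataclass
class Fleet:
    desired: int
    current_image: str        # the patched image new launches should use
    max_age_hours: int        # rotate anything older than this
    instances: list = field(default_factory=list)
    terminated: list = field(default_factory=list)
    _ids: count = field(default_factory=lambda: count(1))

    def launch(self) -> Instance:
        inst = Instance(f"i-new{next(self._ids):03d}", self.current_image, 0)
        self.instances.append(inst)
        return inst


def reconcile(fleet: Fleet, alerts: set) -> dict:
    """One reconciliation pass. `alerts` is the set of instance ids a
    detection source flagged. Returns a summary of what was done."""
    for inst in fleet.instances:
        if inst.iid in alerts:
            inst.suspicious = True
    # Rotation: anything not on the current image, or simply too old, goes.
    stale = [i for i in fleet.instances
             if i.image != fleet.current_image or i.age_hours > fleet.max_age_hours]
    # Quarantine: a flagged instance is terminated rather than patched in place,
    # so an intruder loses the foothold and the fleet loses nothing but capacity.
    quarantined = [i for i in fleet.instances if i.suspicious]
    to_remove = {i.iid: i for i in stale + quarantined}   # dedup by id
    fleet.instances = [i for i in fleet.instances if i.iid not in to_remove]
    fleet.terminated.extend(to_remove.values())
    # Backfill: the scaling layer notices lost capacity and launches replacements.
    launched = []
    while len(fleet.instances) < fleet.desired:
        launched.append(fleet.launch().iid)
    return {
        "quarantined": sorted(i.iid for i in quarantined),
        "rotated": sorted(i.iid for i in stale if not i.suspicious),
        "launched": launched,
        "healthy": len(fleet.instances),
    }


def demo() -> dict:
    """Constructed fleet: one healthy, one stale/old, one flagged as suspicious."""
    fleet = Fleet(desired=3, current_image="ami-v2-patched", max_age_hours=72)
    fleet.instances = [
        Instance("i-0a1", "ami-v2-patched", 10),
        Instance("i-0b2", "ami-v1-old", 200),     # stale image and over max age
        Instance("i-0c3", "ami-v2-patched", 40),
    ]
    return reconcile(fleet, alerts={"i-0c3"})


if __name__ == "__main__":
    print(demo())
```

The point of keeping quarantine and rotation in the same pass is that both are just "this instance no longer belongs in the desired state"; a fleet that is rebuilt on a short cadence already has the replacement path exercised, so responding to an alert by terminating the host costs nothing new.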
Scans, on the other hand, can be easier said than done (or at least, easier scanned than acted upon) in part because scanning with traditional security tools also results in a whole bunch of false positives, alert fatigue, and infrastructure costs. Learn how advanced behavioral analytics, one of the key differentiators of NDR products, can help reduce alert fatigue and improve security hygiene.
Short attack paths are much more common than long attack paths, and the second-most common first step was the result of user error.
In the hierarchy of entry points in the attack chain, right below hacking comes user error. Combined with the insight into how long attack paths tend to be, this both reinforces the last point about how security awareness is super important, and reminds us why it does actually make a huge difference if you can detect attacks as soon as they breach your network rather than days or weeks afterwards.
That part sounds obvious, but one consequence of a standard model of doing things is complacency. We're all guilty of it in various ways, and one thing we tend to see over and over again in the InfoSec space is that people are used to slower and more manual workflows, think they work well enough, and therefore are not all that motivated to change.
The more complicated and varied your infrastructure and applications, however, the more opportunities there are for misconfigurations and for missed signs of an attack. Cloud-native NDR products are able to detect subtly weird behavior in real time, inside the perimeter, across hybrid environments. They can also correlate events to form a contextualized map of the attack path so threat hunters can act fast. You can watch an example of this here.
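To make the two ideas concrete, east-west visibility (from the SOC visibility section above) and correlating events into an attack path (this section), here is an added example written for this summary. It is not code from the original post or from any NDR product. It learns which internal host pairs normally talk during a baseline window, flags internal-to-internal connections outside that baseline, and chains the flagged connections in time order into a path starting from the first compromised host. The flow records, addresses, ports and field names are all constructed sample data.

```python
"""Added illustration, not code from the original post or any NDR product:
a minimal east-west monitor. A baseline of internal host-pair/port triples
is learned, live internal flows outside that baseline are flagged, and the
flagged flows are chained into an attack path from a known origin host.
All records and identifiers below are constructed."""
import ipaddress

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_flows(text: str) -> list:
    """Each line: <ts> <src> <dst> <dport> <bytes> (constructed format)."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def build_baseline(flows: list) -> set:
    """Set of (src, dst, dport) triples seen for internal-to-internal traffic."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows
            if is_internal(f["src"]) and is_internal(f["dst"])}


def flag_east_west(flows: list, baseline: set) -> list:
    """Internal connections never seen during the baseline window."""
    return [f for f in flows
            if is_internal(f["src"]) and is_internal(f["dst"])
            and (f["src"], f["dst"], f["dport"]) not in baseline]


def attack_path(flagged: list, origin: str) -> list:
    """Chain flagged flows: starting at `origin`, follow each flagged
    connection whose source is already on the path and which happened after
    that source was reached. Returns ordered (src, dst, dport) hops; flagged
    flows that never connect back to the origin are left out as noise."""
    reached = {origin: -1}
    path = []
    for f in sorted(flagged, key=lambda f: f["ts"]):
        if f["src"] in reached and f["ts"] > reached[f["src"]] and f["dst"] not in reached:
            reached[f["dst"]] = f["ts"]
            path.append((f["src"], f["dst"], f["dport"]))
    return path


# Constructed baseline window: normal workstation -> web tier -> database traffic.
BASELINE_LOG = """
100 10.1.1.20 10.2.0.5 443 5000
101 10.1.1.21 10.2.0.5 443 4800
102 10.1.1.20 10.3.0.9 445 900
103 10.2.0.5 10.3.0.10 5432 12000
"""

# Constructed live window: 10.1.1.20 is the phished workstation. Flow 204 is
# a new workstation doing something benign and is flagged but never chained.
LIVE_LOG = """
200 10.1.1.20 10.2.0.5 443 5100
201 10.1.1.20 10.1.1.21 445 700
202 10.1.1.21 10.3.0.10 3389 65000
203 10.3.0.10 10.3.0.11 5432 200000
204 10.1.1.22 10.2.0.5 443 4000
205 10.3.0.11 203.0.113.7 443 9000000
"""


def demo() -> tuple:
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    flagged = flag_east_west(parse_flows(LIVE_LOG), baseline)
    return [f["ts"] for f in flagged], attack_path(flagged, "10.1.1.20")


if __name__ == "__main__":
    flagged_ts, path = demo()
    print("flagged flows:", flagged_ts)
    for src, dst, port in path:
        print(f"  {src} -> {dst}:{port}")
```

Two things this shows that the prose alone does not: an endpoint-only view never sees flows 201 through 203 at all, because they are host-to-host inside the perimeter; and flagging on its own still leaves the analyst with a pile of alerts (flow 204 is an anomaly too), whereas chaining by time and by who-reached-whom separates the path from the noise.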
Final Thoughts
The main takeaway of this year's report is more or less the same as it is every year: cybersecurity is a constantly shifting, infuriating, and fascinating arena that will play an increasingly large role in which companies succeed, and which fall by the wayside as their customers lose faith.
Not only that, but more and more of daily life is on devices, in the cloud, and validating Black Mirror's not-so-futuristic futurism at an alarming rate. I don't say that to be a downer, but just to reiterate that it's important that we all—not just SecOps and not just engineers—read reports like these, discuss their implications, and design solutions for the world we're in and the world we're going to be in soon instead of the world that no longer exists.
On that note, IDC just put out a workbook for cloud security best practices where they talk about exactly this. Download a copy for strategies, requirements, and a handy checklist you can use to vet and compare cloud security vendors.