Cybersecurity threats follow certain patterns and are not chaotic, Verizon's Managing Principal for RISK Intelligence Wade Baker said today during a webinar to discuss the company's widely reported most recent Annual Data Breach Investigations Report (DBIR). With acknowledgement to science and spiritual philosopher Gregg Braden, who popularized the concept of repeating patterns in nature called fractals, Baker said that the key to understanding how to manage data breaches is to look for patterns of simplicity. "If we do, it's really important to how we defend our systems," he said.
If cyber threats are complex, then the methods of managing them become complex too. But if you look for similar and repeating patterns, then effective systems of combating threats emerge. "If it’s chaotic, then we have to implement complicated controls," Baker said. But "if there are patterns, we can set up logical defenses instead of worrying about the seemingly more complex" and ultimately difficult-to-implement solutions.
In analyzing the data shared with Verizon by 19 global organizations, "we see these patterns emerge and those patterns are pretty clear and distinct from each other...they're not chaotic." Citing one analysis of 315 incidents that could be categorized according to associations among actors, actions, assets and attributes (the 4 "As" set of metrics developed as part of the Vocabulary for Event Recording and Incident Sharing, or VERIS), Baker noted that there are ten or twelve patterns that seem to be repeated constantly.
"This is really good news for defenders," he said. For example, if a firm has intellectual property or trade secrets, then understanding the patterns of groups that target these kinds of assets makes for a much better defense.
During the webinar, Baker offered additional insight into the DBIR's findings. One conclusion from the report is that the number of breaches for small firms (fewer than 100 employees) rose substantially between 2011 and 2012, with 193 of the 621 relevant breaches attributable to small companies. Baker suggested that these are mostly small engineering firms that manufacture parts that will go upstream into the defense industrial base.
Another finding from the report suggests that state-affiliated breach incidents jumped dramatically between 2011 and 2012. However, Baker suggested that the huge jump in those breaches reflects better methods for identifying state-affiliated attacks and does not necessarily reflect a rise in those kinds of breaches. "This is an increased ability to recognize that activity," he said, due to better information sharing and the rise of more groups tracking those actors.