Some worrying/fascinating stats:
- Only 7% of data breaches are identified through a detection process
- It takes weeks to do anything about them (pp22-23)
- Two thirds of breaches involved data that the organisation did not know was present on the system (p25)

On the bright side, a basic patching strategy would protect against most attacks – even if the patches are applied weeks late.
And to wrap up, one of the SANS editors puts this report into context (my emphasis):
“The learning that results from this kind of forensic analysis of actual security failures is invaluable if it is used as feedback to inform our security investments. It also is useful to guide the selection of security outcome metrics we should be tracking on a continuing basis to determine how well or poorly our security investments are working. Cybersecurity begs for more application of causality oriented feedback learning. The lack of this type of analysis and feedback is a great weakness in so-called risk management.”
Download the report here (it’s only 27 very readable pages).
More comments etc:
Finally, you can get on the SANS mailing list via http://portal.sans.org/.
Update (24 June)
Bruce Schneier has now picked up on this – expect some interesting chat here.