Right of Boom
January 30, 2025

One Year Anniversary – Verizon Data Breach Report

In this video, Phil from Verizon and industry expert Joe Panettieri discuss the Verizon Data Breach Investigations Report and its implications for cybersecurity trends. They delve into the complexities of data breaches, the importance of strong cyber fundamentals, and the critical role of human elements in security incidents. The conversation also covers the challenges faced by small businesses in managing cybersecurity and the importance of credential management, multifactor authentication, and privilege management in mitigating risks.

- The webinar discussed the significance of understanding cybersecurity trends and the importance of human factors in data breaches, as highlighted by the Verizon Data Breach Investigations Report.
- The importance of credential management, multi-factor authentication, and access control was emphasized as critical steps for improving cybersecurity in small and medium-sized businesses.
- The report revealed that a significant portion of data breaches involve human errors, underscoring the need for strong cyber fundamentals and not just technological solutions.

Guests

Andrew Morgan

Video Transcript

All right. We are live for the one year anniversary of the cyber call. Sounds like the Bulldog was excited about that, Ryan, if I heard correctly in the background, giving us some props. That's awesome. So, um, we've got a phenomenal show today with, uh, Phil Langlois from Verizon, specifically the Verizon Data Breach Investigative Report. We're joined by industry, uh, icon Joe Panettieri of MSSP Alert and ChannelE2E, as always, Gary Pica and Ryan as well.

Um, and then, um, unfortunately Wes couldn't make it today, but sends regards to everybody. Listen, He takes a risk, man. If this show goes well, he might be out. Joe, Wes is out. Wow. Pressure's on. All right. News you lose And we'll take Phil. I, I'm not picky. Yeah, no offense, Joe. Um, alright, so, cheers. Happy anniversary. Yeah, thanks, man. Yeah, yeah.

One year you guys, before we get started, can I just say, Andrew, you know, uh, people see it's on here, you know, having fun, but they might not see all the hard work you do of constantly finding guests preparing us so that we look good. Um, you spend a lot of time on this, uh, so that we can come on and take all the credit, and I appreciate it. My, it's my, it's been my pleasure. Uh, you know, it's, uh, I think, you know, I think we've done some good stuff for the channel.

I hope that's what everybody feels. Um, you know, so, um, anyway, that's what we wanted. That was the whole point of it. Um, so thank you for that, Gary. Yeah, Man. And, and last thing I wanna say is I get so many, so much feedback, like, just from my members, and I hear them quoting things and sending each other the links and, and so I can see that it's making a difference. So thank you. Awesome. Fantastic.

Well, just some stats, um, over the course of the year, as you guys can see in the registration, almost three, we almost made it to 3000. Um, but we, we impacted almost 3000 MSPs. Um, and, um, let's see, we are in, uh, six continents as well. People from six different continents have come to us. So, and, uh, thanks to my beautiful girlfriend, RZA, for that very nice comment out there. So thank you for all your support through all this craziness. So, um, let's get on into it.

So a few things up at the top I put in, and I'll put it in again. Um, just, uh, uh, you'll see it way up there. If you just scroll up. The Verizon Data Breach Investigative Report is there for everybody to go get and download. Other thing Threat modeling Workshop, Gary. Very, very cool. We now have a landing page for that. You'll find that in the call to action at the bottom. It's in green there, you'll see it.

And I'm also gonna throw in shortly back into, um, chat, just one other thing, which is the, um, uh, the, uh, Ryan, for those of you that know or are interested in CMMC, um, we have a two-part webinar starting, uh, on the 10th of this week. It's at 11:00 AM Eastern. Uh, and that is, uh, with, with Ryan Bonner and, uh, and Ken Tripp at, at NetworkX. And you're gonna have a shot to win, uh, a consulting engagement with Ryan, uh, for your MSP. So that's, I think all the announcements. Gary.

Oh, lastly, Gary. Next week we're going to have the gender reveal, AKA the TruMethods reveal party. You wanna just tell a little bit about that, what we're gonna do? Yeah. So next week we're gonna take people and show 'em what we've been working on, uh, with, um, a content track around cybersecurity that's in the TruMethods portal. And then we're gonna give anybody who wants it, um, some access, they can come and just check it out.

And while they're in there, we're gonna give 'em full access to all the TruMethods content, not just, uh, not just that track. So we're, we're excited and, um, we'll spend the whole hour on it and some other content that we'll do. So we'll have a, it'll be really fun. Alright, let's go around. Alright, I'm, I'm distracted. I'm, I'm chatting with your girlfriend right now saying that she and I have to talk and compare Andrew stories without you. As long as my wife's not involved.

Alright, let's help Phil out here. Phil. Enough. Uh, you know, We're much Phil. Normally since our anniversary, we're usually much more professional than this. Yeah. Are we sure where Wes is today? Yeah. Uh, um, okay. So with that, let me, I'm gonna turn this over real quick over to the, the, the pros here. But Phil, let me start with you. Um, and if you could just give us a little intro of yourself. And again, thank you so much.

This is an MSP first for Verizon and the Data Breach Investigative Report to come and tell us about what's going on, uh, with that report and your world. So thanks again for doing this for us. Hey, my pleasure. Yeah, I mean, we're all about kind of spreading, you know, awareness for a lot of these cybersecurity issues, so I'm happy to, I'm absolutely thrilled to be talking about this with, uh, the MSPs. So, as mentioned, my name is Philippe Langlois.

I joined the Verizon team about two years ago, uh, prior I actually worked with Phyllis Lee from CIS, uh, I was working on the controls. And before that time at CIS I worked in Canada, uh, for as, as a policy analyst for the federal government. So I've done kind of a, a rigor role in terms of different roles and capacities, but, you know, all these different experiences kind of help round you out. So here, talk about some cybersecurity trends we're seeing. Awesome. Thank you for coming.

And, uh, Joe, I think a a lot of people know you, but for those that don't, could you share a little bit about who you are? Yeah, sure. And, and again, thanks, uh, thanks for having me on. I appreciate it. Uh, short and sweet. I'm editor of a cyber site called MSSP Alert, which closely tracks the managed security service provider market. And I'm also editor of a sister site called Channel E two E, which tracks it service providers and MSPs from entrepreneur to exit. Excellent.

Well, thank you for coming on with that. Gary, I'm gonna give you the floor 'cause I want to get right on into, um, you know, all the great work that Phil and his team do. So take it away. Yeah. So, Phil, the first question, I was looking at some stats that Andrew gave me, uh, that you analyze almost 80,000 incidents, uh, 30,000 of which, uh, met a qualification, uh, uh, of standards. And over 5,300 of those were confirmed data breaches from 88 countries.

That's, that's a staggering, uh, sample size. How do you do that? Like, how much of it has to be done like computerized and how would you do that? And how much of it is, uh, is pick and shovel? Yeah, you'd be surprised. You know, we actually go in the field and we delicately pick each incident and we review it and then put it through. We have an arsenal of people.

Um, but actually how we really do it is this, uh, this complex kind of data pipeline, if you will, where we have, you know, we ingest data from a variety of sources. So we work with 80 plus partners, and some of them provide data from, you know, straight from the database. Others are providing forensic reports or just PDFs. So what we try to do is we try to get the data to a standard format, which is called VERIS. So this is an open source format that we use.

It's hosted on GitHub and defines what we classify as an incident and how we codify it. So all those 80,000 incidents get transformed one way or another, uh, kind of like I said, mixed bag between manual and automated, into this standard format. Once we get that, then we have a whole automated pipeline that goes through, cleans the data, sets up quality metrics on it, and does a bunch of other little fun reporting. So we get an idea as to, you know, how good is the data?

Then we kind of do a rinse and repeat. So once we get, you know, go through it, we'll go and see if there's anything that stands out as being abnormal. You know, why does one partner have 13,000, you know, finance individuals being impacted? Doesn't sound quite right. Um, so we go through this iterative process of cleaning the data and reviewing it. So it's really kind of this, this automagical slash very manual process.

And like a lot of data science work, you know, it's about 80% is just cleaning the data once it's clean. And once we have confidence in it, the analysis is easy. Right. We, we spend about two months or so just getting the data and cleaning it, and then relatively about a month writing. Wow. So There's, there's a whole lot that goes right into, you know, the upfront cleaning of the data and then getting it through the process. Wow.

Um, so one thing, uh, that, uh, I saw here was, this is staggering. You said that 85% of breaches involved some human element. Right? So, can you tell me a little bit about that? Um, it's interesting because coming from CIS, I guess you can kind of match up how you feel about frameworks, uh, right, with what's happening with this particular piece of it. Can you talk to that a little bit? 'cause it's really interesting. Yeah.

So I think one of the, um, the big issues historically has been we look at technology problems as purely being technology problems, that there's a technical solution to all these issues. Um, but the human element plays such a large role in these breaches, like, as you mentioned, 85%. But when we're talking about human element, it's not just the, uh, user clicking a phishing email, even though that's a large chunk of it, people misconfiguring databases is another one. Right.

That's super common. I think that's something we ignore when we start looking at our risks, right, is the errors, but they're up there, you know, it's almost the third for the, uh, the most common in terms of the, the patterns we see. So it's, it's something that has to be taken into consideration. So when you start looking at just the human piece of it, like, okay, well obviously my workforce plays a large role in my business, otherwise why do you have them as part of your workforce? Yep.

Um, but they also play an important role in your cybersecurity, right? They're really your first line of defense. They're the ones that are gonna identify the phishing emails. They're the ones that are hopefully gonna be trained to, you know, not misconfigure a database or, or you know, send an email to the wrong person. So when we started looking at controls, you know, don't just look at technology as a solution. There's the processes and the people that really supplement it. Yeah.

You know, um, it's funny, I was on a webinar, uh, uh, for some MSPs last week. I find myself doing that more often than I probably should. Um, and right when I got on, I was like in the green room and there was a vendor on before me, and they were presenting like an EDR tool or something. Good, good tool. But the last thing that he said before he signed off was, yeah, and then you can just tell your customers they're secure.

So, you know, I, I waited until he signed off to say, wait a minute, great presentation, but never tell your customers that. So Phil, that's what we see. MSPs are used to solving problems that tools can solve. And I think that's where we've learned over this past year here on the cyber call, like, you know, that a lot of it is what you're talking about, like a big percentage of it is dealing with things that are beyond the, beyond the tools.

And do you see in general, like IT departments like struggling? Is it like we deal with MSPs, but is the same thing with IT departments? Is that what they struggle with? Oh, I mean, without doubt, I think the, uh, convincing the value of security and also realizing that this is gonna be super kitschy, but security is a journey, not a destination, right? Yeah.

You're never really done with security, which unfortunately for someone that just wants a quick, I wanna be compliant so that I don't have auditors or regulators bothering me, you know, that's a very minimum bar. It's a good thing I get to help push organizations, but you're not done at that point. Um, and you know, and obviously I think we can see that because industries that are regulated, even with, you know, stringent security requirements are also getting breached.

So it's not just a question of, you know, we're, we're compliant, we're secure, security goes much beyond compliance and goes kind of the next bar forward. So, uh, so this next question is, um, you know, one of the things you said was that you can't always use previous breaches to predict the future. And so I'm wondering, does that mean, you know, is there any value in still doing things like threat modeling workshops, sign up below, that we're doing?

Or, or, or are we going in the wrong direction? Please. I have a feeling if I'm gonna discredit threat modeling, I'm probably not gonna be invited back. Um, There, there's intrinsically a value, right? And it's when you start looking at the realm of possibilities, right? When it comes down to understanding what you can do, getting a good grasp of all the things that are possible is a good way to get started. Yeah.

But being able to take a step back and say, what is most likely, that's a different question, right? But if you don't understand what those, the realm of possibilities is, you don't really necessarily have a direction forward to prioritize your efforts. So threat modeling is, is an important endeavor. Um, especially as the world gets a little more complicated sometimes. We have a lot of relationships, a lot of trusted interactions between, you know, different services and such.

So having an idea as to how that could be potentially leveraged is really important for the organization. And the, you know, the additional benefit is you're gonna be securing yourself against an advanced attacker, which is kind of what threat modeling will typically look at. Yeah. You're also gonna be addressing yourself against the most common, you know, type of attacks because they, there's a lot of commonality, right?

The initial way into an organization is frequently gonna be the use of stolen credentials 'cause it works, right? Yeah. It's gonna be social engineering 'cause it works and it works for the groups. Or operating ransomware works for the groups that are, you know, doing business email compromises. It works for a lot of groups 'cause it works. So there's a lot of commonality between these attackers.

And if you're gonna go through the effort of doing threat modeling, you're gonna see benefits from these basic, not basic, but these common everyday type of attacks that just are pervasive across the internet. Alright, well, we're gonna, um, we're gonna stick with our, uh, workshop then. Good? Yeah. We're, we're gonna, we're gonna, we're gonna proceed with it.

Last question that I had before I hand it over to Ryan is, can you talk to like, um, between 2020 and 21, uh, about the number of breaches, like from small companies versus at large companies and anything you saw, like trends you're seeing there? Yeah, so this was an interesting one. Um, so what we saw in terms of the changes and what kind of jumped out, to me it was just the, the more, yes, more common, the more frequent small businesses.

So, you know, we have a breakdown, it's about 50% of our breaches, you know, we're falling between the small and then the large. So that's, that's a pretty big divide. But keep in mind that there's significant number more of small businesses than there are large businesses. So that was one thing that we wanted to do.

We unfortunately weren't able to necessarily actualize in the report, was doing statistical sampling of small businesses and do a statistical sampling of large businesses and see if there's some difference in between their infrastructure exposures or the breaches or what have you. Um, unfortunately that's a really complicated question.

Um, just because to get information on small businesses is extremely hard, but at least in our, the corpus of the incident data, they're showing up and they're showing up in relatively similar frequencies. Um, they're showing up 50 50 in terms of our data, and they share similar patterns, right? They're seeing system intrusion, social engineering, and basic web application attacks. So they're facing similar threats as large organizations. Um, however, they have less resources.

But there's a flip side to that. Being a smaller organization, you also have less to manage and you have more of a personal relationship with people. So we don't have this data to say, as a smaller business, you're less likely to fall for business email compromises.

But if you personally know the CFO and then an email comes in requesting a change to bank accounts or asking for W-2s or what have you, you know, if there's more of a process or there's some trusted way to go and verify that, you know, there's that kind of personal connection which sometimes ends up being lost, I think, in large organizations. So there is a benefit to being a small organization as well.

Yeah, I guess it's hard, like it's hard to sort through all that and, and not, you know, separate kind of, you know, causality right? From correlation, I guess is what you're saying. Oh, yeah, no, for sure. That's one of the things that we try to, to make sure we, uh, we never really say things are caused. Um, yeah, to do that we'd have to, you know, control variables and, you know, manipulate and test it over time.

And, you know, that's, uh, simply outside the realm unless we get, I don't know, some giant funding or something. But we can say there's a lot more breaches confidently. Yes. Yep. There are more breaches in our data corpus of small businesses this year. Awesome. Well then that was really good, Andrew. It sounds like you wanna say something, then we'll go to Ryan.

I Was just gonna ask Phil, um, you know, Phil, it's almost like, um, you know, when you want information on small businesses versus an enterprise, you know, enterprise, you can go to Gartner, IDC, et cetera. Mm-Hmm, sure. Joe can give us some other thoughts there, but is it because the SMBs aren't, you know, plugged in to how to, you know, how you guys gather data?

Is it because their incident response, you know, policies and planning don't capture enough forensic data that would even be meaningful? Like what, and I don't want to keep going on what could be, but could you, is there any thought on why, you know, we're not getting their data? Yeah, so, you know, we, uh, we have a very, I guess, uh, fortunate relationship. We're working a lot with the federal government, um, especially through the, uh, Secret Service.

And they, they're the ones that will track down if there's payment card breaches and, you know, there's, uh, you know, having to go through the cases, you know, manually at some level there, you know, a lot of small businesses don't have logging or don't have the information required to really kind of do these things. And also, you know, at least for the, the publicly disclosed breaches and not gonna fall through, we do work with large vendors, right.

You know, the big security vendors out there. My coffee shop's probably not gonna be calling FireEye to do incident response. So, you know, there's, there's always, I think there is a, a gap in that sense. Um, and we, we try to work through it by having a variety of partners. But I think at the end of the day, most people will just clean up the computer and they wanna go back to their business.

I'm, I'm just curious, and you don't have to say yes or no right now, but I, I'd love to put you in touch. A guy that we have on often is a guy named Chris Lair. Um, he runs a company called Security. They do incident response, and they've worked more of the RMM breaches than just about any, any IR firm in the country. You know, they're pretty good. They were so good, they got bought by CFC, a syndicate of Lloyd's.

But I, I wonder if that might be an interesting conversation for you 'cause he's working so many of these smaller organizations. So just a thought. Oh, oh, yeah, for sure. I mean, we're always looking for partners to work with, um, you know, to collect incident data and really kind of help the story. And, you know, we're, we're fortunate that we've been doing this for 14 years. We've built a lot of good friends and we're always looking for more friends at the table. Awesome.

I hope he's out there. If he is, uh, give us a hey-o, as Gary would say, Chris, and I'll get you connected with Phil no matter what. So, Ryan, Phil, thank you for that. Ryan, sorry to take away some of your time there, but let you proceed. No worries. Um, I've, I, I've been really digging into the report, um, while, while we've been talking, um, and, uh, I'm, I'm gonna throw a little bit of a curve ball, but not, not too big of one. I'm gonna ask some questions outta order here.

Um, can you define for us what the difference is between an incident and a breach in the report, um, and the context around those definitions? 'cause I think you, you cite, there's a lot of incidents, but Mm-Hmm. It's the Verizon data breach, uh, report. Right? So define for us what the difference is between those two. Yeah, so it's, uh, one of those where you, you crack open your old spy book and you blow the dust off it.

And, you know, we go back to the CIA triad, so the confidentiality, integrity and availability of security assets. So incidents are kind of the, the very big picture, the big bubble. So it's anything that has an impact to one of those three. Um, then confidentiality, that's where the definition of a breach comes in. So we know there's some type of data where it was intended not to be shared.

It was intended to be confidential and, you know, it got out, these are credentials, personal data, internal data, um, you name it. So that's really kind of the big differentiator between the breaches and the incident. But when it comes to the incidents, there's some other interesting things in there that we touch upon, but not say in depth. Uh, so we also look at, you know, we consider, uh, malware installation as, as an incident, right? It's software installation.

Someone put something on a system. So we see, you know, a lot of those where you have, say, a DDoS bot being installed on a web server that was, uh, vulnerable, right? That will track into our incident data if it met quality metrics. And you also have the availability in which you're the unfortunate person that's on the receiving end of that DDoS bot. Um, that disrupts your business and impacts your ability to provide services. So that's the availability.

So we talk a little bit about availability in some of our DDoS sections, um, but that's normally kind of the, the breakdown we do, um, for it. And it ends up being interesting for, for ransomware. I don't know if I wanna be jumping the gun and talk about ransomware, but that is a shift we've seen where ransomware has moved from our incident data to now our breach data, right?

Because there's this new tactic of name and shame where they're gonna be taking the data out of your network, then they're gonna be posting it publicly and just to add additional pressure while they also encrypt your data, um, to get you to pay up. So we've seen this transition from it being purely an incident to now being a breach. Cool. Thank you for that. I think it that, that's gonna help contextualize my next question, which I really wanted to dig into.

The one size fits most, um, uh, part of the, of the report, which is geared towards, well, the report calls SMB, which is less than a thousand, uh, people, which, um, I think is still, um, you know, in this space we would probably consider that still medium sized. But I think from the VZ, uh, the VZ report side, it's certainly more on the small side.

But you said in the report this year, small and large organizations are less, um, far apart in terms of what you're seeing with 307 breaches in large companies, more than a thousand people, which saw 819 incidents in the report, right? And small, which had 263 breaches across the thousand incidents. So there's actually more incidents in the small bucket than the large bucket in the report.

And you said 45% of detected breaches, um, of small, of small organizations, 45% detected a breach in a day or less, which is actually getting worse than last year. So last year we saw that improve. This year we saw it degrade again. Um, and then you, you go on to say that the top three patterns, which cover 80% of all of those incidents, are system intrusion. Mm-Hmm. Um, miscellaneous errors and basic web application attacks.

Um, and if you really dig into those three areas, like miscellaneous errors seems to be heavily weighted towards server compromise, database compromise, misconfiguration, uh, of those assets. But the basic web app attacks and system intrusions have a very strong undercurrent of credentials. Um, like if you look at all of them, like more than half of each bucket has some relation to credential compromise. So can you give us some more insights into that?

And like really, what should the takeaway be for MSPs that focus on small to medium sized businesses, given this kind of, you know, time to detect getting worse, um, credentials becoming even more important across all the different patterns, you know, what, what do you think is the most important thing for them to take away given all that data?

Yeah, and this is probably gonna be super kitschy as well, but, you know, uh, credentials are the key to the, to the system or the key to the world nowadays, right? Credentials are really one of those, uh, key components to an organization's security. And, uh, you know, I said that we should probably avoid saying that technology solutions are, um, the only kind of avenue or, or purely the, the best option. But something like multi-factor authentication does mitigate a lot of these issues.

Um, so it's, I think it's a drum worth beating and I will probably repeat it five more times. Everyone wants to get a counter, it'll probably be at least five more times. Yeah. You, I guarantee you can't have told, uh, you cannot tell MSPs more that they need MFA than Joe, me, Andrew, Gary, and Wes have in the past three years.

So it's, it's been like, uh, you know, this is probably the hill I'm gonna die on in the MSP and SMB spaces, uh, credential management and, uh, and, and credential theft. So really, really important, um, there. So thanks for that. Um, shifting gears entirely, I, I think there's, um, there's, there's some slight changes in attack patterns where, um, you're seeing slightly more on the social engineering side and slightly more in terms of system intrusions.

Do you think that that's the result of the COVID-19 world that we just, uh, are living through just live through, um, depending on your perspective, like how did that really play into the report and, and did, did it really affect the findings in the way that you kind of would've hypothesized? Yeah, so we, um, I'm gonna start off to say we don't do causal, right?

So we, we might say these things happen in the same era that the, the pandemic happened, the quarantine happened, but we can't necessarily say that these were caused. Um, so, uh, you know, we published last year's report in, um, March, April, may, I don't remember. It all kind of blurs together right now at some point during the height of the pandemic. And a few weeks after, we were asked to look forward and say, and what would be our best guesses not to predict, right?

'cause we can't do prediction, we don't have our crystal balls, but what do we think is actually gonna happen, um, based on our expert knowledge? And so we were like, well, you know, phishing's gonna continue to be a thing because people are gonna have to work remote. They're gonna have to adjust their workflow to accommodate for, you know, a new workforce that historically wasn't remote. People are probably still gonna be using stolen credentials.

Um, ransomware is probably still gonna be a thing. And, uh, yeah, so we actually have a page that looks at our predictions, our predictions, and then contrasts to what we saw. So we did see a large increase in phishing, right? It was from 25% of our breaches last year. Now it's 36% of our breaches. Um, use of stolen credentials, somewhat increased, but not necessarily statistically significantly. Um, just 'cause it's always been a good tactic and it's still a good tactic.

Um, ransomware also happened to increase. So whether or not these were things that were caused by the, the pandemic, we don't know. We'd have to, to run an experiment and, you know, set up another one or something. I don't wanna do that. That seems like a lot of headache. So, you know, we can just say these things are lightly, um, related and, uh, I think next year will be kind of interesting as people go back to the office or don't go back to the office. Um, we don't know.

But I think organizations have to be prepared, um, to take that into consideration. Okay. So, um, I'm gonna give you kudos and a criticism in my next question, right? So, um, people like me and my team spend hours dissecting the Verizon data breach report to figure out kind of where our programs are relative to what you're seeing. And like, it's, it takes a lot of like mental math to map that back, right? And so, um, that's fine because at least we have the data, right?

But for most MSPs, that's always been difficult too. Like, you know, okay, they can say, okay, well yeah, the, the summary is that credentials, okay, I'll focus on credentials, right? Um, but for a long time there hasn't really been a, what do I do about this? Like, here's the data, but what should I do? And so this year, that was the criticism. Here's the compliment.

This year, um, the VZ DBIR started to map to CIS, and talk to us about how that came about and, um, and kind of why you're doing that now and, and what benefit you think that has for practitioners. Yeah. So, um, I, I'm the one that kind of spearheaded that effort to map to CIS, and that was actually at the behest of my, uh, my boss who said, I'm tired of having to write control sections. He's like, I don't wanna do it.

So Phil, you're the new guy you worked at CIS, you draw the short straw, you write about how these things can work. So that's what we did. We centralized around CIS obviously, because I have, um, a history there. I know it well. And it does, I think, tie back well from the, the tactical, technical component, um, to our patterns. So we broadly have these relationships that exist between, you know, the actions we see in our patterns.

And then the CIS controls themselves, and we actually have that mapping published on our GitHub account in, uh, in the VERIS GitHub account. So if anyone wants to use it, it's publicly available. Um, we did the same thing with our ma uh, mappings to MITRE ATT&CK. So have some connection. We try to, yeah, it's because at the end of the day, we're all, we're all chopping up the same piece of pie, right? At different levels and looking at different abstractions. But it's all essentially the same thing.

So the more we can kind of harmonize and talk the same language, the easier it is. 'Cause honestly, um, Ryan, I don't want you to be doing that, you know, having to map to VERIS. Um, I'd rather I do it, and then everyone else just benefits from it. Not that you can't, I'm sure you did an awesome job. I'm, I'm happy to look it over if you're ever interested in, uh, in inputs. But as a community, I think the more we can share and leverage the resources that we build, um, the better off it is.

So that's what I did. I used the CIS Controls, which are community based, so I don't have to rely on, on me knowing everything. There's a couple hundred or a thousand or so volunteers that work on the CIS Controls. So I'm gonna pull on their expertise to tie back to what we're seeing in, in Verizon. So hopefully make these translations and help organizations prioritize their efforts. So, yeah.

So I'm actually gonna ask, would you mind dropping links to the, to the ATT&CK framework mapping and the CIS mapping from your GitHub into the, um, into the, the, the chat? Um, I think that's, that's gonna be tremendous. 'Cause you know, our, our upcoming, uh, threat modeling workshop that Gary talked about, we're gonna be digging into, uh, MITRE ATT&CK quite deeply. And so I think, you know, coming off of that, people should have a really good understanding of how to map this back.

Um, and they already are familiar with CIS, so that's gonna be great. So thanks for doing both of those things. 'cause it's really starting to create a standardized language that we can use to, to help MSPs and SMBs improve, um, and, and let them interpret these reports. So, um, I'm not sure who, I think I'm handing off to Joe next. So Joe, over to you. Hey, thank you very much. And, uh, it, it, it's always great to hear from you.

Thank you so much for, uh, the questions you posed today, but also for the interviews over the years. I appreciate it, Ryan. Uh, good to connect again. Phil, jumping over to you. Um, first of all, thank you for the research. I appreciate it. We covered it out on MSSP Alert, um, and every, every year we do look forward to it. Um, I think our readers do as well. So thanks for your time and thanks for all the analysis.

Um, I did wanna connect the dots between, um, sort of your, the research you do, your day-to-day work, and then what we're seeing out in the market right now. And, and I'll make the understatement of the year in that the US federal government, it's getting more vocal about proper cybersecurity, to say the least. You know, this is no longer just a cyber call conversation or an MSSP Alert conversation. It's a cover of the Wall Street Journal conversation every day.

And if you look at President Biden's executive order in, in recent weeks about cybersecurity, it specifically mentioned the role of IT service providers and, and proper government, uh, supply chain security. And with that context in mind, uh, do you expect better coordination between the federal government and private companies and service providers, sort of to drive down some of the risks you've outlined in the report? So I, I'm, I'm an optimist, so I'm gonna say I'm hopeful, right?

I think there's, there's a lot of opportunity to collaborate, and there's some great examples where that collaboration happens. Um, so previously, when I was working at CIS, um, a lot of people don't know this, but the MS-ISAC, which is the Multi-State Information Sharing and Analysis Center, resides within CIS. So mm-hmm, these ISACs serve as this kind of junction point between the federal government and whatever other entities, so in this case, the states and local governments of the United States.

Um, by having this kind of collaboration center, it kind of helps alleviate some of the tension that sometimes exists between, um, regulators and the regulated, or, you know, different levels of government, 'cause there's this private entity that exists in between to help, you know, facilitate and collaborate. So when I was working there, there were a lot of awesome efforts that really were closely done with the federal government and the state and local governments through the MS-ISAC: how to share information, share best practices, uh, you know, just collaborate on the same issue that we're all facing without having to necessarily go through, um, you know, the, the regulatory type relationship, which I think a lot of people have with the federal government or, or with other entities like that. So organizations like that are immensely helpful. Uh, InfraGard is another one, right?

If you work, I'm sure there's a chapter nearby in your area. It is absolutely worth at least attending and potentially, you know, meeting the FBI and the other federal agents that work in the area and building a relationship, so that, you know, if there is an incident, you at least know who you're calling, and, you know, it's less intimidating 'cause it's, you know, it's David instead of Special Agent So-and-so. Um, so that, you know, that's from the, uh, the ground up.

But federally, I think there's a lot of opportunities to, um, set a standard, whether that is a regulatory standard or it's a best practice. Or what we're also seeing a lot more of is the, um, duty of care, or kind of an expectation that helps protect you from, um, civil litigation, right? That says that I was doing, you know, what was due diligence for cybersecurity.

So there are certain states that have legislation out there that defines, you know, kind of a rough bar as to what due diligence somewhat looks like for cybersecurity. Um, that's another venue, right? To help encourage organizations to adopt best practices. You know, I think the, the regulatory frameworks tend to be a little bit of a hammer and, uh, don't, you know, they're slow to, uh, necessarily adapt to changes in technology.

Um, so there needs to be some middle ground in which we can encourage organizations to adopt without necessarily stifling them. Um, and setting 'em in a certain direction that requires them to adopt things that don't necessarily make sense for their business, don't make sense for, for, you know, their day to day. Yeah. You know, I'm an optimist too, except when it comes to the government being able to do anything effectively. I, I don't know.

You know, I, I will say I'm an optimist and, and I'll, I'll, uh, attempt to paraphrase that line. I think it's credited to Woody Allen: 80% of success is just showing up. And, and, you know, to the federal government's credit, um, I, I do see them showing up and having, uh, a statement, a perspective, a next step on whatever's happening in the cyber world right now. So I'll, I'll give them that credit, and, and it's good to see, frankly. Will they get it right long term?

I certainly don't know, but at least they now have a chair at the table as part of the conversation, uh, and a big chair at that. And, and, and more and more people in the seats. Um, building on, uh, a little bit of that, that, uh, sort of, uh, the US view, and Phil, forgive me, um, we, we summarized the research on MSSP Alert, but I don't recall, so I'm gonna ask you a naive question.

Um, is this mainly sort of a US view of what's going on in the world, or, to, uh, Andrew's point at the top of the show, he mentioned, uh, we've got attendees worldwide on the cyber call. So I'm just, uh, curious, are the trends completely different region to region, or, hey, you know what, Joe, this was a US focused effort? Yeah. So for the, um, for the Data Breach Investigations Report, we're extremely fortunate to have partners around the world. So we have about 88 countries represented.

Um, and we do some regional analysis and kind of breakdown and say, okay, you know, very broad strokes, this is what Asia Pacific sees, this is what Europe Middle East sees. This is what North America sees. Um, you know, a lot of the trends are relatively similar.

You know, I think that a large part of that is, that's such a function of, you have a system on the internet, you have an email address somewhere, you know, you're just gonna get bombarded by phishing, you're gonna get bombarded by anyone that kind of wants to get in. So it's almost a, a pretty consistent internet noise level of badness, um, that happens regardless of where you are. Um, but yeah, that's something that we're always looking to improve, right? Is that collaboration internationally.

And you know, we, like I said, we have some phenomenal partners, uh, that are providing us some, some good information, but the more information, the better a picture we can paint for those regions. Um, so that's, that's my quiet plea. If anyone wants to contribute data internationally, uh, you know, we're always taking partners. Got it. Okay. And then I wanna reinforce one of the questions that, that Ryan asked.

I'm sort of gonna, uh, you answered it in many ways, Phil, but I wanted to drive it home. And, and here's sort of the question, and it ties back to what Ryan said in terms of next steps. Um, you know, as part of the official announcement about the report, there, there was a, uh, a, a, um, supplied quote from Verizon, and it really emphasized that readers should focus on, quote unquote, "strong cyber fundamentals rather than sweeping and revolutionary solutions to the threats," unquote.

So if our attendees wanna focus on, quote unquote, strong cyber fundamentals, building on what's already been asked, can you reinforce to us where do they start? What are the strong cyber fundamentals, so that people leave here with some key next steps? Yeah. So, you know, the good news is Phyllis has my, uh, Venmo account, so this is probably gonna work out well for me, but you, you really should start looking at the CIS Controls Implementation Group 1.

Um, and that's one of the, the beauties of the CIS Controls, um, obviously I'm a very strong convert, is it's prioritized, right? It provides you a very strong starting point. And from there you build off that, because these controls tie into each other. And that's one of the things that, if I had more time, you know, or energy, or, or what have you, research is understanding how do these pieces tie into each other? How does having a good inventory help you with your detection abilities?

How does managing user accounts prevent blah, blah, blah, right? So looking at how these pieces tie together, and at the end of the day, if you really look at the foundation, a lot of it's about management, right? It's about managing users, managing devices, managing data. And if you don't have that strong foundation, you know, throwing in an EDR is not necessarily gonna be helpful if you don't necessarily know what all the assets are that need the MDR, you know, EDR.

Um, so having that, that foundation is, is extremely key. And I think it's, uh, you know, probably the best place to start. And that's why when we tied back to the controls, we looked explicitly at Implementation Group 1, right? For each of the industries, saying that as a baseline, everyone should take into consideration, you know, these three controls based on the patterns you're seeing. Excellent. Thanks. Uh, that's all I got in terms of, uh, my kickoff questions.

I may have some follow ups based on what, uh, attendees are asking, Andrew, but Phil, thanks again for your time. I definitely appreciate it, and I know our readers out on MSSP Alert also appreciate it. Hey, my pleasure. Thanks, Joe. Um, yeah, we had a few questions come in, Phil, and again, guys and gals out there, send them in. Um, we've got some time here, which we don't often, right? Gary, we don't often, and Ryan, we don't have time. And, and so first question comes from Cody, Phil.

He says, um, have you seen a massive spike in illicit consent grant attacks, since in many cases it can bypass MFA? So we haven't seen a whole lot of attacks that bypass MFA. So yeah, that's, that's one of those levels of detail, uh, we would love to have in the incident reports, is the controls that failed, right? So if there was malware and the person pivoted around, this is how they bypassed.

So I know, you know, scratching the back of my head, I know of one case in which MFA was bypassed, uh, and it was bypassed like this. They had set up Office 365, but none of the users had logged in yet. So the first person that logs in gets to set the phone number for the Office 365 account. So when they got the credentials, they were the first one to log in. So then they set up MFA, so it was set up, but no one had used it at that point.

So the attacker was able to set up multifactor using their own cell phone for all the user accounts that they used. So we haven't seen a whole lot. I mean, I haven't seen, I haven't seen, in the data I've looked at, um, it, you know, there are of course, I think, cases of SIM swapping and things like that, um, that falls less common. We haven't seen it in the enterprise breaches.

Um, but you know, you have to think, there's a whole other subset of breaches that we don't talk about, and that's personal breaches, right? So yeah, your credit card stolen, or you have your Bitcoins taken from your wallet through Binance or whatever. We don't track those; that's kind of outside of our dataset. Um, so, you know, I think there are perhaps more examples of, you know, SIMs being swapped and MFA being bypassed in, uh, in those types of cases.

Would you consider that MFA bypass or miscellaneous error, because it's really poor configuration, insecure configuration type of, you know, human error type of thing? Yeah. So in that case, and this is like one of those nuances with our, our data framework, um, it would still be like use of stolen credentials. You don't, we don't count the, the bypass of controls as kind of the defining feature. Yeah.

Um, so, you know, it's one of those where, if they hadn't configured that properly, would there have still been a breach? Well, no, 'cause you still needed someone to go and, and use credentials against it. Um, so sometimes we'll have, you know, a, a database being misconfigured; a researcher finds it and notifies, a bad person finds it and deletes it. That's two separate breaches. That's two separate incidents, right? Right.

So, so an attacker, you know, uh, has a system intrusion on an MSP tech's workstation, which is already logged into the service, that that's not, you know, that's system intrusion, not MFA bypass, right? Yeah, correct. Right. So there's, there are ways that attackers are using to bypass MFA, but they're really using other patterns as a means to do that. Yeah, absolutely. Right. They're, they're gonna use the path of least resistance, right? It's almost like water.

It's like, yeah, I can try to brute force this 14 character password, or I can just send, you know, a thousand phishing emails. I'm just gonna get one that works. Good. Good. Um, next one. Oh, go ahead. Sorry, I was just gonna ask you a random question. What was the thing that surprised you the most? It's one of those things that shouldn't have surprised me, but it did, was the, the prevalence of ransomware.

Um, I was, you know, part of it is, you know, we look at a lot of public data breaches, obviously it's kind of one of our data streams. I was like, well, you know, obviously there's a lot of publicity because all of a sudden these actors have websites that all threat intelligence vendors go and scrape, and then they can, you know, contact the victim, or, you know, it's, it's not as hidden. Um, but even when looking at that, the numbers are still, you know, astronomically high.

And this is something, you know, 2013 or so, when like ransomware was slowly starting to creep up, oh, this is getting, you know, this is kind of serious now. It seems like it's been really ramping. And you know, unfortunately, next year it's probably gonna continue that, that similar trend. Not predicting it, I'm just saying I would put, you know, my money on that horse; that's gonna continue. Um, unless there's some serious, he would bet his, he would bet his Bitcoin on it. That's right. Good.

Okay. Um, next one. Can you talk about the threat actors portion of the SMB report? 44% are internal? Is this insider threats or rogue employees? So again, I'm going based on this. Does that sound right? So, so when it comes down to internal, um, most of it tends to be errors, right? Uh, so you're, you're talking about the misconfigured database or the user sending the email to the wrong person. Uh, I think, you know, that that happens a lot as well. I think we've all done that a few times.

Um, autocomplete is not always the, the best solution. Um, especially now you can tab complete the, the sentences in your email. So you, you don't even have to write emails anymore. You just kinda set the theme.

Um, and then you have, you have some, um, misuse, where people are intentionally, um, either going beyond their permissions, to, you know, the typical example is, uh, someone has access to a background checking system, and then they use it to look up their girlfriend or someone that they're interested in, you know, kind of that step beyond their official purposes. Um, but that's really not as common as, as the errors.

So, you know, when you think internal, think largely errors and then just a little sprinkling of, of intentional bad people on the inside. Got it. Hey Andrew, I have a, I have a sort of a follow up on that, if it's okay. Yeah, of course, Joe. So with, with this, the insider threat or the insider error, um, and then, uh, connecting the dots back to the, the best practices and controls you've, uh, been discussing.

Um, one, one of the big trends I've been noticing in the MSSP market is large MSPs acquiring cloud security posture management companies, um, to, um, make sure that, uh, public cloud settings, whether it's on AWS or Azure or Google Cloud Platform or others, to make sure everything's properly configured. Mm-hmm. It's my long-winded way of saying, you know, the, the, these control best practices that you're recommending, do the best practices hold true in, in a multi-cloud, hybrid cloud world?

'Cause so many, I know we're well along in the cloud journey now, but, but many MSPs still, when they think of security, it's about lock down my own business first, lock down the customer premises, but now we've got all these workloads everywhere. So are the controls gonna hold as we go, uh, towards multi-cloud security and cloud security posture management? Yeah, I, I think absolutely.

Um, and you know, for a lot of the, the cloud vendors and cloud solutions out there, you're starting to see adoption of, you know, everything being accessible, right? And you can go and verify that settings are set on a system in a very consistent way. So I think, you know, a large part is, is the capability gonna be there for me to go and ask my systems, you know, is this securely configured, is my environment configured according to best practice?

And then from there, that's gonna be the next step, is, you know, are we going to, to adopt it? So you have the, where it gets a little tricky is understanding where the responsibilities and the trade-offs are, right? Instead of saying, oh, wow, I thought you were supposed to configure a password for that database. Right? Right.

And having that explicit when you're working with partners, and just making sure that there's, there's some delineation of responsibilities, that, you know, when you're spinning up an EC2 instance in AWS, AWS isn't responsible for the configurations within that individual system. Right? And that's, yep.

So when you're getting a server, or when you're using a service, you know, there's different expectations when you're using, you know, platform as a service or, uh, software as a service, or, my, my cloud terms here are all mixed up. But yeah, it's all about that delineation of role and responsibility. And I think we can't just assume that someone's handling it. Um, you know, you have to be able to kind of break that down. Got it. Thank you. It's a really good question, Joe.

Um, 'cause we, in our peer groups, there's a lot of conversation around this. Like, so much of what we've done is not only based on premise, but it's so based on the end point, the end user. And you know, as that changes not only the policies, how people think about things, it's more complex, right? Even small businesses have this, these cloud, like they might have five or seven or eight different cloud environments, um, but there's not as much technology.

You see some of the startups, uh, around, you know, management and monitoring now. Um, but it's, but it's still in its early stages, right? Yeah, yeah. Without a doubt. But I think it's moving fast. I think it's moving very quickly. Sure. And I do think, uh, the early adopters on the MSP side are making a lot of progress, and MSPs will get better and better at it over the next couple years, 'cause they don't have a choice, right? There's, uh, failure's not an option.

What's interesting is, you know, go ahead. Oh, I was gonna, I was gonna ask a, a question. If you wanna keep going on that, you should say whatever you're gonna say. I was gonna say, it was interesting, and we posted this, um, you know, CIS does a lot around secure configurations, Phil, as you know.

Um, but they just recently put something out around Zoom, and then somebody put it actually in GitHub, where, um, you know, some of the really good automation guys that I, that are in our community are, are looking at it, where you could potentially just, you know, use your tool sets, your RMMs, to go and check users: are they securely configured?

But to your point, Gary, and, and, and Joe, I, I, I think, you know, the more we can all, again, share that knowledge, get that information out, and that people are actually, you know, MSPs are actually checking those configurations, it all can make a big difference. So anyway, sorry. Go, Ryan. Um, yeah, I was gonna say, we, we didn't really, this year you, you kind of recast privilege abuse as privilege misuse. We haven't talked about that at all.

Can you give us just a brief overview of what the main finding there was? Yeah, so the, um, let me pull up my section, because it's a section I don't have memorized. 'Cause, uh, well, it's only what, a hundred and how many pages, Phil, that you don't have memorized? Yeah. A hundred. I'll give you a shorter one, by the way. I, I think we, uh, we missed the mark on it, but the, uh, yeah. When it, when it comes down to, to privilege misuse or privilege abuse, yeah.

It is largely abusing the, the existing privilege, right? So the vast majority, I think it's just under 80%, is doing that. And then after that, you're kind of looking at data mishandling, which is about 20%. So, you know, when we're talking about data mishandling, it's frequently the, oh, I just wanted to work at home and I emailed my customer spreadsheet to my personal email account type of incident, right? That's not someone that's, um, you know, erroneously doing it.

They intended to work around existing controls. That's why it falls within privilege misuse. And then, so, yep, go ahead. So it would be fair to say, you know, MFA for sure, yes, and like, you know, stronger credential management for sure, but also access management, what privileges people have with those accounts, is really kind of, there's like a trifecta there of things. So someone, they got me thinking, 'cause someone asked a question, they were like, what are the three controls?

Like what are the three top things? And I know in the industry sector, you actually went there and listed like the top three IG1 most protective controls. But it got me thinking, like, well, what, what would my three recommendations be based off the report? And everything I read said MFA, cred management, privilege management. Like those are the three things for me that felt like they would have the biggest reductive power across everything I was reading in the report. Yeah, for sure.

And the appendix, you know, we, as we tied back to the controls, um, Phyllis probably gets another extra coffee, by the way, if you're keeping track, is the, uh, was looking at, you know, secure configuration, account management, which is where we're talking about MFA, and access control management, right? So about those privileges, and assuring users only have access to what they need to do. Um, and that ties back to management, right?

You need to know what your users need to do their job, um, and then restricting it to that. So I think it's, you know, I think we're aligned. We're on the same page here. Okay. And, and, and RDP open to the internet is not secure configuration. Right. Okay. I just wanted to make sure. Please. Uh, yeah, please don't. I, I run some honeypots. The quickest, uh, brute force someone got in was less than two hours. So it's, yeah.

You're, you're gonna get bombarded the second they show up on the internet. Yeah. Excellent. Well, let's, let's leave it there. Um, 'cause we got about a minute and a half left. So one, Phil, thank you so much for making our one year anniversary show. Um, I think really special. So appreciate you coming on, I hope, and, and you're welcome anytime, uh, as, as Gary said early on, we may be looking for a replacement for Wes, jokingly, obviously. Um, Joe, uh, always great to have you.

Wes, uh, always great to have you with us. Uh, yeah. No, thanks to each of you. I really appreciate you guys having me on. And then Phil, it was great to meet you. It was an absolute pleasure. Yeah. So, uh, well, in general, I will say we prefer not, we prefer people not to have hair normally. Right on. But we made an exception, so that, that, that speaks volumes. Um, so Ryan, any, any closing thoughts from you, uh, in this last minute?

No, I mean, I think I, I mean, if I could give our audience some homework, which we don't normally do, but I would say we're gonna have the threat workshop at the end of the month. It's worth reviewing this report. It's worth looking at the link that Phil posted, um, that has the, uh, CIS mappings, uh, and the ATT&CK framework mappings, because we're gonna be spending a lot of time, uh, in the, in the MITRE ATT&CK framework.

And so, so you're really gonna, by the end of this month, you're gonna be able to link these three things together: CIS, the Data Breach Investigations Report, and the MITRE framework. And this is gonna become less of a nebulous thing and more of an actionable thing for you. So it's gonna really be helpful if you have fully contextualized yourself before we get into that, uh, threat modeling workshop.

That's not to say you couldn't do it later, but if you wanna make the most use of that session, it's probably gonna be worthwhile to have a, a passing knowledge of it upfront. Gary, I'm gonna kind of close by handing it to you, but I mean, again, if you have an understanding of the three things Ryan just said, that kind of command, as you call it, is gonna be very worthwhile in your prospects and sales conversations. Absolutely.

The, the kind of information you got today, diving in, uh, to the Breach report, visiting Joe's site on a daily basis, it only takes a couple minutes, but we have to be the most informed people when we get in front of customers and prospects, and they'll know immediately. So this has, if you're in this business, this has to be part of your job. You have to know more than other people about all these things. And so, um, I mean, we're working hard.

Try to point you in the right direction. We've had so many experts, but you have to do the work. Excellent. Alright, so with that, Phil, Joe, thank you so much again, Ryan, Gary, and everybody, we look forward to seeing you, uh, next week. Have a, have a great one. Take care. Bye. Take care, guys. Cheers. Cheers, Phil.
