Storytelling is a powerful tool for cybersecurity leaders aiming to improve communication with IT and non-IT stakeholders alike; the most trusted advisors are effective storytellers. With the right data—like the recently released 2019 Verizon Data Breach Investigations Report—CISOs and their teams can tell meaningful and relevant stories that help organizations strengthen their security cultures and empower executives to make better decisions about resource allocation and risk tolerance.
2. Confidential and proprietary materials for authorized Verizon personnel and outside agencies only. Use, disclosure or
distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
To rally your coalition, focus on outcomes, not the process.
• Enhance your visibility of cyber risk
• Minimize impact and quickly restore operations
• Detect and respond to cyber attacks faster
• Protect the attack surface
Rocket science is important, of course…
• Verizon Risk Report
• Verizon Threat Intelligence Platform
• Vulnerability management
o Vulnerability management
o Penetration testing
• Security risk assessment & compliance services
o Business Security Assessment
o Security Architecture Review (SAR)
o PCI Compliance
o Operational technology security assessment
o Device testing and certification (ICSA)
o Asset discovery / classification
• Security strategy advisory
• Secure gateway solutions
o Secure Cloud Gateway
o Virtual Network Services - Security
o Managed Trusted Internet Protocol
• Device & endpoint management
o Device Health and Availability
o Policy & Configuration Management
• Web defense
o DDOS Shield
o DNS Safeguard
o Email security
• Identity & access management solutions
o Managed Certificate Services
o Verizon ID (Identity Verification)
• Cloud security solutions
• Mobile security solutions
o Enterprise Mobility Management (MDM?)
o IoT Security Credentialing
• Software defined perimeter
• Managed detection & response solutions
o Managed Security Services-Analytics
o Network detection & response solutions
o Autonomous Threat Hunting
o Managed endpoint detection (Cylance Optics)
• Managed endpoint solutions
• Machine State Integrity
• Deception-as-a-service
• Hybrid SOC solutions
o Managed SIEM
o Advanced Security Operations Center
• Breach investigations and response
• Rapid response retainer
• Attack detection assessment
• Incident response planning
Failure (to communicate effectively) is not an option.
Despite working harder than ever, CISOs and their teams appear to be losing the “perception battle.” Effective storytelling can rectify this.
• 21% of organizational leaders are briefed on risk topics at every senior leadership meeting despite security being a top concern
• 87% of board directors and C-level execs say they lack confidence in their organization’s level of cybersecurity
• 53% of organizations believe that malicious attacks are on the rise y/y, but 48% lack confidence in their teams’ ability to address complex attacks
Source: 2017 ISACA State of Cyber Security Report.
Use data to tell stories.
• Leverage available research to help stakeholders understand cyber threats.
• Use data to focus attention on the probability of a specific type of compromise, rather than every possibility.
• Actively engage stakeholders across the entire organization.
• Collaborate on risk tolerance, security priorities and incident response.
2019 Data Breach Investigations Report (DBIR) is brimming with actionable security data.
Use it to validate your strategy, course-correct – and tell stories that lead to action.
• 12 years
• 86 countries
• 73 contributors
• 41,686 security incidents
• 2,013 data breaches
Key DBIR findings.
Back in 2014 we identified nine incident patterns that cover most of the threats likely to be faced. 98.5% of security incidents and 88.0% of confirmed data breaches continue to fall into these patterns across the 2019 report.
Pattern consistency allows security professionals to prioritize spend when looking at investments in IT/OT/IoT Security.
Shift in attacker behavior towards cloud-based services
Compromise of web-based email accounts using stolen credentials (98%) is rising (seen in 60% of attacks involving hacking a web application).
Publishing errors in the cloud are increasing year-over-year, exposing at least 60 million records analyzed in the DBIR dataset. This (misconfiguration) accounts for 21% of breaches caused by errors.
Unbroken Chains – Path-based attack analysis
• Most of the successful attacks are short, likely because it is both cheaper and easier for the attacker (or the breach is simply due to a single error).
Unbroken Chains – Path-based attack analysis
• When you examine the attack paths, the “malware” threat action variety usually doesn't begin a breach (it is normally a second or later step in the compromise).
• Also, breaches rarely end with a “social” action (so if you see a social attack, you can expect more to follow).
Other key DBIR findings
• One quarter of all breaches are still associated with espionage.
• External threat actors are still the primary force behind attacks (69% of breaches) with insiders accounting for 34%.
• Chip and PIN payment technology has started delivering security dividends - the number of payment card web application compromises is close to exceeding the number of physical terminal compromises in payment card related breaches.
• Senior executives are 12x more likely to be the target of social incidents, and 9x more likely to be the target of social breaches than in previous years – and financial motivation remains the key driver.
• Financially motivated social engineering attacks (12%) are a key […] ALL levels of employees are made aware of the potential impact of cybercrime.
Representative industry view: Financial and Insurance
• In this industry, we acknowledge, but filter, over 40,000 breaches associated with botnets to be analyzed separately.
• Physical attacks against ATMs have seen a decline from their heyday of the early 2010s. We are hopeful that the progress made in the implementation of EMV chips in debit cards, influenced by the liability shift to ATM owners, is one reason for this decline.
Representative industry view: Healthcare
• Unsurprisingly, medical data is 18 times more likely to be compromised in this industry.
• When an internal actor is involved, it is 14 times more likely to be a medical professional such as a doctor or nurse.
• Databases are a favorite for internal misuse, and those attacks take longer to discover versus attacks by external actors.
• Over 70% of all malware in this vertical was ransomware.
The moral of the story…
• While we have observed a definite shift in attacker behavior towards cloud-based services for email and online payment card processing systems, this does not indicate that there are necessarily any inherent weaknesses associated with those environments.
• Instead, we believe this to simply be a result of the attacker changing tactics and targets to meet the corresponding change in the locations of valuable corporate assets.
• As the victim organizations increasingly migrate to cloud based solutions, the attackers must alter their actions in order to access and monetize those assets.
• The evolving job of the CISO/CSO is to understand how this large-scale digital relocation changes the landscape, and how they can make known risk vectors more or less likely.
“The more things change, the more they stay the same.”