Verizon DBIR: Edgescan Explains the Stats

by Eoin Keary, CEO and founder of Edgescan:

For the third year running Edgescan contributed to the Verizon DBiR. The DBiR is recognized as the defacto cyber report which casts a wide net across all types of cyber security and breaches, this includes vulnerability management in both infrastructure and applications.

Edgescan vulnerability data is curated and validated, sanitised and reflects tens of thousands of assessments we deliver globally across the full stack to our clients.

As stated by Gabriel Basset of Verizon “I think there’s a positive story around how vulnerability scanning, patching, and filtering are preventing exploiting vulnerabilities from being the easiest way to cause a breach but that asset management is needed to identify and patch unpatched systems…

A few things that stand out to me in the report are as follows:
Nearly half of breaches involved Hacking and 70% of breaches were external threat actors. To me this makes sense as in our experience most large enterprises have at lease one critical vulnerability living in their estate and the majority of risk (as per our research) is in the web layer/Layer 7 – Web sites, Applications and API’s.

Of a 977 breach sample-space the majority of threat actors were associated with organised crime. These folks are professional, determined hackers. Its how they make their living. They don’t care where the vulnerability resides in the stack. An automated approach to vulnerability management alone wont ensure your defence.

Using software/tools alone to defend against experienced humans wont result in robust security. 

This is the case in particular when the people we are trying to defend against actors who are very skilled and determined, professional blackhat folks, if you will.

Human Error was cited to be a significant contribution to system insecurity and breach in the 2020 DBiR report.

Misconfiguration taking the prize for main contributor; “They are now equally as common as Social breaches and more common than Malware, and are truly ubiquitous across all industries.” according to the report authors.

What we see in Edgescan is pretty much aligned with this metric. Misconfigurations are a common vulnerability and not going away anytime soon. Insecure deployments, misconfigured frameworks, directory listing, data exposure via errors all cousins and steadily increasing over the past number of years.

The concept of continuous assessment, profiling and validation is key to detecting such issues. Generally they are not difficult to detect or fix but if we don’t know about them we’re leaving the door open for someone else to use.