Key Findings from the 2015 IBM Cyber Security Intelligence Index

© 2015 IBM Corporation
2015 IBM Cyber Security
Intelligence Index
July 2015

2© 2015 IBM Corporation
Today’s panelists
Nick Bradley
Practice Lead Threat
Research Group
IBM Security
nwbradley@us.ibm.com
@bradleyv20
Nick Coleman
Global Head Cyber
Security Intelligence
IBM Security
coleman@uk.ibm.com
@colemansec
Adam Trunkey
Global Marketing
Security Services
IBM Security
atrunkey@us.ibm.com
@atrunkey

Agenda – about this session
Our goal is to help you better understand the current
threat landscape:
1. Looking at the volume of attacks, the industries most
affected, the most prevalent types of attacks, using
the newly released Cyber Security Intelligence Index
2. Sharing some deeper insights into the Cyber Security
threat landscape – what it means to companies and
how can you, as a Security leader, better equip your
organization for success against the evolving global
threat landscape
3. Provide some example use cases that are meaningful
to customers that can help better understand key
threats that are occurring and how to use threat
intelligence to help you minimize risks in your
organization

What is happening in the threat landscape - The challenges of
keeping up with a perpetually evolving cyber security environment.
61%
data theft and cybercrime
are the greatest threats
to their reputation
of organizations say
Average data
breach in the
US cost
$6.5million
2015 Cost of Data Breach Study: Global Analysis
Ponemon Institute
2012 IBM Global Reputational Risk & IT Study
80%
of enterprises
have difficulty finding the
security skills they need
tools from
vendors
85
45 IBM client example
2013 Forrester Consulting, “Surviving the
Technical Security Skills Crisis”
70%
11.6M
2013 IBM CISO Survey
IBM X-Force® Threat Intelligence Quarterly 1Q 2015
Mobile malware is affecting
of security execs
are concerned about cloud
and mobile security
mobile devices

How we see the threat landscape

2014 was the year the Internet fell apart, with data breaches making
regular front-page headlines. And has continued into 2015…
2014
January August September
Large U.S. arts and
crafts retailer reveals
long-running
malware-related
breach affecting
several million
payment cards
In one of the largest
healthcare data
breaches in the U.S.,
the Social Security
numbers and other
data for millions of
patients was
compromised
A major U.S. home
goods retailer fell
victim to a point-of-
sale attack that
affected thousands of
stores, exposed
millions of payment
card data records and
resulted in theft of
millions of email
addresses

The IBM 2015 Cyber Security Intelligence Index is a key way IBM
sheds light on what is happening across the threat landscape.
Source of data for the Index
 Cyber security event data collected in the
course of monitoring client security
devices
 Data derived from responding to and
performing forensics on client cyber
security incidents
 Date range for this report:
1 January 2014 – 31 December 2014
Key questions addressed
 What’s happening across the threat
landscape?
 What kinds of attacks are being launched?
 How many of those attacks result in
incidents requiring investigation?
Billions of security events every year
A sample of over 1,000 clients
133 monitored countries
Worldwide IBM Cyber Security
Intelligence Index based upon:
Between 1,000 and 5,000 employees
Approximately 500 security devices
deployed within the network
“Average” client described in this
report:
Designed to complement the
IBM X-Force® Quarterly Report

Two industries were targeted in over 50 percent of all incidents
observed by IBM.
2013
2014
20.80%
25.33%
21.70%
19.08%
18.60%
17.79%
6.20%
9.37%
5.80%
5.08%
Finance and
insurance
Finance and
insurance
Manufacturing Information and
communication
Information and
communication
Manufacturing
Retail and
wholesale
Health and
social
services
Retail and
wholesale
Electric and
utilities
Incident rates across monitored industries

For the average client, IBM filters 81,342,747 security events to
identify the 109 security incidents that can potentially do harm.
Annual security events, attacks and incidents
2013 2014
109
Incidents
18,856
Attacks
91,765,453
Events
109
Incidents
12,017
Attacks
81,342,747
Events
.91%
incident-
to-attack
ratio
.65%
incident-
to-attack
ratio
Incident Attack serious enough
to warrant deeper
investigation
Attack Malicious activity attempting to
collect, disrupt or destroy
information or system resources
Event Activity on a system or network
detected by a security device or
application

Unauthorized access, malicious code and sustained probes or
scans dominate the threat landscape.
Categories of security incidents among the top five industries
38% Malicious
code
37% Unauthorized
access
20% Sustained
probe/scan
19% Unauthorized
access
12% Suspicious
activity
9% Access or
credentials abuse
2% Denial of
service
20% Malicious
code
20% Sustained
probe/scan
11% Suspicious
activity
8% Access or
credentials abuse
4% Denial of
service
2013 2014

Three “malware-less” threats emerged that exploit existing but
unknown vulnerabilities.
ShellShock Heartbleed Unicorn
 Attackers targeted
existing vulnerabilities
in the UNIX shell
 Rapid response by
cyber criminals
following news of
vulnerabilities
 Example of “malware-
less” attack—more
difficult to detect
 Exploits vulnerability in
OpenSSL protocol
 Allows attackers to
access and read
memory of systems
thought to be protected
 IBM has tracked over
1.8M Heartbleed
attacks against
customers
 Discovered by IBM,
Unicorn is a complex
vulnerability in
Microsoft Internet
Explorer
 Allows remote code to
gain control access to
programs via a data-
only attack

Who are the bad guys?
Outsiders
Malicious
insiders Inadvertent
actors
38%
31.5%
23.5%
55% of attacks came from people
who had insider access to an
organization’s systems

Where are these attackers located, and what are the threat levels by
country?

And from the IBM sponsored work of the Ponemon Institute,
we can see the cost of a data breach is on the rise.
NEW DATA from the
2015 Cost of Data Breach Study: Global Analysis
Independently conducted by Ponemon Institute,
Sponsored by IBM
$154
Average global cost
per record
compromised
$1.57 million
up 12%
over 2
years
Average cost of lost
business per data breach
up 23%
over 2
years
$3.8 million
Average global total
cost per data breach

Global and country-specific averages show key data breach costs.
Cost per record*
Cost per incident*
*Currencies converted to US dollars
$136
$154
Highest countries
Lowest countries
$217
$211
$78
$56
in Brazil
in India
in the U.S.
in Germany
$136
$3.8M $6.5M
$4.9M
$1.8M
$1.5M
in Brazil
in India
in the U.S.
in Germany23%
Global average
12%
Global average
increase over two years
Highest countries
Lowest countries
increase over two years

Per-record data breach costs vary widely, with a significant year-to-
year increase in several industries.
Healthcare Financial
Consumer Energy
Retail
Technology
$363 $215
$136 $132
$165
$127
* Currencies converted to US dollars
Industrial
$155
Public
$68

With threats and costs of a breach increasing, optimizing threat
prevention and response can be a challenge for any organization.
Firewall
logs
Proxy
logs
IDS/IPS1
logs
Web
logs
Application
logs
Authent-
ication
logs
Malware
detection
logs
Email logs
Network
security
logs
Building
access
logs
Fraud
payment
logs
CSIRT3
incidents
Vulner-
ability
patch
mgmt
DNS/
DHCP4
logs
Call/
IVR5
logs
Endpoint
security
logs
Employee
directory
SSO/
LDAP2
context
Application
inventory
Website
marketing
analytics
1Intrusion detection system / intrusion prevention system (IDS/IPS); Single sign-on (SSO) / lightweight directory access protocol (LDAP); 3Computer security
incident response team (CSIRT); 4Domain name system (DNS) / dynamic host configuration protocol (DHCP); 5Interactive voice response (IVR); 5Information
sharing and analysis center; (ISAC) 6Intellectual property; (IP) 7Open source intelligence (OSI); Malware detection or defense system (MDS)8
Ever-increasing
proliferation of
data sources
Malware
Hashes /
MD58
Brand
abuse
phishing
indicators
Malware
campaigns/
indicators
Fraud
payment
logs
Top tier
phishing
indicators
Customer asset
/ credentials
Threat
landscap
e intel
Intel as a
service
(IaaS)
Staff asset
/
credentials
Industry
threat
intel
sharing
Public
sector
threat
intel
ISAC5
threat
intel
Law
enforcemt
threat
intel
Passive
DNS4
intel
OSINT7
sentiment
analysis
Undergd/dar
k Web intel
6IP
reputation
intel
Human
Intel
Technical
Intel
Actor
intel/indic
ators
Human
Intel
(HUMINT)
Technical
Intel
(TECHINT)
• Threats and exposures
that affect a specific
organization
• Third party insight
• Industry- and geography-
specific threats and trends
Internal External

Operationalizing intelligence enables organizations to answer the
most critical questions about today’s threats.
Who are the
adversaries I
should be most
concerned about?
What campaigns are
targeting organizations
like mine?
Who is vulnerable to their
kinds of attacks? Have
others already been
attacked? How is attacker
behavior trending?How can I better adapt my
defense posture to
counter these adversaries?
How have other victims
reacted?
What is the nature of
my adversary?
Criminal? Industrialized
or highly focused?
What kinds of tools,
techniques & practices
are adversaries using &
how serious are they?

But many organizations still lack a comprehensive approach to put
their security intelligence strategy into action.
• What tradecraft are others seeing?
• What findings are most relevant?
• How can I utilize this intel?
• What is the fastest route to
containment and controlled loss?
• Are my people in the right place,
doing the right things?
• How should incidents and
response shape strategy?
• How can I expand my strategy to
address cloud-based risk?
• How can I optimize visibility with
intelligence and SIEM?
• How can I better plan, allocate and
respond with expertise?
• How can I learn from and apply
experience with real-world threats?
PLANNING AND BUILDING
CAPABILITY
LEVERAGING INTELLIGENCE
MANAGING RESPONSE
How can I strengthen and
extend my current
investment in security
operations?
Security Intelligence
Platform
How do I address phases
of an attack lifecycle?

Security intelligence underpins the overall security challenge.
It is core to IBM’s approach with clients.
Buyers
CISO, CIO, and Line-of-Business
Deliver a broad portfolio of solutions differentiated
through their integration and innovation to address the latest trends
Key Security Trends
Advanced
Threats
Skills
Shortage
Cloud Mobile and
Internet of Things
Compliance
Mandates
IBM Security Portfolio
Strategy, Risk and Compliance Cybersecurity Assessment and Response
Security Intelligence and Operations
Advanced
Fraud
Protection
Identity
and Access
Management
Data
Security
Application
Security
Network, Mobile
and Endpoint
Protection
Advanced Threat and Security Research
Support the
CISO agenda1
Innovate around
megatrends2
Lead in selected
segments3

What makes IBM Security different – global view of threat.
monitored countries (MSS)
service delivery experts
devices under contract
+
endpoints protected
+
events managed per day
+
IBM Security by the Numbers
+
+

How can the Index help you? Key questions to ask about your
organization’s exposure.
What level of events, attacks,
incidents are you seeing?
• Events – what is the tuning and how efficient is your
SOC / SIEM working for you?
• Are you getting the right use cases and data to allow
you to manage and see the threats?
• Do you have the right intelligence processing and
insight you need today to see?
Are you prepared and able to
respond to the incidents?
• Do you have the intelligence to be able to see what
is happening out there?
• How many incidents are you facing a year, do you
have the support and preparation you need?

Cybersecurity Awareness Executive Briefing – Security Services
Behind the scenes illustration
of modern cyber attacks
 Cyber attacks happen on a daily basis – we see
them on the news but how do they happen and why?
 A 2 hour briefing that goes behind the scenes, using
real-world scenarios, illustrative examples, and
interactive demonstrations to examine the anatomy
of modern cyber attacks:
 The 5-stage chain attackers typically follow
 Common methods and attack surfaces
 The role of social media
 Technological advancement and operational
sophistication
 Generate executive level awareness on current
threat level, cyber risk profile, global trends, potential
attack impact and essential practices
 Discuss key actions that can be taken today to
better protect yourself and your organization
Data
Infrastructure
People

IBM can help you chart the course to a more secure organization.
Learn more! Download the
2015 Cyber Security Intelligence Index
Contact your IBM sales representative for a discussion on:
Cyber Security Assessment and Response Services
Advanced Threat Intelligence or other IBM Security offerings
Download the
2015 Cost of Data Breach Study

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOUwww.ibm.com/security

Key Findings from the 2015 IBM Cyber Security Intelligence Index

More Related Content

What's hot

Viewers also liked

Similar to Key Findings from the 2015 IBM Cyber Security Intelligence Index

More from IBM Security

Recently uploaded

Key Findings from the 2015 IBM Cyber Security Intelligence Index