The 2024 Verizon Data Breach Investigations Report (#DBIR) is out this morning, and I make sense of it in my new post: https://kellyshortridge.com/blog/posts/shortridge-makes-sense-of-verizon-dbir-2024/

I focused on what felt like the most notable points, from #ransomware to MOVEit to web app pwnage to #GenAI and more.

I have insights, quibbles, and hot takes as always — but the fact remains it’s our best source of empirical data on cyberattack impacts. If you’re a #cybersecurity vendor, please consider contributing data to it.

Shortridge Makes Sense of the 2024 Verizon DBIR

This post includes my commentary and summary of the 2024 Verizon Data Breach Investigations Report (DBIR).

Sensemaking by Shortridge

@shortridge
Great write-up 🙏🏻

One question: could the meager 4% "success" rate of ransomware (rating a data loss as a success for the attacker) be caused by the measures already taken?
E.g. that the $100mm company already deploys EDR?

Then the $5,200 to $332,000 is the amount you could/should spend on improving your protection further?

@realn2s as I understand it, the 4% actual loss rate is _after_ attackers successfully implemented the ransomware — so, presumably, post-EDR’s chance.

But @alexcpsec likely knows the nuance better

@shortridge @realn2s what Kelly said. Those were after compromise and a ransom was requested by the threat actor (and subsequently reported to the FBI IC3).

@alexcpsec @shortridge
🙏🏻
That's actually surprising to me.
I expected it to be much higher.

But very good to know and a nice example of FUD (that I fell for) 😳

@realn2s @shortridge yes, but remember all of those folks were breached and had costs from IR and recovery. The threat actors are getting less of it, and that is good news, but the breached orgs themselves still “suffer”.

@shortridge
> a blahajillion of dollars

Didn't know numbers could be explicitly queer, but now I do and this is my new favourite amount of anything.

Love the sharpness and wit in the analysis!

@shortridge Thanks as always for your analysis and for sharing it with us all. I was wondering what you meant by “MOVEit’s customers are primarily in Education and Healthcare, sectors not known for their ability to effectively operationalize software”? Does that mean they’re buying software to check compliance boxes, but aren’t fully implementing the security controls it provides? Or perhaps they’re not monitoring the logs or alerts afterwards?