Hackers are not reinventing, but data breaches are on the rise: Time to get back to basics?


Web applications attacks are the #1 source of data breaches for the year 2015Verizon DBIR 2016.

Hackers exploit the weakest links – users/humans and applications – to get to your enterprise data. Humans are vulnerable to phishing and other forms of social engineering, with their careless actions leading to the spread of malware. Bad actors are stealing credentials and compromising enterprise data with ease, largely due to the effectiveness of web attacks, phishing, and malware. It is pretty apparent that no effective defense against phishing or malware has emerged, given their continued prevalence. However, it is hard to fathom why enterprises are not deploying web application firewalls (WAF) to stop the direct attack on web apps. With 89% of the threat actors being financially motivated or driven by espionage, having a data protection strategy will pay huge dividends by preventing major data breaches – even those caused by users or insiders.

Technical attacks, known vulnerabilities and stolen application credentials: Can a Web Application Firewalls (WAF) tackle them all?

Unsurprisingly, the top 10 known vulnerabilities are accounting for 85% of the successful exploits (source 2016 Verizon DBIR). The best defense against web attacks is to invest in a WAF. Content management systems (CMS) are notorious for being the most targeted web applications, the Imperva Defense Center research team first reported this trend in 2013 in the annual web application attack report(WAAR). The WAAR reports for the years 2014, and 2015 reaffirm CMS as one of the top targets for hackers. SQL injection continues to be one of the most popular technical web attacks simply because it is very effective. A WAF that can protect against the well-known top 10 OWASP list of technical attacks is a must for any enterprise.

Buyers Beware! A basic WAF lacking threat intelligence won’t do you much good since attackers now focus on stealing web application credentials (bank logins, SaaS/Cloud apps). Well-coordinated three-pronged attacks exploit phishing and malware to acquire web application credentials for further attacks. Find out how Account Takeover Protection from the industry leading Imperva SecureSphere WAF is the best solution hands down. No wonder Imperva SecureSphere WAF is the only leader in the Gartner magic quadrant for two years running!

 Phishing and Malware Defense: Rethink your approach

 “30 percent of phishing messages were opened – up from 23 percent in the 2015 report – and 13 percent of those clicked to open the malicious attachment or nefarious link” – Verizon DBIR 2016

The Imperva Defense Center Phishing Trip to Brazil report shows just how effective modern phishing campaigns are. This effectiveness is compounded by strong employee belief that firewall and endpoint security mechanisms will block malicious links within a phishing email.

“99% of malware hashes are seen for only 58 seconds or less” – Verizon DBIR 2016

“86% of the respondents are dissatisfied with their endpoint security solutions” – 2016 Cyberthreat Defense Report

The conclusion from the two data points – “Endpoint Protection is dead.” Malware is changing at a rapid rate and is avoiding detection even from advanced solutions. Increased IT security spend on endpoint protection has not increased protection against major data breaches.

“63% of confirmed data breaches involved weak, default or stolen passwords” – Verizon DBIR 2016

So what to do if you must assume hackers have compromised credentials. Two approaches:

  1. As mentioned above, ThreatRadar Account Takeover Protection can defend against stolen web application credentials.
  2. We believe that focusing on the tools used by hackers -phishing and malware- is not an effective data security strategy. Instead, you should focus on protecting the coveted prize the hackers want: your data.

Hacker have your enterprise login credentials: Can a data-centric approach prevent a major data breach?

In 93% of cases where data was stolen, systems were compromised in minutes or less

In 83% of cases, victims didn’t find out they’d been breached for weeks– Verizon DBIR 2016

If you read the above stats, it’s pretty clear current protection mechanisms aren’t preventing major data breaches. The reason is simple – the assumption that hackers can be identified and stopped before they try and access what they are ultimately after. Irrespective of the source of data breach –web applications (external) or users/insiders (internal), a database activity monitoring (DAM) solution is an absolute first step towards rapid detection and containment of data breaches.

DAM solutions provide the detailed visibility into who exactly accessed what data, which is a requirement for subsequently detecting abnormal activity. Furthermore, this same visibility helps meet compliance requirements and also helps with forensics in the case of a data breach. These activity logs are also critical in determining the extent of a data breach to help reduce any monetary penalties associated with a breach. Database Firewalls, like Imperva SecureSphere, is the logical next step to alert, quarantine, and block attacks and prevent major data breaches in real time.

Gartner Market Guide for Data-Centric Audit and Protection (DCAP) emphasizes that comprehensive data protection requires all five DCAP capabilities that CISOs need – databases, files, big data, SaaS, and IaaS.

 70% of breaches involving insider misuse took months or years to discover– Verizon DBIR 2016

Insiders pose a unique challenge to data breach prevention. They need legitimate access to data to perform their jobs. Many solutions available today claiming protection against insider threats miss the critical piece: context of data access. This is the knowhow/domain expertise needed to determine what access is normal vs. abnormal. Imperva CounterBreach applies advanced behavioral analysis and deception technology to identify and help contain insider threats. The Imperva March Hacker Intelligence Initiative Report, published in March 2016 by the Imperva Defense Center, provides an in-depth analysis of insider threat incidents detected by CounterBreach in live production environments.

Users/Endpoints will be compromised, Applications will be attacked, and Credentials will be stolen – Protect your Data!