And Tippett says application logs are a more effective way to detect breaches than traditional signature-based network devices such as IDSes, or even firewall logs: according to data from Verizon's second annual breach report, most attacks came out of the bad guys using stolen passwords. "Signature-based IDS doesn't work -- signatures tend not to happen [in these attacks]," Tippett said. "Most attacks are when the bad guy uses a legitimate password, and we put IDS on the critical machines, but the attack is on these non-critical machines that gets the [bad guy] to the critical machine."
It's those oft-forgotten machines that are more at risk, he said. "They don't attack critical machines. They attack the stupid machines no one pays attention to," Tippett said.
The number one attack method used in most breaches is the old standby, the stolen password, according to Verizon's data, followed by SQL injection and attacks that take advantage of improperly configured Access Control Lists (ACLs). While Web applications are a major attack vector, remote access via SSH, VNC, and pcAnywhere is as well, Tippett said. "And we don't spend much on that" in security, he said.
Over 80 percent of the time, the application log data that Verizon Business gathers from its clients in its forensic investigations could have stopped an attack had the enterprise been watching those logs. "It turns out, of all the things that you could monitor -- IDS, firewall, etc. -- it's stronger to look at the application logs. 82 percent of the time we showed [the client's] management the log proof that [a breach occurred]. If they had seen that log [initially], it would've stopped it," Tippett said.
And two-thirds of the breaches last year involved stolen data records sitting on less-secure systems -- and the organization hadn't even known they were there. "You don't need to spend a million on data leakage protection. Stick a sniffer where the data should be and see where it goes," Tippett said. "Turn off vulnerability testing and do discovery testing" to locate sensitive data that could be exposed, he said. "That could take care of a significant proportion of data loss."
One-fourth of the breach cases were traced to an unknown network connection. "No one was paying attention," he said. "90 percent of all cases involve one of three unknowns: asset/data, connection, or user privileges."
Although targeted attacks accounted for 28 percent of the breaches in '08 (twice as many as last year), Tippett said most attacks were "opportunistic," and 74 percent came from the outside, not the feared insider attack. One-third were partner-related, he said: "That means people who had permission to use your systems."
Two-thirds of the cases involved hacking, and two-thirds didn't use malware at all, according to Verizon's data.
And the number of breach cases using a zero-day attack over the past five years: zero, Tippett said. "Not a single case that got anyone to the front page involved a vulnerability that was less than six months old," he said.
How long does it take cybercriminals to get in and take data out? According to Verizon's findings, the average is a little over one day. And in most cases, Tippett said, it took over an hour to get in and get the stolen data out of the victim organization.
Even more worrisome is how long it takes the victims to figure it out. More than 50 percent didn't discover their breach for several months, and then it takes them weeks to shut it down, Tippett said.