Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.
The Get Cyber Resilient Show Episode #22
This week Gar is joined by Prescott Pym, Operations Director for Network Security at Verizon and self confessed ‘cyber-holic’. Prescott spent 7 years working at the Australian Bureau of Statistics before joining Verizon as a security analyst back in 2007. Prescott has built out SOC teams in Australia, India, Japan, Germany, Switzerland and the USA and currently runs a 70 person APAC SOC with a focus on government. Prescott brings a wealth of experience along with his passion for cyber resilience to this discussion focused on Verizon’s 2020 Data Breach Investigations Report including how Verizon use the report, the unexpected trends the data highlights, how the tried and tested attacks are still doing damage, what the data means to small and large businesses and where these attacks are coming from.
To get your copy of the Verizon’s 2020 Data Breach Investigations Report please follow this link: https://vz.to/3hR38eI
#cybersecurity #cyberresilience #getcyberresilient
The Get Cyber Resilient Show Episode #22 Transcript
Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast, I'm Garrett O'Hara. And this week I'm excited to be joined by Prescott Pym, operations director for network security over at Verizon. As he quickly confesses in our conversation, Prescott is a cyber-holic. He found his love of cyber through university, and you're gonna hear that in his voice, it's still there.
He began in software development at government, and then moved over to a security team at the Australia Bureau of Statistics. While working on his masters, he then made the move over to Verizon to go really deep on cyber security.
And now, with nearly 14 years under his belt at Verizon, his experience really does run deep. He spent years in the U.S., Europe, and Asia, building out SOC teams, and right now, he's running a 70 person APAC SOC, with customers all over the region, but particularly focused on government. We get into Verizon's data breach investigation report in this episode, that's into its 13th year, and up to 81 contributors now, including the AFP, and the government of Victoria.
The DBIR, is a staple of the cyber industry reports, you're almost guaranteed to see its stats quoted at some point in a cyber security presentation, in my experience. The report runs for 119 pages, so we'll get into what we can in 30 minutes, which is actually a lot.
We talk about how Verizon use the DBIR, the trends the data in the report highlight, which are actually sometimes not what I would have expected, and maybe points to how we sensationalize things in our industry. How the tried and tested attacks are still there, what the data means in terms of large and small organizations, where the attacks are coming from, and the breakout of data of APAC.
You can hear the excitement Prescott found for cyber many years ago, in his voice, it has not gone away, so please enjoy this episode.
Welcome to the Get Cyber Resilient podcast, I'm Garrett O'Hara, and today I'm joined by Prescott Pym, from Verizon. Uh, Prescott's the operation director, um, for network security there. How're you doing this morning Prescott?
Prescott Pym: [00:02:02] Good thanks, Garrett. Appreciate you having me on the show.
Garrett O'Hara: [00:02:05] Oh, it's an absolute pleasure. Um, you're based out of Canberra, right?
Prescott Pym: [00:02:09] Yes, that's correct. I've been here for about 20 years now. Originally a Melbourne-nite, but, uh, yeah, the lifestyle in Canberra is too much to turn down.
Garrett O'Hara: [00:02:16] It's funny, because I've been down there a few times, and stayed for... my wife is really into running, stayed in Hotel Hotel, if you know that, um, place?
Prescott Pym: [00:02:24] Yes, yes, lovely.
Garrett O'Hara: [00:02:24] And amazing, yeah, it's so, so good. Um, what a great town. Absolutely love it down there, and it's very, very pretty and surrounded by, um, amazing nature, Lake George, big fan.
Um, so, Prescott, look. I always kind of like to kind of get started with, um, people and then how they got to where they are. And you've been with, uh, Verizon for, it's close to 14 years, I'm gonna say?
Prescott Pym: [00:02:47] Yeah, yeah. Um, it's close.
Garrett O'Hara: [00:02:48] I did some LinkedIn stalking earlier on today.
Prescott Pym: [00:02:50] [Laughs].
Garrett O'Hara: [00:02:50] So, um, yeah. Could you... do you mind just kind of running us through your kind of journey to- to get to being the operation's director there?
Prescott Pym: [00:02:57] Yeah, sure. So, you know, uh, my name's Prescott, I'm a cyber-holic, I've been a cyber-holic for 20 years now.
Garrett O'Hara: [00:03:03] [Laughs].
Prescott Pym: [00:03:03] Uh. [Laughs]. It's a problem I can't shake. Uh, but, uh, yeah. I- I started out, uh, with an interest in cyber really, through- through university. Uh, did a subject and like, "Yes! I know that's exactly what I wanna do with my career." Um, and then, you know, got a job in- in government, uh, and moved to Canberra for- for that. And, uh, I got put into doing software development. So. [Laughs]. Wasn't quite what I had in mind, but, yeah, as- as with anything, you learn, you take, uh, you know, what you can from each role, and then- and then you move on. So.
I managed to- to swing a job in the security team, uh, at the Bureau of Stats. Uh, long before the census 2016. And, uh, yeah, worked there for about seven years with a great bunch of people, uh, and sort of helped to run the internet gateway, uh, there, you know, doing cyber security, you know, security infrastructure management.
Uh, it was really interesting in 2000, and, uh, 2006. We- we did the first online census. So, sort of in the command center there 24x7. Uh, that's the sort of stuff I- I really love, and I've been doing security operations work for 20 years now. Uh, it can get a little bit tiring at times, uh, with the 24x7 nature of it, but, uh, yes. So then I... I actually was doing my masters degree in information system security, and that sort of triggered me to wanna, you know, deep dive into cyber a little bit more.
So, uh, I got the role at Verizon here in 2007. I've had quite a journey at Verizon, actually. I've had a chance to spend quite some time in, uh, the U.S., Europe, uh, and Asia, helping to build up, uh, SOCs team, SOC teams all around the globe. So, um, probably spent nearly a year out of- out of that time, you know, overseas, and helping to- to recruit, and build and train, uh, train SOCs around the globe.
Garrett O'Hara: [00:04:46] Fantastic, so lots of times in hotels and airports it sounds like?
Prescott Pym: [00:04:50] Yes, [laughs]. Indeed, indeed. Uh, so- so that's been, that's been the great thing about Verizon, as a global international carrier, uh, is we have to have that global- global reach, and tap into a lot of great resources from- from people. Made some really great, uh, friends and acquaintances, you know, all around the world, here at Verizon.
Garrett O'Hara: [00:05:07] Awesome. And you guys are going through pretty br-, uh, busy time I would imagine, given the huge transformation in Australia since, oh, I suppose, late January, February, you know, the work from home movements, and- and all of that stuff? Um, fair to say you're- you're- you're a busy man, and your team is probably flat out at the moment?
Prescott Pym: [00:05:24] [Laughs], indeed, indeed. That's right. So, yeah, I have around about 70 people in- in the SOC here that we- we look after for Asia Pacific security operations, uh, customers all over the region. But particularly focused in government here in- in Canberra, which is why we're here. So, uh, we've been helping assist, uh, a lot of the government agencies, you know, transition their, uh, work from home, as well as my own workforce, uh, transitioning to work from home, uh, as- as well. So, it's been quite the challenge over the past couple of months, but, uh, you know, I think, overall, Australia's done a really good job, um, you know, transitioning to- to the- the new arrangements.
Garrett O'Hara: [00:06:01] Totally agree. Um, you know, we- we... I've- I've been talking a lot about the, uh, COVID response, and then just how Australia's done, and- and, um, somebody on a- a session about a week or two ago asked, like, for one word, you know, what- what do you feel, um, about the transition, and how Australia's dealt with it? And the words were things like, "Proud," you know, "Proud," um, uh, you know, "Happy." They're all very positive words, um, rather than, "Yeah, we messed it up." So. I think, yeah, a big pat on the back for Australia-
Prescott Pym: [00:06:29] [Laughs].
Garrett O'Hara: [00:06:29] ... for- for how we've done this stuff. Um, like, Verizon, obviously, you guys, um, run a- a sort of high end SOC. Uh, but one of the things you're probably globally famous for, more broadly in the cyber security industry, is the Data Breach Investigations Report, that gets produced every year. And, um, you're into the- the 13th year, I believe now? And, um, the report itself has, kind of, come on... I think originally was one contributor, and you're up to 81, and in Australia you've got the AFP, and- and the government of Victoria are now contributing to- to the, uh, report.
Um, it- it's gonna be impossible, so this is maybe a little bit of a trick question giving the report is 119 pages long, but, like, [laughs], how would you summarize the- the findings, or the trends in this year's, uh, report?
Prescott Pym: [00:07:16] Yeah, look, I... it's really interesting, and thank you for the- for the background there. Um, you know, we- we've been involved in the- the- the Data Breach Investigations Report, the DBIR, for quite some time here. And so, at the... sort of, the- the range of contributors, uh, a- across the globe, ra-, uh, ranges from, you know, as you mentioned, Australian federal police here in Australia, CERT Japan, CERT Malaysia, CERT US. And then we've got a smattering of other companies, um, ParaFlare is a relatively new cyber security, uh, organization out at Sydney. They're a contributor, um, you know, Swisscom is a telecommunications company in, um, in Switzerland. So, there- there's quite a range of different types of inputs, of- of data.
Um, and data does change a little bit from- from year to year. A- and as you mentioned, we had, uh, Victorian government coming this year for- for the first time. Uh, so, uh, it- it's really a great snapshot. It's not just, you know, Verizon's view of what- what we see, it's, uh, a- across industry. I think, uh, yeah, we- we sort of see that, uh, a- a lot of the breaches, uh, now that there's mandatory reporting, in a lot of regions, are continuing to increase. M- maybe that's a little bit of the, you know, the iceberg that was under the water previously, um, coming up to- to the surface.
Uh, so we- we do see increases in the number of breaches and incidents, which, uh, you know, has- has a number of, uh, causes. But, uh, yeah, we still see that 70% roughly of, uh, breaches happen externally-
Garrett O'Hara: [00:08:45] Mm-hmm [affirmative].
Prescott Pym: [00:08:45] ... um, to- to and organization. So, uh, that- that's probably across the- the-, uh, across industries. The- the DBIR actually allows you to, drill down into individual verticals. Um, which is what makes it really relevant for a lot of organizations. So that if you're in manufacturing, you can go drill down and see, "Okay, what are the types of attacks that I might typically see?" Um, there's some... on the- the DBIR website, there's actually some interactive sections, you can- you can drill down and see, you know, okay, manufacturing, external threats, what are the types of threats. Uh, that's a really useful tool, just to- to flag your listeners as well.
In the past, we've also developed a Splunk app that, uh, allows you to, um, you know, run that over your Splunk instance, and- and map some of-
Garrett O'Hara: [00:09:31] Yeah.
Prescott Pym: [00:09:31] ... the instance as well. I'm- I'm not sure if we still maintain that, but there the sorts of just, you know, outreach that we're trying to- to get with the DBIR. And, uh, you know, inform people, uh, to, what are their threats, and then you can use that information to help set your agenda for your cyber security policy. You know, reporting, you know, accurate information up to a board level, is typically something that- that's quite challenging for a lot of people. So to be able to get some really relatable information to your industry, um, and then use that to help communicate why you need an information security program, uh, is- is one of the really good outcomes from this.
Garrett O'Hara: [00:10:07] Yeah, definitely, with some high quality, um, strategic threat intel-
Prescott Pym: [00:10:10] Yep.
Garrett O'Hara: [00:10:10] ... um, based on, you know, such a big data set. And the data set is, uh, looking at the numbers here, 32,002 security incidents, and out of that, and just under 4,000, so, 3,950 were confirmed breaches, so it's a huge data set for people to be able to leverage. Um. So, in- in terms of the, uh, the report, so obviously you're working in a SOC, and, how- how do you go about using the- the report data to, kind of, help your customers?
Prescott Pym: [00:10:41] Yeah, and... a great question. So, uh, the- the- the base of the Data Breach Investigations Report, is a framework which is called, uh, VERIS. As the, I guess the language to describe, um, how a breach happens.
So what we do is, we take, uh, a- an example of a- of an attack, or a breach, run that through the VERIS framework, and that sort of, uh, consolidates the data, and makes it into common format, that we can- we can, you know, historically go back and look at the information in things like the DBIR. So, quite often, we find that our customers wanna, you know, uh, put their events in the VERIS framework, um, so then they can, uh, check h- how they are performing against the data set of the DBIR as well.
So, um, you know, just- just to give you, uh, an example of how we in SOC might interact with, uh, with the teams and the data that goes into here. Um, we- we also have a side publication called the Data Breach Digest, um, which gives a- a bit more of a deep dive and a case study into some of the forensic investigations that we do, that- that follow into the report. Um, we did have one a couple of years ago that- that featured in the report, um, from- from an Australian, um, organization, um.
Some suspicious activity was flagged into- to our SOC, we started doing an investigation, worked out that there was some- some really, uh, unusual and strange, uh, traffic going on to various seafood related sites, which wasn't typical for, [laughs], for that organization.
Garrett O'Hara: [00:12:06] [Laughs].
Prescott Pym: [00:12:07] Uh, and then, uh, we- we called in the Verizon forensics team to- to run an analysis, and they found that, the, um, I think it was the- the vending machine network at this organization had been, uh, compromised, and was, uh, being used as a command control network. So, uh, that- that sort of information-
Garrett O'Hara: [00:12:23] Oh.
Prescott Pym: [00:12:23] ... is an example of- of a data breach that will feed into the investigations in the report.
Garrett O'Hara: [00:12:28] And it- it's amazing to have access to that, sort of, deep analysis of, uh, breaches. Um, and looking at, you know, some of the- the diagrams in the DBIR. Um, there is one particularly, where the- the sort of, the author, whoever's writing the copy for it, sort of describes it as a work of art, like an abstract art, where it's got the, um, the lines that indicate the number of steps. And, um, I looked at it, and I was like, "Oh, my God, my- my brain's kind of melting here-"
Prescott Pym: [00:12:56] [Laughs].
Garrett O'Hara: [00:12:56] ... it took me a little while to be able to kind of get what it- what it all meant. [Laughs]. But, um, yeah, looking at the long tail of, um, how complex the, you know, the chains are sometimes in- in those breaches, is, uh, it's pretty- pretty impressive stuff.
Um, one of the things I'm- I'm kinda curious to talk about is, the things that we maybe overestimate in terms of real impact, um, based on the data. You know, as humans, I think we- we have a tendency sometimes to, kind of, uh, respond to the emotional stuff, but actually the data, kind of, tells us something else. Like, what do you- what do you think are things that maybe we overestimate, in terms of that actually real impact, when you look at the data?
Prescott Pym: [00:13:31] Yeah, I- I think, you know, sometimes cyber or security can be a bit sensationalized, um-
Garrett O'Hara: [00:13:36] Mm-hmm [affirmative].
Prescott Pym: [00:13:36] ... particularly in- in the media. I- I guess we- we saw that even just yesterday, uh, with- with some, uh, a large apparent DDoS attacks in- in the US, taking out a number of, uh, providers. Um, and, you know, the first I heard about that was from my wife. Uh, saying, "Hey, what's this going on?" [Laughs]-
Garrett O'Hara: [00:13:51] Yeah.
Prescott Pym: [00:13:52] ... uh, from News.com.au. Uh, so, uh, yeah, so, uh, it can be quite sensationalized. Um, I think is probably the biggest problem, um, but, a- at the core of it, a lot of it, uh, the- the breaches and attacks, are very opportunistic.
Garrett O'Hara: [00:14:06] Mm-hmm [affirmative].
Prescott Pym: [00:14:06] Uh, so we see, you know, uh, you know, the sort of the theft of credentials, um, social attacks, um, making up around 67% of the- the breaches. Um, so, getting that- that sort of basic hygiene right around, you know, having a- a good authentication management system, uh, fo- for your credentials. Um, you know, uh, you know, security controls around web and email browsing. Um, they're the- the sort of critical things that- that are the common avenue to- to attack, that people just, you know, don't necessarily get right. Or, uh, you may have the controls in place, but they're not configured adequately. Um. Because you know, people might jump up and down, and say, "Hey, I can't get to this website," so we unblock the category.
Uh, just- just recently, uh, there was a- a breach that the Australia Cyber Security Center was involved in, and the, uh, source of that was actually through, uh, through LinkedIn. So, uh, one of the users at the organization, you know, was- was targeted, sent a document, uh, through LinkedIn, uh, which was then used to compromise the- the pc, so. Um, yeah, those sort of attacks a- are very much common these days.
Garrett O'Hara: [00:15:17] Yeah, it's interesting you say that, we actually had a, uh, a warning circulated in- in our organization, for a- a person who appeared to be fake, you know, a fake person. And, um, you know, was highlighted by our security team, um, and it again, it was through LinkedIn. And I'm definitely, I suspect you may be in the same position where, um, people connect with you, and, um, I'm getting more and more sort of suspicious of who they are, who are they connected to, like, what's the, "Why?" you know, "Why are we connecting here?" Um, and being honest, some of them actually look like they're AI pictures, they don't... there's something weird about them-
Prescott Pym: [00:15:50] Mm-hmm [affirmative].
Garrett O'Hara: [00:15:50] ... they don't even look like humans. And- and I don't know-
Prescott Pym: [00:15:52] [Laughs].
Garrett O'Hara: [00:15:52] ... if this is my- my tin foil hat coming out here, but, uh, [laughs], definitely strange days on LinkedIn.
Prescott Pym: [00:15:57] Yeah, I- I- I... whenever I get a connection request, uh, on- on social media, I typically take the, uh, the image of that person, run it through Google search, image search, and quite often, you'll find that- that picture is being reused in a number of places. So.
Garrett O'Hara: [00:16:12] Phenomenal, actually, as you say that to me on, uh, was on LinkedIn, had a post last week, I think it was, where they- they had gone through that process, and shown that it was actually a stock photo. Um, so they responded to the person, then kind of called it out and said, "Oh, right, you're a stock photo model? Why are we connecting?" [Laughs], I'm in cyber security. It's like, what a- what a way to do it. Um.
Prescott Pym: [00:16:31] [Laughs].
Garrett O'Hara: [00:16:31] Um, yeah, very funny. So look, in- in the report, it's definitely, um, it was also a really interesting split, um, between the sort of small and large victims, and I think the- the stats were 28% and 72% respectively. And, like, I- I think there would be a perception that larger- larger organizations would have, like, bigger walls, better protection, but it sort of seems like the stats point to that maybe not being true. Like, what are your thoughts on that?
Prescott Pym: [00:16:57] Yeah, it- it's interesting, and the- there's many different ways you can interpret those statistics, uh, to- to suit, you know, uh, your own organization. I think, uh, the- the stats that you called there, for the small business in particular, I- I think are really interesting. In that, while the report probably is weighted towards the data set that, um, you know, comes from large organizations, um, you know, the smaller organizations, uh, actually, you probably see in the- in the stats, it's roughly a 50:50 breach to incident ratio, that was something that I pulled out of there that was interesting. So.
Uh, if there's gonna be an incident, uh, it's more likely to result in a breach for a smaller organization, whereas for a- a much larger organization, as you mentioned, there's- there's typically quite a lot of defenses in play. So all of those incidents actually don't translate into, you know, serious data breaches. Um.
I don't think anyone is really getting cyber- cyber right. Um, yeah, you can invest a lot, there's always gonna be a- a high level of APT type activity, and we've seen a lot of that happening, um. I- I was reading last night, the Google, um, blog, stating that, you know, uh, a lot of... I think it was more than... they- they'd identified more than 12 campaigns by APT actors, um, yeah, surrounding COVID and phishing, and, you know, G Mail sees about 20 million phishing attempts for- for COVID every day. [Laughs].
Uh, so, yeah. The... the- the challenge there for large organizations is, you know, do they have visibility over their entire IT fleet? Um, shadow IT, a lot of, uh, information's being spun up in the cloud, sort of outside- outside of the normal control channels. Um, and that's proving a challenge for them.
Garrett O'Hara: [00:18:44] Yeah, it's a bit of a wild west when it comes to shadow IT, and just how easy it is to spin things up. Like, so obviously, we- we work heavily in the email space, and one of the things we see when we go to Implements, um, Security, uh, Security, My Gateways, is, um, the amount of platforms that have been spun up by HR departments, or finance, you know, they pay for sometimes with a credit card sometimes, but it's spoofing domains, um, and you only really get the... uh, you only really get to see that when you, kind of, implement a new platforms, um, definitely it's, uh, it is strange days. And- and a huge, as you said, a huge, huge, uh, spike in, um, malicious and scam websites around COVID.
You know, using COVID as a lure, that was astonishing, um, to see, just the- the sheer volume of those. I think Recorded Future, um, put out a paper on it, I'm gonna get this number wrong, but I think they were seeing something like 400 or 500 domains per day, uh, being spun up. Um, where, you know, it was mentioning COVID, or coronavirus, and, um, our- our team, um, the security team, sourcing it, and like it was ov- just over 60, 000, um, when they looked at it in mid-Feb, so.
Prescott Pym: [00:19:54] [Laughs], yeah.
Garrett O'Hara: [00:19:55] Amazing to see.
Prescott Pym: [00:19:55] That's amazing.
Garrett O'Hara: [00:19:56] You know, the-
Prescott Pym: [00:19:57] Yeah, like- like we said before, the, I guess, a lot of the attacks are very opportunistic, so-
Garrett O'Hara: [00:20:01] Mm-hmm [affirmative].
Prescott Pym: [00:20:01] ... they'll take advantage of any- any, uh, fear or weakness, um, to, um, try and get someone to perform an action like, you know, click on a link, or open a document.
Garrett O'Hara: [00:20:10] And do you think this- this, kind of COVID thing has been a little bit of a training ground for us? You know, that people maybe, uh, maybe have a little bit better of a security awareness, just given how prevalent the attacks were? 'Cause, like, let's be honest, it's gonna happen again, it might not be COVID, there'll be other things, you know, it happens every year, Black Friday, um, Cyber Monday, like, we see this stuff time and again. What are your thoughts around, I don't know, like, and uptick in awareness training, um, or security awareness?
Prescott Pym: [00:20:40] Yeah, look, uh, I think it, definitely, that's sometimes that a lot of organizations, um, will continue to- to invest in. Uh, I think we- we've seen a really great lift in, uh, the number of security awareness training, um, you know. Particularly, uh, dedicated positions within large organizations.
Garrett O'Hara: [00:20:56] Mm-hmm [affirmative].
Prescott Pym: [00:20:57] Uh, try- trying to get that message out there, there's some great stuff coming out of ANZ, um, and other Australian organizations. Um, but, uh, what I probably believe, is that, a lot of... as we've shifted to remote working, a lot of organizations are asking their employees to, uh, to use their own equipment as well.
Garrett O'Hara: [00:21:17] Mm-hmm [affirmative].
Prescott Pym: [00:21:17] Uh, saw some- some research coming out yesterday, that indicated, you know, roughly 60% of, uh, people using their own, uh, equipment, to- to connect into-
Garrett O'Hara: [00:21:25] Wow!
Prescott Pym: [00:21:25] ... to corporates. Um, so, uh, that's a- that's a bit of a- a minefield, and, uh, you know, particularly when we- when we look at, in terms of remote access solutions. Uh, late last year, there was a number of brea- uh, sorry, uh, vulnerabilities, uh, discovered, uh, that were being used by ATP actors, um, in- in some common, uh, security platforms, and, uh, also in evidence that, um, you know, a lot of these had been breached, and- and- and used to exfiltrate data. So, you know, having a- an old, uh, or misconfigured remote access solution, combined with, uh, you know, end user laptops that probably aren't cared for with the right endpoint security, um, yeah, that- that has been really worrying.
Garrett O'Hara: [00:22:12] Yeah, it is, it's- it's a- a huge thing, I suppose, the amount of times I've heard of organizations where their employees were office based, and they had towers. So nothing that was mobile, nothing that, you know, somebody could bring home easily on the bus. Um, [laughs], or at least not without, you know, disturbing the, uh, fellow passengers, or- or whatever. So, um. Yeah, I've- I've heard some of the things, I just had no idea it was, uh, the- the numbers were that high, 60% is, um, that's not a small amount of- of people using, yeah, potentially, yeah, completely inappropriate, um, hardware, and- and software. Wow!
Prescott Pym: [00:22:45] Mm-hmm [affirmative].
Garrett O'Hara: [00:22:46] And, one of the- the other, kind of, things that really stood out for me in the report was, like, when we think of attackers generally, the picture I get in my mind is the, you know, the meme that I know we all want to die, which is the, you know, the person in the hoodie sitting in a basement somewhere, and then, you know, probably in an exotic country. Um, you know, somewhere hot with, um, good beer and, um, you know, that's the- the sort of picture that I get. You know, lawless countries.
But, uh, the DBIR calls out that 85% of attackers are actually in the same country. And I kind of wonder then, does that, like, apply broadly to all attack types, or like, can you tell us more about that?
Prescott Pym: [00:23:25] Yeah, uh. Yeah, it is interesting, uh, the- the- stats that you mention there from the report. Um, what we find, I guess, is it depends very much on- on the industry. So, in healthcare we see a lot more insider, um, you know, attacks, uh, on the network. And- and typically, those- those insider attacks would be launched from, you know, even with, just within that organization, or within the country. So, um, yeah, there- there is quite a large element to that.
And that's one of the- the really great things about the- the DBI report, is you can- you can drill down into, uh, you know, individual information that is relevant to your- your industry vertical. And- and know that, "Okay, for healthcare, um, you know, I'm a medical surgery, I've got to look at, for, um, attacks that are coming from the inside, more- more so than the exo- outside." So, um, having that- having that- that awareness of what's going on, is definitely critical.
Garrett O'Hara: [00:24:19] Yeah, absolutely. Um, and- and to your point, like, the amount of detail in the report is quite astonishing. You know, it's 120 pages, but it's actually rich. Um, I know there's- there's some reports that I've seen where there's a lot of... it feels like filler sometimes, and a little bit of fluff. Um, but actually, it's just really dense with useful information. Um, and written in a style, I don't know if you know the person who, kind of, writes it? But, um, please congratulate them, 'cause I love the fact that it's also entertaining, which is pretty tricky to do-
Prescott Pym: [00:24:48] [Laughs].
Garrett O'Hara: [00:24:48] ... when you think about some of the... you know, it's a huge report with a lot of stats and data, um, but the... there's probably a joke per sentence, or every second sentence, you know, quite a- quite a funny style, so, really love that about it as well.
Prescott Pym: [00:25:00] Yeah, no, there's been quite a few contributors to the report over the years, um. You know, Wade Baker, Bob Brutus, um, Gabe Bassett, they've sort of really, you know, set the tone, you know, reading through reams of information can be pretty horrible, especially, uh, if you have to study it, uh, for- for a university subject. I'm doing my MBA at the moment, uh, so, uh, try and juggle that with, uh, with work, uh, fall asleep, [laughs]. Regularly trying to, uh, just remember a whole bunch of information, but, you know, being able to contextualize it, and- and make it a little bit more fun to read, um, you know, I think definitely helps.
And we- we do have an executive summary that, uh, is- is about, uh, I think, you know, uh, 12 or 13 pages long, so, highly recommend that as an entry point into it if you haven't read it before, [laughs].
Garrett O'Hara: [00:25:45] Yeah, and then you can, as you say, you can deep dive into the- the sort of meat of the full report as needed, um. So, look, one of the things you mentioned a little bit earlier on actually, was, this idea of, you know, reporting surfacing what, you know, what appeared to be originally the tip of the iceberg, once things like, uh, regulatory requirements for mandatory reporting come into play.
You know, you see a problem better, so you get better visibility of a problem, and- and there's more open reporting. Um, so look, one of the- the other kind of things that you- you mentioned a little bit earlier on, um, but kind of briefly, was that, you know, sort of in life, it can seem like things are getting worse, but really what's happening is, that we've got better visibility of a problem, um, or more open reporting. So for example, with, globally there's more and more kind of regulatory requirements around mandatory notifications of- of things like breaches.
Um, like, do you think the DBIR reflects any of those, kind of, possibilities, I suspect it does, based on your comments earlier on?
Prescott Pym: [00:26:47] Yeah, that's right. Uh, I think we- we continue to see a lot of organizations wanting to get increased visibility, um, of their cyber security spend, especially now, uh. The worlds in a bit of an e- economic crunch and-
Garrett O'Hara: [00:27:01] Mm-hmm [affirmative].
Prescott Pym: [00:27:01] ... uh, having- having good access to- to information to make decisions is absolutely critical. Um. As- as organizations are, sort of, winding back some of their- their resourcing in- in the last couple of months, it's still really critical that they maintain, you know, some sort of cyber security presence and, uh, you know, there's been some- some, uh, recent breaches, like I say, Easyjet in, um, in- in the UK. Um, as we know, the airline industry's h- had a really hard time of it, and have been, you know, uh, standing down quite a lot- a lot of staff.
So, um, yeah, one of those- those areas that, you know, should maintain a bit of visibility is, if you've got a large customer data set, that's really attractive for- for criminals. Um.
Garrett O'Hara: [00:27:45] Mm-hmm [affirmative].
Prescott Pym: [00:27:46] And- and when your defenses are- are really weak, uh, it's- it's a great time to- to capitalize that from- from an attacker's perspective. So, that- that's probably one- one thing I'd- I'd state- state there. Um, the second is, uh, we're also seeing, a- an increase in demand for, "How can I report this information up to- to- to board level?" Um, that's... whenever I talk to a customer, that's, you know, "How can I use this information to articulate and manage the investment decisions that the organization is making into- to cyber security?"
Um, so this is a- a great tool to, sort of, bring in that, uh, generalized information, about, um, your- your industry, and your vertical, and- and the trends that are happening. Um, but there's a number of other tools that can be utilized to- to help, uh, with- with that reporting up, uh, through executives, uh. We- Verizon also has a service, uh, called Cyber Risk Monitoring, which, you know, sort of takes a lot of the information that we have in the- the DBIR, and matches it up with, as mentioned before, Recorded Future, and- and other tools like that, to present a really unique, um, you know, scoring system to show you how you compare to- to industry as well.
There's probably a number of similar- similar tools, uh, to be able to, you know, help, um, you know, articulate those messages to boards.
Garrett O'Hara: [00:29:02] I love that idea of benchmarking, um, within industries. And we've definitely seen traction with that, with some of the, um, yeah, call them exec reports, that we- we kind of roll up from the data from our gateway systems. And, um, it's amazing how influential that can be, you know, it- it's sort of, uh, [laughs], it's not just an absolute measure of where we're at, but it's, "Hey, we're- we're actually behind our peers." Um, and I think that- that sort of puts a little bit of a, yeah, emotional pressure, I suppose, on the kind of execs and ex-co within organizations to, you know, potentially give much needed funding or support for programs that work. Um, definitely get that.
Prescott Pym: [00:29:38] [crosstalk 00:29:38].
Garrett O'Hara: [00:29:39] And actually on that, um, one of the things that the report does kind of call out, is that, so often hacking involves, kind of, using creds, um, and you know, it's either brute force, or they're stolen from somewhere. And one of the things, a- as I was reading through the report, it- it occurs to me, we've got good password managers, we know about two factor, normal two factor auth, and, can I just... I'm kinda wondering, like, from your perspective, what do you think the barriers are for, you know, rolling out something like better credential managements within a normal organization?
Prescott Pym: [00:30:12] Yeah, uh, that's a great question. Uh, it's something that a lot of organizations, uh, struggle with, single sign on isn't necessarily, [laughs], a single sign on either. Um, so, we- we're still sort of challenged with, you know, users having to- to manually remember passwords, uh, you know. We- we have a lot of password managers that are available, but companies will often, you know, uh, restrict access to those. Because they don't want users storing their corporate credentials, you know, in- in the cloud, uh, somewhere else.
Um, you know, Verizon, we- we manage quite a- a large identity, uh, practice as well. So, and just here- here in Australia, for instance, um, you know, we- we do, uh, you know, signing of, uh, of passports and medical, uh, transactions and things like that, through- though identity management. Uh, again, I think a lot of this c- comes back to the focus in investment. It's not the forefront of people's, um, you know, purchasing decisions, um, so it tends to get, uh, left off, because it's not as sexy as, uh, some of the other types of, uh, investment in cyber security programs.
Garrett O'Hara: [00:31:14] Yeah.
Prescott Pym: [00:31:15] Um, but, yeah. To your point, it's absolutely critical and, uh, you know, um, it's one of the most common vectors of, um, th- that we see in- in the SOC here, of, uh, credentials being- being exposed, put out on the dark web and, uh, it's something we regularly work with our customers on.
Garrett O'Hara: [00:31:32] Yeah, absolutely. And it feels like we've almost come full circle, 'cause you did mention at the start, you know, kind of getting some of the basics right, and getting good web security, email security, probably doing patch management, you know. It- it feels so often like we just need to do the basics and do them well. And then do the cool, sexy, you know, latest, um, you know, latest and greatest shiny thing, um, in cyber.
Um, the report also has a- a pretty solid set of breakouts for different regions, and- and APAC is included, uh, in- in that. What's the- the nuances that data's, kind of, showing for that region?
Prescott Pym: [00:32:09] Yeah, I- I think for the APAC region we still see a lot of web application attacks, um, as the- the- the primary, um, source of- of breaches. So, um, I think... an- and external, uh, probably more than other regions, um. I think 83% of- of attacks are, um, externally focused in APAC, compared to 70 something overall. So, there's definitely a, you know, a propensity for, um, you know, external, uh, threats to the perimeter, um, rather than internal. And, uh, yeah, with the- with the web application attacks, it's, uh, I think increasingly over the last couple of years, especially in the government space, a lot of organizations are trying to shift to, you know, uh, platforms as service, uh, applications as a service, um, and as we mentioned before, uh, sort of the shadow IT organizations.
Garrett O'Hara: [00:33:04] Yeah.
Prescott Pym: [00:33:04] Uh, you know, spinning- spinning them up without realizing the impact, or, um, misconfigurations is- is, uh, is- is another really huge one, uh, there. So you may be deploying, um, out in- in a cloud, uh, environment, but not aware of the permissions and access control, and people can just come along and, uh, scrub the buckets, and, you know, find, uh, a treasure trove of information, which can be then used to pivot, um, particularly with... if you've, uh, storing credentials, uh, out in those environments, to, uh, to- to attack your systems in other ways.
Garrett O'Hara: [00:33:39] It is a... it's such a complex world isn't it? When you think about it. Um, I- I almost hark back to 20 years ago, and how quaint things actually felt by comparison to the... just, it- it feels like such an avalanche of stuff to- to think about, in terms of security and privacy, and, you know, the kind of regulatory pressures. It just, yeah, it's astonishing to me that we- we don't all end up in a bar somewhere, and just, kind of, uh, trying to get through our stressful, [laughs], stressful days in the cyber security industry.
Prescott Pym: [00:34:08] [Laughs].
Garrett O'Hara: [00:34:08] Um, yeah, I think it is that-
Prescott Pym: [00:34:09] Yeah, 20, 20 years ago, the- that, I guess, the first, um, cyber security incident I came across was the I Love You virus. Uh-
Garrett O'Hara: [00:34:17] Oh.
Prescott Pym: [00:34:18] That was, like, my first week-
Garrett O'Hara: [00:34:19] I'm getting nostalgic.
Prescott Pym: [00:34:19] ... week on the job. [Laughs].
Garrett O'Hara: [00:34:21] [Laughs].
Prescott Pym: [00:34:22] So, uh, yeah. The- the threats are continuing to- to evolve and change but, you know, we- we're still compromising, uh, you know, uh, machines in organizations through- through email, like- like the I Love You virus. Um.
Garrett O'Hara: [00:34:35] Yeah.
Prescott Pym: [00:34:35] But that just, yeah, points to, uh, the need to- to improve them with hygiene and awareness.
Garrett O'Hara: [00:34:41] Yep, 100%. And then the report does call that out in there, the kind of key take-aways. You know, the, uh, the- the exact words are, "The times, they aren't changing." And, you know, I think in our industry, look, I think the people on the in- inside the industry kind of acknowledge that. And to your point, it is quite often just the same old stuff. We just need to do better at that; better awareness training, better, uh, technologies, w- you know, where appropriate and when useful.
Um, and, you know, hopefully we'll kind of, we get there in the end. But I don't think there is an end. Um, is suspect you and I will be in- in jobs, and- and talking about the same stuff 10 years from now, and 20 years from now.
Prescott Pym: [00:35:17] Yep, yep, indeed. And, I- I- like I say, a good point there is, um, the- the data in the DBIR does point to the... there are some improvements that, you know, can be seen. So, you know, we're seeing less, um, you know, organizations being breached because of- of patching from Microsoft vulnerabilities. And- and- and the common, um... you know, the sorts of, uh, you know, hygiene around, and around those areas.
I think the- the- the Australian signals director at essential eight is making a big impact, particularly in government, um, as- as more and more organizations become focused around just getting some of those- those basics right. So, there- there are some, um, some good signs from the report that, you know, the blue teams are having some- some, uh, some impact, um, and it's not just all, uh, scary red team stuff. [Laughs].
Garrett O'Hara: [00:36:04] It's good to hear. So it feels like a positive note to end on. And, um, yeah, look, Prescott, really, really appreciate you taking the time, I know you're a very, very busy person. Um, with a huge team of people who are at a particularly busy time, um, in- in the world, and in Australia, in the region. So, um, yeah, like, very, very much appreciate you taking the time, uh, to talk to us today.
Prescott Pym: [00:36:26] Not a problem. Really appreciate it, thanks, Garrett.
Garrett O'Hara: [00:36:33] Thanks again to Prescott for the great conversation, I truly enjoyed chatting to him, and getting his insights into the DBIR. I know I'll be keeping an eye out for his speaking events and webinars, and we'll include a link to any of those, and to the DBIR, and in the show notes.
As always, thank you for listening to the Get Cyber Resilient podcast. And we do have that back catalog of episodes, so please do have a listen to those also.
And I look forward to catching you on the next episode.