Security Snowflakes: Interactive IBM X-Force Feature Visualizes Data Breach Records
Security incidents are like snowflakes. Individually, each is a unique variation of a set of repeating patterns, yet over time, they tend to pile up into an unruly mound of a billion or more leaked records of personal data. Given the pervasive effects of a data breach, there are many public resources that do a great job tracking and advising on these numerous security incidents, although it is not always easy to see at a glance what is going on.
Over the years, IBM X-Force has reported on a sampling of security incidents to understand trends and key events. In 2011, in the midst of frequent reports of data leaks, denial-of-service (DoS) attacks and social hacktivism, X-Force declared 2011 the “Year of the Security Breach.” Since that time, we have maintained the security incident bubble chart, a data visualization that provides a graphical representation of security incident activity.
Until now, this has been a static look for the given period and is only updated once or twice a year. This week, IBM X-Force launched an interactive version of this visualization that provides an up-to-date overview of security incidents and a way to filter data based on disclosed attack types, affected industries, financial impact and geography.
Data Breach Tracking
When presented with this kind of information, common questions include, “How many security incidents were reported in the past year?” and, “Have there been more security incidents this year than any previous year?”
Though we have been asked these questions often over the four years since IBM X-Force has tracked data breaches and security incidents, the answer is not so straightforward. It is helpful to consider how security incidents are uncovered and reported. There are generally four primary methods: firsthand knowledge, mandated disclosure, secondhand knowledge and public disclosure.
Security vendors, managed security services providers and companies that provide emergency response services are often informed about security incidents that don’t make headlines. These are the people tasked with collecting forensic data, mitigating future exposure and often fixing the problems that led to the data breach in the first place.
Depending on the scope of the incident, these don’t always get covered by the media, and unless ordered by law, they may not be disclosed publicly. Users may individually discover a security incident if they detect suspicious activity of an online account or are unable to access an online service, as is the case in a DoS attack.
Due to privacy laws in many countries, companies that have discovered the potential loss of data or private information are required to inform their customers. This is particularly true for health care providers and other industries where personally identifiable information (PII) is collected. The severity and impact of these incidents may vary, though. If a USB drive with PII goes missing, it does not automatically mean the information will be used for malicious purposes. In that respect, the full number of these incidents adds to the total but may not indicate increased criminal intent.
The effects of a security incident can sometimes become apparent over time, as is the case with the rise of retail breaches in the United States in the past few years. Credit card providers notice an increase in fraudulent activity and can determine whether there is a common merchant connected with the card numbers. In this case, the disclosure becomes public as customers are informed or more details of the data breach are released.
As demonstrated by several high-profile incidents over the past year, data stolen from a company can be posted publicly. This might include a user table dump from a website with email addresses and passwords that are often weakly encrypted or in plaintext, or a full dump of intellectual capital, email messages and other sensitive documents.
There are many anonymous websites on which attackers can post this type of information and then inform the world through public platforms such as social media. Given that the information is coming from the attackers, the authenticity of the data can be questionable. Cybercriminals who want to make a name for themselves could post old credentials from previous data breaches to falsely represent a new incident.
Putting It Together
Given the diversity and volume of incidents coming from these various sources, it can be challenging to comprehensively track all security incidents, let alone determine their severity and root cause or find other detailed information. Additionally, every country has different disclosure laws, which makes it difficult to collect incident statistics on a global scale.
Some security vendors produce anonymous reports from firsthand knowledge that give insights into what would otherwise be private information. Additionally, there are several excellent online data loss resources that actively track mandated disclosures, as well as services that comb through public disclosures and dumps to determine whether a given email address has been involved in an incident.
Each of these organizations tracks pieces of the bigger picture, and their data can help analyze trends in increased or decreased volume. However, this still makes it difficult to answer the question of how many incidents occurred this year.
For the interactive security incident visualization, it is worth noting that the total incidents IBM X-Force tracks are less than the total number of all incidents in any given year. While the data represents a variety of incidents and targets, there are some minimum requirements. By excluding unverified dumps from unknown sources and smaller incidents, we can provide a representative sampling of several prominent incidents at a given time but not claim to be a fully comprehensive resource.
By visualizing how security incidents have evolved over time and immersing ourselves in the unique, snowflake-like patterns found within each incident, we can better understand how to better prepare ourselves for future risk awareness and the subsequent actions that help us implement more effective security fundamentals.