Today, the 11th edition of the Verizon Data Breach Investigations Report (DBIR) has been released. This year’s report includes 53,308 security incidents, 2,216 data breaches, 65 countries, and 67 contributors.

I participated in a panel discussion with the Verizon team on BrightTALK earlier today. Listen to the recording here.


The DBIR is one of the most anticipated annual reports and has endured for many years. If you’ll indulge me and take a trip down memory lane, here are some of the events you might remember from the year the first DBIR was written:

  • The first Twilight film was released, and the nation was divided by “Team Edward” or “Team Jacob.”
  • The Dark Knight starring Heath Ledger was released. This serves as a painful reminder of just how terrible Ben Affleck’s Batman is.
  • The stock market crashed on September 29, 2008.

Some of the key findings for me:

  • “68% of breaches took months or longer to detect.” In a world of real time this and real time that, I’d be happy to forgo the real time if I get better fidelity alerting. From both my time at Forrester and my time now as CISO, I generally view “real time intelligence” as “real time false positives” that are going to create more work for my security team. If we are looking at “months or longer” for breaches, I’d be happy to wait a few more hours or days to get better quality reporting that doesn’t DoS (denial of service) my team and reduce my overall time to detect.


  • Ransomware is the top flavor of malicious software, found in 39% of cases where malware was identified. You must have a plan for extortion attempts, and not just ransomware, but also DDoS extortion or intellectual property extortion. Your business continuity planning must take these scenarios into account. My colleague Harriet Gruen and FBI Supervisory Special Agent, Sheraun Howard, recently did a webinar on ransomware that you might find useful. “Emerging Ransomware Threats and How to Protect Your Data


  • I find the “Denial of Service: Storm preparations” section to be particularly relevant. This was a focus area of mine at Forrester and I also have to deal with this in my day job. DDoS “attacks, on average, are more like a thunderstorm than a Category 5 hurricane”. “You will find that most of the attacks are measured in minutes.” The question for CISOs is how much do I invest in a thunderstorm? Do I have enough budget to prep for a Category 5 hurricane? When it comes to budget tradeoffs these are important questions.  Having intelligence on threat actors who conduct these activities against your industry can help with this calculation.


  • JavaScript (.js), Visual Basic Script (.vbs), MS Office and PDF10 tend to be the file types found in first-stage malware. This isn’t breaking news, but it’s a good reminder to make sure we incorporate this into our vulnerability management triage process. We should be tracking the software, technologies and CVEs that malware is exploiting.

Source: Verizon DBIR

Since we are eleven years into the DBIR, I suspect that you are familiar with how to leverage the report, but just in case you aren’t, here are some quick suggestions:

  • The report is filled with great content, and there is a lot of it. The report is nearly 50 pages without the appendices. I found it useful to read through it once in its entirety before I started making notes. I understood the full context and then I could start breaking it down into “byte-sized” bits.


  • Yesterday was National Unicorn Day, and you may very well be a unicorn. Not everything in the DBIR will apply to your business. Make sure to take this into consideration while reading the report.


  • Go to Figure 28 “Industry Comparison” on page 26, look at your industry and the attack patterns that are most common in the DBIR data set. Do you have the appropriate security controls in place to detect and mitigate these attacks?

Source: Verizon DBIR

  • You can use the attack patterns to build intelligence requirements and to kick start your collection plan. For example, if you are in the banking industry you can build or buy collection capabilities around these areas:
    • Banking Trojans (tools, actors, exploits, configuration files)
    • Denial of service (tools, actors, target selection)


I’ve already read through the DBIR multiple times and with each subsequent reading I find something else that is useful. One final recommendation that I’ve been suggesting for many years is to create your own version of the DBIR based on your own intrusion and breach data. Nothing is more relevant than what is happening within your own organization. The DBIR has some great examples of graphics that you can incorporate into your own tailored reports, which you can then use to communicate the threat landscape to your executives.


To learn more, subscribe to our threat intelligence emails here.