IBM Global Technology Services Research Report

Managed Security Services

IBM Security Services 2014

Cyber Security Intelligence Index
Analysis of cyber attack and incident data from IBM’s worldwide
security operations
2 IBM Security Services 2014 Cyber Security Intelligence Index

stolen. Heavy media coverage of several significant retail

About this report industry attacks pushed conversations about privacy and
security straight from boardrooms into living rooms around
IBM Managed Security Services continuously monitors billions the world.
of events per year, as reported by a sample of nearly 1,000
of our clients in 133 countries. This report is based on the The damage from such data breaches can be severe. If
cyber attack event data IBM collected between 1 January
consumers lose faith in a company’s ability to keep their
2013 and 31 December 2013 in the course of monitoring client
personal data safe, the company can ultimately lose customers.
security devices as well as data derived from responding
Most certainly they stand to lose money, and in some cases,
to and performing forensics on cyber attack incidents. It is
complementary to the IBM X-Force® 1Q 2014 Threat Intelligence intellectual property. In its most recent analysis, the Ponemon
Quarterly.1 Since our client profiles can differ significantly Institute found that in 2013 each lost data record cost
across industries and company size, we have normalized the companies an average of $145 per record, with companies
data for this report to describe an average client organization in Germany losing the most per record for each data breach
as having between 1,000 and 5,000 employees (although IBM ($201), followed by the United States ($195), and companies
typically serves larger client organizations), with an average of in India the least at $51.2 Based on the global average cost per
500 security devices deployed within its network. record, that means:

The annual Cyber Security Intelligence Index report offers • A major retailer with millions of leaked credit cards could
a high-level overview of the major threats trending across
face more than $100 million in direct costs, including fines.
businesses worldwide over the past year. Our goal is to help
• A university that leaked 40,000 records could suffer over
you better understand the current threat landscape by offering
$5.4 million in losses.
a detailed look at the volume of attacks, the industries most
affected, the most prevalent types of attacks and attackers, and
the key factors enabling them. We provide insights into where Ponemon also found that heavily regulated industries such
and how successful attacks can impact today’s technology- as healthcare, finance, pharmaceuticals and communications
dependent organizations and discuss how the threat landscape had a per record data breach cost ranging from $177 to
is evolving from year to year as companies work to better $359—placing them well above the mean of $145. Meanwhile,
detect and insulate themselves from future attacks. retailers and public sector organizations had a per record cost
of $105 and $100, considerably below the mean value.3

The U.S. experienced the highest total average cost at more

The problem that isn’t going away
than $5.9 million, followed by Germany at $4.7 million. At
After several years of continuing growth, data breaches literally
the other end of the scale, Brazilian and Indian companies
hit home in 2013. In that one year, more than half a billion
experienced the lowest total average cost at $1.6 million and
records of personally identifiable information—including
$1.4 million respectively.4
names, emails, credit card numbers and passwords—were
 IBM Global Technology Services 3

With more data comes more

vulnerability—and more insight The impact of security incidents
Looking back at 2013, we asked a few key questions:
What is the impact of a security incident? As we look through
• What’s happening across the threat landscape? the data reported here, we see that the astronomical number
• What kinds of attacks are being launched? of security events (see Figure 1) is ultimately whittled down
to a much more manageable number of incidents. However,
• How many of those attacks result in incidents
of those incidents, how many are actually “noteworthy,” with
requiring investigation?
the potential to result in a significant or material impact to the
business? According to the IBM Computer Security Incident
As companies around the world continue to expand their Response Team, of all the security incidents they work through
businesses and IT infrastructure—adding more devices and and analyze, only three percent actually reach a level of severity
increasing connectivity across their organizations—their high enough to consider them “noteworthy”—with the most
volumes of data requiring 24x7 monitoring also continue to common impact being data disclosure or theft.
grow. That can increase an organization’s vulnerability by
making it even more difficult to develop and deploy effective What is fascinating—and disheartening—is that over 95
measures to fend off cyber attacks, but at the same time, such percent of all incidents investigated recognize “human error”
growth creates enormous quantities of data on security events. as a contributing factor. The most commonly recorded form
It also presents us with the challenge of understanding what all of human errors include system misconfiguration, poor patch
management, use of default user names and passwords or
that data means and deciding what to do about it.
easy-to-guess passwords, lost laptops or mobile devices,
and disclosure of regulated information via use of an incorrect
IBM employs proprietary advanced analytics to tackle the
email address. The most prevalent contributing human error?
massive amount of information collected across our monitored “Double clicking” on an infected attachment or unsafe URL.
platforms and develop useful insights into the kinds of attacks
that are taking place, who may be launching them and how
their techniques are evolving.
A more efficient approach to narrowing
This report reflects both the data we’ve gathered through our down the numbers
monitoring operations and the security intelligence generated IBM’s global monitoring operations and analysts have
by our analysis and the interpretations of our experienced determined that the average company experienced more than
security analysts and security response teams. 91 million security events in 2013 (see Figure 1)—a 12 percent
increase over 2012. That reflects the continued worldwide
growth of data, networks, applications and the new technology
and innovations they support. It also reflects a growing number
of targets for potential attacks.
4 IBM Security Services 2014 Cyber Security Intelligence Index

Virtually no company is equipped to deal with the threat

potential of 91 million events a year on its own. And because Disruptions defined
we know that only a fraction of a percent of those security
events end up being identified as incidents, the real challenge Security event: An event on a system or network detected by a
is determining which of those events deserve further attention security device or application.
(see sidebar Disruptions defined). IBM security intelligence
correlation and analytics tools filter through millions of events Security attack: A security event that has been identified
each year and determine which ones deserve further attention. by correlation and analytics tools as malicious activity that
In 2013, that meant identifying nearly 17,000 potentially is attempting to collect, disrupt, deny, degrade or destroy
critical attacks out of over 91 million events. information system resources or the information itself.

Security incident: An attack or security event that has been

While the number of security events grows, so does our ability
reviewed by IBM security analysts and deemed worthy of
to analyze and manage them more efficiently. As a result, the
deeper investigation.
annual number of security attacks seen by the average IBM
client in 2013 dropped to an average of 16,900, down from Security breach: An incident that has successfully defeated
73,000 in 2012. IBM security analysts went on to review those security measures and accomplished its designated task.
16,900 security attacks and found 109 security incidents for
the average company in 2013, which is 19 more than the
year before.5

Security events, attacks and incidents for 2013

Security events Security attacks Security incidents
Annual 91,765,453 Annual 16,856 Annual 109

Monthly 7,647,121 Monthly 1,405 Monthly 9

Weekly 324 Weekly 2

Weekly 1,764,720

Security Intelligence Security Intelligence

Correlation and analytics tools Human security analysts

Figure 1. Security intelligence makes it possible to reduce the millions of security events detected annually in any one of our clients’ systems to an average of 16,900
attacks—and under 110 incidents—in a single organization over the course of a year.
 IBM Global Technology Services 5

Over 75 percent of incidents target the industries deal directly with consumers, attackers there are
same five industries going after valuable personal and financial information—
The not-so-big news is we’re seeing the same five industries including credit cards, which have become a hot commodity on
top the list of those struck by the most incidents over the past the black market.
year. Some of them, however, have changed places within
the group since 2012. Once again, the top two (see Figure 2)
account for nearly half of the year’s security incidents among How credit cards allow attackers to cash in
our data sets. The only difference is that they swapped places
in 2013. It’s likely that these two industries will continue to The average credit card sells on the black market for anywhere
battle for the number one target spot in the years to come, from $25 to $100, depending on how much information is
available with the card data—such as CSV security code,
since a breach in either one can result in both major business
known limits, and expiration date. Since news accounts
disruption and big paydays for successful cyber criminals.
reported that more than 110 million credit records were stolen
in recent retail breaches, it’s easy to see how the sellers could
Moving down the list, the two industries occupying fourth and have netted as much as $11 billion.
fifth place have also swapped places—although together they
account for 12 percent of the incidents in 2013, compared to But the story doesn’t end there. Once the stolen cards are
14 percent in 2012. Because both the retail and health services acquired, they then move into an elaborate laundering scheme
where they’re used to buy gift cards and prepaid credit cards.
The shuffling of funds continues as these “untraceable” cards
are used to purchase other items that can then be sold online
with no ties back to the original stolen card data.
Incident rates across monitored industries
On the flip side, we know that in such large-scale cases as
Finance and those disclosed late in 2013, the attackers’ success can also be
insurance
23.8 %
their demise. News about these massive breaches travels fast,
and that means the stolen cards will often be deactivated by
Manufacturing 21.7% their owners before anyone can sell them.
Information and
communication 18.6% The United States is typically one of the largest targets in this
Retail and underground market. That’s at least partly due to its status as
wholesale 6.2 %
one of the last remaining countries using magnetic strip credit
Health and cards—which are the easiest to forge using stolen data, making
social services 5.8% them a highly attractive target. And although the retail industry
is the primary target here, credit card theft is really a threat to
many industries. That means we’re likely to see a strong push
for tighter credit card security in the very near future.
Figure 2. The finance and manufacturing industries continue to offer attackers
the most significant potential payoff.

0 5 10 15 20 25
6 IBM Security Services 2014 Cyber Security Intelligence Index

Malicious code and sustained probes or In fact, malicious code continues to be the primary mode of
scans still dominate the landscape attack in cyber crime. And it can include third-party software,
As was the case for 2012, there were two types of incidents Trojan software, spear phishing, keyloggers and droppers
dominating the cyber attack landscape in 2013. Together, (see the glossary on page 11 for definitions). Over the past
malicious code and sustained probes or scans accounted for year we’ve also continued to see greater sophistication in the
58 percent of the security incidents affecting our clients (see creation of attack tools and the development and underground
Figure 3). The two often go hand in hand. Sustained probes sale of tool kits (ready-to-use hacking applications). It appears
and scans are typically used to search for potential targets, that many of the tool kits that have been seen repeatedly over
enabling attackers to see where and when to unleash their the years have been updated and “recycled” for use today.
malicious code (or malware). Meanwhile, it might seem
surprising that denial of service attacks, which seem to run Unauthorized access incidents were more prevalent in 2013—
rampant across the threat landscape, make up only two percent up six percent over the previous year—which fits with the
of the incidents reported. But it turns out that many denial apparently growing use of malware to elevate privilege levels
of service attacks lack the bandwidth necessary to make a after hacking into a network. After all, just because attackers
significant impact on their targets. In addition, some clients are able to gain access to a network doesn’t mean they can
employ denial of service protection services, which also blunt navigate it. The situation is similar to a trespasser who’s able to
these attacks’ effectiveness. “tailgate” into a building by following close behind someone
with authorized access. Once inside, the trespasser still needs
to figure out how to move around undetected. That activity
in the cyber world is what comprises not only unauthorized
access but suspicious activity traffic as well.
Categories of incidents
Who’s behind these attacks and where are
Malicious code 38% they coming from?
Sustained As we continue to focus on determining who is carrying out
probe/scan 20% these attacks, it’s clear that the role played by both inadvertent
Unauthorized actors and outsiders has become increasingly important
access 19%
(see Figure 4). While inadvertent actors make up just five
Suspicious
activity 12% percent of the attacker population, as they did in 2012, they
remain among the most dangerous. As members of your own
Access or
credentials abuse 9% organization who are unwittingly “recruited” to aid the cause
of others with malicious intent, they can become key players
Denial of service 2% in carrying out highly damaging, potentially prolonged attacks
that fail to arouse suspicion.

Figure 3. Malicious code and sustained probes or scans top the list of incident
categories affecting every industry covered in this report.
0 5 10 15 20 25 30 35 40
 IBM Global Technology Services 7

That said, outsiders will likely continue to play the largest role
in cyber crime for some time to come, making it essential that The social life of the inadvertent actor
we understand who those outsiders really are—and where they
are located. A new addition to the threat index shows us where Today’s organizations are made up of individuals who are more
these attacks originate (see Figure 5). But let’s be clear about likely than ever to have vast networks of online relationships,
what this information means. For example, when considering each of which involves huge amounts of personal data. But how
the list of the top 10 countries responsible for the attacks we can that personal data pose a threat to your company?
detected in 2013, we need to take into account the size of
Rather than seeing a particular enterprise as a single entity,
each country and the availability of bandwidth within it. That
attackers now also look at an enterprise as collections of
goes a long way toward explaining why more than half of the
individuals. That means they decide to target specific people
attacks we saw in 2013 originated in the United States. And for
instead of enterprise infrastructures or applications. In other
many of the same reasons, the United States was also the most words, the personal lives and business activities of employees
attacked country in 2013 (see Figure 6). can be leveraged to target an enterprise.

Social networks intentionally make it easy for users to contact

one another. It’s a great way to wish a faraway friend a happy
birthday. But it’s also an easy way for an attacker to send
Categories of attackers a user to a malicious website or to send malware directly
to that user—all of which renders enterprise email security
Outsiders 56% countermeasures completely useless.

Combination 22% For example, a user can access social media using a device
attached to a corporate network and thus open up a pathway
Malicious insiders 17% for the malware. Or an attacker can take advantage of
personal information available online to learn enough about
Inadvertent actor 5% the individual to execute a targeted phishing campaign via the
corporate email account. In this scenario the bad guy sends
what appears to be legitimate business correspondence and
dupes the employee into opening an infected email attachment.
Figure 4. More than half of all attacks are most likely to be instigated Either way, the command and control malware gets into the
by outsiders. enterprise systems.

0 10 20 30 40 50 60
8 IBM Security Services 2014 Cyber Security Intelligence Index

Countries where the most Countries where the most

attacks originated attacks took place
United States 589,180 United States 1,456,577
Japan 119,578 Japan 407,644
China 86,237 Singapore 88,819
Canada 29,319 China 86,824
United Arab Emirates 25,055 Canada 71,585
Germany 23,478 Australia 42,783
India 16,058 Italy 37,404
United Kingdom 15,800 United Kingdom 32,991
0 10 20 30 40 50 60
Italy 14,780 Germany 23,787
Australia 11,125 Netherlands 17,905

Figure 5. More than half of all attacks originated in the United States. Figure 6. More than 45 percent of all attacks took place in the United States.
 IBM Global Technology Services 9

A new security reality has taken hold

Organized criminals, hacktivists, governments and adversaries It starts with a phone call and ends with a major data breach
are motivated by financial gain, politics and notoriety to attack
your most valuable assets. Their operations are well funded Social engineering techniques allow attackers to target a
and businesslike. Attackers patiently evaluate targets based specific company and gain access to its valuable data. They
on potential effort and reward. Their methods are extremely steal internal phone directories and then call employees of
targeted; they use social media and other entry points to track interest. Their goal? To convince victims to willingly install
remote administration software that the hackers can use to gain
down people with access, take advantage of trust, and exploit
access into the victims’ network. Posing as internal security
them as vulnerabilities. Meanwhile, negligent employees
or IT staff members, they direct their victims to download and
inadvertently put the business at risk via human error. Even
install well-known remote administration software to help
worse, security investments of the past fail to protect against resolve a “critical systems problem.” Or they instruct their
these new classes of attacks. The result is more severe security unwitting victims to join a web conference and hand over
breaches more often. In fact, 61 percent of organizations say control to the attackers.
data theft and cybercrime are the greatest threats to their
reputation.6 And the costs are staggering. Once the attackers gain control of the system, they download
and install malware to maintain a persistent connection, then
Why act now? elevate privileges and penetrate the network. Because most
companies don’t have a system in place to verify calls, this has
Your business may be more vulnerable than you think. And
become a highly effective method for attackers to infiltrate
that’s just the first reason. Here are a few more:
internal systems—especially when those attackers are able to
gain an understanding of the targets’ processes and use it to
• Criminals will not relent: Once you’re a target, criminals
convince victims that it’s important to take immediate action.
will spend as much time trying to break into your
enterprise as you spend on your core business. If you The victims targeted for these attacks typically have easy
don’t have visibility into attacks as they happen, the access to the data that the attackers are after. So once a point
criminals will succeed. of presence is solidified within the network, the attackers are
• Every business is affected: Banks were once the primary able to steal just about any type of data—including financials
targets of cyber criminals, but today, diverse actors move and intellectual property.
with lightning speed to steal money, intellectual property,
customer information and state secrets across all sectors. Even those companies with strong security practices are
• Your perimeter may already have been breached: Recent still vulnerable to acts of social engineering. It’s important to
attacks demonstrate that victims were compromised for educate employees on an ongoing basis about identifying
suspicious communications and potential risks to
months before they discovered it. Assuming that you have
the organization.
already been breached is today’s prudent security posture.
10 IBM Security Services 2014 Cyber Security Intelligence Index

Why IBM Security? At IBM, our IT security services can cover every corner of
Traditional security defenses are no match for today’s your network, from infrastructure to applications to devices.
unrelenting, well-funded attackers, while disruptive We monitor, in near real time, some of the most complex
technologies introduce new vulnerabilities to exploit. corporate networks in the world. We develop some of the
Organizations must accelerate their ability to limit new risk most sophisticated testing tools in the industry, many of which
and apply intelligence to stop attackers—regardless of how are used by our competitors. And our team of highly skilled
advanced or persistent they are. New analytics, innovation, and security professionals is constantly identifying and analyzing
a systematic approach to security are necessary. And there are new threats, often before they are even known by the world at
very few companies able to meet those requirements on their large. In fact, we maintain the largest single database of known
own. That’s why Forrester Research has noted: “[Managed cyber security threats in the world.
security services providers] leverage impressive economies of
scale to offer clients an enhanced security environment, cost- For more information
effective security, and a scalable and flexible security platform To learn more about how IBM can help you protect your
capable of handling future expansion.”7 organization from cyber threats and strengthen your IT
security, contact your IBM representative or IBM Business
When you engage with IBM for managed security services, Partner, or visit this website:
you gain access to a full suite of capabilities that can help you ibm.com/services/security
extend protection from the back office to the front office. And
we help ensure that it’s all integrated and coordinated across Follow us
your enterprise. Should you experience a security breach, you
can call on IBM’s emergency response team to help speed your
response to and recovery from a computer security incident.
 IBM Global Technology Services 11

Glossary

Term Definition Phishing A term used to describe when users are lured into
browsing a malicious URL designed to pose as a
Access or Activity detected that violates the known use policy
website they trust, thus tricking them into providing
credentials of that network or falls outside of what is considered
information that can then be used to compromise their
abuse typical usage.
system, accounts, and/or steal their identity.
Attacks Security events that have been identified by correlation
Security An event on a system or network detected by a
and analytics tools as malicious activity attempting to
event security device or application.
collect, disrupt, deny, degrade, or destroy information
system resources or the information itself. Security Security Any device or software designed specifically to detect
events such as SQL Injection, URL tampering, denial of device and/or protect a host or network from malicious
service, and spear phishing fall into this category. activity. Such network-based devices are often
referred to as intrusion detection and/or prevention
Breach or An incident that has successfully defeated security
systems (IDS, IPS or IDPS), while the host-based
compromise measures and accomplished its designated task.
versions are often referred to as host-based intrusion
Denial of Attempts to flood a server or network with such a large
detection and/or prevention systems (HIDS or HIPS).
service amount of malicious traffic that it renders the device
Spear Phishing attempts with specific targets. These targets
unable to perform its designated functions.
phishing are usually chosen strategically in order to gain access
Droppers Malicious software designed to install other malicious
to very specific devices or victims.
software on a target.
SQL injection An attack that attempts to pass SQL commands
Event An event is an observable occurrence in a system
through a website in order to elicit a desired response—
or network.
one that the website is not designed to provide.
Inadvertent Any attack or suspicious activity sourcing from an IP
Suspicious These are lower priority attacks or suspicious traffic
actor address inside a customer network that is allegedly
activity that could not be classified into one single type of
being executed without the knowledge of the user.
category. They are usually detected over time by
Incidents Attacks and/or security events that have been reviewed analyzing extended periods of data.
by security analysts and have been deemed a security
Sustained Reconnaissance activity usually designed to gather
incident worthy of deeper investigation.
probe/scan information about the targeted systems such as
Keyloggers Software designed to record the keystrokes typed on a operating systems, open ports, and running services.
keyboard. This malicious software is primarily used to
Trojan Malicious software hidden inside another software
steal passwords.
software package that appears safe.
Malicious A term used to describe software created for malicious
Unauthorized This usually denotes suspicious activity on a system
code use. It is usually designed to disrupt systems, gain
access or failed attempts to access a system by a user or
unauthorized access, or gather information about the
users who does not have access.
system or user being attacked. Third party software,
Wiper Malicious software designed to erase data and
Trojan software, keyloggers, and droppers can fall into
destroy the capability to restore it.
this category.
Outsiders Any attacks sourced from an IP address external to a
customer’s network.
 © Copyright IBM Corporation 2014

IBM Corporation
IBM Global Technology Services
Route 100
Somers, NY 10589

Produced in the United States of America

May 2014

IBM, the IBM logo, ibm.com and X-force are trademarks of International
Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web at
“Copyright and trademark information” at ibm.com/legal/copytrade.
shtml

This document is current as of the initial date of publication and

may be changed by IBM at any time. THE INFORMATION IN
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT
ANY WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR
1
IBM Managed Security Services is responsible for monitoring exploits CONDITION OF NON-INFRINGEMENT. IBM products are
related to endpoints, servers (including web servers) and general network warranted according to the terms and conditions of the agreements under
infrastructure. This team tracks exploits delivered over the web as well which they are provided.
as via other vectors such as email and instant messaging. Meanwhile,
the X-Force research and development team studies and monitors the The client is responsible for ensuring compliance with laws and
latest threat trends including vulnerabilities, exploits and active attacks, regulations applicable to it. IBM does not provide legal advice or
viruses and other malware, spam, phishing, and malicious web content. In represent or warrant that its services or products will ensure that the
addition to advising customers and the general public about emerging and client is in compliance with any law or regulation.
critical threats, X-Force also delivers security content to help protect IBM
customers from these threats. As a result, these two groups issue reports Statement of Good Security Practices: IT system security involves
that look at similar issues, but from a slightly different perspective and over protecting systems and information through prevention, detection and
different timeframes. Therefore, their findings are meant to complement response to improper access from within and outside your enterprise.
one another, even though those findings are not always identical. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of
2,3,4
2013 Cost of Data Breach Study: Global Analysis, Ponemon Institute, your systems, including for use in attacks on others. No IT system or
May 2013. product should be considered completely secure and no single product,
service or security measure can be completely effective in preventing
5
IBM Security Services 2013 Cyber Security Intelligence Index, improper use or access. IBM systems, products and services are designed
June 2013. to be part of a comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems,
6
2012 Global Reputational Risk & IT Study, IBM. products or services to be most effective. IBM DOES NOT WARRANT
THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE
7
The Forrester Wave: Managed Security Services: North America, FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM,
Forrester Research, Inc., March 26, 2012. THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Recycle

SEW03039-USEN-01