2020 Verizon DBIR Includes CIS Data and Mappings
The thirteenth Verizon Data Breach Investigations Report (DBIR) was released on May 19, 2020. Verizon may be best known for its leadership in telecoms, but it is also a leading provider of network cybersecurity services and solutions for organizations around the world. The DBIR is considered a must-read for both public and private organizations. The Center for Internet Security (CIS) has contributed best practice expertise to the DBIR again in 2020.
Data-based, Inclusive Approach
Verizon’s partner-oriented approach of sharing data, analyzing it, and sharing the results is perfectly consistent with the CIS “community-first” approach to cyber defense: shared problems require shared knowledge, leading to shared understanding and common solutions. CIS has been collaborating with Verizon and contributing to the DBIR since 2013. We’re proud to have continued that participation for the 2020 report by providing expertise from our security best practice organization.
For the last 7 years, CIS has worked with Verizon to map the DBIR’s summaries and patterns of attack to the CIS best practices, specifically the CIS Controls. This not only helps to improve the selection of controls covered, but also helps with the vital translation of attack information into positive, constructive action.
CIS Controls Section in the DBIR
For the first time, the 2020 Verizon DBIR integrated the CIS Controls throughout the report. For every sector, the Verizon DBIR lists relevant Controls in the “Top Controls” to show what mitigations are most effective against attacks for that sector. Additionally, there is a section dedicated to the CIS Controls that details the percentage of CIS Controls mapped to Verizon attack patterns. This close alignment with the CIS Controls emphasizes the importance of basic cyber hygiene, as outlined in CIS Controls Implementation Group 1, in preventing or mitigating the top 4 attacks and others outlined in the DBIR. This demonstrates the value of CIS Controls in helping organizations and sectors improve their cybersecurity programs.