In 2014, it seemed that no industry went unscathed. The data breaches this year were broad and deep. Software maker Adobe was hit for 152 million records. Online marketplace eBay was drained of another 145 million; bank and financial services firm JP Morgan Chase 76 million; retailers Target and The Home Depot for another 70 million and 56 million records, respectively. There were numerous healthcare breach disclosures as well, such as at Community Health Services, which lost records on 4.5 million patients.

The attackers are getting creative and they are costing businesses big. In its October earnings call, eBay cited its data breach as one of the primary reasons for dramatically lower third quarter revenue growth. Earlier in October, security vendor Invincea released information on how attackers are targeting organizations in the defense and aerospace industry through highly targeted malicious advertising.

It was yet another year of staggering data breaches and, as you’ll see later from the 12th annual Global State of Information Security Survey 2015 conducted by PricewaterhouseCoopers and CSO, these breaches are costing enterprises more – and information security budgets aren’t keeping up with the threat. In some cases, they even have fallen slightly. It’s as if security teams manage to gain a small foothold against cyber attacks one year, and the next year they slide back.

2014’s big cyber chill

Financially motivated breaches aren’t all that continued to make their mark this year. International espionage-related hacking remained big in the headlines. Notably, the US government took unprecedented action in May when a Pennsylvania grand jury indicted five members of the Chinese military on felony hacking charges.

While largely lauded as a bold step, not everyone cheered the move. “This is probably the worst thing we could have done,” said retired Lt. Col.
William Hagestad II, author of the book Operation Middle Kingdom: China's Use of Computers & Networks as a Weapon System, in our story published earlier this year. “When we place them on the same wanted posters as jihadists and terrorists, we say that we don’t understand them and are out of ideas. And if there was any relationship building in place, it was castrated with this dumb action,” he said.

The result of that indictment played heavily, Hagestad contended, into the chilling of the trade ties between the US and China this year. Audi, GM, Volkswagen, and companies in the tech sector “are all now being investigated for fraud or malfeasance because of that [indictment] action,” he said.

Executives take notice

The cybersecurity headlines and data breaches are having an impact on perceptions of security by executives. “Especially when executives see the fallout at the executive level,” says Kenneth Swick, information security officer at Citi Group. “I am seeing higher budget allocations, and from the additional recruitment activity across industries I am absolutely certain that financial sectors are responding to all of this breach news.”

All of this makes the optimistic cybersecurity convictions in last year’s Global State of Information Security Survey, covered in our story “Security spending continues to run a step behind the threats,” look overly hopeful in comparison. In last year’s survey, a surprising 84 percent of CEOs and 82 percent of CIOs stated that they believed that their cybersecurity programs were currently effective.
Even 78 percent of CISOs expressed confidence in their programs.

With record-setting breaches and the confidence of many most certainly shattered, 2014 is a year that will be noticed in the cybersecurity history books.

An infrastructure remains at risk, breach incidents and costs rise

It seems that the very applications that help to keep the Internet secure and running revealed a number of deep crinkles this year. In April, a significant security flaw dubbed “Heartbleed” became publicly known. The flaw resides within the OpenSSL cryptography library and makes it possible to steal data from vulnerable systems. That flaw was shortly followed in September by Shellshock, another large vulnerability. Shellshock, a set of flaws uncovered in the popular Unix Bash shell, makes it possible for attackers to execute commands of their choice on target systems. Another flaw, POODLE, resides within the dated SSL 3.0 protocol, and makes it easier to steal user cookies and then potentially use that advantage to conduct further attacks.

The relentless hammering of new software vulnerabilities, the increasing sophistication of attackers, and misplaced optimism from previous years are all taking their toll. The reality is that more enterprises saw even more encroachments onto their networks, with the number of detected incidents rising to 42.8 million this year. That’s an increase of nearly 50 percent from the prior year. In fact, since 2009, the annual growth rate of detected incidents has risen 66 percent.

For larger enterprises, the financial losses associated with these incidents are also up. Large companies experienced a rise of 53 percent in related costs. Mike Rothman, an analyst at the IT security research firm Securosis, says the rise in costs largely comes down to regulatory-mandated expenses associated with breaches – and larger enterprises tend to have many more records compromised than their small and midsized counterparts.
Midsized organizations experienced a slower, but still sizable, bump with a 25 percent increase in incident costs.

Security budgets flat, security analytics hot

Remarkably, IT security budgets are flat, even down in some areas, this past year. That result is causing some scratching of heads. “The drop in budget may not be an actual drop in real dollars, but an accounting shift,” says Javvad Malik, an analyst at the 451 Group. That accounting shift could be related to enterprise refresh cycles, which would make the dip a temporary blip, or it could be due to the lower costs associated with cloud, virtualization, and employees increasingly bringing their own devices. “That's going to be the long tail that's going to carry on for a number of years. We've seen a lot of investments move away from on-premise, and overall you may see a broad reduction of IT budgets,” Malik says.

Brian Honan, CEO at Dublin, Ireland-based BH Consulting, agrees. “A greater adoption of cloud computing for enterprise applications and projects is the first reason,” Honan says. “This is moving many large IT projects away from being solely IT budget items to items shared with business units,” he says.

But data need to be comprehended to be useful. “The issue is not how much data you are getting, or how you look at data in new ways, but how effective is the information you get and how can you act on it? Pretty visualizations and pie charts don't protect your systems. Good actionable information does,” says Honan.
One thing is certain: as more data is spread through on-premise clouds, mobile devices, and third-party providers, CISOs are going to need all of the information they can get their hands on about how their data are being used, who is accessing them, and where they’re going.

The rush to data-driven security

Perhaps the rising costs of breaches, the increasingly high profile of information security, and better insight from security-related data will have a positive impact on how enterprises successfully defend and respond in the years ahead. Many certainly are pinning more on increased insight through data. This year (the first time the survey question was asked), 64 percent of respondents reported that they use big data analytics to improve their security programs. And for those that do use big data analytics, 55 percent said that it can help in detecting incidents.

Malik isn’t convinced that those results are reflective of the real-world use of big data analytics – certainly not as it’s broadly defined. It’s clear, however, that businesses of all sizes are using data more. They are reading their logs more. They are turning to their security information and even monitoring tools, and they’re looking at the data they are collecting in a more intelligent way.

Given that broad definition of security analytics, it’s accurate to contend that, for many, anything from basic log analysis to intrusion-detection event alerts and up through sophisticated big data analytics falls under the umbrella of “security analytics.” Yet, Rothman argues that most enterprises heading down this path have yet to reach a level of maturity where their security data analytics efforts are improving their operational effectiveness. “I just don't think that many of these companies have figured out how to leverage those data more effectively. But they are certainly trying.
That is clearly an area of increased investment in the industry,” says Rothman.

Doing data right

How do enterprises do better with data? The solutions are straightforward, but not necessarily simple. “There are two approaches to figuring out what is happening in your environment. One is threat modeling. You determine what your valuable data are to potential adversaries. Determine the ways those adversaries could potentially get to those data. When that’s complete, build a threat model around it and enumerate the monitoring analytics that are in place to look for those specific attacks,” says Rothman.

The other approach is to baseline enterprise activity. There are tons of security-rich data within traffic logs and netflows; there are application and database logs; there are transaction data; there are authentication and logon data. Baseline these data, Rothman advises. “Then constantly look for anomalous situations that deviate from that baseline.” But it’s not just about raw data collection, of course. “The issue is not how much data you are getting, or how you look at them in new ways, but how effective is the information you get and how can you act on it? Pretty visualizations and pie-charts don't protect your systems; good actionable information does,” says Honan.

Most of the experts interviewed suggest that enterprises also continue to expand the systems and types of data monitored. “If you are only using events from a certain type of device, start adding more events. If you are not using full back-capture, then start doing that. If you are not pulling end-point level telemetry, then that would be another area to start thinking about,” says Rothman. “What you want to do is start building out a broader collection environment.
This will give you the ability to start looking for patterns based upon a more inclusive and broader data set,” he says.

Regardless of the level of enterprise maturity with security analytics efforts now, security technologies will have analytics capabilities built in soon. Gartner predicts that by 2020, 40 percent of enterprises will have built a purpose-built security data warehouse. “By storing and analyzing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of "normal" can be established and data analytics can be used to identify when meaningful deviations from normal have occurred,” the research firm predicted earlier this year.

That type of data analytics integration with security platforms would certainly be welcome. Perhaps that pervasive availability of security analytical tools will help solve what Citi’s Swick says is one of the biggest challenges security pros have when it comes to having too much data with too little actionable insight. “Many CISOs are implementing SIEMs because that's what they're supposed to do. They don’t understand enough about what it is that they are undertaking,” says Swick.

Improved analytics toolsets could certainly help security teams to not only understand more about the data they collect – and the risks that events actually pose to the business – but also what to do about pressing threats and attacks much more swiftly than they do today. That most certainly would be a big and welcome step forward.
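
The baselining approach Rothman describes, and the "patterns of normal" in Gartner's prediction, shown as an added example that is not part of the original article: it baselines failed logons per account and flags deviations from each account's own history. The log format, sample records, 3.5 threshold and MAD floor are assumptions made for illustration.

```python
import re
import statistics
from collections import defaultdict

# Assumed log format (constructed for this example): "<ISO time> user=<name> result=OK|FAIL"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ user=(\S+) result=(OK|FAIL)$")

def daily_failures(lines):
    """Count failed logons per user per day; malformed lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            day, user, result = m.groups()
            counts[user][day] += (result == "FAIL")  # active days with no failures record 0
    return counts

def build_baseline(counts, days):
    """Per-user (median, MAD) of daily failures over the baseline window."""
    baseline = {}
    for user, per_day in counts.items():
        if any(d in per_day for d in days):  # users with no history get no baseline
            values = [per_day.get(d, 0) for d in days]
            med = statistics.median(values)
            baseline[user] = (med, statistics.median(abs(v - med) for v in values))
    return baseline

def score_day(counts, baseline, day, threshold=3.5):
    """Flag users by modified z-score; MAD is floored at 1 so flat history cannot divide by zero."""
    alerts = {}
    for user, per_day in counts.items():
        if day in per_day and user not in baseline:
            alerts[user] = "no-baseline"
        elif day in per_day:
            med, mad = baseline[user]
            if 0.6745 * (per_day[day] - med) / max(mad, 1) > threshold:
                alerts[user] = f"failures={per_day[day]} baseline_median={med}"
    return alerts

def run_example():  # constructed data: seven baseline days, then one day to score
    days = [f"2014-11-{d:02d}" for d in range(1, 8)]
    lines = ["garbage line", "2014-11-08T04:00:00 user=tmp-admin result=OK"]
    for i, day in enumerate(days):
        lines += [f"{day}T09:01:00 user=alice result=FAIL"] * (i % 2)
        lines += [f"{day}T10:00:00 user=svc-backup result=FAIL"] * 20
    lines += ["2014-11-08T03:00:00 user=alice result=FAIL"] * 25
    lines += ["2014-11-08T10:00:00 user=svc-backup result=FAIL"] * 21
    counts = daily_failures(lines)
    return score_day(counts, build_baseline(counts, days), "2014-11-08")
```

A fixed cutoff such as "more than 10 failures a day" would alert on svc-backup every day; the per-account baseline alerts only on alice and on the previously unseen tmp-admin.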