In an initiative to make it easier for companies to analyze and exchange data about security breaches and unite in the fight against cybercrime, Verizon Business is publicly releasing the research framework used for the company’s landmark Data Breach Investigations Reports.
The Verizon Incident-Sharing (VerIS) framework addresses a critical industry-wide issue: the lack of a common standard for the collection of security-incident data and analysis. Businesses and government agencies currently use a variety of different – and often incompatible – systems to collect this data, making it difficult to quickly identify major trends in security breaches and to take collective action.
The incident-sharing framework will provide enterprises with a common structure for describing and analyzing security incidents. As a result, businesses will be able to compare and contrast their security data with Verizon’s data breach reports, as well as with data of other organizations that use the VerIS framework, to gain a better understanding of how security breaches occur and what can be done to better manage risk.
“Since we began issuing the Data Breach Investigations Report, our customers and the security community at large have told us of their need for an open-source security-incident sharing program that will provide a universal foundation for data collection and analysis,” said Peter Tippett, vice president of security and enterprise innovation at Verizon Business. “With the public release of VerIS, Verizon is answering this call by enabling organizations to work together in the ongoing fight against cybercrime.”
The Verizon Incident-Sharing Framework Takes a Real-World Approach
The VerIS framework is designed to give organizations actionable security intelligence that can help improve their ability to make sound security decisions. The framework uses first-hand information taken from an organization’s actual investigations to elicit insight into security attacks.
Specifically, the framework examines four intersecting factors – threat, asset, impact and control – to collect information useful to risk management. VerIS metrics are organized in four sections: demographics, incident description, discovery, and mitigation and impact description. When viewed in the aggregate, they give businesses a tangible idea of the cause and severity of attacks.
“For far too long, the information security industry has been chasing today’s headline threats with a limited ability to measure success,” said Jeremiah Grossman, CTO of WhiteHat Security and a VerIS advisory board member. “VerIS provides a path to leave security mysticism behind us. The knowledge of who our adversaries are, what they want, and how they are getting it is critical to safeguarding our digital world.”
Helping Organizations Make the Most of Security Data
Companies can access Verizon’s framework at http://securityblog.verizonbusiness.com/2010/02/19/veris-framework, where other resources will also be available, including an online community forum for open discussion among VerIS users. Verizon also plans to name an advisory board to oversee the evolution of the VerIS framework to ensure it meets the needs of all organizations across all sectors.