The Verizon Risk Team and ICSA Labs are launching a public Web site for reporting security incidents that could illuminate the self-defeating secrecy of data breaches. No business wants to advertise that it has experienced a serious security issue, so intelligence about incidents, responses, and IR metrics remains sketchy at best.
VERIS stands for Verizon Enterprise Risk and Incident Sharing, and is focused on collecting data and offering participating organizations analysis. It is designed to create metrics from the details of an information security incident, while introducing a common language and a structured, repeatable process to allow organizations to objectively classify security incidents. This common language is critical, as there is currently no universal way to consistently describe security incidents from organization to organization, nor an accepted industry standard for the development of incident-related risk metrics. The VERIS Project was introduced in March of this year when Verizon publicly released the research framework used for the company’s landmark “Data Breach Investigations Reports.”
The damage from an actual security incident may be insignificant compared to the damage taken from press coverage and public ridicule. Once a company’s reputation has been damaged, it can be an uphill journey to re-establish trust and assurance with customers and win new ones. So, why would a business bother using this new “VERIS” service? Isn’t it better to just shut up and say nothing than to risk exposure through such a service? Not if you value free information regarding best practices, details about how other people are handling incidents, the potential to identify specific attack models and trends, and the sharing of information they already hold about attackers targeting small to medium-sized businesses. You and I will only get out of it what we actually put into it.
Isn’t there already an open-source effort to handle this sort of thing? Yes, and no. The Open Security Foundation’s DataLossDB offers statistics on data breaches, and anyone can post information there that they read about on news sites and other places, so it’s generally limited to what’s already been publicly disclosed. I use it and often reference it in blog articles found here. It does not, however, offer the potential insights and guidance that this service may offer.
In my opinion, SMBs and even larger companies can gain significant benefit from the VERIS online application. Through VERIS, organizations can generate incident reports that can be distributed and analyzed within their organization, while maintaining their privacy. For example, participating enterprises will know whether their incident was a rare event or one commonly experienced by others. This information can help determine whether the incident was part of a larger attack and what, if anything, should be done to prevent similar events in the future, and it can offer guidance and insight into the actual costs incurred in remediating a specific incident. That last point is something that I personally have always struggled with when developing C-level reports for Incident Response.
Participating organizations need to complete the online form when reporting incidents, which consists of the following areas:
- Demographics – Submitters describe (but do not identify) the entity affected by the incident to enable comparative analytics.
- Incident classification – Describes the role of the threat agent, the agent’s actions, and their impact on the information assets.
- Discovery and mitigation – Focuses on events immediately following the incident, as well as lessons learned from the response process.
- Impact classification – The submitter provides a description and measures the consequences of the incident on the impacted organization.