Verizon Business Launches Incident-Sharing VERIS Community Website
One of the most persistent and critical issues affecting the information security community is a lack of data about security incidents. To help advance understanding of information security risk industrywide, Verizon is launching the VERIS community website, which is designed to collect and share information about security incidents that are voluntarily and anonymously reported by participating organizations around the globe.
The site can be found at https://www2.icsalabs.com/veris/.
Organizations and individuals can now share their data by using a new online application for collecting, classifying, analyzing and comparing security incident information. Each person who submits data will receive a customized mini "Data Breach Investigations Report" that analyzes the incidents and compares them with similar incidents that occurred at other participating organizations.
The VERIS website will also feature easy access to other tools such as the VERIS Wiki, example incidents, white paper, user guide, sample report and a link to the "2010 Data Breach Investigations Report."
"With the VERIS Project, Verizon is publicly sharing data that we have spent years gathering through our data breach caseload," said Peter Tippett, vice president of technology and innovation, Verizon Business. "We are sharing the aggregate data -- and encouraging other companies to anonymously share their security-event data -- to promote more dialogue and understanding of security incidents. The collective sharing of in-the-trenches security events offers us the opportunity to fundamentally change how we all manage risk."
The VERIS Project was introduced in March when Verizon Business publicly released the research framework used for the company's landmark "Data Breach Investigations Reports." The framework, which has since been publically vetted by the security community, was pivotal in introducing a common language and structured, repeatable process to allow organizations to objectively classify security incidents. The common language is critical, as there is currently no universal language that describes security incidents or an accepted industry standard for the development of risk metrics.
Participating organizations can gain great benefit from the VERIS online application. Through VERIS, organizations can regularly generate incident reports that can be distributed and analyzed within their organization, while maintaining their privacy.
For example, participating enterprises will know whether their incident was a rare event or one commonly experienced by others, and such information can help enterprises decide what, if anything, should be done to prevent similar events in the future.
All participating organizations need to do is complete the online form, which consists of the following areas:
- Demographics -- Submitters describe (but do not identify) the entity affected by the incident to enable comparative analytics.
- Incident classification -- Describes the role of the threat agent, the agent's actions and their impact on the information assets.
- Discovery and Mitigation -- Focuses on events immediately following the incident, as well as lessons learned from the response process.
- Impact Classification -- The submitter provides a description and measures the consequences of the incident on the impacted organization.
This project is a joint effort of the Verizon RISK Team and ICSA Labs, an independent division of Verizon Business that performs third-party security testing and certification. For more than 20 years, ICSA Labs has facilitated data sharing and collaboration within the security industry. ICSA Labs' facility and network will provide the backbone for the VERIS Project.
"The VERIS application is a smart way for Verizon Business to crowd-source breach data collection, and giving back to the data-starved security community makes it even more valuable," said Wendy Nather, senior security analyst, The 451 Group.