Verizon Framework Looks To Standardize Security Incident Reporting

• By Cindy Horbrook
• Apr 05, 2010

Verizon Business is giving away information that officials believe will help the IT security industry address a critical issue -- the lack of a common standard for the collection of security-incident data and analysis -- with the hopes that it will help the industry fight cybercrime.

“It’s really quite exciting because I don’t know of any other organization that has given out something at this level of risk management information and framework to the community,” said Alex Hutton, research and intelligence principle for Verizon’s risk team.

The recently released Verizon Incident-Sharing (VerIS) framework provides a common structure for describing and analyzing security incidents. The framework examines four intersecting factors -- threat, asset, impact and control -- to collect information useful to risk management. VerIS metrics are organized in four sections: demographics, incident description, discovery and mitigation and impact description.

“A company can take the VerIS document and they can use it as a foundation for a metrics program for themselves,” Hutton said.

VerIS is the research framework used for Verizon’s Data Breach Investigations Reports that the company has been doing biannually for a number of years.

“Here are the incidents that we’ve seen. Here’s why they happen. Here’s some metrics that you should be aware of,” Hutton said, describing the reports. “The real benefit is it gives security managers an idea of how to allocate resources so that they are not making the same mistakes others have made. The industry really has not seen anything to the depth that these Data Breach Investigation Reports do. That’s one of the reasons why they’re so popular.”

The decision to release the VerIS framework came from Dr. Peter Tippett, vice president of security and enterprise innovation at Verizon Business Response. Tippett noticed a need for the security community to have an open-source sharing program to provide a universal foundation for data collection and analysis.

“Dr. Tippett has been in the industry for a very long time. He has an emotional investment in making sure that we make the problem of cybercrime better and we keep evolving the field,” Hutton said.

Hutton said the response to the VerIS framework release has been overwhelming.

“We’ve got a lot of people who are very interested in using the framework internally. I’ve been contacted by incident response team leads who are telling me ‘I’ve got at least 100, 150 of these narratives that we’d like to work with you on translating,’” Hutton said. “It’s been very exciting to watch people figure out we really do have risk management data and we really can make sense of it and use it to make better decisions.”

Companies can access Verizon’s framework and other information at http://securityblog.verizonbusiness.com/20101/02/19/veris-framework.