Verizon releases framework for reporting security incidents
Effort seeks a common language, with help from security community
- By William Jackson
- Mar 02, 2010
SAN FRANCISCO — Verizon Business on Monday released for public use a framework for collecting and reporting information about security incidents in the hope of creating a standardized way for government and industry to share information about breaches.
“If we don’t have a common language to collect and communicate data, we are going to be handicapped,” said Wade Baker, director of risk intelligence for Verizon.
The company announced the availability of the Verizon Information-Sharing framework at the RSA Security Conference. The site also contains a forum for VerIS users. Baker said the framework is expected to evolve with input from the security community.
“We’re not making the claim that this is perfect,” he said. Verizon also is creating an advisory board of outside security experts go oversee further development.
VerIS is based on the methodology used by Verizon to produce its annual Data Breach Investigation Reports. The reports contain information gleaned from forensics investigations of security incidents conducted by Verizon’s Investigative Response Team, which it offers as a commercial service. It examines the threat involved, asset targeted, impact of the incident and methods of control.
There is a trend toward standardizing language used to identify vulnerabilities and threats, such as the Common Vulnerabilities and Exposures dictionary sponsored by the Homeland Security Department and maintained by Mitre Corp. But so far the trend has not extended to the reporting of security incidents.
“Everybody at some level tracks major incidents,” Baker said. “But they’ve all been collecting it in different ways. It usually is an internal way of doing it,” specific to an organization.
Publicly available information about security breaches, although they are common and often make headlines, is not consistent or complete. “The details tend to be somewhat sketchy,” he said. “Never have I seen a classification of how the incident took place.”
Several government agencies as well as private companies had asked Verizon about using the underlying framework used to collect its report data.
“We made the decision to make the release and let others use it,” free of royalty, Baker said.
The metrics in the framework are organized in four sections:
- Demographics, which is the largest section; “who did what to who and with what result,” Baker said.
- Incident description.
- Discovery and mitigation.
The goal is provide organizations with a tangible idea of the cause and severity of attacks within that organization. It also enables sharing by anonymizing the data giving it a common format and language.
“Not everybody wants to share data, but those who do need to have a standard language,” Baker said. “There is one large government agency that is using this currently,” to classify incidents from the last three years for analysis. He said he could not name the agency.
William Jackson is freelance writer and the author of the CyberEye blog.