As part of its continuing focus on collecting information on data breaches and thefts, Verizon Business has released VERIS Community application, a new application that enables security professionals to enter anonymous information about an incident and receive a detailed report in return.
The application is based on the company’s Verizon Enterprise Risk and Incident Sharing Framework, which it uses to gather and assess information on the data breach incidents that Verizon Business investigates for its customers. That data also serves as the basis for the company’s comprehensive Data Breach Incident Report, an in-depth look at the trends and conclusions that can be drawn from the data. The new application builds on the methodology that the company has used in its investigations and DBIR releases to give security staffs at companies of all sizes a chance to enter as much data as they want about a specific incident and immediately see how the attack methods, tools and outcomes compare to other incidents.
The VERIS Community application goes through detailed questions about the size, industry and general geographic location of a company and then asks a series of specific questions about the incident the user is reporting. It begins with questions about the agent, action, assets and attributes involved in the incident, whether the incident was the result of external or internal actors, a partner or other agent, for example. Two other series of questions then gather data on how the incident was discovered, how closely involved in the incident the reporter was and what the impact of the incident ultimately was.
All of the data collected by the VERIS Community application is completely anonymous and Verizon officials said that from the beginning of the process of building the app, which has been ongoing for about a year, they had privacy and security at the forefront of their thinking. The application doesn’t log IP addresses, people reporting incidents can elect not to answer any of the questions and if someone enters information that could identify his company, Verizon Business will delete the data, said Alex Hutton, principal of research and intelligence at Verizon Business.
“We’re hoping it will help the community as well as help us by giving us more data to analyze,” Hutton said.
The reports that the new application generates give the user a detailed look at how the data he entered compares with other incidents recorded by the app, including demographic comparisons and a slew of graphs and charts related to the attack methods, impact and other variables.
“If the VERIS framework describes what information should be shared, the VERIS application provides how
to actually share it. Anyone wishing to classify and report an incident
can do so responsibly and anonymously using the application. In taking
the time to submit an incident, users directly contribute to the
collective knowledge of the community AND will receive a useful “thank
you” for their efforts. Upon submission, the application generates a
report that compares the incident to others in the VERIS dataset along
numerous metrics. These comparative analytics can be used by the
submitter in whatever manner they choose; we hope it helps to better
plan for an avoid similar incidents in the future,” Verizon’s Wade Baker wrote in a blog post announcing the application.
One of the main complaints that proponents of the data- and metrics-driven movement in information security have voiced in recent years is that there’s a serious lack of data on attacks and other incidents with which to work. Few organizations want to divulge any details of an attack or data breach, even behind the veil of anonymity, for fear that it will expose them to embarrassment, loss of customers or other consequences. But Hutton is hoping that the availability of new tools such as the Verizon Community application will help address that problem.
“Everyone says that there’s not enough data available on these things, so we’re trying to gather that and give it back to the community,” Hutton said.