Feb 28 2010
My friend Alex Hutton and the rest of the RISK Team at Verizon Business have done it again! This time, rather than release a report about breaches, they’ve released the Verizon Incident Sharing Metrics Framework (VerIS for short). All the awesomeness that went into creating the 2009 Verizon Breach Report is being shared with the incident response community so that we can compare apples to apples when it comes to compromises. Rather than each company capturing its own unique dataset and creating statistics in its own particular way, VerIS is a framework that allows companies to capture the same sorts of data about a compromise and compare it directly to the compromises other companies are seeing. This is exactly what we’ve been asking for since the first Verizon Breach Report.
One of the highlights of the year for me is when the Verizon Breach Report comes out. Many of us have anecdotal evidence of breaches and know on a visceral level that if we don’t secure our networks and enforce policies, bad things are going to happen. But the Breach Report is what allows us to take it from feelings and anecdotes to being able to show our company’s leadership exactly what lapses in security have led to many of the breaches in the last year. If you haven’t read the 2009 Verizon Breach Report, stop reading this and go review it now. After you’ve read that, you may also want to fill out some marketing surveys and read the Trustwave Global Security Report of 2010. Or at least read Rich’s short review of the report, including the part where he asks the folks at SpiderLabs to use a standard base of metrics.
The Verizon Incident Sharing Metrics Framework gives us the ability to start collecting one of the things security is sorely missing: common collection and comparison methods for breaches. Long ago and far, far away I used to be in the life insurance biz, and one of the cornerstones of insurance is actuarial tables. An insurance company can look at your height, weight, sex, and several dozen other statistics and tell you very easily if you’re likely to die from some factor within the term of their insurance policy. It’s no accident that as you become older insurance becomes more expensive. They know exactly what your chances are compared to those like you, in large part because they’ve had centuries of common data to draw from and create tables of how those factors affect your long-term survival. And as much as we talk about statistics in security, we’re a fledgling science and have a relatively small, confused dataset to draw from when creating our own actuarial tables. We literally don’t even have enough information to know what we don’t know yet, let alone establish any sort of meaningful relationship between security measures and breaches. VerIS gives us a chance to start changing this.
Read the slick on what data VerIS is aimed at collecting and how it can be sliced and diced; I make no secret of the fact that I’m more of a consumer of the final information than I am interested in how it was collected. But what I find fascinating and important are the goals Verizon Business is setting with this framework. It’s not meant to be the last word in incident metrics; it’s only a starting point that other companies can extend. VzB is actually looking for help extending the framework and making it as powerful as they can. The VerIS Framework is meant to promote information sharing, and if enough people contribute to the underlying datasets, we can get something important out of this as a community. It’s not hard to add your own unique twist to how you slice and dice the information, but what’s important is that we have a common set of statistics to start from so we know we’re comparing the same factors when looking at breaches.
It’s going to be a while before we have anything as deep and rich (and boring) as an insurance company’s actuarial tables. But if a common framework gives us the possibility of being able to scientifically state what security measures are effective and which are only skin deep, VerIS is a winner. One of the complaints about a compliance framework like PCI is that it doesn’t respond well to changes in the real world. But what if the PCI Council mandated the use of something like the Verizon Incident Sharing Framework and made changes to the next version of PCI based on that instead of vendor and merchant wants and desires? Now that would make PCI something truly effective.
*Full disclosure: I work as a QSA at Verizon Business for my day job. However, everything about this blog is strictly my opinion, and no one but my wife has more than a cursory influence on what I write here.