Verizon is adding a new service that aims to tie together its massive Data Breach Investigations Report and its incident classification and reporting repository into a tool that helps organizations plan and measure their security programs.
We think with the data breach report we have shown there is value in collecting structured, detailed information about incidents and seeing what we can learn from them.
Wade Baker, director of risk intelligence, Verizon
Called the Verizon Incident Analytics Service (IAS), the new Web application will bring together the information Verizon gathers from its customers and public data repositories. The anonymous and aggregated data could help organizations prioritize security projects and more efficiently allocate funds for defenses that adequately protect sensitive systems, said Wade Baker, director of risk intelligence for Verizon and one of the principal authors of the Verizon DBIR.
“We think with the data breach report we have shown there is value in collecting structured, detailed information about incidents and seeing what we can learn from them,” Baker said in an interview with SearchSecurity.com. “The Incident Analytics Service takes that same methodology and those same capabilities that we’ve been developing and focuses them on one particular organization in this service contract.”
The Verizon DBIR was first produced in 2008 and provided information on hundreds of breach investigations conducted by the company over a four-year period. Verizon has expanded the report’s data set each year and in 2011, the report will include the case loads from the Secret Service and the Dutch National High Tech Crime Unit. Each year security experts weigh in on which parts of the report provide actionable data and which parts can be highly misconstrued. Before the Verizon DBIR, organizations relied on the Computer Security Institute’s Computer Crime and Security Survey and data provided by the FBI to get a clearer picture of the threat landscape, incident response and the impacts of both malicious and non-malicious insiders.
“Any time you present information there’s certainly room for interpretive error and error in presenting data,” Baker said. “Caseload bias is important to understand and there are so many contributors that could lead to misrepresentation or misinterpretation.”
The IAS makes the annual Verizon DBIR more actionable, Baker said. The Verizon Enterprise Risk and Incident Sharing (VERIS) repository, which has been collecting anonymous data shared by enterprises since 2010, will help broaden the visibility into what other companies are doing, he said. Organizations can alter their security strategy based on the technologies and policies that are most effective, he said.
The new IAS tool will also help enterprises benchmark their security program, measuring it against their peers. The data provides anonymous information on security incidents, data losses, security controls and spending.
The new Verizon application is like an incident ticketing system, Baker said. The software is protected by authentication. It does not store anything that the organization doesn’t tell it to. It is a manual process to plug data into the software, he said. The data is then stored, shared anonymously with other organizations and available to generate reports.
“It’s serious and detailed about tracking these details over time and that will put a fine grained spotlight on the areas that are problematic and identify which controls can be implemented to address those problems,” Baker said.
The IAS will be combined with Verizon’s consulting services, which provides training, guidance, analysis and recommendations to Verizon clients. Verizon works with customers and categorizes them into peer groups to study their security incidents, track them and mine them to make risk-based decisions on the appropriate security posture, policies, practices and technologies that should be in place.