On the premise that companies that learn from other enterprises' breaches are more likely to avoid compromise themselves, Verizon's VERIS program aims to make incident response more collaborative.
In this video recorded at RSA Conference 2011, Verizon's Director of Risk Intelligence Wade Baker discusses his company's incident sharing system and explains how they hope to improve the incident response process.
For more information:
- Check out this video on this year's Verizon Data Breach Report.
- Wade Baker discusses the state of PCI in this video.
- Are 'security researchers' only out for fame? Watch this video.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Verizon VERIS: Wade Baker discusses incident sharing
Eric Parizo: Hi, I'm Eric Parizo from Searchsecurity.com. It's great to have you
with us. Joining me today is Wade Baker, Director of Risk Intelligence for
Verizon. Wade thanks so much for being with us today.
Wade Baker: Absolutely. I'm glad to.
Eric Parizo: Let's talk about the VERIS program for a few minutes. Verizon last
year launched its VERIS, or Verizon Incident Sharing, program. Can you
tell us briefly what that is?
Wade Baker: So, if you've read the Data Breach Report, you've seen the evidence
of, there's some kind of structure that we use to classify these breaches.
We report external, internal, and partner when we talk about threat agents,
when we report their actions in terms of malware, hacking, social,
misuse and those kinds of things. So, the VERIS framework is a
classification schema for describing a security incident. And it's
necessary when we take all of this information in the case report, which is
usually 60-70 pages of text, and we somehow need to transfer that into
data. So VERIS is what we developed over time to do that and we thought,
'Well huh, this is very interesting. Maybe other organizations would want
to do this.' So we published the framework. It's free, so any
organization, whether they're an IR group or whether they're just an
organization that wants to do a better job tracking and managing their
security incidents, can use this and describe incidents. They might want
to share that information. That's the point of it; it has sharing in the
title, right? So I mentioned a while ago that we put up a community
website where they can use the VERIS framework to describe an incident and
submit it. It's all anonymous but it's an attempt to facilitate
information sharing, because we haven't really been successful as an
industry in that; and we maintain that part of that is at least the
language. Everybody describes an incident differently. So, VERIS is an
attempt to give everybody a common language. Maybe then we'll be motivated
to actually start sharing this information.
Eric Parizo: Now, VERIS has been publicly available since last year, I believe,
but you actually recently released a new website to try to make it more
usable, right? Can you tell us about that?
Wade Baker: It's a website that is there, and you go, you can test it if you
want. Again, it's free for use, there's no fee here, there's no login,
it's all completely anonymous, and it will ask you a series of questions
based on the VERIS framework. So one of the first few questions it'll ask
is, "Did this involve an external threat agent?" There's a definition
there that describes what we mean; and if you say yes, then there's a
series of questions, "Well, what was the origin of that threat agent and
what kind? Were they a government? Were they an organized crime unit?"
So, it's an adaptive survey is really what it is when you get to it.
You go through the questions and when you hit submit, what we give people
is some immediate feedback, so this is one of the "Why should I spend my
time doing this?" One is that you get a report back that says everything
that you just submitted and how common or rare that is in comparison to our
overall data set. So it might say, "You said you had an external
government agency that attacked you," and we would show you, "Well, across
our case load, that happens about 1% or 2% of the time in all incidents."
And it does that for all of these factors and it also is a way to help the
community, because we're working on sharing that information back.
Eric Parizo: What is the benefit for Verizon? How do you go about using the
Wade Baker: We're keeping it separate from the Data Breach Report, because we do
what we can to vet the information submitted through the VERIS community
site, but at the end of the day, someone has claimed that this happened and
this is someone's description of that incident. It's not, say, a trained
forensic investigator that has gone and collected real evidence. So, we
think there are two different data sources of varying quality. We're
keeping them separate. The VERIS information won't appear in the Data
Breach Report, but it is useful information and we're reporting it and
sharing it, sort of in its own right, if you will.
Eric Parizo: So, the website essentially makes the information or the VERIS
framework more useable?
Wade Baker: Yes. Yes, so when we released the framework itself back in March, a
lot of people said, 'Well, how am I going to use this?', because the
framework is like an encyclopedia. It is on a Wiki format and it just says
here's the type of external threat agents that we have and maybe some
definitions there. You can't actually use it to submit an incident. You
would need to create some kind of survey or collection mechanism around it,
which some people have done. But VERIS, the application, was our
suggestion and our attempt at creating the actual collection tool for a
VERIS based incident classification system.