Verizon Launches Service Based On Data Breach Report Methodology

Verizon Business is offering a security incident analysis service based on the Verizon Incident Sharing framework (VerIS), the foundation of its highly regarded annual Data Breach Investigations Report (DBIR). The aim of the service is to generate metrics on an organization's security incidents over time, discover the root causes of its exposure and take preventive measures.

June 22, 2011


Verizon Business is offering a security incident analysis service based on the Verizon Incident Sharing framework (VerIS), the foundation of the organization's highly regarded annual Data Breach Investigations Report (DBIR). The aim of the service is to generate metrics on an organization's security incidents over time, discover the root causes of its exposure and take preventive measures.

The DBIR has been particularly valuable in identifying common weaknesses, typically failures to implement very basic security measures and controls, that repeatedly result in breaches. The Verizon investigations show the same issues recurring across organizations in sectors such as hospitality, retail and financial services.

"We see patterns when we study the community," said Wade Baker, director of research and intelligence and principal DBIR author. "The same kinds of problems occur over and over again."

The Incident Analytics Service (IAS), on the other hand, turns the VerIS use case around: instead of aggregating breaches across the community, it gathers and analyzes data from a single organization's security incidents over a period of time. The enterprise uses the service to collect, classify and analyze information about its incidents to discover root causes, the impact on the business, how the incidents affect the organization's security posture and how to address the issues to improve security. Baker refers to this approach as "evidence-based risk management": it draws on what has actually happened, as opposed to assessments based on, for example, pen testing and vulnerability scanning, which selectively test what could happen.

Organizations often have capable incident response, but typically deal with incidents as one-offs rather than collecting information that could show patterns of successful attacks. "There's a disconnect when we ask, 'What kind of incidents have you had in the past?'" Baker says. "I've never been in an organization that can just print out a list of incidents of all types over the last two years so they can do risk analysis."

The VerIS framework is divided into four sections, each of which captures a different aspect of a security incident. Collectively, it is designed to help enterprises understand what happened and how damaging it was. The sections are:

  • Demographics, such as the date of the incident, how serious it was, the region in which it occurred and the vertical industry of the affected company.

  • Incident descriptions, using metrics to detail the series of events that an incident comprises, who was affected and what was done.

  • Discovery and mitigation, which analyzes the events immediately following an incident and the lessons learned. Metrics include a timeline, how the incident was discovered, the resources used, the controls in place and whether they were adequate.

  • Impact analysis details direct asset losses, business disruptions, and response and recovery costs, as well as indirect losses affecting competitive advantage or marketplace damage.

The 2009 Data Breach Investigations Supplemental Report is a good example of how VerIS works and the kind of data it yields.
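To make the four-section structure concrete, the following is an added example, not Verizon's code and not the real VerIS schema: an incident record with fields shaped after the four sections the article lists, plus the cross-incident roll-ups an organization would compute from a couple of years of such records (recurring attack actions, how incidents tend to be discovered, median time to discovery, how often the controls in place were judged inadequate, and a per-quarter view). The field names, severity scale and the sample incidents are all constructed for illustration.

```python
"""Added example of VerIS-style incident records and cross-incident metrics.
Not Verizon's code or the actual VerIS schema; field names, the 1..5
severity scale and the sample incidents below are constructed for
illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List


@dataclass
class Incident:
    # Demographics
    occurred: date
    severity: int                 # assumed scale: 1 (low) .. 5 (critical)
    region: str
    industry: str
    # Incident description: ordered events and what was hit
    actions: List[str]            # e.g. ["sql_injection", "malware_install"]
    affected_assets: List[str]
    # Discovery and mitigation
    discovered: date
    discovery_method: str         # e.g. "third_party", "ids_alert", "log_review"
    controls_present: List[str]   # controls that were in place at the time
    controls_adequate: bool       # judged adequate after the fact?
    # Impact
    direct_loss_usd: float
    response_cost_usd: float
    indirect_loss: str = ""       # free text: reputational, competitive damage


def days_to_discovery(inc: Incident) -> int:
    """Length of the window between compromise and discovery."""
    return (inc.discovered - inc.occurred).days


def summarize(incidents: List[Incident]) -> Dict[str, object]:
    """Roll a set of incidents up into the patterns the article describes:
    which actions recur, how incidents get found, how long they go
    unnoticed, which controls were present when they were judged
    inadequate, and what the incidents cost."""
    if not incidents:
        return {}
    action_counts = Counter(a for inc in incidents for a in inc.actions)
    discovery_counts = Counter(inc.discovery_method for inc in incidents)
    inadequate = [inc for inc in incidents if not inc.controls_adequate]
    controls_in_inadequate = Counter(c for inc in inadequate
                                     for c in inc.controls_present)
    return {
        "count": len(incidents),
        "top_actions": action_counts.most_common(3),
        "discovery_methods": dict(discovery_counts),
        "median_days_to_discovery": median(days_to_discovery(i) for i in incidents),
        "share_controls_inadequate": round(len(inadequate) / len(incidents), 2),
        "controls_in_inadequate": dict(controls_in_inadequate),
        "total_cost_usd": sum(i.direct_loss_usd + i.response_cost_usd
                              for i in incidents),
    }


def by_quarter(incidents: List[Incident]) -> Dict[str, Dict[str, object]]:
    """Group incidents by the quarter they occurred in and summarize each
    bucket, mirroring the quarterly reporting cadence mentioned above."""
    buckets: Dict[str, List[Incident]] = {}
    for inc in incidents:
        key = f"{inc.occurred.year}Q{(inc.occurred.month - 1) // 3 + 1}"
        buckets.setdefault(key, []).append(inc)
    return {k: summarize(v) for k, v in sorted(buckets.items())}


# Constructed sample: four incidents over two years at one fictional retailer.
SAMPLE_INCIDENTS = [
    Incident(date(2010, 3, 2), 4, "US-East", "retail",
             ["sql_injection", "malware_install", "data_exfil"], ["pos_db"],
             date(2010, 5, 20), "third_party", ["waf", "av"], False,
             120000, 40000, "card brand fines"),
    Incident(date(2010, 8, 10), 2, "US-East", "retail",
             ["phishing", "credential_theft"], ["mail_account"],
             date(2010, 8, 12), "ids_alert", ["av", "mail_filter"], True,
             0, 5000),
    Incident(date(2011, 1, 15), 4, "US-West", "retail",
             ["sql_injection", "data_exfil"], ["web_store_db"],
             date(2011, 3, 1), "third_party", ["av"], False,
             80000, 30000, "press coverage"),
    Incident(date(2011, 4, 4), 3, "US-West", "retail",
             ["default_credentials", "malware_install"], ["pos_terminal"],
             date(2011, 4, 6), "log_review", ["av", "password_policy"], False,
             10000, 8000),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_INCIDENTS).items():
        print(f"{key}: {value}")
    for quarter, summary in by_quarter(SAMPLE_INCIDENTS).items():
        print(quarter, summary["count"], summary["top_actions"])
```

Run on the sample, `summarize` reports that SQL injection, malware installation and data exfiltration each show up twice in four incidents, that half of the incidents were reported by an outside party rather than found internally, that the median compromise-to-discovery window is 23.5 days, and that anti-virus was in place in all three incidents whose controls were judged inadequate. That last figure is the kind of evidence-based finding the article contrasts with what a vulnerability scan would tell you.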

Enterprises can choose to track incidents on an organization-wide basis or by business unit. Verizon will integrate the service with existing incident response personnel, processes and mechanisms, such as ticketing systems, and issue reports monthly or quarterly depending on the level of service. There are three levels of service. The lowest, which is close to a do-it-yourself approach to VerIS, is priced at $24,000 per year. The middle tier is priced at $120,000 annually. The upper tier is $240,000; with this version, Verizon takes a much more active role, with extensive consulting and reporting.

See more on this topic by subscribing to Network Computing Pro Reports Strategy: Malware War (subscription required).
