Verizon Business is offering a security incident analysis service based on the Verizon Incident Sharing framework (VerIS), the foundation of the company's highly regarded annual Data Breach Investigations Report (DBIR). The aim of the service is to generate metrics on an organization's security incidents over time, so that the organization can discover the root causes of its vulnerabilities and take preventive measures.
The DBIR has been particularly valuable in identifying common weaknesses: typically, failures to implement very basic security measures and controls, which repeatedly result in breaches. The Verizon investigations show consistent issues across organizations in sectors such as hospitality, retail and financial services.
"We see patterns when we study the community," said Wade Baker, director of research and intelligence and principal DBIR author. "The same kinds of problems occur over and over again."
The Incident Analytics Service (IAS), on the other hand, turns the use case of the VerIS framework around to gather and analyze data from a single organization's security incidents over a period of time. The enterprise uses the service to gather, classify and analyze information about its incidents in order to discover root causes, the impact on the business, how the incidents affect the organization's security posture, and how to address the issues to improve security. Baker refers to this approach as "evidence-based risk management," drawing on what has actually happened, as opposed to assessment based on, for example, pen testing and vulnerability scanning, which selectively test what could happen.
Organizations often have capable incident response, but typically deal with incidents as one-offs rather than collecting information that could show patterns of successful attacks. "There's a disconnect when we ask, 'What kind of incidents have you had in the past?'" Baker says. "I've never been in an organization that can just print out a list of incidents of all types over the last two years so they can do risk analysis."
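The evidence-based approach described above depends on two things most organizations lack: a consistent classification of each incident and the ability to aggregate those records over time. The following script, added here as an illustration and not part of Verizon's service or the VerIS framework, shows what that aggregation looks like on a small set of constructed incident records. The record fields (actor, action, asset, attribute, root cause, discovery date) are an assumption modelled loosely on the kind of classification VerIS is known for; the field names, values and the helper functions are all hypothetical.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample incident records for this example only (not real data).
# Each incident is classified once, at closure, so it can be counted later.
INCIDENTS = [
    {"id": "INC-001", "date": date(2010, 3, 4), "actor": "external", "action": "hacking",
     "asset": "pos_terminal", "attribute": "confidentiality", "root_cause": "default_credentials"},
    {"id": "INC-002", "date": date(2010, 5, 19), "actor": "external", "action": "malware",
     "asset": "pos_terminal", "attribute": "confidentiality", "root_cause": "default_credentials"},
    {"id": "INC-003", "date": date(2010, 8, 2), "actor": "internal", "action": "misuse",
     "asset": "database", "attribute": "confidentiality", "root_cause": "excessive_privileges"},
    {"id": "INC-004", "date": date(2010, 11, 23), "actor": "external", "action": "hacking",
     "asset": "web_server", "attribute": "confidentiality", "root_cause": "unpatched_software"},
    {"id": "INC-005", "date": date(2011, 1, 10), "actor": "external", "action": "hacking",
     "asset": "pos_terminal", "attribute": "confidentiality", "root_cause": "default_credentials"},
    {"id": "INC-006", "date": date(2011, 2, 14), "actor": "internal", "action": "error",
     "asset": "laptop", "attribute": "confidentiality", "root_cause": "unencrypted_device"},
    {"id": "INC-007", "date": date(2011, 6, 30), "actor": "external", "action": "hacking",
     "asset": "web_server", "attribute": "integrity", "root_cause": "unpatched_software"},
    {"id": "INC-008", "date": date(2011, 9, 8), "actor": "external", "action": "social",
     "asset": "user_workstation", "attribute": "confidentiality", "root_cause": "phishing_susceptibility"},
]


def quarter_key(d):
    """Map a date to a (year, quarter) bucket for trend reporting."""
    return (d.year, (d.month - 1) // 3 + 1)


def incidents_per_quarter(records):
    """Count incidents per (year, quarter): the 'list over the last two years' view."""
    return Counter(quarter_key(r["date"]) for r in records)


def breakdown(records, field):
    """Frequency of each value of one classification field, e.g. 'action' or 'asset'."""
    return Counter(r[field] for r in records)


def recurring_root_causes(records, min_count=2):
    """Root causes seen at least min_count times, most frequent first.

    These are the candidates for a control that prevents a whole class of
    incidents rather than fixing each one as a one-off.
    """
    counts = Counter(r["root_cause"] for r in records)
    return sorted(((cause, n) for cause, n in counts.items() if n >= min_count),
                  key=lambda cn: (-cn[1], cn[0]))


def repeat_patterns(records):
    """Group incident ids by (actor, action, asset); return only triples seen more than once."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["actor"], r["action"], r["asset"])].append(r["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def posture_report(records):
    """Summary a risk team could review: trend, mix of actions/assets, repeat causes."""
    return {
        "total": len(records),
        "per_quarter": dict(incidents_per_quarter(records)),
        "by_action": dict(breakdown(records, "action")),
        "by_asset": dict(breakdown(records, "asset")),
        "recurring_root_causes": recurring_root_causes(records),
        "repeat_patterns": repeat_patterns(records),
    }


if __name__ == "__main__":
    for section, value in posture_report(INCIDENTS).items():
        print(f"{section}: {value}")
```

The value of the report is in `recurring_root_causes` and `repeat_patterns`: on this sample the same root cause (default credentials on point-of-sale terminals) accounts for three incidents across four quarters, which is exactly the kind of fact that single-incident response never surfaces but a two-year incident list does.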