Last month Verizon released a publicly available version of the Verizon Incident Sharing (VerIS) framework. This metrics framework is a very easy read and should be of interest to both information security professionals and IT managers. It is intended to help an organization understand the impact of a security incident based on some specific categories. VerIS defines four metrics categories as follows.
- Demographics – This section describes (but does not identify) the entity affected by the incident. The primary purpose is to aid comparisons between departments within a single organization or among different organizations participating in an information exchange. While any number of organizational characteristics could be tracked, those listed below provide an adequate basis for interesting and useful comparisons.
- Incident classification – This section translates the incident narrative of “who did what to what (or whom) with what result” into a form more suitable for trending and analysis. To accomplish this, VerIS employs the A4 Threat Model developed by Verizon’s Risk Intelligence team. In the A4 model, a threat scenario or actual security incident is viewed as a series of events that adversely affects the information assets of an organization.
- Discovery and mitigation – This section focuses on events immediately following the incident and the lessons learned during the response and remediation process. It provides useful insight into the detection and defensive capabilities of the organization and helps identify necessary corrective actions that need to take place to prevent similar incidents in the future.
- Impact classification – One of the more important pieces of incident information is the impact an incident has on the organization. Unfortunately the true impact of an incident can be difficult to measure, as it is rarely possible to observe all negative aspects of an incident simply by focusing on cost accounting. The VerIS categories of breach impact metrics are designed to help the security professional understand what causes the organization to feel impact (types of impact), so that the organization that they serve can be better prepared to anticipate and contain future losses.
I think that the discovery and mitigation category shown above is one of the most challenging to follow through. How do you keep lessons-learned fresh? What processes do you put into place to detect weaknesses and mitigate threats? Verizon has also opened an online forum for discussion on the VerIS framework. Word needs to get out to the infosec community about this framework and its possible application to an organization. I plan on taking some of the suggestions and improving the security incident handling process at my organization. Share with me and other ITKE readers what you think is right or wrong with this framework or what framework you currently use for your organization.
Thanks for reading and let’s continue to be good network citizens!