Verizon Incident Metrics Framework Released

Wade Baker
February 19th, 2010

Many of you who read our blog regularly are familiar with our ‘Data Breach Investigations Report’.  We hope that you’ve found past reports informative, useful, and above all, actionable.

The production of the DBIR has been driven by our desire to help solve what we see as two of the most significant problems facing our industry:

  1. Uncertainty due to the lack of data
  2. Equivocality due to the lack of a common framework

Basically, we believe that until we can all be on the same page regarding what terms mean and why those terms are useful, we’re going to have a problem creating meaning from any data we *do* get.

One of the reasons we feel that the DBIR is so useful is that it translates the incident narrative (the attacker did this, then that, then the other thing) into a data set. To accomplish this translation, we used a set of metrics developed internally. Think of it as a framework of incident elements that we believe will, when gathered consistently, help people better interpret data and manage risk.

Today we’re making a version of that framework, the Verizon Incident Sharing Framework (VERIS), available for you to use.

In the document that you can download here, you’ll find the first release of the VERIS framework. You can also find a shorter executive summary here. Our goal for our customers, friends, and anyone responsible for incident response is to be able to create data sets that can be used and compared because of their commonality. Together, we can work to eliminate both equivocality and uncertainty, and help defend the organizations we serve.

We hope that you’ll use and even take an active interest in the VERIS Framework. To that end, we’ve set up an online wiki for questions and answers, and have put in place an advisory board of independent security experts to work with the community on the growth and evolution of the framework as it’s used outside of Verizon.

We truly believe that together, we can begin to make a real difference, and it is our hope that this “common language” will be the first step towards creating an era of shared knowledge and collaboration for our industry.

Comments

  1. A very cool idea! Adding transparency to incidents can also aid in the development of stronger technologies to prevent future attacks.

    Posted by: only_samurai on March 1st, 2010 at 10:56 pm
  2. Yeah, very good idea and job, I download, install and try it.
    Good Items thx

    Posted by: Eric Seguinard on March 2nd, 2010 at 12:29 pm
  3. I have read this PDF, great document, but release this framework?
    I am waiting,

    Posted by: Consultant Securite informatique on March 2nd, 2010 at 4:51 pm
  4. Nice framework and thanks for publishing it.

    But there is a problem with the licensing. You limit it to non-commercial purposes. That makes it virtually unusable.

    Posted by: Doug Cornelius on March 2nd, 2010 at 8:02 pm
  5. Doug,

    I am not a lawyer but I will check with our legal team. My understanding was that the language that was provided to us by them and included in the document gives any organization wishing to use the framework to do so. What the licensing was supposed to prevent was another company selling the framework for profit or selling consulting services to implement it. I assure you that I will bring this up and, if necessary, change the language. The intent is that it be usable as described at the end of the document. Thank you for the comments.

    Posted by: Wade Baker on March 3rd, 2010 at 1:34 am
  6. It is good to have a common language to describe the incidents. Maybe I missed it: shouldn’t the framework also include external interfaces to push or pull data to/from various incident reporting systems to allow for greater sharing flexibility? Otherwise, it is pretty limited. I am also concerned about the legal clauses. To make this framework truly useful by the community, Verizon should give it out for free with no restrictions, including consulting services, which is used by the U.S. government a lot. Otherwise, many organizations will not contribute to or implement the framework.

    Posted by: Daniel W. on March 4th, 2010 at 7:36 pm
  7. Hi,
    The link to download is the pdf of the beta version.
    How can I download it?

    Thanks

    Posted by: Benoist on March 5th, 2010 at 11:00 am
  8. Do you have examples of export file formats for data sharing? Perhaps some XML samples and a DTD?

    I tried to ask this via the online forum mentioned, but even after logging in couldn’t see a way to reply to topics or add new ones.

    Posted by: Clerkendweller on March 9th, 2010 at 10:20 am
  9. Daniel and Clerkendweller,

    Yes, to be used, the framework needs an interface or an export format. As it stands now, we released only the framework itself. It is (our suggestion of) the “what to share” piece of the whole “incident sharing” puzzle. Once we receive feedback on the framework, we’ll move from beta to v1. We want to iron that out first.

    The “how to share” piece is the next logical step and one that we hope people will begin to ask and develop. We (Verizon) are working on several things to facilitate this but others may be as well. Internally, our IR team uses a custom questionnaire built into our case tracking software based on the VerIS framework. Anyone wishing to use the framework will need to create a spreadsheet, survey, application, etc to actually use it. We’ve tried to give guidance on doing this in the framework (i.e., the “Question Type” fields for each metric). Stay tuned…

    Posted by: Wade Baker on March 10th, 2010 at 3:41 am
  10. @Doug –

    RE: Non-Commercial – we’re appending the license.

    Posted by: Alex Hutton on March 22nd, 2010 at 2:40 pm
  11. The TM Forum is the logical place for an Incident Metrics “study”. We have hundreds of members who might benefit: Service Providers, Gov’t/Defense agencies, and Cable MSOs, and offer a rich Business Metrics Development Program.

    We are having discussion within the TM Forum Security Management Community about the VerIS, and will be considering it as we enhance our TM Forum Frameworx with Network Defense.

    In discussion with Wade on all of the above.

    Posted by: Christy Coffey on July 6th, 2010 at 8:43 pm
