Verizon's VERIS Framework for Studying Breaches: A Look Inside
Sitting behind Verizon's annual Data Breach and Investigations report is the Vocabulary for Event Recording and Incident Sharing, or VERIS, a framework for understanding and recording security breaches.
One of the most import aspects of the Verizon DBIR is the sharing of information about how data breaches happen, Chris Porter, managing principal for the Verizon RISK (research, investigations, solutions and knowledge) Team, explained to eWEEK.
The DBIR details the trends derived from thousands of security incidents and is considered a leading indicator of the current state of information security. The underlying framework is now available to the community.
"We have recently finally gotten VERIS to a stable state, so we have released it to the community as well as a schema so other people can utilize it," Porter said.
Verizon has placed VERIS on the community GitHub social coding site, so anyone can freely download it. Verizon hasn't just put the VERIS framework out on its own; they've also included some 1,200 publicly known data breaches in the data set for researchers to go through on the VERIS Community Database site.
VERIS provides a way for data-breach information to be normalized and compared.
"I describe VERIS as the lens we use to look at any security incident," Porter said. "It gives meaning and definition, such that it's a repeatable process for every incident."
So whether the data breach was an act of organized crime leveraging malware or it's a nation-state attack leveraging a distributed denial-of-service (DDoS) attack against servers, VERIS can define those incidents within the framework. Data input into VERIS can be used to do analysis and comparison across multiple incidents.
The process of getting data into VERIS is not fully automated. Verizon's security analysts dig through information and code information into the system, Porter said.
One of the key challenges that Porter sees overall with data breaches, and why human security analysts are still needed, is the fact that the terms that are publicly used to define a breach can sometimes differ. In contrast, the goal with VERIS is to have very specific set definitions for data-breach terms.
With VERIS, a specific threat can be easily defined, Porter said. For example, in broad strokes, there is an external actor that is using a specific action, against a specific technical asset and affecting the asset's attributes in some way. The primary goal is to describe a very well-defined threat.
"So the idea is to get that type of detailed information out of unstructured public data, and that's what makes it hard to do in some kind of fully automated approach," Porter said. "It does need an analyst to look through the information and decide what type of action is involved."
VERIS can potentially be integrated alongside an enterprise security incident and event management (SIEM) system, a common tool that is widely used by many enterprises today, Porter said.
"The key and the hope here is that decision makers can collect information about incidents within their own organizations and can compare that against other publicly known security incidents," Porter said.
When an organization can compare its own data against publicly known incidents, it might be easier to come up with solutions or to dig deeper to find the root cause, he said.
The VERIS framework does not currently have a mechanism that allows users to directly report their breach information to Verizon, but that is a feature on the road map for future development, Porter said.
While VERIS is freely available for anyone to use, Verizon also does have a commercial service called the Incident Analytics Service (IAS). Porter explained that IAS is a professional services engagement where Verizon staff will go into an organization and analyze a specific security incident using the VERIS framework. With IAS, Verizon will also provide the organization with a full report.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.