Community Information-Sharing Website to Advance Knowledge of Security Incidents via Anonymous Reporting
Verizon has launched a Web site designed to collect and share information about security incidents that can be voluntarily and anonymously reported by participating organizations around the globe.
The site, “VERIS community Web site,” is essentially a crowd-sourced collection of data breach incidents. Using the site, organizations and individuals can share their data by using an online application for collecting, classifying, analyzing and comparing security incident information.
The site is built on the VERIS framework, the same platform introduced in March when Verizon Business publicly released the research framework used for the company’s landmark “Data Breach Investigations Reports.” The framework, which has since been publically vetted by the security community, was pivotal in introducing a common language and structured, repeatable process to allow organizations to objectively classify security incidents. The common language is critical, as there is currently no universal language that describes security incidents or an accepted industry standard for the development of risk metrics.
“With the VERIS Project, Verizon is publicly sharing data that we have spent years gathering through our data breach caseload,” said Peter Tippett, vice president of technology and innovation, Verizon Business. “We are sharing the aggregate data — and encouraging other companies to anonymously share their security-event data — to promote more dialogue and understanding of security incidents. The collective sharing of in-the-trenches security events offers us the opportunity to fundamentally change how we all manage risk.”
In order to report an incident, participating organizations complete a fairly simple set of online forms put together a wizard, consisting of the following areas: Demographics, Incident classification, Discovery and Mitigation and Impact Classification. Verizon says that after submitting data on an incident, users will receive a customized mini “Data Breach Investigations Report” that analyzes the incidents and compares them with similar incidents that occurred at other participating organizations.
For example, participating enterprises will know whether their incident was a rare event or one commonly experienced by others, and such information can help enterprises decide what, if anything, should be done to prevent similar events in the future.
The project is a joint effort of the Verizon RISK Team and ICSA Labs, an independent division of Verizon Business that performs third-party security testing and certification.
You can visit the VARIS Community Site at: https://www2.icsalabs.com/veris/
