Verizon Incident Classification and Reporting

Verizon Incident Classification and Reporting.

In an effort to broaden the range of incidents used by Verizon Business’s annual Data Breach Investigations Report beyond those it investigates itself and those provided in 2010 by the Secret Service, Verizon Business’s ICSA Labs has created an application that allows anyone to add incidents using the VERIS Framework.

In return for adding anonymized incident information,

…you will receive a comparative report that frames your incident within the broader VERIS dataset. You will, for instance, know whether your incident was a rare event or one commonly experienced by others and such information can help you decide what, if anything, should be done to prevent similar events in the future.

Is this enough value? Why not allow direct access to the VERIS database through an API? This would allow you to do your own analysis rather than just relying on Verizon’s. Is it possible that third parties, bringing different perspectives and tools, would glean insights that Verizon is missing?

The VERIS Framework is very straightforward. There are three key components to any incident – Agents (actors), Actions, Assets. Perhaps I like it because it’s very similar to methodology I developed with a colleague for log analysis using the terms Subject, Action, Object, which not coincidentally corresponds to the three key parts of a sentence – Subject, Verb, Object.

There is a fourth “A” which stands for Attributes of the above mentioned three A’s. The selection of classification Attributes is critical to effective analysis. For anonymized incident information, Verizon has done a good job in its classification attribute selection.