A new Web site could help turn security breach guesswork into science.
Database breaches, social engineering attacks, and hacking incidents happen at companies every day, but very few end up being reported publicly. That's because organizations fear--and rightly so--damage to their reputation, public humiliation, and loss of customer confidence.
But this silent victim syndrome means that others can't learn from the missteps of victims and that the industry as a whole doesn't have a good grasp on the scope of the problem.
In a first-of-its-kind effort, Verizon Business is launching a public Web site for reporting security incidents that could crack open the self-defeating secrecy of data breaches.
"This will benefit the overall community," Alexander Hutton, a principal of research and intelligence at Verizon Business, told CNET in an interview. "The valid data helps us all learn from mistakes."
Verizon is officially launching today its Veris information-sharing site where network or security professionals can provide detailed information about an incident and get back a report that illustrates via charts, graphs, and other information how the reported incident compares with others.
The site's multiple-page questionnaire dives into the details of incidents and particulars about the company, such as which industry it's part of, the size of the business, and how many security staffers it has, so comparisons can be made to similar organizations. The online form also asks respondents how long it took to discover and contain the incident, how it could have been prevented, and how much time, resources, and money were lost due to the breach.
"There is a lot of survey data out there [about estimated costs], but it's not like you can go in and get actual figures," Hutton said. "We're hoping to get specific information by doing this."
Once the data is submitted, the site generates a downloadable report on the fly--in a demonstration the report was 19 pages in length--that classifies the type of incident, analyzes the details, and shows how it stacks up to other incidents in Verizon's incident database compiled over the last five years. That database, which consists of information that Verizon has gleaned from its managed service of customer networks, has about 900 million records and includes information from the U.S. Secret Service that was added this summer.
The individualized report that participants walk away with is a key piece of the project, providing an incentive to entice organizations to do something they ordinarily are loathe to do: disclose information about security problems. The report is designed to help participants better understand what happened to them and to figure out how to prevent future problems. It undoubtedly will be a useful tool for security professionals who usually have some explaining to do to C-level executives after an incident.
Veris, which stands for Verizon Enterprise Risk and Incident Sharing, is focused on collecting data and offering participants analysis and is not really set up at this point to spit out analysis and statistics to the public, according to Hutton. Asked if that option would ever be available, he declined to say.
It's also unclear how the data will be used to flesh out the Verizon Data Breach Investigations Report (PDF), which is published annually and is highly regarded. Hutton said the data will be kept separate from the annual report and could be included as a supplement to it, but also said that the data collected on the public-facing Veris site will help broaden the types of information gathered beyond the Verizon customer base. For instance, there are likely to be more small companies represented in the Veris site data and more information on different types of incidents like laptop theft that Verizon customers tend not to contact Verizon about.
The site's openness does have its drawbacks, too. The fact that anyone can use the Veris site to report an incident, even potentially fudging or fabricating data, means it may not be considered as trustworthy as the insight Verizon gets from its own customers.
There is another site that offers the public statistics on data breaches, the Open Security Foundation's DataLossDB. Anyone can post information there on incidents that they read about on news sites and other places, so it's generally limited to what's been publicly disclosed.
"I don't see this as a competing pursuit," Hutton said of the Veris site. "Our goal is to give those who have suffered an incident analytics and the ability to build their own data breach report."