Real data on successes in combating breaches "not there yet," but sharing information could help pinpoint defenses that work against attacks

Dark Reading Staff, Dark Reading

December 3, 2010

Verizon Business' annual Breach Investigations Report has become one of the industry's most comprehensive and revealing looks at the real-world attacks going on within enterprises. In an interview with Dark Reading via Twitter yesterday -- also known as a Twitterview -- Alex Hutton, principal, risk and intelligence, at Verizon Business (@alexhutton), tweeted about the challenges of measuring risk, and how providing organizations a safe and anonymous way to share and compare details on their breach experiences can help.

For all of you non-Tweeps or those of our @DarkReading Twitter followers who may have missed it, here's the transcript from the Twitterview. The hashtag (#verizonDR) and the reply Twitter handles were stripped out for easier reading:

@DarkReading There's been discussion lately in pen testing, vuln assessment, PCI about assessing actual risks of a threat vuln.

@DarkReading Are enterprises getting overwhelmed with vuln/threat info and looking to cut to the chase?

@alexhutton Thanks for having me! I think people are getting overwhelmed with making sense of the data. Not necessarily volume

@DarkReading Do you think the security industry has been going at it all wrong with the emphasis on defense, bugs, etc. vs. risk?

@alexhutton I think those things are just risk determinants. So back to my former answer - how valuable is that determinant.

@alexhutton So risk and security are hypothetical constructs. They're not directly observable - so we have to create shadow #s

@alexhutton shadow #s that are representative of "secure". That's where the confusion is. That requires modeling (=hard)

@alexhutton elements, I'd say. These are as amorphous as political power, as technical as data "governance"

@alexhutton I think the important thing is to have a team that can help identify valuable data, missing data, and how that data

@alexhutton how that data can be acquired.

@alexhutton BTW - this twitterview is a pretty cool concept. :)

@DarkReading Voluntary breach disclosure (Google/Adobe/Aurora) is rare but useful...any chance we'll see more cos. do this ?

@DarkReading ... as in going public when they don't necessarily have to?

@alexhutton I certainly hope so! We're trying with #VERIS to assist in that quest but I think it's also likely...

@alexhutton ...that we'll see more sophisticated private data sharing within industries. Like the ISACs on steroids.

@alexhutton because we have 3 missing keys in the search for risk certainty - measure controls, measure threat capabilities...

@alexhutton ... and COMPARATIVE ANALYTICS. There's never going to be any progress until (#constitutional peasant, #montypython)

@alexhutton So I think that at some point, the value in comparative analytics will be recognized and data sharing will happen...

@alexhutton ... course for that to happen, we need to know why measurements matter (back to first question).

@DarkReading Do you think sharing breach info among victims is ultimately the best way to defend, and possibly get to attackers?

@alexhutton great question. In terms of outcomes, we can measure 2 things - successes and failures...

@alexhutton ... and breach info is STRONG failure data. Success data? Not there yet. You have both metrics & luck.

@DarkReading Can you talk more about how the metrics piece would work?

@alexhutton in terms of best way to defend, I think breach data are strong indicators of past performance. But you need...

@alexhutton ...present threat analysis and future threat analysis, too. Breach data can identify patterns and trends.

@alexhutton well, VzB RISK has an evidence-based risk management view. It's a little different than normal views of risk.

@alexhutton in addition to traditional likelihood x impact statements, we use #VERIS and the #DBIR (among other data/frameworks)

@alexhutton to identify determinants, determinants are traced to behaviors and demographics - it's much more a...

@alexhutton ...natural science look at "risk" than an engineering view. And I like that a lot b/c Security is not *just* CompEng

@DarkReading Verizon data earlier this year showed 1/2 of the breaches it investigated in past 2 yrs were related in some way...

@alexhutton so for us, the metrics piece is threat, control, asset, & impact data, viewed through a lens of org. capabilities

@DarkReading ...Do you think there are even more of these related attacks than we have found thus far, and can VERIS help here?

@alexhutton wow! yeah! So being specific on attacks vs. incidents, I'd say that this would be a key goal of #VERIS...

@alexhutton theoretically, with the right sharing mechanisms, we could find both successful defenses and failures from the same-

@alexhutton - threat source. That would be a pretty huge breakthrough if we could start modeling their attack techniques and..

@alexhutton inductively match technique to successful defense vs. just trying to say "hey control A *should* defend us"

@alexhutton like the work at ICSA Labs (and others) but outside of a lab and in the wild.

@DarkReading Cos. historically have been hesitant to share. How will VERIS make this process more attractive to them?

@alexhutton Great Q. several benefits 1-existing data 2-quality of framework 3-sweet .pdf artifact

@alexhutton VERIS solves the problem of common language by being a COTS framework (OpenOTS?). THEN it even has great data.

@alexhutton ..finally, the cool new app does "build your own #DBIR" in the artifact. Really cool and useful.

@alexhutton Co's want a metrics program that matters, VERIS is COTS pre-built and freely* available.

@DarkReading I know it's still new, but can you share any info on participation in VERIS or attack trends gathered thus far?

@alexhutton Don't want to spoil anyone's Xmas/Chanukah gifts to the #Infosec community ;-)

@alexhutton I will say this, we're very happy thus far with the quality of submissions!

@DarkReading Fair enough. =) I think we have time for at least one more question....

@DarkReading What role if any should the federal government have in incident-sharing? Howard Schmidt touched on this.

@DarkReading ... As in should the feds offer an anonymous reporting/sharing mechanism of sorts?

@alexhutton a hard political question! The feds should offer a VERIS app! Srsly - depends on the framework and value of the #s

@alexhutton MITRE CAPEC for example, would be great data sharing for app/system architects. FISMA op metrics great for comparison

@alexhutton hopefully VERIS can fill a risk management data role there.

@DarkReading Alex, thanks so much for taking the twitterview. Great insight and info on hot topics..& in 140-char increments. =) #verizonDR

@alexhutton - thanks for having me. This is fun & cool. I hope you'll do more of these on all sorts of infosec topics!

@DarkReading Are you willing to do this again sometime?

@alexhutton WOULD.LOVE.TO. good fun.

@DarkReading Excellent! And thanks to all of our followers for tuning in. Kelly Jackson Higgins here from DR.
