For all of you non-Tweeps or those of our @DarkReading Twitter followers who may have missed it, here's the transcript from the Twitterview. The hashtag (#verizonDR) and the reply Twitter handles were stripped out for easier reading:
@DarkReading There's been discussion lately in pen testing, vuln assessment, PCI about assessing actual risks of a threat vuln.
@DarkReading Are enterprises getting overwhelmed with vuln/threat info and looking to cut to the chase?
@alexhutton Thanks for having me! I think people are getting overwhelmed with making sense of the data. Not necessarily volume
@DarkReading Do you think the security industry has been going at it all wrong with the emphasis on defense, bugs, etc. vs. risk?
@alexhutton I think those things are just risk determinants. So back to my former answer - how valuable is that determinant.
@alexhutton So risk and security are hypothetical constructs. They're not directly observable, so we have to create shadow #s
@alexhutton shadow #s that are representative of "secure". That's where the confusion is. That requires modeling (=hard)
@alexhutton elements, I'd say. These are amorphous as political power, as technical as data "governance"
@alexhutton I think the important thing is to have a team that can help identify valuable data, missing data, and how that data
@alexhutton how that data can be acquired.
@alexhutton BTW - this twitterview is a pretty cool concept. :)
@DarkReading Voluntary breach disclosure (Google/Adobe/Aurora) is rare but useful...any chance we'll see more cos. do this ?
@DarkReading ... as in going public when they don't necessarily have to?
@alexhutton I certainly hope so! We're trying with #VERIS to assist in that quest but I think it's also likely...
@alexhutton ...that we'll see more sophisticated private data sharing within industries. Like the ISACs on steroids.
@alexhutton because we have 3 missing keys in the search for risk certainty - measure controls, measure threat capabilities...
@alexhutton ... and COMPARATIVE ANALYTICS. There's never going to be any progress until (#constitutional peasant, #montypython)
@alexhutton So I think that at some point, the value in comparative analytics will be recognized and data sharing will happen...
@alexhutton ... course for that to happen, we need to know why measurements matter (back to first question).
@DarkReading Do you think sharing breach info among victims is ultimately the best way to defend, and possibly get to attackers?
@alexhutton great question. In terms of outcomes, we can measure 2 things - successes and failures...
@alexhutton ... and breach info is STRONG failure data. Success data? Not there yet. You have both metrics & luck.
@DarkReading Can you talk more about how the metrics piece would work?
@alexhutton in terms of best way to defend, I think breach data are strong indicators of past performance. But you need...
@alexhutton ...present threat analysis and future threat analysis, too. Breach data can identify patterns and trends.
@alexhutton well, VzB RISK has an evidence-based risk management view. It's a little different than normal views of risk.
@alexhutton in addition to traditional likelihood x impact statements, we use #VERIS and the #DBIR (among other data/frameworks)
@alexhutton to identify determinants, determinants are traced to behaviors and demographics - it's much more a...
@alexhutton ...natural science look at "risk" than an engineering view. And I like that a lot b/c Security is not *just* CompEng
@DarkReading Verizon data earlier this year showed 1/2 of the breaches it investigated in past 2 yrs were related in some way...
@alexhutton so for us, the metrics piece is threat, control, asset, & impact data, viewed through a lens of org. capabilities
@DarkReading ...Do you think there are even more of these related attacks than we have found thus far, and can VERIS help here?
@alexhutton wow! yeah! So being specific on attacks vs. incidents, I'd say that this would be a key goal of #VERIS...
@alexhutton theoretically, with the right sharing mechanisms, we could find both successful defenses and failures from the same-
@alexhutton - threat source. That would be a pretty huge breakthrough if we could start modeling their attack techniques and..
@alexhutton inductively match technique to successful defense vs. just trying to say "hey control A *should* defend us"
@alexhutton like the work at ICSA Labs (and others) but outside of a lab and in the wild.
@DarkReading Cos. historically have been hesitant to share. How will VERIS make this process more attractive to them?
@alexhutton Great Q. Several benefits 1-existing data 2-quality of framework 3-sweet .pdf artifact
@alexhutton VERIS solves the problem of common language by being a COTS framework (OpenOTS?). THEN it even has great data.
@alexhutton ..finally, the cool new app does "build your own #DBIR" in the artifact. Really cool and useful.
@alexhutton Co's want a metrics program that matters, VERIS is COTS pre-built and freely* available.
@DarkReading I know it's still new, but can you share any info on participation in VERIS or attack trends gathered thus far?
@alexhutton Don't want to spoil anyone's Xmas/Chanukah gifts to the #Infosec community ;-)
@alexhutton I will say this, we're very happy thus far with the quality of submissions!
@DarkReading Fair enough. =) I think we have time for at least one more question....
@DarkReading What role if any should the federal government have in incident-sharing? Howard Schmidt touched on this.
@DarkReading ... As in should the feds offer an anonymous reporting/sharing mechanism of sorts?
@alexhutton a hard political question! The feds should offer a VERIS app! Srsly - depends on the framework and value of the #s
@alexhutton MITRE CAPEC for example, would be great data sharing for app/system architects. FISMA op metrics great for comparison
@alexhutton hopefully VERIS can fill a risk management data role there.
@DarkReading Alex, thanks so much for taking the twitterview. Great insight and info on hot topics..& in 140-char increments. =) #verizonDR
@alexhutton - thanks for having me. This is fun & cool. I hope you'll do more of these on all sorts of infosec topics!
@DarkReading Are you willing to do this again sometime?
@alexhutton WOULD.LOVE.TO. good fun.
@DarkReading Excellent! And thanks to all of our followers for tuning in. Kelly Jackson Higgins here from DR.