informa
6 MIN READ
Quick Hits

Twitterview: Verizon Business Expert Talks Risk, Breach Info-Sharing

Real data on successes in combating breaches "not there yet," but sharing information could help pinpoint defenses that work against attacks
Verizon Business' annual Breach Investigations Report has become one of the industry's most comprehensive and revealing looks at the real-world attacks going on within enterprises. In an interview with Dark Reading via Twitter yesterday -- also known as a Twitterview -- Alex Hutton, principal, risk and intelligence, at Verizon Business (@alexhutton), tweeted about the challenges of measuring risk, and how providing organizations a safe and anonymous way to share and compare details on their breach experiences can help.

For all of you non-Tweeps or those of our @DarkReading Twitter followers who may have missed it, here's the transcript from the Twitterview. The hashtag (#verizonDR) and the reply Twitter handles were stripped out for easier reading:

@DarkReading There's been discussion lately in pen testing, vuln assessment, PCI about assessing actual risks of a threat vuln.

@DarkReading Are enterprises getting overwhelmed with vuln/threat info and looking to cut to the chase?

@alexhutton Thanks for having me! I think people are getting overwhelmed with making sense of the data. Not necessarily volume

@DarkReading Do you think the security industry has been going at it all wrong with the emphasis on defense, bugs, etc. vs. risk?

@alexhutton I think those things are just risk determinants. So back to my former answer - how valuable is that determinant.

@alexhutton So risk and security are hypothetical constructs. They're not directly observable- so we have to create shadow #s

@alexhutton shadow #s that are representative of "secure". That's where the confusion is. That requires modeling (=hard)

@alexhutton elements, I'd say. These are amorphous as political power, as technical as data "governance"

@alexhutton I think the important thing is to have a team that can help identify valuable data, missing data, and how that data

@alexhutton how that data can be acquired.

@alexhutton BTW - this twitterview is a pretty cool concept. :)

@DarkReading Voluntary breach disclosure (Google/Adobe/Aurora) is rare but useful...any chance we'll see more cos. do this ?

@DarkReading ... as in going public when they don't necessarily have to?

@alexhutton I certainly hope so! We're trying with #VERIS to assist in that quest but I think it's also likely...

@alexhutton ...that we'll see more sophisticated private data sharing within industries. Like the ISACs on steroids.

@alexhutton because we have 3 missing keys in the search for risk certainty - measure controls, measure threat capabilities...

@alexhutton ... and COMPARATIVE ANALYTICS. There's never going to be any progress until (#constitutional peasant, #montypython)

@alexhutton So I think that at some point, the value in comparative analytics will be recognized and data sharing will happen...

@alexhutton ... course for that to happen, we need to know why measurements matter (back to first question).

@DarkReading Do you think sharing breach info among victims is ultimately the best way to defend, and possibly get to attackers?

@alexhutton great question. In terms of outcomes, we can measure 2 things - successes and failures...

@alexhutton ... and breach info is STRONG failure data. Success data? Not there yet. You have both metrics & luck.

@DarkReading Can you talk more about how the metrics piece would work?

@alexhutton in terms of best way to defend, I think breach data are strong indicators of past performance. But you need...

@alexhutton ...present threat analysis and future threat analysis, too. Breach data can identify patterns and trends.

@alexhutton well, VzB RISK has an evidence-based risk management view. It's a little different than normal views of risk.

@alexhutton in addition to traditional likelihood x impact statements, we use #VERIS and the #DBIR (among other data/frameworks)

@alexhutton to identify determinants, determinants are traced to behaviors and demographics - it's much more a...

@alexhutton ...natural science look at "risk" than an engineering view. And I like that a lot b/c Security is not *just* CompEng

@DarkReading Verizon data earlier this year showed 1/2 of the breaches it investigated in past 2 yrs were related in some way...

@alexhutton so for us, the metrics piece is threat, control, asset, & impact data, viewed through a lens of org. capabilities

@DarkReading ...Do you think there are even more of these related attacks than we have found thus far, and can VERIS help here?

@alexhutton wow! yeah! So being specific on attacks vs. incidents, I'd say that this would be a key goal of #VERIS...

@alexhutton theoretically, with the right sharing mechanisms, we could find both successful defenses and failures from the same-

@alexhutton - threat source. That would be a pretty huge breakthough if we could start modeling their attack techniques and..

@alexhutton inductively match technique to successful defense vs. just trying to say "hey control A *should* defend us"

@alexhutton like the work at ICSA Labs (and others) but outside of a lab and in the wild.

@DarkReading Cos. historically have been hesitant to share. How will VERIS make this process more attractive to them?

@alexhutton Great Q. several benefits 1-existing data 2-quality of framework 3-sweet .pdf artifact

@alexhutton VERIS solves the problem of common language by being a COTS framework (OpenOTS?). THEN it even has great data.

@alexhutton ..finally, the cool new app does "build your own #DBIR" in the artifact. REally cool and useful.

@alexhutton Co's want a metrics program that matters, VERIS is COTS pre-built and freely* available.

@DarkReading I know it's still new, but can you share any info on participation in VERIS or attack trends gathered thus far?

@alexhutton Don't want to spoil anyone's Xmas/Chanukah gifts to the #Infosec community ;-)

@alexhutton I will say this, we're very happy thus far with the quality of submissions!

@DarkReading Fair enough. =) I think we have time for at least one more question....

@DarkReading What role if any should the federal government have in incident-sharing? Howard Schmidt touched on this.

@DarkReading ... As in should the feds offer an anonymous reporting/sharing mechanism of sorts?

@alexhutton a hard political question! The feds should offer a VERIS app! Srsly - depends on the framework and value of the #s

@alexhutton MITRE CAPEC for example, would be great data sharing for app/system architects.FISMA op metrics great for comparison

@alexhutton hopefully VERIS can fill a risk management data role there.

@DarkReading Alex, thanks so much for taking the twitterview. Great insight and info on hot topics..& in 140-char increments. =) #verizonDR

@alexhutton - thanks for having me. This is fun & cool. I hope you'll do more of these on all sorts of infosec topics!

@DarkReading Are you willing to do this again sometime?

@alexhutton WOULD.LOVE.TO. good fun.

@DarkReading Excellent! And thanks to all of our followers for tuning in. Kelly Jackson Higgins here from DR.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.