By now everyone in the infosec community with a pulse has heard about the release of the 2013 Verizon Data Breach Investigation Report. This yearly publication from the Verizon RISK team is always eagerly awaited, reviewed, consumed, digested, and used. The basic taxonomy which allows the authors to digest the massive amount of data (47,000 incidents this year) is the Vocabulary for Event Recording and Incident Sharing (VERIS). While VERIS has been freely available and even rebranded away from any association with the Verizon corporate presence, widespread enterprise adoption seems to remain elusive. That’s a shame because an organization could take their own VERIS encoded incidents and create a DBIR report that is specifically relevant to them.
In this (hopefully ongoing) series of posts I’ll document my efforts to build in the VERIS classification scheme at my own organization’s incident response program. I’ll then analyze that data set using tools and techniques similar to those employed by the data gurus at Verizon with the goal of creating actionable intelligence out of our specific incident data.. On this somewhat unexpected journey, I’ve got my own Gandalf – one of the authors of the DBIR report, Jay Jacobs, who has generously offered his services as a mentor.
I should note that I am very much a student of data analysis and visualization. While I’ve done a fair amount of work with tools such as Tableau and SQL Server, and some moderately intensive data loads and API interfaces with my organization’s scripting language of choice, PowerShell, there is a tremendous amount that I don’t know. Comments, suggestions, criticisms, etc. are all most welcome. You’ll have access to the code, schemas, and processes that I use. It’s my hope that this inspires others to pick up the torch and carry it further, allowing me to steal your work myself.
Stay tuned next time for a discussion of the incident response classification form we’ve developed, which creates JSON files following the VERIS schema.