Getting Started with VERIS

Kevin Thompson
Twitter: @bfist
Risk and Intelligence Researcher,
Verizon RISK Team
#ermascerity
VERIS - A Framework for Gathering Risk Management Information from Security Incidents

Vocabulary for Event Recording and Incident Sharing
Risk Management: Operating Model

(Slide diagram: Framework, Models and Data are combined; the result is labelled Evidence-Based Risk Management.)
Data = UNCERTAINTY

"The difference between the amount of information required to perform the task and the amount of information already possessed by the organization."
Galbraith, J. Organization Design, Addison-Wesley, Reading, MA, 1977.
Framework = EQUIVOCALITY

VERIS: Framework

VERIS: Framework + Data
The DBIR is an ongoing study that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who's doing it, why they're doing it, and what might be done to prevent it.

2013 DBIR:
- 19 global contributors
- 47,000+ security incidents
- 621 confirmed data breaches
Methodology: Data Collection and Analysis

• DBIR participants use the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to collect and share data.
• Enables case data to be shared anonymously with the RISK Team for analysis.

VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.

(i.e. you can do this too)

VERIS: https://veriscommunity.net/
Actor
• External
  – State
  – Crime
  – Activist
• Internal
• Partner

Action
• Hacking
  – SQLi
  – XSS
  – Brute
• Malware
• Misuse
• Social
How VERIS works

INCIDENT REPORT
"An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec's laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…"

VERIS takes this and… …and translates it to this…

• Understand the Framework
• Build your contacts
• Build your collector
• Practice, Practice, Practice
• Refine your process
• Make it your own
Basic Sections
• Incident Tracking
• Victim Demographics
• Events
• Detection & Response
• Impact
Demographics
• Company industry
• Company size
• Geographic location
• of business unit in incident
• Size of security department
Incident Classification
A4 event model

• Agent – What acts against us
  – external, internal, partner
• Action – What the agent does to the asset
  – error, malware, hacking, misuse, environmental, social, physical
• Asset – What the agent acts against
  – type, function
• Attribute – The result of the agent's action against the asset
  – confidentiality, possession, integrity, authenticity, availability, utility
Incident Classification
A4 event model

The series of events (a4) creates an "attack model": 1 > 2 > 3 > 4 > 5

A security INCIDENT is a series of EVENTS that adversely affect the information assets of an organization. Every event is comprised of the following ELEMENTS:

Agent
  Source: External
  Type: Organized criminal group
Action
  Category: Hacking
  Type: SQL injection
  Path: Web application
Asset
  Type: Database
  Platform: Acme Server 2008
Attribute
  Type: Confidentiality
  Data: Payment card data
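The phishing incident report from the "How VERIS works" slide, recorded as the five-event A4 chain the slide describes and serialised to JSON for sharing; this is an added example, not code from the talk or from the VERIS project. The agent, action and attribute vocabularies are the ones printed on the A4 slide; the asset text and the attribute chosen for each event are this example's own reading of the narrative (an assumption), and the incident id is a constructed placeholder.

```python
import json
from dataclasses import dataclass, asdict

# A4 element enumerations copied from the slide; anything else is rejected so
# that every collected event uses the shared vocabulary.
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"error", "malware", "hacking", "misuse", "environmental",
           "social", "physical"}
ATTRIBUTES = {"confidentiality", "possession", "integrity", "authenticity",
              "availability", "utility"}


@dataclass(frozen=True)
class A4Event:
    """One event: who (agent) did what (action) to which asset with what result."""
    agent: str
    action: str
    asset: str       # asset type is free text on the slide, so it is not enumerated here
    attribute: str
    note: str = ""   # pointer back to the narrative, for the analyst reviewing the record

    def __post_init__(self):
        for field, value, allowed in (("agent", self.agent, AGENTS),
                                      ("action", self.action, ACTIONS),
                                      ("attribute", self.attribute, ATTRIBUTES)):
            if value not in allowed:
                raise ValueError(f"{field} {value!r} is not in the VERIS enumeration")


def phishing_incident():
    """The five-event chain for the incident report on the slide.
    Asset text and attribute per event are this example's reading of the
    narrative (assumption), not values printed on the slide."""
    return [
        A4Event("external", "social", "person: executive", "integrity",
                "phishing email lures the executive to open an attachment"),
        A4Event("external", "malware", "user device: exec laptop", "integrity",
                "attachment installs malware that creates a backdoor"),
        A4Event("external", "hacking", "user device: exec laptop", "confidentiality",
                "attacker uses the backdoor to view email and sensitive data"),
        A4Event("internal", "error", "server: mapped file server", "integrity",
                "admin failed to secure the server during build/deployment"),
        A4Event("external", "hacking", "server: mapped file server", "confidentiality",
                "attacker accesses the server; intellectual property stolen"),
    ]


def attack_model(events):
    """Collapse the chain into the '1 > 2 > 3 > 4 > 5' attack model from the slide."""
    return " > ".join(f"{e.agent}/{e.action}/{e.attribute}" for e in events)


def action_counts(events):
    """Per-action tally: the kind of aggregate the DBIR builds from many records."""
    counts = {}
    for e in events:
        counts[e.action] = counts.get(e.action, 0) + 1
    return counts


def to_json(incident_id, events):
    """Serialise for sharing (JSON is one of the two formats the deck names)."""
    return json.dumps({"incident_id": incident_id,
                       "events": [asdict(e) for e in events]}, indent=2)


def from_json(text):
    """Parse a shared record; A4Event's validation rejects off-vocabulary values."""
    doc = json.loads(text)
    return doc["incident_id"], [A4Event(**e) for e in doc["events"]]


if __name__ == "__main__":
    chain = phishing_incident()
    print(attack_model(chain))
    print(action_counts(chain))
    print(to_json("example-0001", chain))  # constructed placeholder id
```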
Discovery & Mitigation
• Incident timeline
• Discovery method
• Evidence sources
• Control capability
• Corrective action
  – Most straightforward manner in which the incident could be prevented
  – The cost of preventative controls
Impact Classification
• Impact categorization
  – Sources of Impact (direct, indirect)
  – Similar to ISO 27005/FAIR
• Impact estimation
  – Distribution for amount of impact
• Impact qualification
  – Relative impact rating
Build your understanding
• Go to http://veriscommunity.net for full details of the framework.

Building Contacts
• While you're at http://veriscommunity.net, join the VERIS mailing list.
• You can ask questions about the framework and specific questions about how to categorize something.
Build your collector
• People, this is just a survey!
  – Use any of the millions of online survey websites to make your collector.
  – Build this thing in SharePoint and add a workflow to it.

Excel Spreadsheet

(Screenshot fragment of the collector's cost formula:)
laptop_incident_cost(params['data_count'], params['data_variety'])[0]

Pro Tip – Minimize Data Entry
You want source code?
• Tweet "Oui Kevin! @bfist #BSidesQuebec"

Don't be afraid to customize!
Sharing is Caring
• Share your data, it makes us all better off.
  – XML
  – JSON
• Form partnerships with other organizations and compare incidents.

Kevin Thompson
kevin.thompson@verizon.com
twitter: @bfist

 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 

Getting Started with the VERIS Framework

  • 1. Getting Started with VERIS. Kevin Thompson, Twitter: @bfist, Risk and Intelligence Researcher, Verizon RISK Team
  • 14. VERIS - A Framework for Gathering Risk Management Information from Security Incidents. Vocabulary for Event Recording and Incident Sharing
  • 15. Risk Management: Operating Model. Framework ∑ = ∫√ Models ∩ Data
  • 17. Risk Management: Operating Model. Framework ∑ = ∫√ Models ∩ Data
  • 18. Data = UNCERTAINTY. “The difference between the amount of information required to perform the task and the amount of information already possessed by the organization.” Galbraith, J. Organization Design, Addison-Wesley, Reading, MA, 1977.
  • 24. The DBIR is an ongoing study that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and what might be done to prevent it. - 2013 DBIR: 19 global contributors, 47,000+ security incidents, 621 confirmed data breaches
  • 25. Methodology: Data Collection and Analysis
      • DBIR participants use the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to collect and share data.
      • Enables case data to be shared anonymously with the RISK Team for analysis.
      VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner (i.e. you can do this too). VERIS: https://veriscommunity.net/
  • 28. How VERIS works. INCIDENT REPORT: “An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…” VERIS takes this and…
  • 29. How VERIS works. …and translates it to this…
  • 41. Understand the Framework. Build your contacts. Build your collector. Practice, Practice, Practice. Refine your process. Make it your own.
  • 42. Basic Sections
      • Incident Tracking
      • Victim Demographics
      • Events
      • Detection & Response
      • Impact
  • 43. Demographics
      • Company industry
      • Company size
      • Geographic location
      • of business unit in incident
      • Size of security department
  • 44. Incident Classification: A4 event model
      • Agent – What acts against us (external, internal, partner)
      • Action – What the agent does to the asset (malware, hacking, social, misuse, error, physical, environmental)
      • Asset – What the agent acts against (type, function)
      • Attribute – The result of the agent’s action against the asset (confidentiality, possession, integrity, authenticity, availability, utility)
  • 45. Incident Classification: A4 event model. The series of events (A4) creates an “attack model”: 1 > 2 > 3 > 4 > 5
  • 46. A security INCIDENT is a series of EVENTS that adversely affect the information assets of an organization. Every event is comprised of the following ELEMENTS (1 > 2 > 3 > 4 > 5):
      – Agent – Source: External; Type: Organized criminal group
      – Action – Category: Hacking; Type: SQL injection; Path: Web application
      – Asset – Type: Database; Platform: Acme Server 2008
      – Attribute – Type: Confidentiality; Data: Payment card data
  • 49. Discovery & Mitigation
      • Incident timeline
      • Discovery method
      • Evidence sources
      • Control capability
      • Corrective action
        – Most straightforward manner in which the incident could be prevented
        – The cost of preventative controls
  • 50. Impact Classification
      • Impact categorization
        – Sources of impact (direct, indirect)
        – Similar to ISO 27005/FAIR
      • Impact estimation
        – Distribution for amount of impact
      • Impact qualification
        – Relative impact rating
  • 51. Build your understanding
      • Go to http://veriscommunity.net for full details of the framework.
  • 58. Building Contacts
      • While you’re at http://veriscommunity.net, join the VERIS mailing list.
      • You can ask questions about the framework and specific questions about how to categorize something.
  • 59. Build your collector
      • People, this is just a survey!
        – Use any of the millions of online survey websites to make your collector.
        – Build this thing in SharePoint and add a workflow to it.
  • 61. Pro Tip – Minimize Data Entry
  • 62. You want source code?
      • Tweet “Oui Kevin! @bfist #BSidesQuebec”
  • 64. Sharing is Caring
      • Share your data, it makes us all better off.
        – XML
        – JSON
      • Form partnerships with other organizations and compare incidents.

Editor's Notes

  1. Let’s start with a story. In August of 2012 Toyota fired a programmer that worked on their part sourcing software but failed to revoke his access immediately. A few hours after the programmer was fired, he logged into Toyota systems and planted logic bombs that caused some functions of the application to fail. He also downloaded trade secrets, presumably to take to the next company he went to work for. Toyota IT security said it would take days to figure out the extent of the damage from this programmer’s actions. Let’s tell another story. 2 months ago on the Verizon Security blog we put up a story about a man that outsourced his own job. How many people heard about that? A company decided to start proactively reviewing its log files and found weird VPN connections coming in from China using an employee’s credentials. The company used 2FA on VPN and the employee was in his cubicle. It turns out that this guy had hired a Chinese company to do his programming work for him, and he mailed his RSA token to them so they could log in. He just showed up and collected a check. Let’s talk about security incidents.
  2. All of us have security incidents
  3. And (almost) all of us are aware of that.
  4. Large majority of us are trying to reduce the frequency and severity of security incidents by applying controls
  5. But the majority of the majority is using ad-hoc processes and select controls based on gut instinct or blindly following checklists.
  6. In fact, most organizations don’t document their security incidents either because they don’t know about them or because they lack the process maturity to do so.
  7. Among organizations that do record security incidents, many times it is in the form of free form text. Most are not using a defined schema to capture consistent data.
  8. 85.3% of statistics are made up on the spot.
  9. 100% of the statistics I just shared are made up but …
  10. Overall very few organizations are recording security incidents using a standard schema that is open to the public and suitable for performing data analysis and sharing anonymized incident information with other organizations.
  11. That’s what we’re here to talk about. VERIS is an open framework which you can use to record information security incidents in a format suitable for data analysis and sharing.
  12. In order to place controls, we need to make decisions. This is a representation of what we need to make security decisions. We need to have some model of how the world works, we need to have data, and we need to have a framework to support that data. Our model builds the framework, our framework fills the data, and the data helps us to re-evaluate our models.
  13. The goal is to move ever closer to evidence-based risk management. Right now our models are based on gut instinct and so our controls are based on gut instinct. There’s nothing wrong with that to start with, but …
  14. Few of us are gathering the data to re-evaluate our model. The loop never gets closed up. The most common excuse that I hear for why we can’t move towards EBRM is that we don’t have the data to do so, and yet few of us are gathering data.
  15. No data means that we’re uncertain. We don’t know how often bad things happen to us. We don’t know how bad those things hurt us. We don’t know if those bad things have anything in common.
  16. But in addition to not having data, we also don’t have a framework to describe things. A framework that allows us to put information into buckets so that we can count it properly. A vocabulary that ensures that when I talk about an incident you understand what I mean.
  17. VERIS is our attempt to solve the framework piece of the puzzle.
  18. We use VERIS to collect data about security incidents that we investigate and we use that to produce the Verizon Data Breach Investigations Report
  19. Our analysis of a sample of information security incidents that resulted in a loss of control of non-public data, significant enough to ask for outside professional assistance. This is a sample of facts: we investigate these incidents.
  20. For those who may not know what the DBIR is… Emphasize the large number of partners this year (was 5 last year), and that they span public-private and international boundaries. We do this to widen the perspective of the report, reduce bias, and make the dataset as representative as we can of “what’s really going on out there.” If you’re talking to an org that might make a good partner, offer them the opportunity. We can follow up with more info.
  21. Talk about the four A’s here
  22. Even our so-called “highly adaptive adversaries” exhibit very clear patterns in their motives and methods. This is extremely important to grasp and leverage for securing our organizations.
  23. Wrapping some analysis and wording around those frequency-based patterns yields this. In many ways, Table 1 summarizes the 2013 DBIR. The rest of the report puts a lot more #s and %s around these points, but the basic actor-focused approach exhibited here is the way we decided to organize our findings this year. And that makes sense. In analyzing the complex dataset we received for this report, we noticed a very strong correlation among the motives, methods, etc of different groups of threat actors.
  24. This gives a more detailed view of the most common threat actions. It’s quite interesting that physical tampering (mostly ATM skimming) is the most common. Highlight that some actions are mostly used in financial crimes, others in espionage, some fairly equal in both. Some differences in large v small orgs.
  25. This pulls out just “hacking” actions – those used to gain unauthorized network/system access. Main point is to show the large percentage of attacks that tie back to weak or stolen credentials. 4 of 5 intrusions trace back to this.
  26. This is very similar to previous years.
  27. Similar to previous years, except that “unrelated party” is at the top. Suggest reading the report to understand what that’s about.
  28. You can do this too, and you might be able to do it better than we can. Gasp! Let’s do that as an exercise. Customization. Sampling bias. Near misses.
  29. Customization. You can answer your own questions that Verizon is not going to answer for you
  30. Sampling Bias
  31. Near misses
  32. This is an area that we do not have a lot of insight into right now. You probably have better data about this than we do.
  33. Remember these three guys? Let’s VERISize this case. Is the actor Internal, External or Partner? What is the motivation of the actor? [espionage, fear, financial, fun, grudge, ideology] What is the role of the actor in this incident? [malicious, inappropriate, indirect, unintentional]
  34. What actions were present in this incident? [Malware, Hacking, Social, Misuse, Error, Physical, Environmental]
  35. One common objection we hear about sharing incident data is that it is not real-time or tactical for defense. You won’t be able to use the information in VERIS to update your firewall black list. Some people feel then that the information in VERIS is less valuable. Tactical intel (what you can change right now) is surely part of the solution – BUT – it would be foolish to ignore or downplay the fact that we’re still having the same problems from 5, 10, 20 years ago and don’t seem to be learning our lesson. The DBIR tells us year after year “brute force attacks, social engineering, and malware.” Most orgs can’t answer “what are the top attacks against your organization in the last year” with any quantitative rigor. They fall back to anecdote and media regurgitation.
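To make the "VERISize this case" exercise of notes 33 and 34 concrete, here is an added Python example (mine, not from the deck or from the VERIS project) that records the slide-28 phishing story as the chain of A4 events slides 45 and 46 describe, using the agent, action and attribute vocabularies listed on slide 44. The asset labels, the attribute I assign to each step, and the JSON key names are my own assumptions, not the official VERIS schema.

```python
"""VERISize the slide-28 phishing story as a chain of A4 events."""
import json
from collections import Counter
from dataclasses import dataclass, asdict

# Vocabularies exactly as the slides list them (agent, action, attribute).
AGENTS = {"External", "Internal", "Partner"}
ACTIONS = {"Malware", "Hacking", "Social", "Misuse", "Error", "Physical", "Environmental"}
ATTRIBUTES = {"Confidentiality", "Possession", "Integrity", "Authenticity", "Availability", "Utility"}


@dataclass(frozen=True)
class Event:
    """One A4 event: who acted, what they did, against what, with what result."""
    agent: str
    action: str
    asset: str
    attribute: str
    detail: str = ""  # free text for type/path/data, like slide 46's sub-fields


def validate_event(ev: Event) -> None:
    """Reject values outside the slide vocabularies so counts stay comparable across incidents."""
    for name, value, vocab in (("agent", ev.agent, AGENTS),
                               ("action", ev.action, ACTIONS),
                               ("attribute", ev.attribute, ATTRIBUTES)):
        if value not in vocab:
            raise ValueError(f"{name}={value!r} not in {sorted(vocab)}")


# Slide 28's narrative as the "1 > 2 > 3 > 4 > 5" attack model (my reading of the slide, constructed here).
PHISHING_INCIDENT = [
    Event("External", "Social", "Person: executive", "Integrity", "phishing email with attachment"),
    Event("External", "Malware", "User device: exec laptop", "Integrity", "backdoor installed"),
    Event("External", "Hacking", "User device: exec laptop", "Confidentiality", "email viewed via backdoor"),
    Event("Internal", "Error", "Server: mapped file server", "Integrity", "left unsecured at build time"),
    Event("External", "Hacking", "Server: mapped file server", "Confidentiality", "intellectual property taken"),
]


def attack_model(incident: list[Event]) -> str:
    """Validate every event, then return the ordered action chain the slides call the attack model."""
    for ev in incident:
        validate_event(ev)
    return " > ".join(ev.action for ev in incident)


def action_counts(incident: list[Event]) -> Counter:
    """How often each action category appears: the unit a DBIR-style analysis counts."""
    return Counter(ev.action for ev in incident)


def to_json(incident: list[Event]) -> str:
    """JSON for sharing (slide 64); key names are this example's own, not the official schema's."""
    return json.dumps({"events": [asdict(ev) for ev in incident]}, indent=2)
```

Feeding many such incidents through `action_counts` is the point of note 35: it answers "what are the top attacks against your organization in the last year" from recorded events rather than anecdote.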