how to verisize v2 - bsidesquebec2013
Post on 27-Jan-2015
Getting Started with VERIS
Kevin Thompson
Twitter: @bfist
Risk and Intelligence Researcher, Verizon RISK Team
#ermascerity
VERIS - A Framework for Gathering Risk Management Information from
Security Incidents
Vocabulary for Event Recording and Incident Sharing
Risk Management: Operating Model
[Diagram: Framework, Models and Data combined = Evidence-Based Risk Management]
Risk Management: Operating Model
UNCERTAINTY=Data
“The difference between the amount of information required to perform the task and the amount of information already possessed by the organization.”
Galbraith, J. Organization Design, Addison-Wesley, Reading, MA, 1977.
EQUIVOCALITY=Framework
VERIS Framework
Data
The DBIR is an ongoing study that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and what might be done to prevent it.
2013 DBIR
• 19 global contributors
• 47,000+ security incidents
• 621 confirmed data breaches
Methodology: Data Collection and Analysis
• DBIR participants use the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to collect and share data.
• Enables case data to be shared anonymously to RISK Team for analysis
VERIS is an (open and free) set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
VERIS: https://veriscommunity.net/
(i.e. you can do this too)
[Diagram: excerpt of the VERIS enumerations]
• Actor: External, Internal, Partner
– External: State, Crime, Activist
• Action: Hacking, Malware, Social, Misuse
– Hacking: SQLi, XSS, Brute
How VERIS works
INCIDENT REPORT
“An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…”
VERIS takes this and…
How VERIS works
…and translates it to this…
Understand the Framework
Build your contacts
Build your collector
Practice, Practice, Practice
Refine your process
Make it your own
Basic Sections
• Incident Tracking
• Victim Demographics
• Events
• Detection & Response
• Impact
Demographics
• Company industry
• Company size
• Geographic location
– of business unit in incident
• Size of security department
Incident Classification A4 event model
• Agent – What acts against us
• Action – What the agent does to the asset
• Asset – What the agent acts against
• Attribute – The result of the agent’s action against the asset
[Diagram: the four A4 elements and their values]
• agent: external, partner, internal
• action: hacking, malware, social, physical, misuse, error, environmental
• asset: type, function
• attribute: confidentiality, availability, integrity, possession, utility, authenticity
The series of events (A4) creates an “attack model”
[Diagram: events 1 > 2 > 3 > 4 > 5]
Incident Classification A4 event model
• Agent – Source: External; Type: Organized criminal group
• Action – Category: Hacking; Type: SQL injection; Path: Web application
• Asset – Type: Database; Platform: Acme Server 2008
• Attribute – Type: Confidentiality; Data: Payment card data
A security INCIDENT is a series of EVENTS that adversely affect the information assets of an organization. Every event is comprised of the following ELEMENTS:
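Encoding the phishing narrative from the “How VERIS works” slide as a chain of A4 events, as an added example that is not the deck’s own code and does not reproduce the official VERIS JSON schema: the step-by-step mapping, the asset type names and the `note` field are the editor’s assumptions.

```python
import json

# A4 vocabulary exactly as enumerated on the slides; asset is free-form (type/function).
A4_VOCAB = {
    "agent": {"external", "internal", "partner"},
    "action": {"hacking", "malware", "social", "physical",
               "misuse", "error", "environmental"},
    "attribute": {"confidentiality", "availability", "integrity",
                  "possession", "utility", "authenticity"},
}

def make_event(agent, action, asset_type, attribute, note=""):
    """Build one A4 event; values outside the slide vocabulary are rejected."""
    event = {"agent": agent, "action": action, "asset": {"type": asset_type},
             "attribute": attribute, "note": note}
    for element in ("agent", "action", "attribute"):
        if event[element] not in A4_VOCAB[element]:
            raise ValueError(f"unknown {element} value: {event[element]!r}")
    return event

def phishing_incident():
    """The phishing narrative from the slides as an ordered A4 event chain.
    The mapping is the editor's reading of the narrative (an assumption), not the slide's own translation."""
    return [
        make_event("external", "social", "person", "integrity",
                   "phishing email lures an executive into opening an attachment"),
        make_event("external", "malware", "user device", "integrity",
                   "attachment installs a backdoor on the executive's laptop"),
        make_event("external", "hacking", "user device", "confidentiality",
                   "attacker enters via the backdoor and views email and sensitive data"),
        make_event("internal", "error", "server", "integrity",
                   "admin failed to secure the mapped file server during build/deployment"),
        make_event("external", "hacking", "server", "confidentiality",
                   "attacker accesses the file server; intellectual property is stolen"),
    ]

def attack_model(events):
    """One agent/action/asset/attribute step per event, chained as on the slide."""
    return " > ".join(f"{e['agent']}/{e['action']}/{e['asset']['type']}/{e['attribute']}"
                      for e in events)

def to_json(events):
    """Serialize the chain for sharing (the deck mentions JSON/XML exchange)."""
    return json.dumps({"events": events}, indent=2)

if __name__ == "__main__":
    chain = phishing_incident()
    print(attack_model(chain))
    print(to_json(chain))
```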
Discovery & Mitigation
• Incident timeline
• Discovery method
• Evidence sources
• Control capability
• Corrective action
– Most straightforward manner in which the incident could be prevented
– The cost of preventative controls
Impact Classification
• Impact categorization
– Sources of Impact (direct, indirect)
– Similar to ISO 27005/FAIR
• Impact estimation
– Distribution for amount of impact
• Impact qualification
– Relative impact rating
Build your understanding
• Go to http://veriscommunity.net for full details of the framework.
Building Contacts
• While you’re at http://veriscommunity.net join the VERIS mailing list.
• You can ask questions about the framework and specific questions about how to categorize something.
Build your collector
• People, this is just a survey!
– Use any of the millions of online survey websites to make your collector.
– Build this thing in Sharepoint and add a workflow to it.
Excel Spreadsheet
laptop_incident_cost(params['data_count'], params['data_variety'])[0]
Pro Tip – Minimize Data Entry
You want source code?
• Tweet
“Oui Kevin! @bfist #BSidesQuebec”
Don’t be afraid to customize!
Sharing is Caring
• Share your data, it makes us all better off.
– XML
– JSON
• Form partnerships with other organizations and compare incidents.
Kevin Thompson
kevin.thompson@verizon.com
twitter: @bfist