The VERIS framework Consistency in Reporting Data Breaches

Upload: cian

Post on 19-Jan-2016


Page 1: The VERIS framework Consistency in Reporting Data Breaches

The VERIS framework: Consistency in Reporting Data Breaches

Page 2

Some “Minor” Challenges

• IT is getting more complex, more value is moving online, threats are getting more sophisticated.

• We can’t put a value on what is stolen/lost

• We don’t even publicise what is stolen/lost, so there is no way of sizing the problem

• We have no consistent way of describing or reporting an incident, so there is no consistency as to what “good” or “bad” looks like

• There are no standards on reaction to incidents; evidential weight and provenance are unfamiliar concepts in most of the private sector

• There is no consistent liaison with Law Enforcement – so no chance of bringing the criminal fraternity in Cyber Crime to justice.

Page 3

Things to achieve if we are to Take Action Against CyberCrime

From Public Private Forum on bringing Cyber Criminals to Justice:

• Need for more awareness of the potential problems, and methods to combat the crimes

• Need for information sharing between all business sectors, public and private

• Need for continued education of business community; eCrime does not stand still, so this is a continuous process.

• Openness between organisations; we can all learn from each other.

• Need for international sharing of information & intelligence to deal with this expanding “cross border” crime wave.

• Creation of international standards for reporting.

Page 4

Carnegie Mellon - CERT

Page 5

Background: The DBIR series

Available at: http://verizonbusiness.com/databreach

Updates/Commentary: http://securityblog.verizonbusiness.com

An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.

Page 6

Some Illustrative Headlines

Page 7

Methodology: Data Collection and Analysis

VERIS: https://verisframework.wiki.zoho.com/

DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.

This enables case data to be shared anonymously with the RISK Team for analysis.

VERIS is a set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.

Page 8

How VERIS works

A security incident (or threat scenario) is modeled as a series of events. Every event is comprised of the following 4 A’s:

Agent: Whose actions affected the asset

Action: What actions affected the asset

Asset: Which assets were affected

Attribute: How the asset was affected

[Figure: Incident as a chain of events: 1 > 2 > 3 > 4 > 5]

The Incident Classification section employs Verizon’s A4 threat model

Page 9

How VERIS works

INCIDENT REPORT

“An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…”

VERIS takes this and…

Page 10

How VERIS works

…and translates it to this…
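
The translation step described on these slides, as an added example that is not part of the original presentation (the slide's own image is not reproduced in this transcript): the incident report above encoded by hand as a chain of five events, each carrying the 4 A's, then tallied the way many such records could be aggregated over time. The category labels, asset names and the `Event`, `chain` and `tally` names are assumptions made for this illustration, not the VERIS schema itself.

```python
from collections import Counter
from dataclasses import dataclass

# Illustrative category labels chosen for this example (assumption);
# consult the VERIS documentation for the framework's own enumerations.
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"social", "malware", "hacking", "misuse", "physical", "error"}
ATTRIBUTES = {"confidentiality", "integrity", "availability"}

@dataclass(frozen=True)
class Event:
    agent: str      # whose actions affected the asset
    action: str     # what actions affected the asset
    asset: str      # which asset was affected
    attribute: str  # how the asset was affected

    def __post_init__(self):
        # Reject free-text values so every report uses the same vocabulary.
        for value, allowed, name in ((self.agent, AGENTS, "agent"),
                                     (self.action, ACTIONS, "action"),
                                     (self.attribute, ATTRIBUTES, "attribute")):
            if value not in allowed:
                raise ValueError(f"unknown {name}: {value!r}")

# The slide's narrative, encoded by hand as an ordered chain of events
# (one reasonable reading of the report, constructed for this example).
INCIDENT = [
    Event("external", "social",  "executive (person)", "integrity"),
    Event("external", "malware", "executive laptop",   "integrity"),
    Event("external", "hacking", "executive laptop",   "confidentiality"),
    Event("internal", "error",   "file server",        "integrity"),
    Event("external", "hacking", "file server",        "confidentiality"),
]

def chain(events):
    """Render the incident as 'agent/action' steps joined in order."""
    return " > ".join(f"{e.agent}/{e.action}" for e in events)

def tally(incidents, field):
    """Count how many incidents involve each value of one of the 4 A's."""
    counts = Counter()
    for events in incidents:
        counts.update({getattr(e, field) for e in events})  # once per incident
    return dict(counts)

if __name__ == "__main__":
    print(chain(INCIDENT))
    print(tally([INCIDENT], "action"))
    print(tally([INCIDENT], "attribute"))
```
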

Page 11

How VERIS works

…and over time to this…

Page 12

Page 13

How VERIS works

…to help enable this.

Data-driven decisions

Page 14

How can you use VERIS?

1. Research the VERIS framework. There is a wiki available at https://verisframework.wiki.zoho.com/.

2. Use the framework internally to track and report incidents.

3. Use the framework cooperatively with other organizations to facilitate data sharing.

4. Use the VERIS community site to report and share incident data at https://www2.icsalabs.com/veris/.

The VERIS framework is open and free. You can use it independently of or in partnership with Verizon. We can also help you set up your own VERIS collection mechanism and/or train your staff in the framework itself.

In addition, we now offer a solution to facilitate secure, anonymous VERIS-based information sharing within a single organization or between multiple consenting organizations.

Page 15

Drop in Data Loss – Our Leading Hypotheses