The VERIS framework: Consistency in Reporting Data Breaches
Some “Minor” Challenges
• IT is getting more complex, more value is moving online, and threats are getting more sophisticated.
• We can’t put a value on what is stolen or lost.
• We don’t even publicise what is stolen or lost, so there is no way of sizing the problem.
• We have no consistent way of describing or reporting an incident, so there is no consistency as to what “good” or “bad” looks like.
• There are no standards on reaction to incidents; evidential weight and provenance are unfamiliar concepts in most of the private sector.
• There is no consistent liaison with Law Enforcement, so there is no chance of bringing the criminal fraternity in Cyber Crime to justice.
Things to achieve if we are to Take Action Against CyberCrime
From the Public Private Forum on bringing Cyber Criminals to Justice:
• Need for more awareness of the potential problems, and of methods to combat the crimes.
• Need for information sharing between all business sectors, public and private.
• Need for continued education of the business community; eCrime does not stand still, so this is a continuous process.
• Openness between organisations; we can all learn from each other.
• Need for international sharing of information and intelligence to deal with this expanding “cross border” crime wave.
• Creation of international standards for reporting.
Carnegie Mellon - CERT
Background: The DBIR series
Available at: http://verizonbusiness.com/databreach
Updates/Commentary: http://securityblog.verizonbusiness.com
An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.
Some Illustrative Headlines
Methodology: Data Collection and Analysis
VERIS: https://verisframework.wiki.zoho.com/
DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.
Enables case data to be shared anonymously with the RISK Team for analysis.
VERIS is a set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
How VERIS works
VERIS: https://verisframework.wiki.zoho.com/
A security incident (or threat scenario) is modeled as a series of events. Every event consists of the following 4 A’s:
Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected
[Figure: incident as a chain of events, 1 > 2 > 3 > 4 > 5]
The Incident Classification section employs Verizon’s A4 threat model
How VERIS works
INCIDENT REPORT
“An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…”
VERIS takes this and…
How VERIS works
…and translates it to this…
How VERIS works
…and over time to this…
How VERIS works
…to help enable this.
Data-driven decisions
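As an added example (not part of the original slides and not the VERIS framework’s own tooling), the phishing report above is written out as the chain of events the 4 A’s model describes, one record per event with agent, action, asset and attribute all filled in, and then aggregated with a second constructed incident to show the kind of cross-incident counts a data-driven decision rests on. The category labels (“external”, “hacking”, “confidentiality”, and so on) and the second incident are constructed for illustration and are not the VERIS enumeration values.

```python
"""Model an incident as a chain of four-A events and aggregate across incidents.

Added example. The four A's follow the slide; the category labels used below
are illustrative placeholders, not the VERIS enumeration values.
"""
from collections import Counter
from dataclasses import dataclass, asdict
from typing import Iterable

FOUR_AS = ("agent", "action", "asset", "attribute")


@dataclass(frozen=True)
class Event:
    agent: str      # Agent: whose actions affected the asset
    action: str     # Action: what actions affected the asset
    asset: str      # Asset: which asset was affected
    attribute: str  # Attribute: how the asset was affected


def validate(event: Event) -> None:
    """Reject an event unless all four A's are filled in; that is what makes
    reports comparable between reporters and organisations."""
    for field in FOUR_AS:
        if not getattr(event, field).strip():
            raise ValueError(f"event is missing its {field}")


# The phishing narrative from the slide, split into an ordered chain of events.
# Labels are constructed for illustration.
PHISHING_INCIDENT = [
    Event("external", "social engineering (phishing email)", "person: executive", "integrity"),
    Event("external", "malware (backdoor installed)", "laptop: executive", "integrity"),
    Event("external", "hacking (access via backdoor)", "laptop: executive", "confidentiality"),
    Event("internal", "error (server not secured at build)", "file server", "integrity"),
    Event("external", "hacking (access to mapped server)", "file server", "confidentiality"),
]

# A second, constructed incident so the aggregate covers more than one case.
LOST_MEDIA_INCIDENT = [
    Event("internal", "error (unencrypted backup tape lost)", "backup media", "confidentiality"),
]


def to_chain(incident: Iterable[Event]) -> list[dict]:
    """Number the events 1..n, as in the slide's 'incident as a chain of events'."""
    chain = []
    for n, event in enumerate(incident, start=1):
        validate(event)
        record = {"step": n}
        record.update(asdict(event))
        chain.append(record)
    return chain


def summarize(incidents: Iterable[list[Event]]) -> dict[str, Counter]:
    """Count how often each agent / action / asset / attribute appears across
    every event of every incident: the 'over time' view behind data-driven decisions."""
    totals = {field: Counter() for field in FOUR_AS}
    for incident in incidents:
        for event in incident:
            validate(event)
            for field in FOUR_AS:
                totals[field][getattr(event, field)] += 1
    return totals


def agent_attribute_pairs(incidents: Iterable[list[Event]]) -> Counter:
    """Which kind of agent most often affected which attribute."""
    pairs = Counter()
    for incident in incidents:
        for event in incident:
            pairs[(event.agent, event.attribute)] += 1
    return pairs


if __name__ == "__main__":
    for row in to_chain(PHISHING_INCIDENT):
        print(row)
    cases = [PHISHING_INCIDENT, LOST_MEDIA_INCIDENT]
    print("agents:", summarize(cases)["agent"].most_common())
    print("agent/attribute:", agent_attribute_pairs(cases).most_common(3))
```

Because every event must carry all four A’s before it is counted, two organisations filling in the same structure produce records that can be pooled, which is the consistency the earlier slides say is missing today.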
How can you use VERIS?
1. Research the VERIS framework. There is a wiki available at https://verisframework.wiki.zoho.com/.
2. Use the framework internally to track and report incidents.
3. Use the framework cooperatively with other organizations to facilitate data sharing.
4. Use the VERIS community site to report and share incident data at https://www2.icsalabs.com/veris/.
The VERIS framework is open and free. You can use it independently of or in partnership with Verizon. We can also help you set up your own VERIS collection mechanism and/or train your staff in the framework itself.
In addition, we now offer a solution to facilitate secure, anonymous VERIS-based information sharing within a single organization or between multiple consenting organizations.
Drop in Data Loss – Our Leading Hypotheses