Wade Baker from the Verizon RISK Team gave this presentation at the NESCO Town Hall on May 30-31 in New Orleans, LA. Wade discussed sharing incident information and threat agents, and gave a great explanation of what evidence-based risk management (EBRM) is and what it looks like in practice.
2. My favorite (professional) topics
• Security incidents (as in studying them – not experiencing them)
• Information sharing (specifically incident-related info)
• Data analysis (how else will we learn?)
• Risk management (but not the ‘yellow x red = orange’ kind)
3. Data Breach Investigations Report (DBIR) series
An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who's doing it, why they're doing it, and, of course, what might be done to prevent it.
5. Methodology: Data Collection and Analysis
• DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.
• Enables case data to be shared anonymously with the RISK Team for analysis
VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
VERIS: https://verisframework.wiki.zoho.com/
6. Sharing incident information
TACTICAL: What point solutions should I implement now? ✔*
STRATEGIC: How do I measure & manage risk over time? X
8. Sample characteristics
• 855 incidents of confirmed data compromise
• 174 million stolen data records
• All varieties of data included (CC#s, PII, IP, etc)
• Victims of all industries, sizes, geographic regions
• Cases worked by Verizon, investigated by law enforcement, or reported to (Irish) CERT
33. What is EBRM?
EBRM aims to apply the best available evidence gained from empirical research to measure and manage information risk.
34. Measuring and managing information risk
To properly manage risk, we must measure it.
To properly measure risk, we must understand our information assets, the threats that can harm them, the impact of such events, and the controls that offer protection.
35. A threat event that is measurable (and thus manageable) identifies the following 4 A's:
Agent: Whose actions affected the asset
Action: What actions affected the asset
Asset: Which assets were affected
Attribute: How the asset was affected
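As an added illustration of the methodology slide (structured, anonymously shared case data) and of the 4 A's above, here is a small Python example; it is not code from the presentation or from the VERIS project. It models one threat event as the four A's plus an assumed impact count, validates shared records against an assumed controlled vocabulary (illustrative labels, not the official VERIS enumerations), drops contributor-identifying fields before analysis, and then runs the kind of tallies an evidence-based study produces. Field names, vocabularies and the sample records are all constructed for this example.

```python
"""Added example (not from the original presentation): VERIS-flavoured
incident records built around the 4 A's, plus the tallies a shared-data
analysis would run over them. Vocabularies and field names are assumptions."""
from collections import Counter
from dataclasses import dataclass

# Assumed controlled vocabularies (illustrative, not the VERIS enumerations).
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"malware", "hacking", "social", "misuse", "physical", "error", "environmental"}
ASSETS = {"server", "user device", "network", "media", "person"}
ATTRIBUTES = {"confidentiality", "integrity", "availability"}
FOUR_AS = {"agent": AGENTS, "action": ACTIONS, "asset": ASSETS, "attribute": ATTRIBUTES}


@dataclass(frozen=True)
class ThreatEvent:
    """One measurable threat event: who (agent), what (action),
    which (asset) and how (attribute). records_lost is an assumed
    impact field so the tally has something to sum."""
    agent: str
    action: str
    asset: str
    attribute: str
    records_lost: int = 0


class InvalidEvent(ValueError):
    """Raised for a record that cannot be analysed alongside the others."""


def parse_event(record: dict) -> ThreatEvent:
    """Normalise and validate one shared record.

    Only the 4 A's and the impact count are kept, so a contributor's
    identifying fields (e.g. a 'victim' name) never reach the analyst.
    Missing or out-of-vocabulary values are rejected rather than guessed,
    because a tally over inconsistent labels is not repeatable."""
    fields = {}
    for key, vocab in FOUR_AS.items():
        if key not in record:
            raise InvalidEvent(f"missing {key}")
        value = str(record[key]).strip().lower()
        if value not in vocab:
            raise InvalidEvent(f"{key}={record[key]!r} not in vocabulary")
        fields[key] = value
    lost = record.get("records_lost", 0)
    if not isinstance(lost, int) or lost < 0:
        raise InvalidEvent("records_lost must be a non-negative integer")
    return ThreatEvent(records_lost=lost, **fields)


def load_events(records):
    """Parse a batch; returns (accepted events, rejection reasons)."""
    events, rejected = [], []
    for i, rec in enumerate(records):
        try:
            events.append(parse_event(rec))
        except InvalidEvent as exc:
            rejected.append(f"record {i}: {exc}")
    return events, rejected


def tally(events, field_name):
    """Count events by one of the 4 A's (e.g. 'agent')."""
    return Counter(getattr(e, field_name) for e in events)


def agent_action_pairs(events):
    """Which agent/action combinations dominate the sample."""
    return Counter((e.agent, e.action) for e in events)


def records_lost_by(events, field_name):
    """Sum the impact measure per category: the 'how much' behind each A."""
    totals = Counter()
    for e in events:
        totals[getattr(e, field_name)] += e.records_lost
    return totals


# Constructed sample: records shared by several contributors. Two are
# deliberately unusable (one lacks an attribute, one uses an unknown agent).
SAMPLE_RECORDS = [
    {"victim": "Contributor A", "agent": "external", "action": "hacking",
     "asset": "server", "attribute": "confidentiality", "records_lost": 120000},
    {"victim": "Contributor B", "agent": "External", "action": "malware",
     "asset": "server", "attribute": "confidentiality", "records_lost": 45000},
    {"victim": "Contributor C", "agent": "internal", "action": "misuse",
     "asset": "user device", "attribute": "confidentiality", "records_lost": 300},
    {"victim": "Contributor A", "agent": "external", "action": "hacking",
     "asset": "server", "attribute": "integrity"},
    {"victim": "Contributor D", "agent": "partner", "action": "error",
     "asset": "media", "attribute": "availability", "records_lost": 0},
    {"victim": "Contributor E", "agent": "external", "action": "social",
     "asset": "person"},
    {"victim": "Contributor F", "agent": "alien", "action": "hacking",
     "asset": "server", "attribute": "confidentiality"},
]

if __name__ == "__main__":
    evts, bad = load_events(SAMPLE_RECORDS)
    print(f"{len(evts)} usable events, {len(bad)} rejected: {bad}")
    print("by agent:", dict(tally(evts, "agent")))
    print("top agent/action:", agent_action_pairs(evts).most_common(1))
    print("records lost by attribute:", dict(records_lost_by(evts, "attribute")))
```

The design point is the one the slide makes: an event is only measurable once all four A's are present and drawn from a shared vocabulary, so the loader rejects incomplete records instead of silently coercing them, and it strips the contributor's identity before any counting happens, which is what makes anonymous sharing to a central analysis team workable.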
43. What are the benefits of EBRM?
• Metrics
– Builds outcome-based metrics around security processes and failures in order to get a better read on the security pulse of the organization.
• Remediation
– Strengthen security posture by identifying gaps, pinpointing the most critical remediation strategies, and focusing longer-term strategic planning.
• Efficiency
– Enable better and more justified decision-making, improve resource allocation, reduce unproductive security spending, and generally achieve "more bang for the buck."
• Communication
– Increase information flows across organizational and functional boundaries. Create and communicate ongoing performance measures to key stakeholders.