Getting Started with VERIS

Kevin Thompson
Twitter: @bfist
Risk and Intelligence Researcher,
Verizon RISK Team
#ermascerity
VERIS - A Framework for Gathering Risk Management Information from Security Incidents
Vocabulary for Event Recording and Incident Sharing
Risk Management: Operating Model
(diagram: Framework, Models, Data)
Evidence-Based Risk Management
Data = UNCERTAINTY
“The difference between the amount of information required to perform the task and the amount of information already possessed by the organization.”
Galbraith, J. Organization Design, Addison-Wesley, Reading, MA, 1977.
Framework = EQUIVOCALITY
(diagram: VERIS, Framework, Data)
The DBIR is an ongoing study that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and what might be done to prevent it.
- 2013 DBIR
19 global contributors
47,000+ security incidents
621 confirmed data breaches
Methodology: Data Collection and Analysis
• DBIR participants use the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to collect and share data.
• Enables case data to be shared anonymously with the RISK Team for analysis.

VERIS is an open and free set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.

(i.e. you can do this too)
VERIS: https://veriscommunity.net/
Actor
• External
  – State
  – Crime
  – Activist
• Internal
• Partner
Action
• Hacking
  – SQLi
  – XSS
  – Brute
• Malware
• Misuse
• Social
How VERIS works
INCIDENT REPORT
“An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…”

VERIS takes this and…

How VERIS works
…and translates it to this… (diagram)
Understand the Framework
Build your contacts
Build your collector
Practice, Practice, Practice
Refine your process
Make it your own
Basic Sections
• Incident Tracking
• Victim Demographics
• Events
• Detection & Response
• Impact
Demographics
• Company industry
• Company size
• Geographic location
• of business unit in incident
• Size of security department
Incident Classification
A4 event model
• Agent – What acts against us (external, internal, partner)
• Action – What the agent does to the asset (error, malware, hacking, misuse, environmental, social, physical)
• Asset – What the agent acts against (type, function)
• Attribute – The result of the agent’s action against the asset (confidentiality, possession, integrity, authenticity, availability, utility)
Incident Classification
A4 event model
The series of events (A4) creates an “attack model”: 1 > 2 > 3 > 4 > 5
A security INCIDENT is a series of EVENTS that adversely affect the information assets of an organization. Every event is comprised of the following ELEMENTS:
Agent
  Source: External
  Type: Organized criminal group
Action
  Category: Hacking
  Type: SQL injection
  Path: Web application
Asset
  Type: Database
  Platform: Acme Server 2008
Attribute
  Type: Confidentiality
  Data: Payment card data

1 > 2 > 3 > 4 > 5
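As an added example (not from the slides or the VERIS project), this encodes the phishing narrative from the “How VERIS works” slide as the five-step A4 chain described above and checks that every event carries all four elements. The enumerations are a small constructed subset of the VERIS vocabulary, and the mapping of each narrative sentence to an event is the editor's reading, not an official VERIS-published classification.

```python
"""Encode the slide's phishing narrative as A4 events (agent, action, asset,
attribute), validate them against a vocabulary, and render the attack model.
Constructed example; the full schema lives at https://veriscommunity.net/."""
import json
from dataclasses import dataclass, asdict

# Constructed subset of the A4 enumerations.  Assumption: the real VERIS
# schema has many more values and nests them (e.g. hacking -> SQLi, XSS).
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"error", "malware", "hacking", "misuse", "environmental",
           "social", "physical"}
ASSETS = {"person", "user device", "server", "network", "media"}
ATTRIBUTES = {"confidentiality", "possession", "integrity",
              "authenticity", "availability", "utility"}


@dataclass(frozen=True)
class Event:
    """One A4 event: who (agent) did what (action) to what (asset) with
    what result (attribute)."""
    agent: str
    action: str
    asset: str
    attribute: str
    detail: str = ""


# The slide's narrative split into five events.  Assumption: this encoding
# is the editor's reading of the text, not an official VERIS mapping.
PHISHING_INCIDENT = [
    Event("external", "social", "person", "integrity",
          "phishing email lures an executive to open an attachment"),
    Event("external", "malware", "user device", "integrity",
          "attachment installs a backdoor on the executive's laptop"),
    Event("external", "hacking", "user device", "confidentiality",
          "attacker uses the backdoor to view email and sensitive data"),
    Event("internal", "error", "server", "integrity",
          "admin failed to secure a mapped file server during deployment"),
    Event("external", "hacking", "server", "confidentiality",
          "attacker accesses the file server and steals intellectual property"),
]


def validate(events):
    """Return (event_number, problem) for every A4 element that is outside
    the vocabulary.  An empty list means the chain is fully classified."""
    problems = []
    for n, ev in enumerate(events, start=1):
        checks = (("agent", ev.agent, AGENTS), ("action", ev.action, ACTIONS),
                  ("asset", ev.asset, ASSETS),
                  ("attribute", ev.attribute, ATTRIBUTES))
        for name, value, vocab in checks:
            if value not in vocab:
                problems.append((n, f"{name} {value!r} not in vocabulary"))
    return problems


def attack_model(events):
    """The '1 > 2 > 3 > 4 > 5' chain from the slides, rendered with the
    action category of each step."""
    return " > ".join(ev.action for ev in events)


def summarize(events):
    """Counts per agent, action and attribute: the raw material for the
    DBIR-style questions 'who is doing it' and 'how'."""
    summary = {"agents": {}, "actions": {}, "attributes": {}}
    for ev in events:
        for key, value in (("agents", ev.agent), ("actions", ev.action),
                           ("attributes", ev.attribute)):
            summary[key][value] = summary[key].get(value, 0) + 1
    return summary


def to_json(events):
    """Serialise the chain to JSON (one of the sharing formats the slides
    name), numbering events so the ordering survives the round trip."""
    return json.dumps([{"event": n, **asdict(ev)}
                       for n, ev in enumerate(events, start=1)], indent=2)


if __name__ == "__main__":
    print(attack_model(PHISHING_INCIDENT))
    print(validate(PHISHING_INCIDENT) or "all events fully classified")
    print(to_json(PHISHING_INCIDENT))
```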
Discovery & Mitigation
• Incident timeline
• Discovery method
• Evidence sources
• Control capability
• Corrective action
  – Most straightforward manner in which the incident could be prevented
  – The cost of preventative controls
Impact Classification
• Impact categorization
  – Sources of Impact (direct, indirect)
  – Similar to ISO 27005/FAIR
• Impact estimation
  – Distribution for amount of impact
• Impact qualification
  – Relative impact rating
Build your understanding
• Go to http://veriscommunity.net for full details of the framework.
Building Contacts
• While you’re at http://veriscommunity.net join the VERIS mailing list.
• You can ask questions about the framework and specific questions about how to categorize something.
Build your collector
• People, this is just a survey!
  – Use any of the millions of online survey websites to make your collector.
  – Build this thing in Sharepoint and add a workflow to it.
Excel Spreadsheet

laptop_incident_cost(params['data_count'], params['data_variety'])[0]
Pro Tip – Minimize Data Entry
You want source code?
• Tweet “Oui Kevin! @bfist #BSidesQuebec”
Don’t be afraid to customize!
Sharing is Caring
• Share your data; it makes us all better off.
  – XML
  – JSON
• Form partnerships with other organizations and compare incidents.
Kevin Thompson
kevin.thompson@verizon.com
twitter: @bfist


  • 1. Getting Started with VERIS. Kevin Thompson, Twitter: @bfist. Risk and Intelligence Researcher, Verizon RISK Team.
  • 14. VERIS - A Framework for Gathering Risk Management Information from Security Incidents. Vocabulary for Event Recording and Incident Sharing.
  • 15. Risk Management: Operating Model. Framework ∑ = ∫√ Models ∩ Data
  • 17. Risk Management: Operating Model. Framework ∑ = ∫√ Models ∩ Data
  • 18. Data = UNCERTAINTY. “The difference between the amount of information required to perform the task and the amount of information already possessed by the organization.” Galbraith, J. Organization Design, Addison-Wesley, Reading, MA, 1977.
  • 24. The DBIR is an ongoing study that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and what might be done to prevent it. 2013 DBIR: 19 global contributors, 47,000+ security incidents, 621 confirmed data breaches.
  • 25. Methodology: Data Collection and Analysis. DBIR participants use the Vocabulary for Event Recording and Incident Sharing (VERIS) framework to collect and share data. This enables case data to be shared anonymously with the RISK Team for analysis. VERIS is an (open and free) set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner (i.e. you can do this too). VERIS: https://veriscommunity.net/
  • 28. How VERIS works. INCIDENT REPORT: “An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…” VERIS takes this and…
  • 29. How VERIS works. …and translates it to this…
  • 41. Understand the Framework. Build your contacts. Build your collector. Practice, Practice, Practice. Refine your process. Make it your own.
  • 42. Basic Sections: Incident Tracking; Victim Demographics; Events; Detection & Response; Impact.
  • 43. Demographics: company industry; company size; geographic location of the business unit in the incident; size of security department.
  • 44. Incident Classification, A4 event model. Agent (external, internal, partner) – what acts against us. Action (malware, hacking, social, misuse, physical, error, environmental) – what the agent does to the asset. Asset (type, function) – what the agent acts against. Attribute (confidentiality, possession, integrity, authenticity, availability, utility) – the result of the agent’s action against the asset.
  • 45. Incident Classification, A4 event model. The series of events (a4) creates an “attack model”: 1 > 2 > 3 > 4 > 5
  • 46. A security INCIDENT is a series of EVENTS that adversely affect the information assets of an organization. Every event is comprised of the following ELEMENTS: Agent (Source: External; Type: Organized criminal group), Action (Category: Hacking; Type: SQL injection; Path: Web application), Asset (Type: Database; Platform: Acme Server 2008), Attribute (Type: Confidentiality; Data: Payment card data). 1 > 2 > 3 > 4 > 5
  • 49. Discovery & Mitigation: incident timeline; discovery method; evidence sources; control capability; corrective action – the most straightforward manner in which the incident could have been prevented, and the cost of preventative controls.
  • 50. Impact Classification ($): impact categorization – sources of impact (direct, indirect), similar to ISO 27005/FAIR; impact estimation – distribution for the amount of impact; impact qualification – relative impact rating.
  • 51. Build your understanding: go to http://veriscommunity.net for full details of the framework.
  • 58. Building Contacts: while you’re at http://veriscommunity.net, join the VERIS mailing list. You can ask questions about the framework and specific questions about how to categorize something.
  • 59. Build your collector. People, this is just a survey! Use any of the millions of online survey websites to make your collector, or build this thing in SharePoint and add a workflow to it.
  • 61. Pro Tip – Minimize Data Entry
  • 62. You want source code? Tweet “Oui Kevin! @bfist #BSidesQuebec”
  • 64. Sharing is Caring. Share your data, it makes us all better off (XML, JSON). Form partnerships with other organizations and compare incidents.

Editor's notes

  1. Let’s start with a story. In August of 2012 Toyota fired a programmer that worked on their part sourcing software but failed to revoke his access immediately. A few hours after the programmer was fired, he logged into Toyota systems and planted logic bombs that caused some functions of the application to fail. He also downloaded trade secrets, presumably to take to the next company he went to work for. Toyota IT security said it would take days to figure out the extent of the damage from this programmer’s actions. Let’s tell another story. 2 months ago on the Verizon Security blog we put up a story about a man that outsourced his own job. How many people heard about that? A company decided to start proactively reviewing its log files and found weird VPN connections coming in from China using an employee’s credentials. The company used 2FA on VPN and the employee was in his cubicle. It turns out that this guy had hired a Chinese company to do his programming work for him, and he mailed his RSA token to them so they could log in. He just showed up and collected a check. Let’s talk about security incidents.
  2. All of us have security incidents
  3. And (almost) all of us are aware of that.
  4. A large majority of us are trying to reduce the frequency and severity of security incidents by applying controls.
  5. But the majority of the majority is using ad-hoc processes and selects controls based on gut instinct or by blindly following checklists.
  6. In fact, most organizations don’t document their security incidents either because they don’t know about them or because they lack the process maturity to do so.
  7. Among organizations that do record security incidents, many times it is in the form of free form text. Most are not using a defined schema to capture consistent data.
  8. 85.3% of statistics are made up on the spot.
  9. 100% of the statistics I just shared are made up but …
  10. Overall very few organizations are recording security incidents using a standard schema that is open to the public and suitable for performing data analysis and sharing anonymized incident information with other organizations.
  11. That’s what we’re here to talk about. VERIS is an open framework which you can use to record information security incidents in a format suitable for data analysis and sharing.
  12. In order to place controls, we need to make decisions. This is a representation of what we need to make security decisions. We need to have some model of how the world works, we need to have data, and we need to have a framework to support that data. Our model builds the framework, our framework fills the data, and the data helps us to re-evaluate our models.
  13. The goal is to move ever closer to evidence-based risk management. Right now our models are based on gut instinct and so our controls are based on gut instinct. There’s nothing wrong with that to start with, but …
  14. Few of us are gathering the data to re-evaluate our model. The loop never gets closed up. The most common excuse that I hear for why we can’t move towards EBRM is that we don’t have the data to do so, and yet few of us are gathering data.
  15. No data means that we’re uncertain. We don’t know how often bad things happen to us. We don’t know how bad those things hurt us. We don’t know if those bad things have anything in common.
  16. But in addition to not having data, we also don’t have a framework to describe things. A framework that allows us to put information into buckets so that we can count it properly. A vocabulary that ensures that when I talk about an incident you understand what I mean.
  17. VERIS is our attempt to solve the framework piece of the puzzle.
  18. We use VERIS to collect data about security incidents that we investigate and we use that to produce the Verizon Data Breach Investigations Report
  19. Our analysis of a sample – of information security incidents that resulted in a loss of control of non-public data – significant enough to ask for outside professional assistance. This is a sample of facts; we investigate these incidents.
  20. For those who may not know what the DBIR is… Emphasize the large number of partners this year (was 5 last year), and that they span public-private and international boundaries. We do this to widen the perspective of the report, reduce bias, and make the dataset as representative as we can of “what’s really going on out there.” If you’re talking to an org that might make a good partner, offer them the opportunity. We can follow up with more info.
  21. Talk about the four A’s here
  22. Even our so-called “highly adaptive adversaries” exhibit very clear patterns in their motives and methods. This is extremely important to grasp and leverage for securing our organizations.
  23. Wrapping some analysis and wording around those frequency-based patterns yields this. In many ways, Table 1 summarizes the 2013 DBIR. The rest of the report puts a lot more #s and %s around these points, but the basic actor-focused approach exhibited here is the way we decided to organize our findings this year. And that makes sense. In analyzing the complex dataset we received for this report, we noticed a very strong correlation among the motives, methods, etc of different groups of threat actors.
  24. This gives a more detailed view of the most common threat actions. It’s quite interesting that physical tampering (mostly ATM skimming) is the most common. Highlight that some actions are mostly used in financial crimes, others in espionage, some fairly equal in both. Some differences in large v small orgs.
  25. This pulls out just “hacking” actions – those used to gain unauthorized network/system access. Main point is to show the large percentage of attacks that tie back to weak or stolen credentials. 4 of 5 intrusions trace back to this.
  26. This is very similar to previous years.
  27. Similar to previous years, except that “unrelated party” is at the top. Suggest reading the report to understand what that’s about.
  28. You can do this too, and you might be able to do it better than we can. Gasp! Let’s do that as an exercise: Customization, Sampling Bias, Near Misses.
  29. Customization. You can answer your own questions that Verizon is not going to answer for you
  30. Sampling Bias
  31. Near misses
  32. This is an area that we do not have a lot of insight into right now. You probably have better data about this than we do.
  33. Remember these three guys? Let’s VERISize this case. Is the actor Internal, External or Partner? What is the motivation of the actor? [espionage, fear, financial, fun, grudge, ideology] What is the role of the actor in this incident? [malicious, inappropriate, indirect, unintentional]
  34. What actions were present in this incident? [Malware, Hacking, Social, Misuse, Error, Physical, Environmental]
  35. One common objection we hear about sharing incident data is that it is not real-time or tactical for defense. You won’t be able to use the information in VERIS to update your firewall black list. Some people feel then that the information in VERIS is less valuable. Tactical intel (what you can change right now) is surely part of the solution – BUT – it would be foolish to ignore or downplay the fact that we’re still having the same problems from 5, 10, 20 years ago and don’t seem to be learning our lesson. The DBIR tells us year after year “brute force attacks, social engineering, and malware.” Most orgs can’t answer “what are the top attacks against your organization in the last year” with any quantitative rigor. They fall back to anecdote and media regurgitation.
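The phishing narrative from the "How VERIS works" slide and the "VERISize this case" questions in notes 33-34, worked through as an added example. This is not the VERIS project's own code and the field names are a simplified stand-in for the real VERIS JSON schema (an assumption); only the enumerated buckets (agent source, action category, attribute, motive, role) are taken from the slides and notes. The per-event classification of each story is this example's own reading, since the page asks the questions but does not answer them.

```python
"""Record security incidents as chains of VERIS-style A4 events.

Added example; not the VERIS project's code or schema. Field names are a
simplified stand-in for the real VERIS JSON schema (assumption); the
enumerated buckets come from the A4 slide and speaker notes 33-34.
"""
import json
from dataclasses import dataclass, field, asdict
from typing import List

AGENT_SOURCES = {"external", "internal", "partner"}
ACTION_CATEGORIES = {"malware", "hacking", "social", "misuse",
                     "physical", "error", "environmental"}
ATTRIBUTES = {"confidentiality", "possession", "integrity",
              "authenticity", "availability", "utility"}
MOTIVES = {"espionage", "fear", "financial", "fun", "grudge", "ideology"}
ROLES = {"malicious", "inappropriate", "indirect", "unintentional"}


@dataclass
class Event:
    """One A4 event: an Agent performs an Action against an Asset, affecting an Attribute."""
    agent: str                      # external / internal / partner
    action: str                     # malware, hacking, social, misuse, ...
    asset: str                      # free-text asset type (laptop, file server, ...)
    attribute: str                  # confidentiality, integrity, availability, ...
    motive: str = ""                # optional, from the notes-33 list
    role: str = ""                  # optional, from the notes-33 list
    detail: dict = field(default_factory=dict)  # type / path / data qualifiers

    def problems(self) -> List[str]:
        """Schema violations for this event (empty list when well-formed)."""
        checks = [("agent", self.agent, AGENT_SOURCES),
                  ("action", self.action, ACTION_CATEGORIES),
                  ("attribute", self.attribute, ATTRIBUTES)]
        if self.motive:
            checks.append(("motive", self.motive, MOTIVES))
        if self.role:
            checks.append(("role", self.role, ROLES))
        out = [f"{name} {value!r} not in {sorted(allowed)}"
               for name, value, allowed in checks if value not in allowed]
        if not self.asset:
            out.append("asset must not be empty")
        return out


@dataclass
class Incident:
    """Incident tracking plus the ordered event chain (the 1 > 2 > 3 attack model)."""
    incident_id: str
    events: List[Event]
    discovery_method: str = "unknown"

    def problems(self) -> List[str]:
        out = [] if self.events else ["incident needs at least one event"]
        for i, ev in enumerate(self.events, start=1):
            out.extend(f"event {i}: {p}" for p in ev.problems())
        return out

    def action_counts(self) -> dict:
        """Events per action category: the count a DBIR-style rollup is built from."""
        counts: dict = {}
        for ev in self.events:
            counts[ev.action] = counts.get(ev.action, 0) + 1
        return counts

    def to_json(self) -> str:
        """Serialise for sharing (the JSON option from the 'Sharing is Caring' slide)."""
        return json.dumps(asdict(self), indent=2)

    @classmethod
    def from_json(cls, text: str) -> "Incident":
        raw = json.loads(text)
        return cls(events=[Event(**e) for e in raw.pop("events")], **raw)


def phishing_incident() -> Incident:
    """The 'How VERIS works' narrative; buckets are this example's reading, not the page's."""
    ext = "external"
    return Incident("EXAMPLE-0001", [   # constructed identifier
        Event(ext, "social", "executive", "integrity", detail={"type": "phishing"}),
        Event(ext, "malware", "laptop", "integrity", detail={"type": "backdoor"}),
        Event(ext, "hacking", "laptop", "confidentiality", detail={"data": "email"}),
        Event("internal", "error", "file server", "integrity",
              role="unintentional", detail={"type": "misconfiguration"}),
        Event(ext, "hacking", "file server", "confidentiality",
              detail={"data": "intellectual property"}),
    ])


def fired_programmer_incident() -> Incident:
    """The Toyota story from note 1, answered with the note-33/34 lists (this example's reading)."""
    app = "part sourcing application"
    return Incident("EXAMPLE-0002", [   # constructed identifier
        Event("internal", "error", "account provisioning", "integrity",
              role="unintentional", detail={"type": "access not revoked"}),
        Event("internal", "malware", app, "availability",
              motive="grudge", role="malicious", detail={"type": "logic bomb"}),
        Event("internal", "misuse", app, "confidentiality",
              motive="financial", role="malicious", detail={"data": "trade secrets"}),
    ])


if __name__ == "__main__":
    for inc in (phishing_incident(), fired_programmer_incident()):
        print(inc.incident_id, "problems:", inc.problems() or "none",
              "actions:", inc.action_counts())
    print(phishing_incident().to_json())
```

The `problems()` methods are the part worth keeping if you build your collector as a survey form: rejecting a value outside the agreed buckets at entry time is what makes the counts comparable across organizations later, and `to_json`/`from_json` is the minimum needed to pass a record to a partner and read theirs back.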