the veris framework - from risk to response


Upload: terrymacdonald

Post on 22-Jan-2018


TRANSCRIPT

Page 1

The VERIS Framework - From Risk to Response

Page 2

Terry's Theory of VERIS-tivity

Page 3

What is VERIS?

VERIS (Vocabulary for Event Recording and Incident Sharing) describes:

• Incident Tracking
• Victim Demographics
• Incident Description
• Discovery & Response
• Impact Assessment
• Indicators of Compromise

Damn Useful

Page 4

Incident Description

• Actor (Who did it?)

• Action (What did they do?)

• Asset (What did they do it to?)

• Attributes (What did we lose?)

Page 5

Incident Description Examples

• Actor: external.activist, internal.helpdesk

• Action: malware.backdoor, hacking.mitm, environmental.meteorite

• Asset: server.file, userdevice.mobilephone, people.helpdesk

• Attributes: confidentiality.secrets, integrity.fraudulenttransaction, availability.loss

Page 6

So what?

• VERIS lets us measure the types of security incidents we are experiencing

• We can then compare ourselves globally against the DBIR (Verizon Data Breach Investigations Report)

• We can look for trends in the local threats we are experiencing.

• We can identify areas that need better protection

Page 7

So what?

[Figure: VERIS A4 Grid (Actor, Action, Asset, Attribute)]

Page 8

Use VERIS everywhere!

• The VERIS framework can help

• VERIS can be very useful

Page 9

Identify Risks with VERIS

You can use VERIS to classify risks:

• 'An external attacker will brute force the main web server customer portal login to gain administrative access to the customer portal'

Maps to the VERIS framework:

• Actor: external (2nd level too specific, so ignore)
• Action: hacking.brute_force
• Asset: server.web
• Attribute: integrity.modified_data

Page 10

SIEM Use Cases with VERIS

You can use VERIS to develop SIEM Use Cases!

For each risk description:

• Identify systems and devices that are on the traffic path
• Identify which log events would be triggered by the attack happening, e.g. logs from the external firewall, NIDS, load balancer and the web server
• Develop a SIEM rule to alert incident response staff when that use case happens, e.g. external.hacking.brute_force.server.web

Page 11

Respond with VERIS

You can use VERIS to respond to attacks!

When a SIEM rule alerts, you know that a particular risk is being realised.

For each SIEM rule you can create a matching IR pre-plan to identify:

• How to stop or contain the attack
• Who to call to help (make them have their own pre-plans too)

Page 12

Respond with VERIS

e.g.

1 x SIEM rule: external.hacking.brute_force.server.web (Actor . Action . Asset)

Equals

An IR pre-plan containing the steps to follow.

It can be one rule to many pre-plans.
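An added example, not from the presentation, of the chain on pages 9 to 13: the A4 fields become the SIEM use-case key, the key looks up its IR pre-plans (one rule to many), and a tally over classified incidents shows both where attacks are coming from and which observed use cases still have no pre-plan. The VerisA4 class, the PREPLANS registry and the sample incidents are assumptions constructed for illustration, using only enumerations shown on the slides.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class VerisA4:
    """One risk or incident in the slides' dotted A4 notation (hypothetical helper)."""
    actor: str      # e.g. "external"
    action: str     # e.g. "hacking.brute_force"
    asset: str      # e.g. "server.web"
    attribute: str  # e.g. "integrity.modified_data"

    def use_case_key(self) -> str:
        # SIEM use-case name built the way the slides build it: actor.action.asset
        return f"{self.actor}.{self.action}.{self.asset}"

# Constructed pre-plan registry (an assumption, not the presenter's): one SIEM rule
# key maps to one or more IR pre-plans, each a short list of steps.
PREPLANS = {
    "external.hacking.brute_force.server.web": [
        "Block the source at the external firewall and lock affected portal accounts",
        "Call the web platform on-call team (they keep their own pre-plan)",
    ],
    "external.malware.backdoor.server.file": [
        "Isolate the file server from the network and preserve a disk image",
    ],
}

def preplans_for_alert(alert_key: str) -> list:
    """IR pre-plans matched to a firing SIEM rule; empty list if none is written yet."""
    return PREPLANS.get(alert_key, [])

def tally(incidents) -> Counter:
    """Count incidents per use-case key: the raw input to 'where are attacks coming from'."""
    return Counter(i.use_case_key() for i in incidents)

def uncovered_use_cases(incidents) -> set:
    """Use-case keys seen in the incident data that still have no IR pre-plan."""
    return {key for key in tally(incidents) if not preplans_for_alert(key)}

# Constructed sample incidents (not real data), using enumerations shown on the slides.
PORTAL_BRUTE_FORCE = VerisA4("external", "hacking.brute_force", "server.web", "integrity.modified_data")
SAMPLE_INCIDENTS = [
    PORTAL_BRUTE_FORCE,
    PORTAL_BRUTE_FORCE,
    VerisA4("external", "malware.backdoor", "server.file", "confidentiality.secrets"),
    VerisA4("external", "hacking.mitm", "userdevice.mobilephone", "confidentiality.secrets"),
]
```

Running tally over a real ticket export gives the per-use-case counts for the "create your own DBIR" report, and uncovered_use_cases is the list of pre-plans still to write.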

Page 13

Measure with VERIS

• Build VERIS classification into your ticketing systems

• Report on the VERIS data

• Use VERIS to highlight where your attacks are coming from

• Create your own DBIR!

• Highlight what you are seeing

Page 14

Model with VERIS

You can use VERIS to improve your risk models!

• By tracking what attacks you see, you can begin to understand where you are most likely at risk

• Create a risk model which maps change in incidents to change in risk

• Compare yourself to the world using the DBIR

• Find trends, if possible, to work out new threats that need to be included

Page 15

Model with VERIS

Updating the risk model is your feedback loop!

Threats change over time and we need to adapt.

Using the same language (VERIS) makes it easy to use reality to update our theoretical risk models

Page 16

Model with VERIS

BUT:

• It is biased towards your detective capability!

• There are many different types of risk model definitions, so no standard risk description language

• What the world sees is not always what we see here in NZ

• No good shared data for NZ (can the NZITF or APCERT help here?)

Page 17

Invest with VERIS

Page 18

The VERIS value

• Classifies incidents

• We can use that incident data to work out where we are most under threat

• Target investment at the areas that need it most

• Track how much that investment helped

• Show management ROI
