VerIS - a Framework for Gathering Risk Management...
![Page 1: VerIS - a Framework for Gathering Risk Management …securitymetrics.org/attachments/Metricon-4.5-Baker... · · 2014-02-05Framework for Gathering Risk Management ... Cybertrust](https://reader033.fdocuments.in/reader033/viewer/2022051508/5aa698d47f8b9a517d8eb3e3/html5/thumbnails/1.jpg)
Cybertrust Security
VerIS - a Framework for Gathering Risk Management Information from Security Incidents
Wade Baker, Alex Hutton, Chris Porter
Risk Intelligence, Verizon Cybertrust Security
Verizon Risk Intelligence View of Information Risk Management
[Diagram labels: Threat Landscape, Loss Landscape, Asset Landscape, Controls Landscape, risk]
ANY USEFUL DATA WILL BE INFORMATION ABOUT ONE (OR MORE) OF THE LANDSCAPES
(or derived values created by modeling the interactions between landscape data)
Risk Management: Operating Model
[Diagram labels: Framework, Models, Data]
Problems in Information Risk Management
- data / frameworks / models
- equivocality & uncertainty
UNCERTAINTY = Data
EQUIVOCALITY = Framework
Lessons from Organizational Theory
DAFT, R. AND LENGEL, R. 1986. Organizational Information Requirements, Media Richness and Structural Design. Management Science, 32, 4, 554-569.
Verizon has shared data
- 2009 – over 600 cases
- 2010 – between 1000 & 1400
Verizon is sharing our framework
What is the Verizon Incident Sharing (VerIS) Framework?
- A means to create metrics from the incident narrative
- how Verizon creates measurements for the DBIR
- how *anyone* can create measurements from an incident
What makes up the VerIS framework?
- Demographics
- Incident Classification
- Event Modeling (a4)
- Discovery & Mitigation
- Impact Classification
- Impact Modeling
demographics
- company industry
- company size
- geographic location
- of business unit in incident
- size of security department
incident classification
- agent: what acts against us
- asset: what the agent acts against
- action: what the agent does to the asset
- attribute: the result of the agent's action against the asset

Categories shown for each element:
- agent: external, partner, internal
- action: hacking, malware, social, physical, misuse, error, environmental
- asset: type, function
- attribute: confidentiality, availability, integrity, possession, utility, authenticity
the series of events (a4) creates an “attack model”
1 > 2 > 3 > 4 > 5
incident classification a4 event model
discovery & mitigation
- incident timeline
- discovery method
- evidence sources
- control capability
- corrective action: most straightforward manner in which the incident could be prevented
- the cost of preventative controls
Impact classification
- impact categorization: sources of impact (direct, indirect)
- similar to ISO 27005/FAIR
- impact estimation: distribution for amount of impact
- impact qualification: relative impact rating
[Diagram: an incident narrative is coded into incident metrics: demographics, incident classification (a4), discovery & mitigation, impact classification]
[Diagram: case studies a-f, each coded as demographics, incident classification (a4), discovery & mitigation and impact classification, make up a data set]
[Diagram: data set (cases a-f; demographics, incident classification (a4), discovery & mitigation, impact classification) and knowledge & wisdom]
[Diagram: threat modeling over the data set (cases a-f; demographics, incident classification (a4), discovery & mitigation, impact classification)]
[Diagram: impact modeling over the data set (cases a-f; demographics, incident classification (a4), discovery & mitigation, impact classification)]
1.1 Date of the Incident
Purpose: Facilitates trending over time.
Notes: Select the month and year the incident occurred.
Question Type: Single Select for Month; Number field for Year
Suggested Options:
• Month: [List of months]
• Year: NA
Miscellaneous: While the exact date of the incident could be used, the month and year allows trending and provides some measure of de-identification for data sharing purposes. Using only the year provides even more.
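The following Python example is added here and is not from the slides or the VerIS project: it codes an incident narrative as an ordered series of a4 events using the category lists from the incident classification slide, coarsens the date as field 1.1 describes, and counts actions across a data set. The field names, the `ev` helper and the sample incidents are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

# Category lists as they appear on the incident classification slide.
AGENTS = {"external", "partner", "internal"}
ACTIONS = {"hacking", "malware", "social", "physical", "misuse", "error", "environmental"}
ATTRIBUTES = {"confidentiality", "availability", "integrity",
              "possession", "utility", "authenticity"}

def coarsen_date(d, year_only=False):
    """Field 1.1: keep only month and year (or only the year) for sharing."""
    return {"year": d.year} if year_only else {"month": d.month, "year": d.year}

def validate_event(event):
    """Reject an a4 event whose agent, action or attribute is off-list."""
    for key, allowed in (("agent", AGENTS), ("action", ACTIONS),
                         ("attribute", ATTRIBUTES)):
        if event[key] not in allowed:
            raise ValueError(f"unknown {key}: {event[key]!r}")
    if set(event["asset"]) != {"type", "function"}:
        raise ValueError("asset must carry exactly 'type' and 'function'")
    return event

def code_incident(occurred, events, year_only=False):
    """Turn a narrative's ordered events into one shareable record."""
    return {"date": coarsen_date(occurred, year_only),
            "events": [validate_event(e) for e in events]}

def attack_path(record):
    """The ordered series of actions, i.e. the incident's event model."""
    return " > ".join(e["action"] for e in record["events"])

def action_counts(records):
    """Data-set metric: number of incidents in which each action appears."""
    return Counter(a for r in records for a in {e["action"] for e in r["events"]})

def ev(agent, action, asset_type, function, attribute):
    """Hypothetical helper that builds one a4 event."""
    return {"agent": agent, "action": action, "attribute": attribute,
            "asset": {"type": asset_type, "function": function}}

# Constructed sample incidents; asset values are illustrative, not from the page.
SAMPLE = [
    code_incident(date(2009, 3, 14), [
        ev("external", "social", "person", "help desk", "integrity"),
        ev("external", "malware", "workstation", "desktop", "integrity"),
        ev("external", "hacking", "server", "database", "confidentiality")]),
    code_incident(date(2009, 11, 2), year_only=True, events=[
        ev("internal", "misuse", "server", "file share", "confidentiality")]),
]
```

Records that keep only the year trade trending resolution for stronger de-identification, so a shared data set should state which granularity each contributor used.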
VerIS Projects
[Diagram labels: Global Contributors, Incident Data, VerIS Framework, Analysis & Reporting, Decisions & Execution]
• Use the framework internally. Anyone is free to use the VerIS framework to aid the tracking and reporting of incidents within their organization. We hope those that do will share some of the interesting and innovative ways they are using the metrics in their security program.
• Use the framework cooperatively. Organizations within an existing information exchange, consortium, or other types of partnerships can leverage the VerIS framework for improved data sharing.
• Share data with others. As the ultimate goal of the VerIS Framework is to foster information sharing, we hope users will consider how they might responsibly share data with others. We’re working on ways to help facilitate this, and our IR team will continue to do so via the DBIR. We also invite others with access to a large number of incidents from many organizations to use the framework and report their findings. We’d love to see a large number of accessible and comparable datasets in the not-so-distant future.
• Promote the framework externally. Every cause needs a champion, and this one could use many. If you find the VerIS Framework useful or believe it to be beneficial to the community, we’d appreciate you letting others know.
Advisory Board
Richard Bejtlich
Andrew Bonillo
Chris Carlson
Dan Geer
Jeremiah Grossman
Jake Kouns
Rich Mogull
Questions Slide
- Your Turn!