The VERIS framework Consistency in Reporting Data Breaches
Some “Minor” Challenges
• IT is getting more complex, more value is moving online, threats are getting more sophisticated.
• We can’t put a value on what is stolen/lost.
• We don’t even publicise what is stolen/lost, so there is no way of sizing the problem.
• We have no consistent way of describing or reporting an incident, so there is no consistency as to what “good” or “bad” looks like.
• There are no standards on reaction to incidents; evidential weight and provenance are unfamiliar concepts in most of the private sector.
• There is no consistent liaison with Law Enforcement, so no chance of bringing the criminal fraternity in Cyber Crime to justice.
Things to achieve if we are to Take Action Against CyberCrime
From the Public Private Forum on bringing Cyber Criminals to Justice:
• Need for more awareness of the potential problems, and methods to combat the crimes.
• Need for information sharing between all business sectors, public and private.
• Need for continued education of the business community; eCrime does not stand still, so this is a continuous process.
• Openness between organisations; we can all learn from each other.
• Need for international sharing of information & intelligence to deal with this expanding “cross border” crime wave.
• Creation of international standards for reporting.
Background: The DBIR series
An ongoing study into the world of cybercrime that analyzes forensic evidence to uncover how sensitive data is stolen from organizations, who’s doing it, why they’re doing it, and, of course, what might be done to prevent it.
Available at: http://verizonbusiness.com/databreach
Updates/Commentary: http://securityblog.verizonbusiness.com
Methodology: Data Collection and Analysis
• DBIR participants use the Verizon Enterprise Risk and Incident Sharing (VERIS) framework to collect and share data.
• This enables case data to be shared anonymously with the RISK Team for analysis.
• VERIS is a set of metrics designed to provide a common language for describing security incidents (or threats) in a structured and repeatable manner.
VERIS: https://verisframework.wiki.zoho.com/
How VERIS works
The Incident Classification section employs Verizon’s A4 threat model.
Incident as a chain of events: a security incident (or threat scenario) is modeled as a series of events. Every event comprises the following 4 A’s:
• Agent: Whose actions affected the asset
• Action: What actions affected the asset
• Asset: Which assets were affected
• Attribute: How the asset was affected
VERIS: https://verisframework.wiki.zoho.com/
How VERIS works
INCIDENT REPORT
“An external attacker sends a phishing email that successfully lures an executive to open an attachment. Once executed, malware is installed on the exec’s laptop, creating a backdoor. The attacker then accesses the laptop via the backdoor, viewing email and other sensitive data. The attacker then finds and accesses a mapped file server that an internal admin failed to properly secure during the build/deployment process. This results in intellectual property being stolen from the server…”
VERIS takes this and…
How VERIS works …and translates it to this…
How VERIS works …and over time to this…
How VERIS works Data-driven decisions …to help enable this.
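The incident report above, encoded as a chain of A4 events and then aggregated across incidents, as an added example that is not part of the original slides or of VERIS itself. The category vocabularies are a simplified assumption, the five-event encoding of the report and the second incident are constructed, and the names `Event` and `share_of_incidents` are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass

# Simplified category vocabularies assumed for this example; the VERIS
# documentation defines the authoritative enumerations.
AGENTS = {"external", "internal", "partner"}
ACTIONS = {"malware", "hacking", "social", "misuse", "physical", "error", "environmental"}
ATTRIBUTES = {"confidentiality", "integrity", "availability"}

@dataclass(frozen=True)
class Event:
    agent: str      # whose actions affected the asset
    action: str     # what actions affected the asset
    asset: str      # which asset was affected (free text here)
    attribute: str  # how the asset was affected

    def __post_init__(self):
        # Reject values outside the shared vocabulary so reports stay comparable.
        for value, allowed, name in ((self.agent, AGENTS, "agent"),
                                     (self.action, ACTIONS, "action"),
                                     (self.attribute, ATTRIBUTES, "attribute")):
            if value not in allowed:
                raise ValueError(f"unknown {name}: {value!r}")

# The phishing incident report as a chain of five events (constructed encoding).
PHISHING_INCIDENT = [
    Event("external", "social", "executive", "integrity"),
    Event("external", "malware", "executive laptop", "integrity"),
    Event("external", "hacking", "executive laptop", "confidentiality"),
    Event("internal", "error", "file server", "integrity"),
    Event("external", "hacking", "file server", "confidentiality"),
]

# Constructed second incident, present only to demonstrate aggregation.
LOST_LAPTOP = [Event("internal", "error", "laptop", "confidentiality")]
CORPUS = [PHISHING_INCIDENT, LOST_LAPTOP]

def share_of_incidents(incidents, field):
    """Fraction of incidents in which each value of `field` appears at least once."""
    if not incidents:
        return {}
    counts = Counter()
    for chain in incidents:
        # A set per incident: repeated events count the incident only once.
        counts.update({getattr(event, field) for event in chain})
    return {value: n / len(incidents) for value, n in counts.items()}
```

Counting each category once per incident rather than once per event keeps a long event chain from dominating the statistics.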
How can you use VERIS?
• Research the VERIS framework. There is a wiki available at https://verisframework.wiki.zoho.com/.
• Use the framework internally to track and report incidents.
• Use the framework cooperatively with other organizations to facilitate data sharing.
• Use the VERIS community site to report and share incident data at https://www2.icsalabs.com/veris/.
The VERIS framework is open and free. You can use it independently of or in partnership with Verizon. We can also help you set up your own VERIS collection mechanism and/or train your staff in the framework itself. In addition, we now offer a solution to facilitate secure, anonymous VERIS-based information sharing within a single organization or between multiple consenting organizations.
Drop in Data Loss: Our Leading Hypotheses
• Random caseload variation: Unlikely; other external sources show similar results.
• Huge global improvement in security posture: Unlikely; not enough time and doesn’t explain rise in breaches.
• Prosecution and incarceration of “Kingpins”: Deterrence and/or scrambling among criminal groups.
• Change in criminal tactics: Away from massive breaches to smaller, less risky heists. Helps explain increase in breaches.
• Market forces (law of supply and demand): Oversupply of data in black market driving prices down.
• Targeting different (non-bulk) data types: More IP, classified data, etc. stolen.
• They’ve gotten better at evading detection: Maybe; but doesn’t seem to fully account for the drop.