Cybersecurity Tools – VERIS Incident Model

Quality information in cyber security and incident response is hard to come by: there are too many sources for too many things, and most of the information within reach is not centralized. A couple of years back, when I was working on learning more and more of the ins and outs of the InfoSec community, I found VERIS, which I think is a nice initiative.

Here is a quick breakdown of what it is.

What is VERIS, and what does it stand for?

The Vocabulary for Event Recording and Incident Sharing. It's a collection of metrics, information, and structure that feeds a publicly available database of incidents. The idea of VERIS is to end the lack of communication, structure, and a shared information base for commonly reported incidents. This helps organizations determine plans of action when handling the response to an incident.

As an example, here is the simplest form of the values required to be reported:

From the VERIS community website, I extracted the following to help identify the collection of information based on the VERIS format.

A Quick Scenario and How to Document It with VERIS:

You're notified by the local police department that an employee in billing was arrested during a raid on an identity theft ring and is suspected of stealing identities from your company. You paid a forensic company $14,121 for an investigation which revealed that the employee had been accessing customer records without cause for three months. You also paid $8,000 to a law firm to make appropriate notification to the Attorney General in your state. Here is what the incident might look like in VERIS (from the VERIS Community):


High-Level Categories or The 4 A’s

The 4 A's are critical and meaningful information in any incident report and help whoever is reading it understand what happened. Again, this is not to be taken as a silver bullet or the definitive incident response reporting format, but VERIS seems to be oriented in the right direction.

* Actor –> Who is behind an incident?
* Action –> Methods used
* Asset –> Devices Affected
* Attribute –> How were the devices affected?
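To make the 4 A's concrete, here is an added example (not from the original post or from the VERIS project) that records the billing-employee scenario above as a VERIS-style JSON document and checks that all four A's are present. The key names follow the VERIS 1.3 layout; the enumeration values used (for example "Privilege abuse" and "S - Database") are assumed from the VERIS enumerations and the incident id and year are constructed placeholders.

```python
import json

# VERIS-style record for the insider misuse scenario described above.
# Enumeration values are assumed from the VERIS 1.3 enumerations; verify
# them against the official schema before submitting a real record.
def build_insider_record() -> dict:
    return {
        "schema_version": "1.3.4",
        "incident_id": "EXAMPLE-0001",            # constructed placeholder id
        "security_incident": "Confirmed",
        "discovery_method": "Ext - law enforcement",  # the police notified us
        # Actor: who was behind it? An internal finance/billing employee.
        "actor": {"internal": {"motive": ["Financial"], "variety": ["Finance"]}},
        # Action: what method? Abuse of legitimate access to customer records.
        "action": {"misuse": {"variety": ["Privilege abuse"], "vector": ["LAN access"]}},
        # Asset: what was affected? The customer records database.
        "asset": {"assets": [{"variety": "S - Database"}]},
        # Attribute: how was it affected? Personal data was disclosed.
        "attribute": {"confidentiality": {"data": [{"variety": "Personal"}],
                                          "data_disclosure": "Yes"}},
        "timeline": {"incident": {"year": 2015}},  # constructed year
        # Impact: the two invoices quoted in the scenario.
        "impact": {"loss": [
            {"variety": "Response and recovery", "amount": 14121},
            {"variety": "Legal and regulatory", "amount": 8000},
        ]},
    }

FOUR_AS = ("actor", "action", "asset", "attribute")

def missing_four_as(record: dict) -> list:
    """Return the names of the 4 A's that are absent or empty in a record."""
    return [a for a in FOUR_AS if not record.get(a)]

def total_loss(record: dict) -> int:
    """Sum the reported losses; the two invoices in the scenario total 22121."""
    losses = record.get("impact", {}).get("loss", [])
    return sum(item.get("amount", 0) for item in losses)

if __name__ == "__main__":
    rec = build_insider_record()
    print(json.dumps(rec, indent=2))
    print("missing 4 A's:", missing_four_as(rec), "| total loss:", total_loss(rec))
```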

Where to find the VERIS WebApp

Here is a sample of the VERIS WebApp -> http://veriscommunity.net/veris_webapp_min.html#/submit/verisc/1.3.4

The Community Page for VERIS includes lots of interesting training resources to understand what VERIS is trying to do and how it works.

For training and more information, visit the VERIS Community Page.

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 15 years of experience, Andres specializes in Unified Communications and Collaboration technologies. He has consulted for several companies in South Florida, as well as financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT service provider infrastructures.

You can follow Andres on Twitter, LinkedIn or Facebook.
