The document discusses evidence-based risk management and the VERIS framework. It explains that VERIS provides a common language for describing security incidents in a structured way. Incidents are broken down into a series of events involving an agent, action, asset, and attribute. This data can then be used to better understand risk, make data-driven decisions, and identify optimal controls. The goal is to move from random observations to formal modeling and evidence-based management.

1. Evidence Based Risk Management Better management through better measurement

3. threat landscape asset landscape impact landscape controls landscape risk Suggested context: Capability to manage (skills, resources, decision quality…) Sources of Knowledge

4. Risk Management State of Nature State of Knowledge State of Wisdom Evidence level 1 Lists Feeling like we’ve done something Evidence level 2 Simple derived values with ad-hoc modeling Outcomes with ad-hoc deductive selections Evidence level 3 Formal Modeling Decision making constructs Evidence level 4

5. Risk Management State of Nature State of Knowledge State of Wisdom Evidence level 1 Lists Feeling like we’ve done something Evidence level 2 Simple derived values with ad-hoc modeling Outcomes with ad-hoc deductive selections Evidence level 3 Formal Modeling Decision making constructs Evidence level 4

6. EBRM State of Nature State of Knowledge State of Wisdom Evidence level 1 Lists Feeling like we’ve done something Evidence level 2 Simple derived values with ad-hoc modeling Outcomes with ad-hoc deductive selections Evidence level 3 Formal Modeling Decision making constructs Evidence level 4

7. The VERIS Framework

11. What VERIS does … and translates it to this… Event 1 Agent: External (Org crime) Action: Hacking (SQLi) Asset: Server (Web server, Database) Attribute: Integrity Event 2 Agent: External (Org crime) Action: Malware (Keylogger) Asset: Server (Web server) Attribute: Confidentiality Event 3 Agent: External (Org crime) Action: Hacking (Use of stolen creds) Asset: Server, Network (multiple) Attribute: Confidentiality, Integrity Event 4… 1 2 3 4 > > > >

12. What VERIS does … and over time to this…

13. What VERIS does … and enables this… Data-driven decisions

14. What VERIS does … to better achieve this. (and that ’s what it’s all about, right?) Risk & Spending

15. The VERIS community project

17. VERIS Community Data

18. Let’s look at a scenario

19. 2010 Investigative Response Data

20. VERIS Community Data

21. 2010 Investigative Response Data

22. 2008-2010 Investigative Response Data

23. Let’s look at a scenario

24. What controls would be relevant to this scenario?

25. How about another scenario? External Physical Offline Data Confidentiality

26. What controls would be relevant to this scenario?

27. Mapping action types to identified vulnerabilities Hacking -> Exploitation of default or guessable credentials Web Application User with Easily Guessable Admin Password Cisco Devices with Default Credentials Default Oracle Authentication Credentials Easily Guessable Password for "admin" User Guessable Credentials Discovered Microsoft SQL Server Account with Guessable Password

28. Measure distributions of impact

30. A vision of EBRM Metrics

32. Incident Frequency – Executive Dashboard

33. Agent Breakdown (High Level)

34. Action Breakdown (High Level)

35. Asset Breakdown (High Level)

36. Attribute Breakdown (High Level)

37. Incident Impact – Executive Dashboard

38. Impact (High Level)

39. Incident Impact –Impact Values By High Level Determinants

40. Determinant Drill-Down

41. DBIR: www.verizonbusiness.com/databreach VERIS: https://verisframework.wiki.zoho.com/ Blog: securityblog.verizonbusiness.com Email: dbir@verizonbusiness.com