+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is the VERIS framework?

VERIS is a framework to record and categorise security incidents – making it easier to record and later report on a single incident or track trends over time.

VERIS is the Vocabulary for Event Recording and Information Sharing. VERIS is designed around a four part model that can describe any incident: someone (the Actor) does something (the Action) to a thing (the Asset) and as a result the thing is affected (the Attribute).

Peter Drucker famously said that: what gets measured gets managed; and the opposite is true: if you don’t measure it, you can’t manage it.  VERIS provides a means to record and measure security incidents more easily and efficiently.  If security incidents are not being recorded in a central repository it is hard to imagine how the security of an organisation can be effectively managed.

Why it is hard to record Security Incidents

Security Incidents (that is anything that happens which impacts the Confidentiality, Integrity or Availability of your information – whether or not it succeeds) happen all the time in a myriad of different ways.

Here are four simple examples:

  1. On your web application an attacker attempts to perform an SQL Injection against a text input field at 1am.
  2. In your customer services team, a team member opens an email attachment from a client which is loaded with malware at 11am.
  3. In the finance team a phone call is received by Bob from someone attempting to socially engineer access to the accounts system at 10:30am.
  4. On the database server the security audit log records that someone used the root user account at 3pm

How can these varied incidents be logged effectively and responded to – both to ensure effective security response and demonstrate compliance with any frameworks and standards the organisation subscribes to. (For example PCI-DSS requirement 12.5)

Example 1 – the SQL injection attack is detected by the Web Application Firewall and logged appropriately in its application logs.  The SIEM environment ensures those logs are copied to the central repository and relevant alerts escalated automatically to support staff.

Example 2 – the anti-virus software on the PC detects the malware and blocks it. Again, the logs are collected by the SIEM system for later analysis.

Example 4 – the security logs on the server are monitored and the use of the restricted user account (root) causes an alert to be raised which again the SIEM collates for central review.

How about the third example – the phone call into the finance team? Bob may tell his supervisor, or he may mutter about scammers and go to get some coffee and think nothing more of it.  Perhaps Bob pings an email to the IT helpdesk to record what has happened, and since nothing is broken the IT Helpdesk closes the ticket.

If only there was an easy way for Bob to report what had happened in a structured way that captures detail about the incident and later enables reports to be run.  Then, in our example, the CISO could realise that there have been 12 attempts in the last two weeks to obtain access to finance systems through social engineering across five different branch offices.  Perhaps the business is being targeted.

The VERIS framework provides a means to record security incidents in a structed and consistent way allowing both human-human and technological attacks to be recorded into the same database and then analysed.  It is also helpful to have the ability to record failed attacks (a Near Miss in VERIS terminology) as the number of Near Misses is an indicator of the threat level against the organisation.

What does a VERIS report look like?

At the simplest level, a minimal VERIS record contains the following:

VERIS Field Value
Timeline.incident.year 2020
schema_version 1.3.1
incident_id 1
security_incident Confirmed
discovery_method Unknown
action Unknown
asset Unknown
actor Unknown
attribute Unknown

 

So we have a Date, (a VERIS version number), a unique record identifier, Confirmation that an security incident occurred, and then declaring that nothing else is known about what happened.  Most fields in the VERIS schema are optional, only needing to be included if relevant to the incident in question.

In reality you are going to know a lot more than this.  To use the example of Bob’s social engineering attack we know the following:

VERIS Field Value
Timeline.incident.year 2020
Timeline.incident.month 07
Timeline.incident.day 20
schema_version 1.3.1
incident_id 2020-07-20-00008
security_incident Near Miss
summary Caller impersonated IT support team asking for password to access Finance system remotely
discovery_method Int – reported by user
discovery_notes Bob received a suspicious call from an external actor then Bob hung up
action.social True
action.social.variety Pretexting
action.social.vector Phone
action.social.target Finance
action.social.notes Caller had Australian accent
asset.variety S – Web application
actor.external True
attribute.confidentiality.
data_disclosure
No

 

What are the benefits of adopting VERIS?

Since security incidents have to be reported and recorded somehow, using an existing proven framework rather than reinventing the wheel is going to be quicker and more reliable.  For organisations with multiple IT system or different operating units, adopting a well documented framework such as VERIS makes is much simpler to aggregate reports at the corporate level.

One of the design goals for the VERIS framework was to provide a means for organisations to anonymously share incident information to allow cross-industry reporting and analysis of security incidents.  The Verizon Data Breach Incident Report is one such example that benefits for VERIS recording. For organisations that want to engage in information sharing, VERIS make that much easier.

VERIS is a framework not a standard, and each organisation can adapt it to meet their own needs.  Perhaps its greatest benefit is to provide a standard vocabulary to describe the human involvement in security incidents which makes it easier to capture and record those incidents and near misses.

For organisations looking to update (or create) their security incident reporting mechanisms, the VERIS framework could save time and enhance the quality of information captured for each incident.

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.