VERIS is a framework to record and categorise security incidents – making it easier to record and later report on a single incident or track trends over time.
VERIS is the Vocabulary for Event Recording and Information Sharing. VERIS is designed around a four part model that can describe any incident: someone (the Actor) does something (the Action) to a thing (the Asset) and as a result the thing is affected (the Attribute).
Peter Drucker famously said that: what gets measured gets managed; and the opposite is true: if you don’t measure it, you can’t manage it. VERIS provides a means to record and measure security incidents more easily and efficiently. If security incidents are not being recorded in a central repository it is hard to imagine how the security of an organisation can be effectively managed.
Why it is hard to record Security Incidents
Security Incidents (that is anything that happens which impacts the Confidentiality, Integrity or Availability of your information – whether or not it succeeds) happen all the time in a myriad of different ways.
Here are four simple examples:
- On your web application an attacker attempts to perform an SQL Injection against a text input field at 1am.
- In your customer services team, a team member opens an email attachment from a client which is loaded with malware at 11am.
- In the finance team a phone call is received by Bob from someone attempting to socially engineer access to the accounts system at 10:30am.
- On the database server the security audit log records that someone used the root user account at 3pm.
How can these varied incidents be logged effectively and responded to, both to ensure an effective security response and to demonstrate compliance with any frameworks and standards the organisation subscribes to (for example PCI-DSS requirement 12.5)?
Example 1 – the SQL injection attack is detected by the Web Application Firewall and logged appropriately in its application logs. The SIEM environment ensures those logs are copied to the central repository and relevant alerts escalated automatically to support staff.
Example 2 – the anti-virus software on the PC detects the malware and blocks it. Again, the logs are collected by the SIEM system for later analysis.
Example 4 – the security logs on the server are monitored and the use of the restricted user account (root) causes an alert to be raised which again the SIEM collates for central review.
How about the third example – the phone call into the finance team? Bob may tell his supervisor, or he may mutter about scammers and go to get some coffee and think nothing more of it. Perhaps Bob pings an email to the IT helpdesk to record what has happened, and since nothing is broken the IT Helpdesk closes the ticket.
If only there was an easy way for Bob to report what had happened in a structured way that captures detail about the incident and later enables reports to be run. Then, in our example, the CISO could realise that there have been 12 attempts in the last two weeks to obtain access to finance systems through social engineering across five different branch offices. Perhaps the business is being targeted.
The VERIS framework provides a means to record security incidents in a structured and consistent way, allowing both human-to-human and technological attacks to be recorded in the same database and then analysed. It is also helpful to have the ability to record failed attacks (a Near Miss in VERIS terminology), as the number of Near Misses is an indicator of the threat level against the organisation.
What does a VERIS report look like?
At the simplest level, a minimal VERIS record contains the following:
| VERIS Field | Value |
|---|---|
| Timeline.incident.year | 2020 |
| schema_version | 1.3.1 |
| incident_id | 1 |
| security_incident | Confirmed |
| discovery_method | Unknown |
| action | Unknown |
| asset | Unknown |
| actor | Unknown |
| attribute | Unknown |
So we have a date, a VERIS schema version number, a unique record identifier, confirmation that a security incident occurred, and a declaration that nothing else is known about what happened. Most fields in the VERIS schema are optional, only needing to be included if relevant to the incident in question.
In reality you are going to know a lot more than this. To use the example of Bob’s social engineering attack we know the following:
| VERIS Field | Value |
|---|---|
| Timeline.incident.year | 2020 |
| Timeline.incident.month | 07 |
| Timeline.incident.day | 20 |
| schema_version | 1.3.1 |
| incident_id | 2020-07-20-00008 |
| security_incident | Near Miss |
| summary | Caller impersonated IT support team asking for password to access Finance system remotely |
| discovery_method | Int – reported by user |
| discovery_notes | Bob received a suspicious call from an external actor then Bob hung up |
| action.social | True |
| action.social.variety | Pretexting |
| action.social.vector | Phone |
| action.social.target | Finance |
| action.social.notes | Caller had Australian accent |
| asset.variety | S – Web application |
| actor.external | True |
| attribute.confidentiality.data_disclosure | No |
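As an added example (not code from the original post or from the VERIS project), the following turns the dotted rows above into the nested record VERIS stores as JSON, checks that the required fields and all four A's are present, and answers the CISO's question from earlier in the text by counting near-miss social engineering attempts per targeted team. The field paths follow the page's tables; whether each matches the official VERIS JSON schema exactly is an assumption.

```python
from collections import Counter

# Constructed sample: the rows of the page's second table for Bob's near miss as
# (dotted VERIS field, value) pairs. The "action.social | True" flag row is
# implied by the nested object, so it is omitted. Whether every path matches
# the official VERIS JSON schema exactly is an assumption here.
BOB_NEAR_MISS = [
    ("timeline.incident.year", 2020),
    ("timeline.incident.month", 7),
    ("timeline.incident.day", 20),
    ("schema_version", "1.3.1"),
    ("incident_id", "2020-07-20-00008"),
    ("security_incident", "Near Miss"),
    ("action.social.variety", "Pretexting"),
    ("action.social.vector", "Phone"),
    ("action.social.target", "Finance"),
    ("asset.variety", "S - Web application"),
    ("actor.external", True),
    ("attribute.confidentiality.data_disclosure", "No"),
]
REQUIRED = ("incident_id", "schema_version", "security_incident", "timeline")
FOUR_AS = ("actor", "action", "asset", "attribute")

def build_record(rows):
    """Turn dotted field/value pairs into the nested dict VERIS stores as JSON."""
    record = {}
    for path, value in rows:
        *parents, leaf = path.split(".")
        node = record
        for key in parents:
            node = node.setdefault(key, {})
        node[leaf] = value
    return record

def validate(record):
    """List what a minimal record lacks: the required fields and each of the
    four A's (the page's minimal record fills the A's with 'Unknown')."""
    problems = [f"missing {f}" for f in REQUIRED if f not in record]
    return problems + [f"missing {a}" for a in FOUR_AS if a not in record]

def social_near_misses_by_target(records):
    """The CISO's question from the text: near-miss social engineering
    attempts per targeted team across the stored records."""
    counts = Counter()
    for rec in records:
        social = rec.get("action", {}).get("social")
        if social and rec.get("security_incident") == "Near Miss":
            counts[social.get("target", "Unknown")] += 1
    return dict(counts)
```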
What are the benefits of adopting VERIS?
Since security incidents have to be reported and recorded somehow, using an existing proven framework rather than reinventing the wheel is going to be quicker and more reliable. For organisations with multiple IT systems or different operating units, adopting a well documented framework such as VERIS makes it much simpler to aggregate reports at the corporate level.
One of the design goals for the VERIS framework was to provide a means for organisations to anonymously share incident information to allow cross-industry reporting and analysis of security incidents. The Verizon Data Breach Incident Report is one such example that benefits from VERIS recording. For organisations that want to engage in information sharing, VERIS makes that much easier.
VERIS is a framework not a standard, and each organisation can adapt it to meet their own needs. Perhaps its greatest benefit is to provide a standard vocabulary to describe the human involvement in security incidents which makes it easier to capture and record those incidents and near misses.
For organisations looking to update (or create) their security incident reporting mechanisms, the VERIS framework could save time and enhance the quality of information captured for each incident.