whbaker edited this page May 6, 2015 · 9 revisions

VERIS can be organized into six major sections, each designed to capture a different aspect of the incident narrative. When viewed in aggregate, they give the business a tangible idea of cause and severity. The six sections are:

  • Summary
  • Victim
  • Event
  • Response
  • Impact
  • Plus

For each variable included in the schema, a repeating set of information is given here including suggested text questions, user and developer notes, why we think it's important, etc. VERIS also includes a free-for-all section where organizations can add variables that they want to collect that are not included in the framework.

Summary

View the main article on the summary fields.

This section captures general information about the incident. The main purpose is to allow organizations to identify, store, and retrieve incidents over time.

Victim

View the main article on the victim fields.

The Victim section describes (but does not identify) the organization affected by the incident. The primary purpose is to aid comparisons between different types of organizations (across industries, sizes, regions, etc.) or departments within a single organization. While any number of organizational characteristics could be tracked, those listed below provide an adequate basis for interesting and useful comparisons.

Event

This section translates the incident narrative of “who did what to what (or whom) with what result” into a form more suitable for trending and analysis. To accomplish this, VERIS employs the A4 threat model originally developed by researchers at Verizon. In the A4 model, an incident is viewed as a series of events that adversely affect the information assets of an organization. Every event is composed of the following elements (the 4 A’s), which provide the top-level structure for metrics in this section.

  • Actors: Whose actions affected the asset?
  • Actions: What actions affected the asset?
  • Assets: Which assets were affected?
  • Attributes: How was the asset affected?

Describing the incident is a process of classifying all elements (and sub-elements) for all significant events. It is our position that the 4 A’s represent the minimum information necessary to adequately describe any incident or threat scenario. Furthermore, this structure provides an optimal framework within which to measure frequency, associate controls, link impact, and many other concepts required for risk management.

Actor

View the main article on the actor fields.

Entities that cause or contribute to an incident are referred to as threat actors. There can be more than one actor involved in any particular incident, and their actions can be malicious or non-malicious, intentional or unintentional, causal or contributory. VERIS recognizes three primary categories of threat actors: External, Internal, and Partner. VERIS also has an Unknown actor for cases where the analyst is not able to determine a more appropriate choice.

Action

View the main article on the action fields.

Threat actions describe what the threat actor(s) did to cause or contribute to the incident. Every incident has at least one, but most will comprise multiple actions (and often across multiple categories). VERIS uses 7 primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental.

Asset

View the main article on the asset fields.

Assets are the organization's resources which were affected by the security incident and can include technology, personally-owned devices, paper records, or even people. “Affected” refers to any loss of confidentiality/possession, integrity/authenticity, or availability/utility (the primary security attributes). Naturally, an incident can involve multiple assets and affect multiple attributes of those assets.

Attribute

View the main article on the attribute fields.

Attributes are the qualities, characteristics, and properties of the previously-identified assets that were compromised during the incident. VERIS uses a paired version of the six primary security attributes of confidentiality/possession, integrity/authenticity, availability/utility. An extension of the “C-I-A Triad,” they are commonly called the “Parkerian Hexad,” after their originator, Donn Parker. Multiple attributes can be affected for any one asset and each attribute contains different metrics.
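The 4 A's and the category lists in the Actor, Action, and Attribute sections above lend themselves to a simple structural check before a record is stored or shared. The following is an added example (not VERIS project code): the enumerations come from this page, while the lowercase key names and the sub-fields in the sample records are assumptions chosen for illustration, not the official VERIS JSON schema field names.

```python
from collections import Counter
from typing import Dict, List

# Enumerations as stated on this page; key names are an assumption for this example.
REQUIRED_SECTIONS = ("summary", "victim", "event", "response", "impact")  # "plus" is optional
ACTOR_CATEGORIES = {"External", "Internal", "Partner", "Unknown"}
ACTION_CATEGORIES = {"Malware", "Hacking", "Social", "Misuse", "Physical", "Error", "Environmental"}
ATTRIBUTE_PAIRS = {"Confidentiality/Possession", "Integrity/Authenticity", "Availability/Utility"}
FOUR_AS = ("actor", "action", "asset", "attribute")


def check_event(event: Dict[str, list]) -> List[str]:
    """Return the ways one event fails the 4 A's; an empty list means it is complete."""
    problems = [f"missing {key}" for key in FOUR_AS if not event.get(key)]
    allowed = {"actor": ACTOR_CATEGORIES, "action": ACTION_CATEGORIES, "attribute": ATTRIBUTE_PAIRS}
    for key, valid in allowed.items():
        for value in event.get(key, []):
            if value not in valid:  # asset varieties are free text on this page, so not checked
                problems.append(f"unrecognised {key} {value!r}")
    return problems


def check_incident(incident: dict) -> List[str]:
    """Check the section layout and every event; the 'plus' section is never validated."""
    problems = [f"missing section {s!r}" for s in REQUIRED_SECTIONS if s not in incident]
    events = incident.get("event", [])
    if not events:
        problems.append("no events recorded")
    for i, ev in enumerate(events):
        problems += [f"event {i}: {p}" for p in check_event(ev)]
    return problems


def action_counts(incidents: List[dict]) -> Counter:
    """Tally action categories across all events: the aggregate view the page calls trending."""
    return Counter(a for inc in incidents for ev in inc.get("event", []) for a in ev.get("action", []))


# Constructed sample records (not real incidents); sub-field names are illustrative only.
GOOD = {
    "summary": "Phishing mail delivered malware that exported a customer list.",
    "victim": {"industry": "Retail"},
    "event": [  # two events: the person was deceived, then the laptop leaked data
        {"actor": ["External"], "action": ["Social"], "asset": ["Person"], "attribute": ["Integrity/Authenticity"]},
        {"actor": ["External"], "action": ["Malware"], "asset": ["Laptop"], "attribute": ["Confidentiality/Possession"]},
    ],
    "response": {"discovered_by": "customer"},
    "impact": {"loss_varieties": ["Response and recovery"]},
    "plus": {"internal_ticket": "EXAMPLE-1"},  # free-form; never checked
}
BAD = {"summary": "Lost laptop", "victim": {}, "response": {},
       "event": [{"actor": ["Vendor"], "action": ["Physical"], "asset": ["Laptop"]}]}
```

Running `check_incident(BAD)` reports the missing Impact section, the event's missing attribute, and the non-VERIS actor category "Vendor", while the unrelated contents of `plus` never affect the result.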

Response

View the main article on the response fields.

This section focuses on the timeline of the events, how the incident was discovered, and lessons learned during the response and remediation process. It provides useful insight into the detection and defensive capabilities of the organization and helps identify the corrective actions needed to detect and/or prevent similar incidents in the future.

Impact

View the main article on the impact fields.

One of the more important pieces of information about an incident is the impact it has on the organization. Unfortunately, the true scope and extent of consequences can be difficult to measure, since a wide array of tangible and intangible costs can be involved. With this in mind, VERIS leverages three perspectives of impact in order to provide an understanding and measure of the consequences associated with the incident. Together they seek to 1) categorize the varieties of losses experienced, 2) estimate their magnitude, and 3) capture a qualitative assessment of the overall effect on the organization.

Plus

View the main article on the plus fields.

Organizations may wish to record additional details about a security incident that are not included in the VERIS framework, or fields that they would not want to share with other organizations. The plus section of the VERIS framework is a catch-all where organizations can put whatever they want without fear of invalidating an incident.