[Rtir] Use of the VerIS Framework

Terry MacDonald Terry.MacDonald at telecom.co.nz
Sat May 28 18:58:25 EDT 2011


Hi Ruslan,

The VerIS framework is more a 'methodology' for classifying the types of incidents, their impact, the organisation it happened to, and the mitigations done to remedy the situation and the effectiveness of those. It was created by the Verizon Business team, to attempt to provide a way of better understanding the threats that an organisation faces, thereby helping the business understand where it should target its investment. The VerIS framework is free, and it's used in Verizon's Data Breach Investigations Reports (DBIR): http://www.verizonbusiness.com/databreach

My question was more around if anyone had customised their RTIR installation with any custom fields to add the VerIS incident classification fields and data i.e. something like this:

• Agent
  o Source: External
  o Type: Organized criminal group
  o Origin: Romania

• Action
  o Category: Hacking
  o Type: SQL injection
  o Path: Web application

• Asset
  o System: Database server
  o Data: Personal information

• Attribute
  o Type: Confidentiality

I first learnt about it when reading Richard Bejtlich's Taosecurity blog. I was quite impressed with the comprehensiveness, and after seeing the DBIR report I understood how good metrics can really help in formulating a business plan to upper management, and to help target your upcoming budget.

Regards

Terry MacDonald


________________________________________
From: ruslan.zakirov at gmail.com [ruslan.zakirov at gmail.com] On Behalf Of Ruslan Zakirov [ruz at bestpractical.com]
Sent: Saturday, 28 May 2011 1:51 a.m.
To: Terry MacDonald
Cc: rtir at lists.bestpractical.com
Subject: Re: [Rtir] Use of the VerIS Framework

Hi,

I don't know about any extensions for integrating RTIR with VerIS. As
far as I can see the only integration possible is to push data out of
RT/RTIR/AT into VerIS. It totally depends on VerIS capabilities to
import information.

Also, RTIR has workflow, but still it is quite flexible to quickly
bring generic enough integration that will work for many
installations, so it's better to start from some production case, but
we don't have any.

On Fri, May 27, 2011 at 8:11 AM, Terry MacDonald
<Terry.MacDonald at telecom.co.nz> wrote:
> Hi All,
>
> Just wondering if anyone has integrated the VerIS framework into RTIR
> (https://verisframework.wiki.zoho.com/) ? We’ve just installed a new RTIR
> install, and use the VerIS framework for classification of incidents.
> Wondering if anyone else has attempted it, and how difficult it was. I can’t
> find any VerIS framework extensions anywhere…
>
> Cheers
> Terry


--
Best regards, Ruslan.
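
An added example, not part of the original thread and not RTIR or VerIS code: one way to push classification data out of RTIR tickets, assuming the fields listed in Terry's message exist as ticket custom fields. The custom-field names ("VerIS Agent Source" and so on), the function names and the sample tickets are hypothetical.

```python
from collections import Counter

# Hypothetical RTIR custom-field names follow "VerIS <Section> <Field>",
# using only the sections and fields listed in the message above.
SCHEMA = {
    "Agent": ("Source", "Type", "Origin"),
    "Action": ("Category", "Type", "Path"),
    "Asset": ("System", "Data"),
    "Attribute": ("Type",),
}

def to_veris(custom_fields):
    """Group a ticket's flat custom-field values into the nested layout.

    Returns (record, missing). 'missing' lists fields with no value, so a
    partly classified incident is reported instead of silently counted.
    """
    record, missing = {}, []
    for section, fields in SCHEMA.items():
        for field in fields:
            name = f"VerIS {section} {field}"
            value = (custom_fields.get(name) or "").strip()
            if value:
                record.setdefault(section, {})[field] = value
            else:
                missing.append(name)
    return record, missing

def tally(records, section, field):
    """Count incidents per value of one classification field."""
    return Counter(r[section][field] for r in records if field in r.get(section, {}))

# Constructed sample tickets (not real incident data).
TICKETS = [
    {"VerIS Agent Source": "External", "VerIS Agent Type": "Organized criminal group",
     "VerIS Agent Origin": "Romania", "VerIS Action Category": "Hacking",
     "VerIS Action Type": "SQL injection", "VerIS Action Path": "Web application",
     "VerIS Asset System": "Database server", "VerIS Asset Data": "Personal information",
     "VerIS Attribute Type": "Confidentiality"},
    {"VerIS Agent Source": "External", "VerIS Action Category": "Hacking",
     "VerIS Action Type": " ", "VerIS Asset System": "Database server"},
]

if __name__ == "__main__":
    converted = [to_veris(t) for t in TICKETS]
    for record, missing in converted:
        print(record, "missing:", missing)
    print(tally([r for r, _ in converted], "Action", "Category"))
```

The second sample ticket is deliberately incomplete, showing how unclassified fields surface in `missing` before any metrics are counted.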

