Use of the VerIS Framework

Hi All,

Just wondering if anyone has integrated the VerIS framework into RTIR (https://verisframework.wiki.zoho.com/) ? We’ve just installed a new RTIR install, and use the VerIS framework for classification of incidents. Wondering if anyone else has attempted it, and how difficult it was. I can’t find any VerIS framework extensions anywhere…

Cheers

Terry

Hi,

I don’t know about any extensions for integrating RTIR with VerIS. As
far as I can see the only integration possible is to push data out of
RT/RTIR/AT into VerIS. It totally depends on VerIS capabilities to
import information.

Also, RTIR has workflow, but still it is quite flexible to quickly
bring generic enough integration that will work for many
installations, so it’s better to start from some production case, but
we don’t have any.

On Fri, May 27, 2011 at 8:11 AM, Terry MacDonald Terry.MacDonald@telecom.co.nz wrote:

Hi All,

Just wondering if anyone has integrated the VerIS framework into RTIR
(https://verisframework.wiki.zoho.com/) ? We’ve just installed a new RTIR
install, and use the VerIS framework for classification of incidents.
Wondering if anyone else has attempted it, and how difficult it was. I can’t
find any VerIS framework extensions anywhere…

Cheers
Terry

Best regards, Ruslan.

Hi Ruslan,

The VerIS framework is more a ‘methodology’ for classifying the types of incidents, their impact, the organisation it happened to, and the mitigations done to remedy the situation and the effectiveness of those. It was created by the Verizon Business team, to attempt to provide a way of better understanding the threats that an organisation faces, thereby helping the business understand where it should target its investment. The VerIS framework is free, and it’s used in Verizon’s Data Breach Investigations Reports (DBIR): http://www.verizonbusiness.com/databreach

My question was more around if anyone had customised their RTIR installation with any custom fields to add the VerIS incident classification fields and data i.e. something like this:

• Agent
    o Source: External
    o Type: Organized criminal group
    o Origin: Romania

• Action
    o Category: Hacking
    o Type: SQL injection
    o Path: Web application

• Asset
    o System: Database server
    o Data: Personal information

• Attribute
    o Type: Confidentiality

I first learnt about it when reading Richard Bejtlich’s TaoSecurity blog. I was quite impressed with the comprehensiveness, and after seeing the DBIR report I understood how good metrics can really help in formulating a business plan to upper management, and to help target your upcoming budget.

Regards

Terry MacDonald

From: ruslan.zakirov@gmail.com [ruslan.zakirov@gmail.com] On Behalf Of Ruslan Zakirov [ruz@bestpractical.com]
Sent: Saturday, 28 May 2011 1:51 a.m.
To: Terry MacDonald
Cc: rtir@lists.bestpractical.com
Subject: Re: [Rtir] Use of the VerIS Framework

Hi,

I don’t know about any extensions for integrating RTIR with VerIS. As
far as I can see the only integration possible is to push data out of
RT/RTIR/AT into VerIS. It totally depends on VerIS capabilities to
import information.

Also, RTIR has workflow, but still it is quite flexible to quickly
bring generic enough integration that will work for many
installations, so it’s better to start from some production case, but
we don’t have any.