Understanding Asset Risk Via Vulnerability Prioritization

Post on 17-Aug-2015

TRANSCRIPT

  1. UNDERSTANDING ASSET RISK VIA VULNERABILITY PRIORITIZATION
  2. LAW 1: SECURITY IS A DATA PROBLEM
  3. FLAW 1: DATA FUNDAMENTALISM
  4. FLAW 2: STOCHASTIC IGNORANCE
  5. ATTACKERS CHANGE TACTICS DAILY
  6. DATA-DRIVEN SECURITY REAL-TIME
  7. TODO 1: CORRELATE AND CLEAN
  8. TODO 2: FIND GROUND TRUTH
     1. Breaches: Alienvault, Dell, Internal (Snort)
     2. Exploits: EDB, MSP, EKITS, Symantec, Internal (Scraper)
     3. Global Attack: SixScan, ISC, Dell, CarbonBlack, iSight, ThreatStream, PaloAlto, FireEye, Imperva, Norse
     4. Local Attack: Snort
     5. Zero Days: iDefense, ExodusIntel
     6. Trends: Internal, Internal (Attack Velocity), BitSight
     7. Impact: DBIR, NetDiligence, Config (Qualys)
  9. TODO 3: RELATE TYPES OF RISK
  10. It is a capital mistake to theorize before one has data. Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.
  11. I Love It When You Call Me Big Data: 150,000,000 Live Vulnerabilities; 1,500,000 Assets; 2,000 Organizations
  12. I Love It When You Call Me Big Data: 200,000,000 BREACHES
  13. Baseline Allthethings: Probability (You Will Be Breached On A Particular Open Vulnerability)? = (Open Vulnerabilities | Breaches Occurred On Their CVE) / (Total Open Vulnerabilities) = 6%
  14. Probability A Vuln Having Property X Has Observed Breaches [Figure: Breach Probability (%) versus CVSS Base]
  15. Probability A Vuln Having Property X Has Observed Breaches [Figure: Breach Probability (%) for CVSS 10, EDB, MSP, EDB+MSP]
  16. Not So Secret Sauce: CVSS Base; Normalize Base Score; Metasploit? ExploitDB?; Exploit Source 3, 4, 5, 6...N?; Active Breach Velocity; Asset Internal/External?; Vulnerability Trending?; Zero Days?; Risk Meter Score
  17. Positive Predictive Value as a Function of Score Cutoff [Figure: Positive Predictive Value versus Score; series: CVSS Base, CVSS Temporal, Risk Meter]
  18. NORMAL DISTRIBUTIONS RULE EVERYTHING AROUND ME
  19. BREACH SIZE BY RECORDS LOST: P(Breach involves X records) = X^-1.31
  20. BREACH FREQUENCY BY CVE TYPE: P(CVE has breach volume X) = X^-1.5
  21. DEALING WITH FAT TAILS
  22. ASSET RISK MODEL
  23. APPLES TO APPLES, RISKS TO RISKS
  24. MODEL DATA ASSET RISK QUESTIONS: VULN PRIORITY QUESTIONS: How do we model risk? Does topology matter? How good is our current model? What data do we need about exploits? What data do we need about live vulns? How good is your asset inventory?
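
The baseline on slide 13 and the per-property breach probabilities on slides 14, 15 and 17 are the same ratio taken over different subsets of open vulnerabilities. The following is an added example, not part of the original deck, that computes them over a constructed sample; the records, field names and function names are assumptions.

```python
from collections import namedtuple
from fractions import Fraction

# One open vulnerability: CVSS base score, presence in ExploitDB (edb) and
# Metasploit (msp), and whether breaches were observed on its CVE.
Vuln = namedtuple("Vuln", "cvss edb msp breached")

# Constructed sample records (not data from the slides).
VULNS = [
    Vuln(10.0, True, True, True), Vuln(9.3, True, True, True),
    Vuln(9.3, True, False, False), Vuln(7.5, True, True, False),
    Vuln(7.5, False, False, False), Vuln(7.5, True, False, True),
    Vuln(6.8, False, False, False), Vuln(5.0, False, True, True),
    Vuln(5.0, False, False, False), Vuln(4.3, True, False, False),
    Vuln(4.3, False, False, False), Vuln(2.1, False, False, False),
]


def breach_probability(vulns, has_property=lambda v: True):
    """(open vulns with property X and breaches on their CVE) / (open vulns with X).

    With the default predicate this is the slide-13 baseline over all open vulns.
    Returns None when no vulnerability has the property (ratio undefined).
    """
    selected = [v for v in vulns if has_property(v)]
    if not selected:
        return None
    return Fraction(sum(v.breached for v in selected), len(selected))


def ppv_by_cutoff(vulns, cutoffs):
    """Positive predictive value of the rule 'remediate if CVSS >= cutoff'."""
    return {c: breach_probability(vulns, lambda v, c=c: v.cvss >= c)
            for c in cutoffs}


if __name__ == "__main__":
    print("baseline      ", float(breach_probability(VULNS)))
    properties = {
        "EDB": lambda v: v.edb,
        "MSP": lambda v: v.msp,
        "EDB+MSP": lambda v: v.edb and v.msp,
    }
    for name, pred in properties.items():
        print(f"{name:14}", float(breach_probability(VULNS, pred)))
    for cutoff, ppv in ppv_by_cutoff(VULNS, [0, 5, 7, 9, 10]).items():
        print(f"CVSS >= {cutoff:<6}", float(ppv))
```

A score is a useful prioritization signal only where its probability at a given cutoff sits clearly above the baseline.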
