Understanding Asset Risk Via Vulnerability Prioritization

Upload: kenna

Post on 17-Aug-2015


TRANSCRIPT

UNDERSTANDING

ASSET RISK VIA

VULNERABILITY PRIORITIZATION

Understanding Asset Risk Via Vulnerability Prioritization

LAW 1

SECURITY IS A DATA PROBLEM

FLAW 1: DATA FUNDAMENTALISM

FLAW 2: STOCHASTIC IGNORANCE

ATTACKERS CHANGE TACTICS DAILY

DATA-DRIVEN SECURITY

REAL-TIME

TODO 1: CORRELATE AND CLEAN

TODO 2: FIND GROUND TRUTH

1. Breaches: Alienvault, Dell, Internal (Snort)

2. Exploits: EDB, MSP, EKITS, Symantec, Internal (Scraper)

3. Global Attack: SixScan, ISC, Dell, CarbonBlack, iSight, ThreatStream, PaloAlto, FireEye, Imperva, Norse

4. Local Attack: Snort

5. Zero Days: iDefense, ExodusIntel

6. Trends: Internal, Internal (Attack Velocity), BitSight

7. Impact: DBIR, NetDiligence, Config (Qualys)

TODO 3: RELATE TYPES OF RISK

“It is a capital mistake to theorize before one has data.

Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”

I Love It When You Call Me Big Data

150,000,000 Live Vulnerabilities

1,500,000 Assets

2,000 Organizations

I Love It When You Call Me Big Data

200,000,000 BREACHES

Baseline All the Things

Probability (You Will Be Breached On A Particular Open Vulnerability)?

= (Open Vulnerabilities | Breaches Occurred On Their CVE) / (Total Open Vulnerabilities)

6%

Probability A Vuln Having Property X Has Observed Breaches

[Chart: Breach Probability (%) on the y-axis (0 to 12) against CVSS Base score on the x-axis (0 to 10)]

Probability A Vuln Having Property X Has Observed Breaches

[Chart: Breach Probability (%) on the y-axis (0 to 40) for the properties CVSS*10, EDB, MSP and EDB+MSP]

Not So Secret Sauce

Inputs feeding the Risk Meter Score:

• CVSS Base, Normalize Base Score

• Metasploit? ExploitDB? Exploit Source 3,4,5,6...N?

• Active Breach Velocity

• Asset Internal/External?

• Vulnerability Trending?

• Zero Days?

Risk Meter Score

Positive Predictive Value as a Function of Score Cutoff

[Chart: Positive Predictive Value on the y-axis (0 to 40) against Score cutoff on the x-axis (0 to 10), with series CVSS Base, CVSS Temporal and Risk Meter]
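As an added worked example (not code from the deck or from Kenna), the three measurements the slides above define, computed over a constructed inventory: the baseline breach probability, the conditional breach probability given a property such as an ExploitDB or Metasploit entry, and positive predictive value as a function of score cutoff. The `toy_risk_meter` is a hypothetical stand-in for the Risk Meter, whose actual formula the deck does not give.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Vuln:
    cve: str         # placeholder label, not a real CVE id
    cvss: float      # CVSS base score, 0-10
    edb: bool        # public exploit listed in ExploitDB
    msp: bool        # Metasploit module available
    breached: bool   # a breach was observed on this CVE (ground truth)

# Constructed sample inventory; the deck's real data is not reproduced here.
VULNS: List[Vuln] = [
    Vuln("VULN-A", 10.0, True,  True,  True),
    Vuln("VULN-B",  9.3, True,  False, True),
    Vuln("VULN-C",  7.5, False, False, False),
    Vuln("VULN-D",  5.0, False, False, False),
    Vuln("VULN-E",  9.8, False, False, False),
    Vuln("VULN-F",  4.3, False, False, False),
    Vuln("VULN-G",  6.8, True,  True,  True),
    Vuln("VULN-H", 10.0, False, True,  True),
    Vuln("VULN-I",  2.1, False, False, False),
    Vuln("VULN-J",  7.2, False, False, False),
    Vuln("VULN-K",  5.5, True,  False, False),
    Vuln("VULN-L",  6.0, False, True,  False),
]

def baseline_breach_probability(vulns: List[Vuln]) -> float:
    """Deck baseline: open vulns whose CVE had observed breaches / total open vulns."""
    return sum(v.breached for v in vulns) / len(vulns)

def conditional_breach_probability(vulns: List[Vuln], has_property: Callable[[Vuln], bool]) -> Optional[float]:
    """P(observed breach | vuln has property X); None when no vuln has X."""
    subset = [v for v in vulns if has_property(v)]
    return sum(v.breached for v in subset) / len(subset) if subset else None

def positive_predictive_value(vulns: List[Vuln], score: Callable[[Vuln], float], cutoff: float) -> Optional[float]:
    """Among vulns scored >= cutoff, the share actually breached (PPV at that cutoff)."""
    flagged = [v for v in vulns if score(v) >= cutoff]
    return sum(v.breached for v in flagged) / len(flagged) if flagged else None

def toy_risk_meter(v: Vuln) -> float:
    """Hypothetical stand-in for the deck's Risk Meter (its real formula is not given):
    CVSS base plus a fixed bonus per exploit source, capped at 10."""
    return min(10.0, v.cvss + 3.0 * v.edb + 3.0 * v.msp)
```

Sweeping `positive_predictive_value` over cutoffs 0 to 10 for `lambda v: v.cvss` and for `toy_risk_meter` reproduces the shape of the PPV-versus-cutoff comparison in the chart above.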

NORMAL DISTRIBUTIONS RULE EVERYTHING AROUND ME

BREACH SIZE BY RECORDS LOST

P(Breach involves X records) = X^-1.31

BREACH FREQUENCY BY CVE TYPE

P(CVE has breach volume X) = X^-1.5

DEALING WITH FAT TAILS

ASSET RISK MODEL

APPLES TO APPLES, RISKS TO RISKS

MODEL DATA

ASSET RISK QUESTIONS:

VULN PRIORITY QUESTIONS:

How do we model risk?

Does topology matter?

How good is our current model?

What data do we need about exploits? What data do we need about live vulns?

How good is your asset inventory?