A Moneyball Approach to Security Intelligence
http://[email protected]
About Me
• Former CISO Orbitz
• CoFounder Risk I/O
• Contributing Author: Beautiful Security
• CSO Magazine/Online Writer
• InfoSec Island Blogger
About Risk I/O
• Data-Driven Vulnerability Intelligence Platform
• DataWeek 2012 Top Security Innovator
• 3 Startups to Watch - Information Week
• 16 Hot Startups - eWeek
Nice to Meet You
Stage 1: Ignorance is Bliss
Stage 2: Where are all of my vulnerabilities?
“Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.”
Jeremiah Grossman, Founder, WhiteHat Security
Stage 3: Scan & Dump
Enter the Age of the Automated Scanner...
Why This Occurs
Lack of Visibility
Lack of Communication
Lack of Coordination
Silos, Silos, Everywhere
“vulnerability prioritization for remediation presents THE critical problem” -Anton Chuvakin, Gartner Research Director
“Finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part” -Diana Kelley, Dark Reading
“Businesses may be able to measure their performance through objective metrics such as sales growth, production efficiency or customer preference, but information security management too often boils down to a reaction to recent events or the well-known trio of fear, uncertainty and doubt.” -Scott Crawford, EMA Associates
“Unless you work in a company that has unlimited resources and you have absolute support at all levels for remediating the vulnerabilities in your environment, you MUST prioritize the issues that cause the most risk to your IT environment.” -Clay Keller, Wal-Mart InfoSec
“With the enormous amounts of data available, mining it — regardless of its source — and turning it into actionable information is really a strategic necessity, especially in the world of security.” -Chris Hoff, Juniper Networks
IT Security Is Buried in Noise
Sabermetrics for InfoSec?
Example Use Case 1
HD Moore’s Law - Josh Corman
aka Security Mendoza Line
“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”
Example Use Case 2
Predicting Vulnerability (or even breach)
Key Attributes
Trending
Outcomes
Example Use Case 3
CVE Trending Analysis
Example Use Case 4
Gunnar’s Debt Clock
My (vuln posture X threat activity) / (other vuln posture X other threat activity)
Targets of Opportunity?
Data aggregation is necessary for everything we do
Table Stakes
Correlation, Normalization, De-Duplication
Full risk views down the entire technology stack
That’s So Meta
Assembly Line Workflow
Putting The Robots To Work
Bulk Ticketing & Bug Tracking Integration
Automated ReTesting
API “All The Things”
How do I know where to deploy my resources?
Web Scale Visibility
What matters when prioritizing remediation?
What does the threat landscape look like outside of my 4 walls?
How do I compare to peers?
VA Products
• Dynamic Application
• Network & Host
• Static Analysis
Manual Assessments
Remediation
• Trouble Ticketing
• Bug Tracking
• Configuration Management
• Patch Management
Integrating Disparate Solutions
Network Vulnerability Scanners
Database Vulnerability Scanners
Internal Remediation Systems
Static Analysis Tools
Application Vulnerability Scanners
Pentesters / Professional Services
RiskDB
Centralizing the Data
• Predefined and Custom Security Metrics
• Filter by Hundreds of Attributes and Metadata
• Real-World Vulnerability Trending
• Custom Fields
• Full Featured RESTful API
AutoFlagging based on “in the wild” Attack Traffic
Benchmarking Across Industries
Predictive Analytics & Machine Learning
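The "Table Stakes" slide (correlation, normalization, de-duplication) and the "AutoFlagging based on in-the-wild attack traffic" point above describe a pipeline without showing one. The script below is an added illustration, not Risk I/O's code or algorithm: it normalizes two constructed scanner exports with different schemas, de-duplicates on (asset, CVE), then flags and ranks findings against a constructed threat feed. The scanner field names, the severity-to-score mapping, the priority weighting and the CVE identifiers (CVE-2099-xxxx placeholders) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Assumed mapping from Scanner A's severity words to a CVSS-like score.
SEVERITY_TO_SCORE = {"Critical": 9.5, "High": 7.5, "Medium": 5.0, "Low": 2.5}

# Constructed scanner exports. Scanner A puts CVEs in a free-text field and
# reports a severity word; Scanner B reports a CVE list and a numeric CVSS.
# CVE ids are placeholders, not real advisories.
SCANNER_A = [
    {"host": "10.0.0.5", "plugin": "App framework RCE (placeholder)", "cves": "CVE-2099-0001", "sev": "Critical"},
    {"host": "10.0.0.5", "plugin": "TLS library bug (placeholder)", "cves": "CVE-2099-0002, CVE-2099-0003", "sev": "High"},
    {"host": "10.0.0.9", "plugin": "Legacy SSL (placeholder)", "cves": "CVE-2099-0004", "sev": "Medium"},
]
SCANNER_B = [
    {"asset": "web01", "ip": "10.0.0.5", "cve_ids": ["CVE-2099-0001"], "cvss": 10.0},
    {"asset": "web01", "ip": "10.0.0.5", "cve_ids": ["CVE-2099-0005"], "cvss": 4.3},
]

# Constructed "in the wild" feed: is a public exploit module available, and how
# many attack events against this CVE were observed recently?
THREAT_FEED = {
    "CVE-2099-0001": {"exploit_public": True, "attacks_seen": 120},
    "CVE-2099-0004": {"exploit_public": True, "attacks_seen": 0},
}


@dataclass
class Finding:
    asset: str                      # normalized asset key (IP address)
    cve: str
    score: float                    # highest CVSS-like score any scanner reported
    sources: set = field(default_factory=set)
    exploit_public: bool = False
    attacks_seen: int = 0

    @property
    def priority(self) -> float:
        # Assumed weighting: a public exploit doubles the score (the "HD Moore's
        # Law" idea), and observed attack traffic adds up to 10 more points.
        weight = 2.0 if self.exploit_public else 1.0
        return self.score * weight + min(self.attacks_seen, 100) / 10.0


def normalize_a(row):
    """Scanner A row -> (asset, cve, score, origin) tuples, one per CVE."""
    for cve in CVE_RE.findall(row["cves"]):
        yield row["host"], cve, SEVERITY_TO_SCORE.get(row["sev"], 0.0), "scanner_a"


def normalize_b(row):
    """Scanner B row -> (asset, cve, score, origin) tuples, keyed by IP."""
    for cve in row["cve_ids"]:
        yield row["ip"], cve, float(row["cvss"]), "scanner_b"


def aggregate(sources):
    """Correlate and de-duplicate on (asset, CVE); keep the worst score seen
    and remember which scanners reported it."""
    merged = {}
    for normalizer, rows in sources:
        for asset, cve, score, origin in (r for row in rows for r in normalizer(row)):
            f = merged.setdefault((asset, cve), Finding(asset, cve, score))
            f.score = max(f.score, score)
            f.sources.add(origin)
    return merged


def prioritize(merged, feed):
    """Auto-flag findings with in-the-wild activity and rank them by priority."""
    for f in merged.values():
        intel = feed.get(f.cve, {})
        f.exploit_public = intel.get("exploit_public", False)
        f.attacks_seen = intel.get("attacks_seen", 0)
    return sorted(merged.values(), key=lambda f: f.priority, reverse=True)


if __name__ == "__main__":
    merged = aggregate([(normalize_a, SCANNER_A), (normalize_b, SCANNER_B)])
    for f in prioritize(merged, THREAT_FEED):
        print(f"{f.priority:5.1f} {f.asset:10} {f.cve} exploit={f.exploit_public} "
              f"attacks={f.attacks_seen} from={sorted(f.sources)}")
```

Six raw CVE rows collapse to five unique (asset, CVE) findings; the one CVE both scanners report is merged once with the higher score and both origins recorded, and the finding with a public exploit and live attack traffic ranks first even though Scanner A's severity word alone would have tied it with others. Swapping the constructed feed for real attack telemetry is where the "outside my 4 walls" data enters the ranking.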
Security && Ops NOT || Ops
Your Data, Your Way
Three Distinct Values
Vulnerability Scanners
Static & Binary Analysis
Ticketing / Bug Tracking
IPS / WAF
SIEM
External Data
Network Mapping
RiskDB
Faceted Search
KnowledgeBase
Custom Dashboards
Alerting
Analyze & Prioritize
Vulnerability Intelligence Platform
http://[email protected]
Q&A