Understanding Asset Risk Via Vulnerability Prioritization
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
UNDERSTANDING
ASSET RISK VIA
VULNERABILITY PRIORITIZATION
Understanding Asset Risk Via Vulnerability Prioritization
LAW 1
SECURITY IS A DATA PROBLEM
FLAW 1: DATA FUNDAMENTALISM
FLAW 2: STOCHASTIC IGNORANCE
ATTACKERS CHANGE TACTICS DAILY
DATA-DRIVEN SECURITY
REAL-TIME
TODO 1: CORRELATE AND CLEAN
TODO 2: FIND GROUND TRUTH1. Breaches
2. Exploits
3. Global Attack
4. Local Attack
5. Zero Days
6. Trends
7. Impact
• Alienvault, Dell, Internal(Snort)
• EDB, MSP, EKITS, Symatec, Internal(Scraper)
• SixScan, ISC, Dell, CarbonBlack, iSight, ThreatStream, PaloAlto, FireEye, Imperva, Norse
• Snort
• iDefense, ExodusIntel
• Internal, Interal(Attack Velocity), BitSight
• DBIR, NetDiligence, Config (Qualys)
TODO 3: RELATE TYPES OF RISK
“It is a capital mistake to theorize before one has data.
Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”
I Love It When You Call Me Big Data150,000,000 Live Vulnerabilities
1,500,000 Assets
2,000 Organizations
I Love It When You Call Me Big Data
200,000,000 BREACHES
Baseline AllthethingsProbability (You Will Be Breached On A Particular Open Vulnerability)?
=(Open Vulnerabilities | Breaches Occurred On Their CVE) /(Total Open Vulnerabilities)
6%
Probability A Vuln Having Property X Has Observed Breaches
0 2 4 6 8 10 12
0
1
2
3
4
5
6
7
8
9
10
Breach1Probability1(%)
CVSS1Base
Probability A Vuln Having Property X Has Observed Breaches
0 5 10 15 20 25 30 35 40
CVSS*10
EDB
MSP
EDB+MSP
Breach*Probability*(%)
Not So Secret Sauce
CVSS$Base Normalize$Base$Score Metasploit? ExploitDB?
Exploit$Source$3,4,5,6...N?
Active$Breach$Velocity
Asset$Internal/External?
Vulnerability$Trending?
Zero$Days? Risk$Meter$Score
0
5
10
15
20
25
30
35
40
0 1 2 3 4 5 6 7 8 9 10
Positive2Predictive2Value
Score
Positive2Predictive2Value2as2a2Function2of2Score2Cutoff
CVSS2Base
CVSS2Temporal
Risk2Meter
NORMAL DISTRIBUTIONS RULE EVERYTHING AROUND ME
BREACH SIZE BY RECORDS LOST
P(Breach involves X records) = X^-1.31
BREACH FREQUENCY BY CVE TYPE
P(CVE has breach volume X) = X^-1.5
DEALING WITH FAT TAILS
ASSET RISK MODEL
APPLES TO APPLES, RISKS TO RISKS
MODEL DATA
ASSET RISK QUESTIONS:
VULN PRIORITY QUESTIONS:
How do we model risk?
Does topology matter?
How good is our current model?
What data do we need about exploits? What data do we need about live vulns?
How good is your asset inventory?
Related Documents
