WE HAVE MET THE ENEMY AND HE IS US
BSIDES SEATTLE 2013
DAVID F. SEVERSKI, @DSEVERSKI
Presented at BSides Seattle 12/14/2013

SPEAKER NOTES
  • There are fixers and there are breakers… I’m a fixer. Breakers have several advantages, among them: stories. We need more stories from fixers. Let’s fix that, fixers. Objective: understand our evolution and how it may apply to your org.
  • Agenda is pretty simple… from The Dark Side to Puppies….
  • About my org: large non-profit pediatric hospital, 20+ locations over 4 states and 3 time zones. My role… “The dark side”: Audit and Management, you decide which is worse. This is a story about audit… making findings actionable and measurable, using vulns as a specific case.
  • Finding issues through review of data. Application Review Program, see Andrew’s question regarding owner and data types. From Katie’s keynote, we do (try) to be data-driven. We use data to verify/disclaim our “gut” feelings.
  • TPS Reports. Access DB, based on a MS template of all things. Describe process.
  • Results were as expected: 1) Lots of findings. 2) Dates come and go. 3) Tension between the finders (us) and the fixers (ops). And this all resulted in… <next slide>
  • Reaching a critical point of frustration.
  • It’s over 9000!!!!
  • Well... that didn’t work… Towards a new approach. Incentivize the GAF factor.
  • Okay… so what went wrong? Interaction time!
  • This is our OPS team’s data.
  • Vuln dashboard. Data is from operational systems (vuln scanners, CMDB, network, etc.). Don’t like the numbers? It’s from your systems! Reference Andrew Stewart’s talk.
  • Future directions: 1) More of this! 2) Data-driven: use data of the environment. 3) Modelling risk: more of the “so what” (CVSS scores).
  • Here are the takeaways we have so far…

SLIDES

AGENDA
• The Dark Side
• Shiny
• Discovery
• All The Things
• Rocket Ships and Puppies

Come to the Dark Side… AKA… WHO THE FSCK ARE YOU?

DATA-DRIVEN DISCOVERY

INITIAL REPORTING AND TRACKING
Finding lifecycle (cycle diagram): Discover → Open Finding → Define Remediation Actions → Assign Date → Track → Verify → Close

STUCK FINDINGS

“SUCCESS” OF DATE-DRIVEN FINDINGS
(chart annotation: Plateau of Despair)

AND HOW ABOUT THAT PATCHING PROGRAM?
(chart annotation: It’s Over 9000!!)

THE DEFINITION OF INSANITY

ANALYZE THIS!
• What went wrong?
  • Competing priorities
    • Too much else to do.
    • Unscheduled work.
  • Why should we care?
    • High/Medium/Low a go-go

PRINCIPLES
• Use the data that’s already present
• Transparent measurement process
• Joint goal setting
• Continuous measurement
• Specify problems… not solutions (No, Really!)
• Self-service reporting

SETTING PERFORMANCE GOALS
Goal area             Metrics
High Risk Apps        # of Severe Vulnerabilities; Total Vulnerabilities
High Risk Hosts       Measuring the Riskiest Hosts; Total Number of Vulnerabilities
Maintain the Program  Median Time to Patch Servers; Scan Frequency

DATA SOURCES AND TOOLS
Data Sources
• CMDB
• Vulnerability Scan Data
• Network Configurations
Tools
• PowerShell (Extraction)
• SQL Server (Storage)
• Tableau (Presentation)
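The metrics from the performance-goal slide, computed from the kinds of data the talk says the program already had (a CMDB extract and vulnerability-scan findings). This is an added example, not the talk's own tooling (which was PowerShell, SQL Server and Tableau); the sample data, the CVSS cut-off for "severe" and the per-host risk score are all assumptions.

```python
from datetime import date
from statistics import median

# Constructed CMDB extract (not the talk's data): criticality and role per host.
CMDB = {
    "web01": {"critical": True,  "role": "server"},
    "db01":  {"critical": True,  "role": "server"},
    "app02": {"critical": False, "role": "server"},
    "wks17": {"critical": False, "role": "workstation"},
}

# Constructed scan findings: one row per host/vulnerability pair, with the date the
# scanner first saw it and the date it stopped appearing (None = still open).
FINDINGS = [
    {"host": "web01", "vuln": "V-1", "cvss": 9.8, "first_seen": date(2013, 10, 1), "fixed": date(2013, 10, 9)},
    {"host": "web01", "vuln": "V-2", "cvss": 5.0, "first_seen": date(2013, 10, 1), "fixed": None},
    {"host": "db01",  "vuln": "V-3", "cvss": 7.5, "first_seen": date(2013, 10, 8), "fixed": date(2013, 11, 22)},
    {"host": "db01",  "vuln": "V-1", "cvss": 9.8, "first_seen": date(2013, 10, 8), "fixed": None},
    {"host": "app02", "vuln": "V-4", "cvss": 8.1, "first_seen": date(2013, 9, 3),  "fixed": date(2013, 9, 24)},
    {"host": "wks17", "vuln": "V-5", "cvss": 7.2, "first_seen": date(2013, 11, 1), "fixed": None},
]
# Constructed dates of the scan runs that produced the findings above.
SCAN_DATES = [date(2013, 10, 1), date(2013, 10, 8), date(2013, 10, 15), date(2013, 10, 29)]
SEVERE = 7.0  # CVSS cut-off for "severe" used here; an assumption, the deck does not define one

def open_findings(findings):
    """Total Number of Vulnerabilities: findings the scanner still reports."""
    return [f for f in findings if f["fixed"] is None]

def severe_on_critical_hosts(findings, cmdb):
    """# of Severe Vulnerabilities: open severe findings on hosts the CMDB marks critical."""
    return sum(1 for f in open_findings(findings)
               if f["cvss"] >= SEVERE and cmdb[f["host"]]["critical"])

def median_days_to_patch_servers(findings, cmdb):
    """Median Time to Patch Servers: days from first seen to fixed, server-role hosts only."""
    days = [(f["fixed"] - f["first_seen"]).days for f in findings
            if f["fixed"] is not None and cmdb[f["host"]]["role"] == "server"]
    return median(days) if days else None

def riskiest_hosts(findings, n=3):
    """Measuring the Riskiest Hosts: rank hosts by the summed CVSS of their open findings."""
    score = {}
    for f in open_findings(findings):
        score[f["host"]] = score.get(f["host"], 0.0) + f["cvss"]
    return sorted(score.items(), key=lambda kv: kv[1], reverse=True)[:n]

def scan_frequency_days(scan_dates):
    """Scan Frequency: median gap in days between consecutive scan runs."""
    ds = sorted(scan_dates)
    return median((b - a).days for a, b in zip(ds, ds[1:]))
```

Because every number traces back to a row the operations team's own scanner or CMDB produced, the "don't like the numbers? it's from your systems" argument on the dashboard slide holds.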
CURRENT STATE – NEW SHINY
• 24 mo. pilot underway for Vulnerability Management
• Established reasonable goals in consultation with ops
• Regular reporting – Reporting on Demand
• Incorporated security into CIO messaging
• Generating lots of discussion
• Driving towards process and automation
• Data pulled from existing systems

TO INFINITY… AND BEYOND!

IF YOU’VE GOT 99 PROBLEMS…
• Don’t have your finding process be the source of problems
• Takeaways
  • Provide flexibility to the doers
  • Determine the goals and methods for measuring success up front
  • You probably have more (usable) data available than you think
  • Report, report, report!

THANKS!
Questions? Comments? Complaints?
@dseverski