There are fixers and there are breakers… I’m a fixer. Breakers have several advantages, among them: stories. We need more stories from fixers. Let’s fix that, fixers.

Objective: understand our evolution and how it may apply to your org.
Agenda is pretty simple… from The Dark Side to Puppies….
About my org: large non-profit pediatric hospital, 20+ locations over 4 states and 3 time zones.

My role… “The dark side” – Audit and Management, you decide which is worse.

This is a story about audit… making findings actionable and measurable, using vulns as a specific case.
Finding issues through review of data. Application Review Program, see Andrew’s question regarding owner and data types.

From Katie’s keynote, we do (try) to be data-driven. We use data to verify/disclaim our “gut” feelings.
TPS Reports. Access DB, based on a MS template of all things. Describe process.
Results were as expected:
1) Lots of findings
2) Dates come and go
3) Tension between the finders (us) and the fixers (ops)
And this all resulted in… <next slide>
Reaching a critical point of frustration
It’s over 9000!!!!
Well... that didn’t work… Towards a new approach: incentivize the GAF factor.
Okay… so what went wrong? Interaction time!
This is our OPS team’s data.
Vuln dashboard. Data is from operational systems (vuln scanners, CMDB, network, etc.). Don’t like the numbers? It’s from your systems! Reference Andrew Stewart’s talk.
Future directions:
1) More of this!
2) Data-driven – use data of the environment
3) Modelling risk – more of the “so what” (CVSS scores)
Here are the takeaways we have so far…
We Have Met the Enemy
WE HAVE MET THE ENEMY AND HE IS US
BSIDES SEATTLE 2013
DAVID F. SEVERSKI, @DSEVERSKI
The Dark Side
All The Things
Come to the Dark Side…
AKA…WHO THE FSCK ARE YOU?
What went wrong?
Too much else to do.
Why should we care?
High/Medium/Low a go-go
Use the data that’s already present
Transparent measurement process
Joint goal setting
Specify problems…not solutions (No, Really!)
SETTING PERFORMANCE GOALS
High Risk Apps
High Risk Hosts
# of Severe
Median Time to
Total Number of
DATA SOURCES AND TOOLS
• Vulnerability Scan Data
• Network Configurations
• PowerShell (Extraction)
• SQL Server (Storage)
• Tableau (Presentation)
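The two slides above list the dashboard metrics (high risk hosts, # of severe, median time to…, total number of…) and the pipeline that feeds them (scanner export, PowerShell extraction, SQL Server storage). The following PowerShell is an added example, not code from the talk or from the speaker’s organization: it computes those metrics from a scanner CSV. The CSV column names, the function name Get-VulnMetrics, the rule that “severe” means Critical or High, and the reading of “median time to” as median days from first sighting to closure are all assumptions, since the slides only give the labels; the sample export is constructed.

```powershell
# Added example (not from the talk): compute dashboard metrics from a
# vulnerability scanner export. Metric names follow the slide labels; the
# exact definitions are assumptions, since the slides only list the labels.

# Constructed sample export, in the shape a scanner CSV might take.
$ScanCsv = @'
Host,PluginId,Severity,FirstSeen,LastSeen,Status
web01,10001,Critical,2013-01-02,2013-01-20,Closed
web01,10002,High,2013-01-05,2013-02-01,Open
db01,10003,High,2013-01-02,2013-01-12,Closed
db01,10004,Low,2013-01-02,2013-02-01,Open
app02,10005,Critical,2013-01-10,2013-02-01,Open
app02,10006,Medium,2013-01-10,2013-01-25,Closed
'@

function Get-VulnMetrics {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        # Assumption: "severe" = Critical or High (tune to your scanner's scale)
        [string[]] $SevereLevels = @('Critical', 'High')
    )

    $findings = @($CsvText | ConvertFrom-Csv)

    # Open findings at a severe level drive both "# of Severe" and "High Risk Hosts"
    $severeOpen = @($findings | Where-Object {
        $_.Status -eq 'Open' -and $SevereLevels -contains $_.Severity
    })

    # Days from first observation to last observation for closed findings.
    # Assumption: LastSeen of a Closed finding approximates the remediation date.
    $closeDays = @($findings |
        Where-Object { $_.Status -eq 'Closed' } |
        ForEach-Object { ([datetime]$_.LastSeen - [datetime]$_.FirstSeen).Days } |
        Sort-Object)

    # Median rather than mean, so one long-running exception cannot hide
    # the typical remediation time (or make it look worse than it is).
    $median = $null
    if ($closeDays.Count -gt 0) {
        $mid = [int][math]::Floor($closeDays.Count / 2)
        if ($closeDays.Count % 2 -eq 0) {
            $median = ($closeDays[$mid - 1] + $closeDays[$mid]) / 2
        } else {
            $median = $closeDays[$mid]
        }
    }

    # One row per report run; this object is what you would write to the
    # SQL Server table that the Tableau dashboard reads from.
    [pscustomobject]@{
        ReportDate         = (Get-Date).ToString('yyyy-MM-dd')
        TotalFindings      = $findings.Count
        OpenSevereFindings = $severeOpen.Count
        HighRiskHosts      = @($severeOpen | Select-Object -ExpandProperty Host -Unique).Count
        MedianDaysToClose  = $median
    }
}

$metrics = Get-VulnMetrics -CsvText $ScanCsv
$metrics | Format-List
```

In a real pipeline the here-string would be replaced by `Get-Content` on the scanner’s export file, and the resulting object appended to a SQL Server table (for example with the SqlServer module’s Invoke-Sqlcmd) so that each run adds a dated row the dashboard can trend. Keeping the severity mapping and the closure rule as explicit parameters matters for the “transparent measurement process” point: the ops team can read exactly how the number on the dashboard was produced.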
CURRENT STATE – NEW SHINY
24 mo. pilot underway for Vulnerability
Established reasonable goals in consultation
Regular reporting – Reporting on Demand
Incorporated security into CIO messaging
Generating lots of discussion
Driving towards process and automation
Data pulled from existing systems
IF YOU’VE GOT 99 PROBLEMS…
Don’t have your finding process be the source of
Provide flexibility to the doers
Determine the goals and methods for measuring success up front
You probably have more (usable) data available than you think
Report, report, report!