Bay threat2011

From Shaman to Scientist:A Use Case in Data Driven Security

Nice To Meet YouAbout Me CoFounder HoneyApps Former CISO Orbitz Contributing Author Beautiful Security CSO Magazine/Online WriterHoneyApps Vulnerability Management as a Service 16 Hot Startups - eWeek 3 Startups to Watch - Information Week

Stage 1: Ignorance is Bliss

Stage 2: Where are all of my vulnerabilities? “Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.” Jeremiah Grossman Founder, WhiteHat Security

Stage 3: Scan & Dump“thanks for the 1000 page report,now what?!”

Why This OccursLack of Communication Lack of DataLack of CoordinationSilos, Silos, Everywhere

Stage 4: A New BeginningOr......Using What You Got!

Vulnerability Management: A Case Study Building the WarehouseStructured Data LoadWebApp VulnerabilityType: XSSSeverityThreatSubtype: (persistent,reﬂected,etc)Asset URL/URIConﬁrmed?Dates Found/OpenedDates ClosedDescriptionAttack Parameters

Vulnerability Management: A Case Study Building the WarehouseStructured Data LoadWebApp Vulnerability Asset:URLType: XSS Platform / CodeSeverity Web Server VersionThreat Application Server VersionSubtype: (persistent,reﬂected,etc) Database VersionAsset URL/URIConﬁrmed?Dates Found/OpenedDates ClosedDescriptionAttack Parameters

Vulnerability Management: A Case Study Building the WarehouseStructured Data LoadWebApp Vulnerability Asset:URLType: XSS Platform / CodeSeverity Web Server VersionThreat Application Server VersionSubtype: (persistent,reﬂected,etc) Database VersionAsset URL/URIConﬁrmed? Asset:HostDates Found/Opened Host Operating SystemDates Closed Other Applications/VersionsDescription IP AddressesAttack Parameters Mac Address Open Services/Ports

Vulnerability Management: A Case Study Unstructured Data LoadWebApp Vulnerability Asset:URLType: XSS Platform / CodeSeverity Web Server VersionThreat Application Server Version Database VersionSubtype: (persistent,reﬂected,etc)Asset URL/URI Asset:HostConﬁrmed?Dates Found/Opened Host Operating SystemDates Closed Applications/Versions OtherDescription Addresses IPAttack Parameters Mac Address Open Services/Ports

Vulnerability Management: A Case Study Unstructured Data Load Meta DataWebApp Vulnerability Asset:URLType: XSS Platform / CodeSeverity Web Server Version Business Unit VERIS dataThreat Application Server Version Internal IP Address Database VersionSubtype: (persistent,reﬂected,etc) Geographic Location External IP AddressAsset URL/URI Asset:HostConﬁrmed? Development Team Network LocationDates Found/Opened Host Operating System Ops Team Site NameDates Closed Applications/Versions Other Compliance RegulationDescription Addresses IP Security Policy Asset GroupAttack Parameters Mac Address Open Services/Ports

Vulnerability Management: A Case Study Loosely Structured Data Load Meta DataWebApp Vulnerability Asset:URLType: XSS Platform / CodeSeverity Web Server VersionThreatUnit Application Server Version Business VERIS data Database VersionSubtype: (persistent,reﬂected,etc) Internal IP AddressAsset URL/URI Geographic LocationConﬁrmed? Asset:Host External IP Address DB HTTP Development Team Network LocationDates Found/Opened Host Operating SystemDates Closed Applications/Versions Ops Team Other Site NameDescription Addresses IP Compliance RegulationAttack Parameters Mac Address Security Policy Asset Group Open Services/Ports

Vulnerability Management: A Case Study Loosely Structured Data Load Meta DataWebApp Vulnerability Asset:URL Apply Internal Threat DataType: XSS Platform / CodeSeverity Web Server VersionThreatUnit Application Server Version Business VERIS data Firewall Application Database VersionSubtype: (persistent,reﬂected,etc) Internal IP AddressAsset URL/URI Geographic LocationConﬁrmed? Asset:Host External IP Address DB HTTP Development Team Network LocationDates Found/Opened Host Operating SystemDates Closed Applications/Versions Ops Team OtherDescription Addresses IP Compliance Regulation Site Name IDS/IPS WAFAttack Parameters Mac Address Security Policy Asset Group Open Services/Ports

Vulnerability Management: A Case Study Mixed Data Set Meta DataWebApp Vulnerability Asset:URLType: XSS Platform / CodeSeverity Web Server Version Apply Internal ThreatThreat Unit Application Server Version Business Internal IP Address VERIS data Database VersionSubtype: (persistent,reﬂected,etc)Asset URL/URI Geographic Location External IP Address Firew Asset:HostApplicatiConﬁrmed? Team Development Network LocationDates Found/Opened Host Operating SystemDates Team Other Applications/Versions Ops Closed Site Name IDS/ IPCompliance RegulationDescription Addresses WA Asset GroupAttack Parameters Security Mac Address Policy Open Services/Ports

Vulnerability Management: A Case Study Mixed Data Set Apply External Threat Data Meta DataWebApp Vulnerability Asset:URLType: XSS Platform / CodeSeverity Web Server Version Apply Internal ThreatThreat Unit Application Server Version Business Internal IP Address VERIS data Database VersionSubtype: (persistent,reﬂected,etc)Asset URL/URI Geographic Location External IP Address Firew Asset:HostApplicatiConﬁrmed? Team Development Network LocationDates Found/Opened Host Operating SystemDates Team Other Applications/Versions Ops Closed Site Name IDS/ IPCompliance RegulationDescription Addresses WA Asset GroupAttack Parameters Security Mac Address Policy Open Services/Ports

Vulnerability Management: A Case Study Mixed Data Set Apply External Threat Data Meta DataWebApp Vulnerability Asset:URL Example Data SourcesType: XSS Platform / CodeSeverity Web Server Version Apply Internal ThreatThreat Unit Application Server Version Business Internal IP Address VERIS data ❖DataLossDB Database VersionSubtype: (persistent,reﬂected,etc) ❖Verizon DBIRAsset URL/URI Geographic Location External IP Address Firew Asset:HostApplicatiConﬁrmed? Team ❖WHID DevelopmentDates Found/Opened Host Operating System Network Location ❖Trustwave Global Security ReportDates Team Other Applications/Versions Ops Closed Site Name ❖FS-ISAC IDS/ IPCompliance RegulationDescription Addresses ❖SANS ISC WA Asset GroupAttack Parameters Security Mac Address ❖Veracode State of S/W Security Policy Open Services/Ports ❖ExploitDB

Vulnerability Management: A Case Study Unstructured Data LoadWebApp Vulnerability Asset:URL Meta Data Type: XSS Platform / Code Severity Web Server Version Threat Application Server Version Apply Internal Threat Database Version Subtype: (persistent,reﬂected,etc) Business Unit Internal IP Address VERIS data Asset URL/URI Asset:Host Geographic Location External IP Address Conﬁrmed? Firew Applicati Dates Found/Opened Network Location Host Operating System Development Team Dates Closed Applications/Versions Ops TeamOther Site Name Description Compliance Regulation IP AddressesIDS/ Attack Parameters Mac Address Asset Group WA Security Policy Open Services/Ports

Vulnerability Management: A Case Study Unstructured Data LoadWebApp Vulnerability Asset:URL Meta Data Type: XSS Platform / Code Severity Web Server Version Remediation Statistics Threat Application Server Version Apply Internal Threat Database Version Subtype: (persistent,reﬂected,etc) Business Unit Internal IP Address VERIS data Asset URL/URI Internal Bug Tracking Reports Asset:Host Geographic Location External IP Address Conﬁrmed? Firew Applicati Dates Found/Opened Network Location Host Operating System Development Team Denim Group Remediation Study Dates Closed Applications/Versions Ops TeamOther Site Name Description Compliance Regulation IP AddressesIDS/ Attack Parameters Mac Address Asset Group Build and Development Process WA Security Policy Open Services/Ports

Data Lenses:Views into the Warehouse

Low Hanging Fruitvulns >10% of external breaches >10% of our malicious trafﬁc in scope for $regulation sort

Secure Code Training Metric all vulns by application*vulns opened before 12/31/10** vulns opened after 2/28/11***sort by vulnerability class**secure code training rolled out 1/1/11 - 2/28/11

HD Moore’s Law

Vulns w/Ext Access

w/MetaSploit Modules

and connected systems

“Now sort by base,temporal &environmental”

Got MSSP?The Alex Hutton FormulaMy(vuln posture * other threat activity) / (other vuln posture * other threat activity)

Got MSSP?The Alex Hutton FormulaMy(vuln posture * other threat activity) / (other vuln posture * other threat activity) OR When Will Our Luck Run Out?

(we need more of this)

using what we have

The Twitter Poll

My Favorite Non-Sec ToolsTeaLeafGreenPlumZettasetRubySelenium

Resources ReferencedVerizon DBIR http://www.verizonbusiness.com/dbir/WASC Web App Security Stats http://projects.webappsec.org/w/page/VERIS Framework https://www2.icsalabs.com/veris/ 13246989/Web-Application-Security-StatisticsDenim Group - Real Cost of S/W FS-ISAC http://www.fsisac.com/Remediation WHID http://projects.webappsec.org/w/page/http://www.slideshare.net/denimgroup/real-cost-of- 13246995/Web-Hacking-Incident-Database/software-remediation SANS Internet Storm CenterDataLoss DB http://datalossdb.org/ http://isc.sans.org/TrustWave Global Security Report XForce http://xforce.iss.net/https://www.trustwave.com/GSR Veracode SOSS http://www.veracode.com/ images/pdf/soss/veracode-state-of-software-ExploitDB security-report-volume2.pdfhttp://www.exploit-db.com/

Q&Afollow us the blog http://blog.honeyapps.com/ twitter @ebellis And one more thing.... @risk_io We’re Hiring! https://www.risk.io/jobs

http://blog.honeyapps.com	702
http://blog.risk.io	85
http://feeds.feedburner.com	14
http://feedproxy.google.com	1

Bay threat2011

by Ed Bellis on Dec 19, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 802

Statistics

Bay threat2011 — Presentation Transcript