SlideShare a Scribd company logo

Fix What Matters

Ed Bellis
Ed Bellis

A deep look inside real-world vulnerability, remediation and breach stats.

Technology
1 of 38
Download to read offline
Fix What Matters Ed Bellis & Michael Roytman
Nice To Meet You • CoFounder Risk I/O About Us Risk I/O • Former CISO Orbitz • Contributing Author: Beautiful Security • CSO Magazine/Online Writer • Data-Driven Vulnerability Intelligence Platform • DataWeek 2012 Top Security Innovator • 3 Startups to Watch - Information Week • InfoSec Island Blogger • 16 Hot Startups - eWeek Ed Bellis • Naive Grad Student • Still Plays With Legos • Barely Passed Regression Analysis • Once Jailbroke His iPhone 3G • Has Coolest Job In InfoSec Michael Roytman
Starting From Scratch “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.” -Sir Arthur Conan Doyle, 1887
Starting From Scratch
Starting From Scratch Academia! • GScholar! • JSTOR! • IEEE! • ProQuest! InfoSec Blogs! • CSIOs! • Pen Testers! • Threat Reports! • SOTI/DBIR! ! Twitter! • Thought Leaders (you know who you are)! • BlackHats! • Vuln Researchers! Primary Sources! • MITRE! • OSVDB! • NIST CVSS Committee(s)! • Internal Message Boards for ^! Text CISOs
Data Fundamentalism Don’t Ignore What a Vulnerability Is: Creation Bias (http://blog.risk.io/2013/04/data-fundamentalism/) Jerico/Sushidude @ BlackHat (https://www.blackhat.com/us-13/briefings.html#Martin) Luca Allodi - CVSS DDOS (http://disi.unitn.it/~allodi/allodi-12-badgers.pdf):
Data Fundamentalism - What’s The Big Deal? ”Since 2006 Vulnerabilities have declined by 26 percent.” (http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf) “The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012. ” (http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf)
What’s Good? Bad For Vulnerability Statistics: NVD, OSVDB, ExploitDB, CVSS, Patches, Microsoft Reports, etc, et al, and so on. Good For Vulnerability Statistics: Vulnerabilities.
What’s Good?
What’s Good?
What’s Good?
What’s Good?
What’s Good?
What’s Good?
Counterterrorism Known Groups Surveillance Threat Intel, Analysts Targets, Layouts Past Incidents, Close Calls
What’s Good?
Uh, Sports? Opposing Teams, Specific Players Gameplay Scouting Reports, Gametape Roster, Player Skills Learning from Losing
InfoSec?
Defend Like You’ve Done It Before Groups, Motivations Exploits Vulnerability Definitions Asset Topology, Actual Vulns on System Learning from Breaches
Work With What You’ve Got: Akamai, Safenet ExploitDB, Metasploit NVD, MITRE
Add Some Spice
Show Me The Money 23,000,000 Vulnerabilities! Across 1,000,000 Assets! Representing 9,500 Companies! Using 22 Unique Scanners!
Whatchu Know About Dat?(a) Duplication Vulnerability Density Remediation
Duplication 0 225,000 450,000 675,000 900,000 1,125,000 1,350,000 1,575,000 1,800,000 2,025,000 2,250,000 2 or more scanners 3 or more 4 or more 5 or more 6 or more
Duplication - Lessons From a CISO We Have: F(Number of Scanners) => Number of Duplicate Vulnerabilities We Want: F(Number of Scanners) => Vulnerability Coverage Make Decisions At The Margins! <---------Good Luck! 0 25.0 50.0 75.0 100.0 0 1 2 3 4 5 6
Density Type of Asset ~Count Hostname 20,000 Netbios 1000 IP Address 200,000 File 10,000 Url 5,000 Hostname Netbios IP File Url 0 22.5 45.0 67.5 90.0
CVSS And Remediation Metrics 0 375.0 750.0 1125.0 1500.0 1 2 3 4 5 6 7 8 9 10 Average Time To Close By Severity OldestVulnerability By Severity
CVSS And Remediation - Lessons From A CISO 1 2 3 4 5 6 7 8 9 10 Remediation/Lack Thereof, by CVSS NVD Distribution by CVSS
The Kicker - Live Breach Data 1,500,000 ! Vulnerabilities Related to Live Breaches Recorded! June, July 2013 !
CVSS And Remediation - Nope 0 1750.0 3500.0 5250.0 7000.0 1 2 3 4 5 6 7 8 9 10 Oldest BreachedVulnerability By Severity
CVSS - A VERY General Guide For Remediation - Yep 0 37500.0 75000.0 112500.0 150000.0 1 2 3 4 5 6 7 8 9 10 OpenVulns With Breaches Occuring By Severity
The One Billion Dollar Question Probability(You Will Be Breached On A Particular Open Vulnerability)? 1.98% =(Open Vulnerabilities | Breaches Occurred On Their CVE)/(Total Open Vulnerabilities)
I Love It When You Call Me Big Data RANDOMVULN CVSS 10 CVSS 9 CVSS 8 CVSS 6 CVSS 7 CVSS 5 CVSS 4 Has Patch 0 0.01000 0.02000 0.03000 0.04000 Probability AVulnerability Having Property X Has Observed Breaches
Enter The Security Mendoza Line Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? http://riskmanagementinsight.com/riskanalysis/? p=294 Josh Corman expands the Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit” http://blog.cognitivedissidents.com/2011/11/01/intro- to-hdmoores-law/ Alex Hutton comes up with Security Mendoza Line
I Love It When You Call Me Big Data RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0 0.1 0.2 0.2 0.3 Probability AVulnerability Having Property X Has Observed Breaches
Be Better Than The Gap
I Love It When You Call Me Big Data Spray and Pray => 2% CVSS 10 => 4% Metasploit + ExploitDB => 30%
Thank You Follow Us Blog: http://blog.risk.io Twitter: @mroytman @ebellis @riskio We’re Hiring! http://www.risk.io/jobs

Recommended

BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersMichael Roytman
 
Mobile CRO - The psychology behind selling to thumbs
Mobile CRO - The psychology behind selling to thumbsMobile CRO - The psychology behind selling to thumbs
Mobile CRO - The psychology behind selling to thumbsOnline Dialogue
 
Hushcon 2016 Keynote: Test for Echo
Hushcon 2016 Keynote: Test for EchoHushcon 2016 Keynote: Test for Echo
Hushcon 2016 Keynote: Test for EchoDeja vu Security
 
Green Custard Friday Talk 19: Chaos Engineering
Green Custard Friday Talk 19: Chaos EngineeringGreen Custard Friday Talk 19: Chaos Engineering
Green Custard Friday Talk 19: Chaos EngineeringGreen Custard
 
Greg Wilson - We Know (but ignore) More Than We Think
Greg Wilson - We Know (but ignore) More Than We ThinkGreg Wilson - We Know (but ignore) More Than We Think
Greg Wilson - We Know (but ignore) More Than We Think#DevTO
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Michael Roytman
 
Applying principles of chaos engineering to Serverless
Applying principles of chaos engineering to ServerlessApplying principles of chaos engineering to Serverless
Applying principles of chaos engineering to ServerlessYan Cui
 
The present and future of serverless observability
The present and future of serverless observabilityThe present and future of serverless observability
The present and future of serverless observabilityYan Cui
 

Recommended

BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersMichael Roytman
 
Mobile CRO - The psychology behind selling to thumbs
Mobile CRO - The psychology behind selling to thumbsMobile CRO - The psychology behind selling to thumbs
Mobile CRO - The psychology behind selling to thumbsOnline Dialogue
 
Hushcon 2016 Keynote: Test for Echo
Hushcon 2016 Keynote: Test for EchoHushcon 2016 Keynote: Test for Echo
Hushcon 2016 Keynote: Test for EchoDeja vu Security
 
Green Custard Friday Talk 19: Chaos Engineering
Green Custard Friday Talk 19: Chaos EngineeringGreen Custard Friday Talk 19: Chaos Engineering
Green Custard Friday Talk 19: Chaos EngineeringGreen Custard
 
Greg Wilson - We Know (but ignore) More Than We Think
Greg Wilson - We Know (but ignore) More Than We ThinkGreg Wilson - We Know (but ignore) More Than We Think
Greg Wilson - We Know (but ignore) More Than We Think#DevTO
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Michael Roytman
 
Applying principles of chaos engineering to Serverless
Applying principles of chaos engineering to ServerlessApplying principles of chaos engineering to Serverless
Applying principles of chaos engineering to ServerlessYan Cui
 
The present and future of serverless observability
The present and future of serverless observabilityThe present and future of serverless observability
The present and future of serverless observabilityYan Cui
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementMichael Roytman
 
Vulnerability & Exploit Trends: A Deep Look Inside the Data
Vulnerability & Exploit Trends: A Deep Look Inside the DataVulnerability & Exploit Trends: A Deep Look Inside the Data
Vulnerability & Exploit Trends: A Deep Look Inside the DataKenna
 
BSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsBSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsEd Bellis
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008Anton Chuvakin
 
Black ops 2012
Black ops 2012Black ops 2012
Black ops 2012Dan Kaminsky
 
BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza LineEd Bellis
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon usJonathan Sinclair
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thUnited Technology Group (UTG)
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO CompliancePECB
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineEd Bellis
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Alex Pinto
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksEd Bellis
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea LeavesEd Bellis
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...Alexander Leonov
 
Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That MatterEd Bellis
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 

More Related Content

Similar to Fix What Matters

Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementMichael Roytman
 
Vulnerability & Exploit Trends: A Deep Look Inside the Data
Vulnerability & Exploit Trends: A Deep Look Inside the DataVulnerability & Exploit Trends: A Deep Look Inside the Data
Vulnerability & Exploit Trends: A Deep Look Inside the DataKenna
 
BSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsBSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsEd Bellis
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008Anton Chuvakin
 
BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza LineEd Bellis
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon usJonathan Sinclair
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thUnited Technology Group (UTG)
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO CompliancePECB
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineEd Bellis
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Alex Pinto
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksEd Bellis
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea LeavesEd Bellis
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...Alexander Leonov
 

Similar to Fix What Matters (20)

Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability Management
 
Vulnerability & Exploit Trends: A Deep Look Inside the Data
Vulnerability & Exploit Trends: A Deep Look Inside the DataVulnerability & Exploit Trends: A Deep Look Inside the Data
Vulnerability & Exploit Trends: A Deep Look Inside the Data
 
BSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsBSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit Trends
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your Worries
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008
 
Black ops 2012
Black ops 2012Black ops 2012
Black ops 2012
 
BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza Line
 
The cyber security hype cycle is upon us
The cyber security hype cycle is upon usThe cyber security hype cycle is upon us
The cyber security hype cycle is upon us
 
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10thCYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
CYBERSECURITY: Game Planning for Success lunch and learn event, April 10th
 
Artificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO ComplianceArtificial Intelligence (AI) – Two Paths to ISO Compliance
Artificial Intelligence (AI) – Two Paths to ISO Compliance
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza Line
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
 
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea Leaves
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
 

More from Ed Bellis

Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That MatterEd Bellis
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
Security as Code
Security as CodeSecurity as Code
Security as CodeEd Bellis
 
Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer SymposiumEd Bellis
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info SecurityEd Bellis
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeEd Bellis
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So MetaEd Bellis
 

More from Ed Bellis (8)

Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That Matter
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
Security as Code
Security as CodeSecurity as Code
Security as Code
 
Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer Symposium
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info Security
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent Life
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So Meta
 

Recently uploaded

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Fix What Matters

  • 1. Fix What Matters Ed Bellis & Michael Roytman
  • 2. Nice To Meet You • CoFounder Risk I/O About Us Risk I/O • Former CISO Orbitz • Contributing Author: Beautiful Security • CSO Magazine/Online Writer • Data-Driven Vulnerability Intelligence Platform • DataWeek 2012 Top Security Innovator • 3 Startups to Watch - Information Week • InfoSec Island Blogger • 16 Hot Startups - eWeek Ed Bellis • Naive Grad Student • Still Plays With Legos • Barely Passed Regression Analysis • Once Jailbroke His iPhone 3G • Has Coolest Job In InfoSec Michael Roytman
  • 3. Starting From Scratch “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.” -Sir Arthur Conan Doyle, 1887
  • 5. Starting From Scratch Academia! • GScholar! • JSTOR! • IEEE! • ProQuest! InfoSec Blogs! • CSIOs! • Pen Testers! • Threat Reports! • SOTI/DBIR! ! Twitter! • Thought Leaders (you know who you are)! • BlackHats! • Vuln Researchers! Primary Sources! • MITRE! • OSVDB! • NIST CVSS Committee(s)! • Internal Message Boards for ^! Text CISOs
  • 6. Data Fundamentalism Don’t Ignore What a Vulnerability Is: Creation Bias (http://blog.risk.io/2013/04/data-fundamentalism/) Jerico/Sushidude @ BlackHat (https://www.blackhat.com/us-13/briefings.html#Martin) Luca Allodi - CVSS DDOS (http://disi.unitn.it/~allodi/allodi-12-badgers.pdf):
  • 7. Data Fundamentalism - What’s The Big Deal? ”Since 2006 Vulnerabilities have declined by 26 percent.” (http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf) “The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012. ” (http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf)
  • 8. What’s Good? Bad For Vulnerability Statistics: NVD, OSVDB, ExploitDB, CVSS, Patches, Microsoft Reports, etc, et al, and so on. Good For Vulnerability Statistics: Vulnerabilities.
  • 19. Defend Like You’ve Done It Before Groups, Motivations Exploits Vulnerability Definitions Asset Topology, Actual Vulns on System Learning from Breaches
  • 20. Work With What You’ve Got: Akamai, Safenet ExploitDB, Metasploit NVD, MITRE
  • 22. Show Me The Money 23,000,000 Vulnerabilities! Across 1,000,000 Assets! Representing 9,500 Companies! Using 22 Unique Scanners!
  • 23. Whatchu Know About Dat?(a) Duplication Vulnerability Density Remediation
  • 25. Duplication - Lessons From a CISO We Have: F(Number of Scanners) => Number of Duplicate Vulnerabilities We Want: F(Number of Scanners) => Vulnerability Coverage Make Decisions At The Margins! <---------Good Luck! 0 25.0 50.0 75.0 100.0 0 1 2 3 4 5 6
  • 26. Density Type of Asset ~Count Hostname 20,000 Netbios 1000 IP Address 200,000 File 10,000 Url 5,000 Hostname Netbios IP File Url 0 22.5 45.0 67.5 90.0
  • 27. CVSS And Remediation Metrics 0 375.0 750.0 1125.0 1500.0 1 2 3 4 5 6 7 8 9 10 Average Time To Close By Severity OldestVulnerability By Severity
  • 28. CVSS And Remediation - Lessons From A CISO 1 2 3 4 5 6 7 8 9 10 Remediation/Lack Thereof, by CVSS NVD Distribution by CVSS
  • 29. The Kicker - Live Breach Data 1,500,000 ! Vulnerabilities Related to Live Breaches Recorded! June, July 2013 !
  • 30. CVSS And Remediation - Nope 0 1750.0 3500.0 5250.0 7000.0 1 2 3 4 5 6 7 8 9 10 Oldest BreachedVulnerability By Severity
  • 31. CVSS - A VERY General Guide For Remediation - Yep 0 37500.0 75000.0 112500.0 150000.0 1 2 3 4 5 6 7 8 9 10 OpenVulns With Breaches Occuring By Severity
  • 32. The One Billion Dollar Question Probability(You Will Be Breached On A Particular Open Vulnerability)? 1.98% =(Open Vulnerabilities | Breaches Occurred On Their CVE)/(Total Open Vulnerabilities)
  • 33. I Love It When You Call Me Big Data RANDOMVULN CVSS 10 CVSS 9 CVSS 8 CVSS 6 CVSS 7 CVSS 5 CVSS 4 Has Patch 0 0.01000 0.02000 0.03000 0.04000 Probability AVulnerability Having Property X Has Observed Breaches
  • 34. Enter The Security Mendoza Line Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? http://riskmanagementinsight.com/riskanalysis/? p=294 Josh Corman expands the Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit” http://blog.cognitivedissidents.com/2011/11/01/intro- to-hdmoores-law/ Alex Hutton comes up with Security Mendoza Line
  • 35. I Love It When You Call Me Big Data RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0 0.1 0.2 0.2 0.3 Probability AVulnerability Having Property X Has Observed Breaches
  • 36. Be Better Than The Gap
  • 37. I Love It When You Call Me Big Data Spray and Pray => 2% CVSS 10 => 4% Metasploit + ExploitDB => 30%
  • 38. Thank You Follow Us Blog: http://blog.risk.io Twitter: @mroytman @ebellis @riskio We’re Hiring! http://www.risk.io/jobs