A Moneyball Approach to Security Intelligence
Nice to Meet You

About Me
• Co-Founder, Risk I/O
• Former CISO, Orbitz
• Contributing Author: Beautiful Security
• CSO Magazine/Online Writer
• InfoSec Island Blogger

About Risk I/O
• Data-Driven Vulnerability Intelligence Platform
• DataWeek 2012 Top Security Innovator
• 3 Startups to Watch - Information Week
• 16 Hot Startups - eWeek
Stage 1: Ignorance is Bliss
Stage 2: Where are all of my vulnerabilities?

“Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.”
- Jeremiah Grossman, Founder, WhiteHat Security
Stage 3: Scan & Dump

Enter the Age of the Automated Scanner...
Why This Occurs

• Lack of Visibility
• Lack of Communication
• Lack of Coordination

Silos, Silos, Everywhere
IT Security Is Buried in Noise

“vulnerability prioritization for remediation presents THE critical problem”
- Anton Chuvakin, Gartner Research Director

“Finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part”
- Diana Kelley, Dark Reading

“Businesses may be able to measure their performance through objective metrics such as sales growth, production efficiency or customer preference, but information security management too often boils down to a reaction to recent events or the well-known trio of fear, uncertainty and doubt.”
- Scott Crawford, EMA Associates

“Unless you work in a company that has unlimited resources and you have absolute support at all levels for remediating the vulnerabilities in your environment, you MUST prioritize the issues that cause the most risk to your IT environment.”
- Clay Keller, Wal-Mart InfoSec

“With the enormous amounts of data available, mining it — regardless of its source — and turning it into actionable information is really a strategic necessity, especially in the world of security.”
- Chris Hoff, Juniper Networks
Sabermetrics for InfoSec?
Example Use Case 1: HD Moore’s Law - Josh Corman
aka the Security Mendoza Line

“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”
Example Use Case 2: Predicting Vulnerability (or even breach)

• Key Attributes
• Trending
• Outcomes
Example Use Case 3: CVE Trending Analysis

Gunnar’s Debt Clock
Example Use Case 4: Targets of Opportunity?

My (vuln posture X threat activity) / (other vuln posture X other threat activity)
That’s So Meta

Data aggregation is necessary for everything we do

Table Stakes
• Correlation, Normalization, De-Duplication
• Full risk views down the entire technology stack
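The aggregation step (correlation, normalization, de-duplication) and the Use Case 4 ratio, worked through in code as an added example that is not part of the original deck or Risk I/O’s platform; the scanner records, the CVE-EXAMPLE-n placeholder ids, the threat-activity feed and the scoring weights are all constructed assumptions:

```python
# Example code added here (not Risk I/O's): normalize and de-duplicate findings
# from several scanners, weight each unique CVE by threat activity (public exploit
# module, in-the-wild attack traffic), and compute the Use Case 4 ratio against a
# peer baseline.  All sample data, CVE placeholders and weights are constructed.

# Constructed findings as three tools might report them: field names differ per
# tool and the same CVE on the same host is reported more than once.
RAW_FINDINGS = [
    {"tool": "netscan", "host": "10.0.0.5", "cve": "CVE-EXAMPLE-1", "cvss": 9.3},
    {"tool": "appscan", "asset": "10.0.0.5", "id": "cve-example-1", "cvss": 9.3},
    {"tool": "netscan", "host": "10.0.0.7", "cve": "CVE-EXAMPLE-2", "cvss": 4.3},
    {"tool": "pentest", "asset": "10.0.0.7", "id": "CVE-EXAMPLE-2", "cvss": 4.3},
    {"tool": "dbscan", "host": "10.0.0.9", "cve": "CVE-EXAMPLE-3", "cvss": 7.5},
]
# Constructed peer baseline, the denominator of the Use Case 4 ratio.
PEER_FINDINGS = [
    {"tool": "netscan", "host": "peer-a", "cve": "CVE-EXAMPLE-2", "cvss": 4.3},
    {"tool": "netscan", "host": "peer-b", "cve": "CVE-EXAMPLE-3", "cvss": 7.5},
]
# Constructed threat-activity feed: is there a public exploit module (the deck's
# "casual attacker power grows at the rate of Metasploit") and in-the-wild traffic?
THREAT_ACTIVITY = {
    "CVE-EXAMPLE-1": {"exploit_public": True, "in_the_wild": True},
    "CVE-EXAMPLE-2": {"exploit_public": True, "in_the_wild": False},
    "CVE-EXAMPLE-3": {"exploit_public": False, "in_the_wild": False},
}

def normalize(findings):
    """Correlate, normalize and de-duplicate into one record per (asset, CVE)."""
    unique = {}
    for f in findings:
        asset = f.get("host") or f.get("asset")
        cve = (f.get("cve") or f.get("id")).upper()
        rec = unique.setdefault((asset, cve), {"cvss": 0.0, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f["cvss"])  # keep the highest score seen
        rec["sources"].add(f["tool"])
    return unique

def threat_weight(cve, activity=THREAT_ACTIVITY):
    """Constructed weights: 1 for severity alone, +2 public exploit, +3 in the wild."""
    act = activity.get(cve, {})
    return 1.0 + 2.0 * act.get("exploit_public", False) + 3.0 * act.get("in_the_wild", False)

def posture_score(findings, activity=THREAT_ACTIVITY):
    """'Vuln posture x threat activity': sum of CVSS x weight over unique findings."""
    return sum(rec["cvss"] * threat_weight(cve, activity)
               for (_, cve), rec in normalize(findings).items())

def target_of_opportunity_ratio(mine, peers, activity=THREAT_ACTIVITY):
    """Use Case 4 ratio; above 1.0 means we are the softer target relative to peers."""
    return posture_score(mine, activity) / posture_score(peers, activity)
```

Five raw findings collapse to three unique ones, and the weighted ratio shows how a single CVE with a public exploit and live attack traffic dominates the comparison even when raw finding counts look similar.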
Putting The Robots To Work

• Assembly Line Workflow
• Bulk Ticketing & Bug Tracking Integration
• Automated Re-Testing
• API “All The Things”
Web Scale Visibility

• How do I know where to deploy my resources?
• What matters when prioritizing remediation?
• What does the threat landscape look like outside of my 4 walls?
• How do I compare to peers?
Centralizing the Data

Sources feeding the Risk DB:
• Network Vulnerability Scanners
• Database Vulnerability Scanners
• Application Vulnerability Scanners
• Static Analysis Tools
• Internal Remediation Systems
• Pentesters / Professional Services
Your Data, Your Way

• Predefined and Custom Security Metrics
• Filter by Hundreds of Attributes and Metadata
• Real-World Vulnerability Trending
• Custom Fields
• Full Featured RESTful API
• AutoFlagging based on “in the wild” Attack Traffic
• Benchmarking Across Industries
• Predictive Analytics & Machine Learning
• Security && Ops NOT || Ops