DEVOPS INDONESIA
DevOps Community in Indonesia
Jakarta, 20 June 2019

Leveraging Vulnerability Management Beyond DPR (Discovery – Prioritization – Remediation)
Presented by: Faisal Yahya

About Faisal Yahya
CISSP, CCISO, CCSK v3&4, CSX-P, ITIL-Fv3, CySA+, CEI
CyberSecurity Nexus - Practitioner
Top ASEAN CIOs to follow on Twitter: https://www.cio.com/article/3342397/top-asean-cios-to-follow-on-twitter.html
Wrote for: Peerlyst | APACCIOOutlook | InfoKomputer | [ .. wait for this space .. ]

CVE-2019-0174 – RAMBleed Side Channel Attack
"The new attack methods described in this paper are not microprocessor-specific, they leverage known issues in DRAM memory. These attacks only impact DDR4 and DDR3 memory modules, and older generations DDR2 and DDR1 memory modules are not vulnerable to these attacks." (ORACLE, 11 June 2019)
• Threat found in March 2016; exploitation started in June 2019 (see http://www.thirdio.com/rowhammer.pdf)
https://www.theregister.co.uk/2019/06/11/rambleed_rowhammer_attack/
16 June 2019

Global CyberSecurity Landscape
The cyber attack surface has significantly increased through advances in automation and connected devices. Combined with the commercialization of attack tools that were once limited to a nation state’s arsenal, you have the ingredients for significant disruption.
The expected global cost of cybersecurity breaches across all sectors by 2021 is US$6 trillion. (ey.com)

CyberCrime: Global Statistic
Monthly counts, 2017 vs 2018 (source data from: https://www.hackmageddon.com):

Month    2017    2018
Jan        70      94
Feb        49     115
Mar        56      75
Apr        63      81
May        51      95
June       44      85
July       58     108
Aug        70      66
Sept       65      93
Oct        69      91
Nov        64     107
Dec        77      84
Total     736   1,094   (+49%)
AVG        61      91

Potential catastrophic events?

The 4 Biggest Data Breaches of 2018
• 1.1 billion records breached, date disclosed: Jan 3, 2018
• 340 million records breached, date disclosed: June 26, 2018
• 150 million records breached, date disclosed: May 25, 2018
• 500 million records breached, date disclosed: Nov 19, 2018
On average, it takes 120 days to discover a data breach.

Target Distribution – Global – Top Ten (2018)
(Hackmageddon, 2018)

2018 Vulnerability by Impact Type (Source: VulnDB, 2019)
• Integrity: 61%
• Confidentiality: 19%
• Availability: 15%
• Unknown: 5%

Indonesia - CyberSecurity Positioning
(Position out of 60 countries, where 60 is worst and 1 is best; source: https://www.comparitech.com)
1. The percentage of mobiles infected with malware: Indonesia position 53/60 (25.02% of users); worst: Bangladesh (35.91% of users); best: Japan (1.34% of users)
2. The percentage of computers infected with malware: Indonesia position 56/60 (24.7% of users); worst: Algeria (32.41%); best: Denmark (5.9% of users)
3. The number of financial malware attacks: Indonesia position 54/60 (1.8% of users); worst: Germany (3% of users); best: Ukraine (0.3% of users)
4. The percentage of telnet attacks (by originating country): Indonesia position 49/60 (1.51% of users); worst: China (27.15%); best: Algeria, Uzbekistan, and Sri Lanka (0.01%)
5. The percentage of attacks by cryptominers: Indonesia position 57/60 (8.8% of users); worst: Uzbekistan (14.23% of users); best: Denmark (0.61% of users)
6. The best-prepared countries for cyber attacks: Indonesia position 54/60 (0.424 score); worst: Vietnam (0.245 score); best: Singapore (0.925 score)
7. The countries with the most up-to-date legislation: Indonesia position 36/60 (4 key categories covered); worst: Algeria (1 key category covered); best: France, China, Russia, and Germany (all 7 categories covered)

Top 10 Vulnerabilities in 2018 – for ….
(CVSS score 9.0 – 10.0; source: vulndb)
Vendors (n=1,525): Google Inc. 407 | Samsung 250 | SGP Tech. 201 | Adobe Systems 158 | Microsoft 129 | WECON Tech. 110 | Zoho Corp. 92 | LG Electronics 72 | Cisco Systems 58 | XEROX Corp. 48
Products (n=1,495): Google Pixel / Nexus 258 | Samsung Mobile (Android OS) 248 | SilentOS 201 | Acrobat Reader DC 130 | Acrobat DC 129 | Acrobat 127 | LeviStudioU 109 | Chrome OS 97 | LG Mobile Devices (Android OS) 69

Current Prioritization Methods Don’t Help (Kenna, 2019)
• CVSS < 7: 1.3% resulted in a breach
• CVSS 7+: 6.9% resulted in a breach

Areas of Interest - 2018
"… The number of software apps deployed by large firms across all industries world-wide has increased 68% over the past four years, reaching an average of 129 apps per company by the end of 2018 …" (OKTA, 2019)
https://www.wsj.com/articles/employees-are-accessing-more-and-more-business-apps-study-finds-11549580017

2018 Web Vulnerabilities by Specified Type
SQL injection and Cross-Site Scripting (XSS) vulnerabilities are still counted as the biggest threat for Web Applications.

Top 5 Vulnerabilities by Attack Type

Why Manually Managing Vulnerabilities Is Not Humanly Possible
Vulnerabilities disclosed per year: 2014: 14,350 | 2015: 15,273 | 2016: 16,126 | 2017: 22,230 | 2018: 22,022
AVG days from Publish to Exploit: 19.68 days
AVG days from Publish to Event: 27.36 days

Security Challenges in DevOps
Software security is often viewed as an impediment to DevOps
• Barrier to velocity and innovation
• Causes deadlines to slip
• Time-consuming and doesn’t support hourly developments
• Needs a lot of customization
• No uniform way to provide continuous feedback
• Scaling remains a challenge
• Finally, no risk-based approach
The Three Biggest Challenges in Vulnerability Tracking
The number of vulnerabilities reported is continuously increasing
In 2010 fewer than 10,000 vulnerabilities were reported; in 2018 more than 22,000 vulnerabilities were disclosed. Two main reasons: more software being created and a growing focus on vulnerability research.
Vulnerability reporting is becoming decentralized
Too many sources reporting the same vulnerability cause many disputes.
The quality of vulnerability reports has generally fallen
Some reports are simply invalid or duplicates of already known vulnerabilities. The number of invalid CVEs is increasing.

Changes in the Threat Landscape
(Carmine Rimi, 2019)

2.3 billion files exposed across online file storage technologies
smb         1,071,090,978   46%
ftp           457,493,871   20%
rsync         386,791,990   16%
s3            182,142,197    8%
webindex      163,568,453    7%
nas            65,471,242    3%
https://www.digitalshadows.com/blog-and-research/2-billion-files-exposed-across-online-file-storage-technologies/

Application Security Touchpoints
Planning: Security Requirements | Threat Models | Risk Analysis
Coding: IDE Integration | Static Analysis | Pre-commit
Test: DAST / IAST | SAST | Fuzz testing
Release: Secure configuration | Packaging for Deployment
Deploy: Operational protections | Penetration testing
BizTest (Operate / Monitor): Blue teaming | Bug-bounty | Red teaming
DevOps | ITOps

Offence (TI) / Defence (TM)
[Diagram: Threat Intelligence (offence) versus Threat Modelling (defence), with the elements Defenders, Processes, Technology, Threat Actors, Technology & Tech. Indicators, Method of Operations, and Information Exchanges]

Requirements for Vulnerability Management
Context: Vulnerability scanners lack the context security teams require to prioritize what to remediate first.
Visibility: IT teams lack the visibility required to understand what to fix, how to fix, and why.
Precision: Poor reporting reduces visibility and reduces board confidence.
Measure + Prioritize + Predict: more than just Detection – Prioritization – Remediation

Hands-On: https://www.exploit-db.com/google-hacking-database
Hands-On: https://www.threatcrowd.org
Hands-On: https://apility.io
Hands-On: https://www.zoho.com

Threat categories (STRIDE): Spoofing Identity | Tampering with Data | Repudiation | Information Disclosure | Denial of Service | Elevation of Privilege
Framework: Damage Potential, Reproducibility, Exploitability, Affected users, Discoverability (DREAD)
Calculation Formula: Rating = (D + R + E + A + D) / 5

Threats                                                     D   R   E   A   D   Rating
Repudiation (AVG from sub total)                                                8.5
  Attacker obtains authentication credentials by Phishing  10   9   7   8  10   9
  SQL Command injection                                     8   8   8   9   7   8
  … more
Information Disclosure …
  … more
Denial of Service …
Elevation of Privilege …

Measure & Prioritize → UNIQUE Risk Rating
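The DREAD calculation above, carried through in code as an added example (not code from the slides or from the presenter): each threat's rating is the mean of its five factors, ratings are rounded to whole numbers the way the slide's table lists 8.8 as 9, the rounded ratings are averaged per category to give the "AVG from sub total", and the register is then sorted so the highest-rated threats come first. The two Repudiation rows reuse the factor values from the slide; the other rows and the class and function names are constructed for this example.

```python
"""DREAD scoring and prioritisation over a threat register.

Added example, not code from the slides: it applies the slide's formula
Rating = (D + R + E + A + D) / 5 to a constructed threat register, rounds
each threat's rating to a whole number as the slide's table does, averages
those rounded ratings per threat category ("AVG from sub total"), and ranks
the threats so the highest-rated ones are remediated first.
"""
from dataclasses import dataclass
from math import floor
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Threat:
    category: str          # threat category the entry is filed under
    name: str
    damage: int            # D: damage potential, 1-10
    reproducibility: int   # R: how reliably the attack can be repeated, 1-10
    exploitability: int    # E: how little effort the exploit needs, 1-10 (10 = trivial)
    affected_users: int    # A: share of users affected, 1-10
    discoverability: int   # D: how easy the weakness is to find, 1-10

    def __post_init__(self) -> None:
        # Every factor must sit on the 1-10 scale, otherwise the mean is meaningless.
        for factor in ("damage", "reproducibility", "exploitability",
                       "affected_users", "discoverability"):
            value = getattr(self, factor)
            if not 1 <= value <= 10:
                raise ValueError(f"{factor} must be 1-10, got {value}")

    def dread_score(self) -> float:
        """Raw DREAD rating: the mean of the five factors."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


def rounded_rating(score: float) -> int:
    """Round half up to a whole number (the slide lists 8.8 as 9)."""
    return floor(score + 0.5)


def category_ratings(threats: Iterable[Threat]) -> Dict[str, float]:
    """Average of the rounded per-threat ratings, grouped by category."""
    buckets: Dict[str, List[int]] = {}
    for t in threats:
        buckets.setdefault(t.category, []).append(rounded_rating(t.dread_score()))
    return {cat: sum(r) / len(r) for cat, r in buckets.items()}


def prioritise(threats: Iterable[Threat]) -> List[Tuple[str, int]]:
    """Threats ordered highest raw score first (ties: higher damage, then name)."""
    ordered = sorted(threats, key=lambda t: (-t.dread_score(), -t.damage, t.name))
    return [(t.name, rounded_rating(t.dread_score())) for t in ordered]


# Constructed sample register. The two Repudiation rows carry the factor
# values shown on the slide; the remaining rows are invented to show ranking
# across categories.
SAMPLE_THREATS = [
    Threat("Repudiation", "Attacker obtains authentication credentials by phishing",
           10, 9, 7, 8, 10),
    Threat("Repudiation", "SQL command injection", 8, 8, 8, 9, 7),
    Threat("Information Disclosure", "Verbose stack traces returned to users",
           4, 10, 9, 6, 10),
    Threat("Denial of Service", "Unbounded file upload exhausts disk",
           7, 8, 6, 9, 5),
    Threat("Elevation of Privilege", "Missing authorisation check on admin API",
           10, 7, 5, 10, 4),
]


if __name__ == "__main__":
    for cat, avg in category_ratings(SAMPLE_THREATS).items():
        print(f"{cat}: {avg:.1f}")
    for name, rating in prioritise(SAMPLE_THREATS):
        print(f"{rating:>2}  {name}")
```

Sorting on the raw mean rather than the rounded rating keeps the order stable between threats that round to the same whole number; the rounded value is what goes on the report, the raw value is what decides the queue.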
Predict: Improving Current Landscape
[Threat-model diagram: elements labelled TA01–TA04, C01–C03 and A01–A04, each annotated "CVSS XX?"; model sample taken from: https://michenriksen.com/blog/drawio-for-threat-modeling]
Take Control of your risk posture

Countermeasure
Predict: Risk-prioritized exposure assessment | Anticipate threats/attacks | Baseline systems & security posture
Prevent: Harden systems | Isolate systems | Prevent attacks
Detect: Detect incidents | Confirm & prioritize risks | Contain incidents
Respond: Remediate | Design/model policy change | Incident retrospective analysis

Why do we need to Leverage Vulnerability Management?
1. Reporting: Scan and penetration reports are generated faster and with more context, a 57% reduction in processing time (n=8, 2017). This is achieved by combining the countermeasure strategies for the same threat sources.
2. Remediation: this prioritization approach significantly reduces vulnerability exposure and the overall related risk.
3. Risk Metrics: reduction of the Risk Score, and also of the median time to discover and remediate high-risk issues.
4. Vulnerabilities Focus: contextual vulnerability data helps mitigate the exposure that drives reputational and financial risk to the company.

So, what do we get?
• Eventually we are closing the gap between DevOps & Security teams.
• Implement prediction from intelligence within the pipeline by:
  • Matching both the DevOps and Security team’s velocity.
  • Providing contextual intelligence on changes in the threat landscape.
  • Supporting the organization's business demands at scale.

Take away
• The latest technology innovations are highly likely to introduce new vulnerabilities and change the threat landscape. Exploits keep coming. Be vigilant!
• Developers can also introduce vulnerabilities outside of the code itself. Vulnerability Management involves finding flaws (or bugs).
• Vulnerability Management alone is not enough; you need to have your own risk model. Be contextual or do more by: Measure, Prioritize, and Predict.

DEVOPS INDONESIA - Stay Connected
@devopsindonesia
http://www.devopsindonesia.com
linkedin.com/in/mademulia/
IDDevOps
fy@faisalyahya.com
/FaisalYahya
@faisal_yahya
@faisaly
@faisalyahya
DevOpsIndonesia
More Related Content

What's hot

QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
Risk Analysis Consultants, s.r.o.
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Ulf Mattsson
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
PECB
 
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
PECB
 

What's hot (20)

To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
To Build Or Not To Build: Can SOC-aaS Bridge Your Security Skills Gap?
 
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat ProtectionSymantec Cyber Security Solutions | MSS and Advanced Threat Protection
Symantec Cyber Security Solutions | MSS and Advanced Threat Protection
 
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
QualysGuard InfoDay 2013 - QualysGuard Security & Compliance Suite supporting...
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Dressing up the ICS Kill Chain
Dressing up the ICS Kill ChainDressing up the ICS Kill Chain
Dressing up the ICS Kill Chain
 
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
Securing fintech - threats, challenges, best practices, ffiec, nist, and beyo...
 
A holistic approach to risk management 20210210 w acfe france &amp; cyber rea...
A holistic approach to risk management 20210210 w acfe france &amp; cyber rea...A holistic approach to risk management 20210210 w acfe france &amp; cyber rea...
A holistic approach to risk management 20210210 w acfe france &amp; cyber rea...
 
Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)Pöyry ICS Cyber Security brochure (English)
Pöyry ICS Cyber Security brochure (English)
 
Dragos year in review (yir) 2018
Dragos year in review (yir) 2018Dragos year in review (yir) 2018
Dragos year in review (yir) 2018
 
CSIRT_16_Jun
CSIRT_16_JunCSIRT_16_Jun
CSIRT_16_Jun
 
DHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber ResilienceDHS Cybersecurity Services for Building Cyber Resilience
DHS Cybersecurity Services for Building Cyber Resilience
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Utilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare TechnologyUtilizing the Critical Security Controls to Secure Healthcare Technology
Utilizing the Critical Security Controls to Secure Healthcare Technology
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...Challenges and Solution to Mitigate the cyber-attack  on Critical Infrastruct...
Challenges and Solution to Mitigate the cyber-attack on Critical Infrastruct...
 
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
Building Trust in Blockchain: How Blockchain Will Revolutionize Businesses in...
 
Building an application security program
Building an application security programBuilding an application security program
Building an application security program
 
The Changing Security Landscape
The Changing Security LandscapeThe Changing Security Landscape
The Changing Security Landscape
 
An introduction to Cyber Essentials
An introduction to Cyber EssentialsAn introduction to Cyber Essentials
An introduction to Cyber Essentials
 

Similar to Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - Remediation)

SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
Norm Barber
 

Similar to Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - Remediation) (20)

BNYMellon - CVE 101.pdf
BNYMellon - CVE 101.pdfBNYMellon - CVE 101.pdf
BNYMellon - CVE 101.pdf
 
Patch Management Best Practices 2019
Patch Management Best Practices 2019Patch Management Best Practices 2019
Patch Management Best Practices 2019
 
Research Paper
Research PaperResearch Paper
Research Paper
 
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019Edgescan   vulnerability stats report 2019 - h-isac-2-2-2019
Edgescan vulnerability stats report 2019 - h-isac-2-2-2019
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Research Article On Web Application Security
Research Article On Web Application SecurityResearch Article On Web Application Security
Research Article On Web Application Security
 
Zero-day Vulnerabilities
Zero-day VulnerabilitiesZero-day Vulnerabilities
Zero-day Vulnerabilities
 
Presentation on vulnerability analysis
Presentation on vulnerability analysisPresentation on vulnerability analysis
Presentation on vulnerability analysis
 
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
Disrupting the Malware Kill Chain - What's New from Palo Alto Networks.
 
2019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 20202019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 2020
 
edgescan vulnerability stats report (2018)
 edgescan vulnerability stats report (2018)  edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
Rational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability AssessmentRational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability Assessment
 
Edgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics ReportEdgescan 2022 Vulnerability Statistics Report
Edgescan 2022 Vulnerability Statistics Report
 
2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf2022 Vulnerability Statistics Report.pdf
2022 Vulnerability Statistics Report.pdf
 
IRJET- Cross Platform Penetration Testing Suite
IRJET-  	  Cross Platform Penetration Testing SuiteIRJET-  	  Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
 
A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...A study on securing cloud environment from d do s attack to preserve data ava...
A study on securing cloud environment from d do s attack to preserve data ava...
 
Everything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeepEverything You Need to Know About BlueKeep
Everything You Need to Know About BlueKeep
 
LonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdfLonghornPHP - CVE 101.pdf
LonghornPHP - CVE 101.pdf
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 

More from DevOps Indonesia

More from DevOps Indonesia (20)

DevSecOps Implementation Journey
DevSecOps Implementation JourneyDevSecOps Implementation Journey
DevSecOps Implementation Journey
 
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
DevOps Indonesia X Palo Alto and Dkatalis Roadshow to DevOpsDays Jakarta 2022
 
Securing an NGINX deployment for K8s
Securing an NGINX deployment for K8sSecuring an NGINX deployment for K8s
Securing an NGINX deployment for K8s
 
Observability in highly distributed systems
Observability in highly distributed systemsObservability in highly distributed systems
Observability in highly distributed systems
 
DevOps Indonesia Meetup #52 - announcement
DevOps Indonesia Meetup #52 - announcementDevOps Indonesia Meetup #52 - announcement
DevOps Indonesia Meetup #52 - announcement
 
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
Dev ops meetup 51 : Securing DevOps Lifecycle - AnnouncementDev ops meetup 51 : Securing DevOps Lifecycle - Announcement
Dev ops meetup 51 : Securing DevOps Lifecycle - Announcement
 
Securing DevOps Lifecycle
Securing DevOps LifecycleSecuring DevOps Lifecycle
Securing DevOps Lifecycle
 
DevOps Meetup 50 : Securing your Application - Announcement
DevOps Meetup 50 : Securing your Application - AnnouncementDevOps Meetup 50 : Securing your Application - Announcement
DevOps Meetup 50 : Securing your Application - Announcement
 
Secure your Application with Google cloud armor
Secure your Application with Google cloud armorSecure your Application with Google cloud armor
Secure your Application with Google cloud armor
 
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Meetup 49  Aws Copilot and Gitops - announcement by DevOps IndonesiaDevOps Meetup 49  Aws Copilot and Gitops - announcement by DevOps Indonesia
DevOps Meetup 49 Aws Copilot and Gitops - announcement by DevOps Indonesia
 
Operate Containers with AWS Copilot
Operate Containers with AWS CopilotOperate Containers with AWS Copilot
Operate Containers with AWS Copilot
 
Continuously Deploy Your CDK Application by Petra novandi barus
Continuously  Deploy Your CDK Application by Petra novandi barusContinuously  Deploy Your CDK Application by Petra novandi barus
Continuously Deploy Your CDK Application by Petra novandi barus
 
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46  aws with payfazz in devops indonesia - a...DevOps indonesia (online) meetup 46  aws with payfazz in devops indonesia - a...
DevOps indonesia (online) meetup 46 aws with payfazz in devops indonesia - a...
 
Securing Your Database Dynamic DB Credentials
Securing Your Database  Dynamic DB CredentialsSecuring Your Database  Dynamic DB Credentials
Securing Your Database Dynamic DB Credentials
 
DevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - AnnouncementDevOps Indonesia (online) meetup 45 - Announcement
DevOps Indonesia (online) meetup 45 - Announcement
 
The Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOpsThe Death and Rise of Enterprise DevOps
The Death and Rise of Enterprise DevOps
 
API Security Webinar - Credential Stuffing
API Security Webinar - Credential StuffingAPI Security Webinar - Credential Stuffing
API Security Webinar - Credential Stuffing
 
API Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIsAPI Security Webinar - Security Guidelines for Providing and Consuming APIs
API Security Webinar - Security Guidelines for Providing and Consuming APIs
 
API Security Webinar - Hendra Tanto
API Security Webinar - Hendra TantoAPI Security Webinar - Hendra Tanto
API Security Webinar - Hendra Tanto
 
API Security Webinar : Credential Stuffing
API Security Webinar : Credential StuffingAPI Security Webinar : Credential Stuffing
API Security Webinar : Credential Stuffing
 

Recently uploaded

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - Remediation)

  • 1. PAGE1 DEVOPS INDONESIA DEVOPS INDONESIA Jakarta, 20 June 2019 DevOps Community in Indonesia Leveraging Vulnerability Management Beyond DPR (Discovery – Prioritization – Remediation) Presented by: Faisal Yahya
  • 2. About Faisal Yahya, CISSP, CCISO, CCSK v3&4, CSX-P, ITIL-Fv3, CySA+, CEI CyberSecurity Nexus - Practitioner Top ASEAN CIOs to follow on Twitter https://www.cio.com/article/3342 397/top-asean-cios-to-follow-on- twitter.html Wrote for: Peerlyst | APACCIOOutlook | InfoKomputer | [ .. wait for this space .. ]
  • 3. CVE-2019-0174 – RAMBleed Side Channel Attack The new attack methods described in this paper are not microprocessor-specific, they leverage known issues in DRAM memory. These attacks only impact DDR4 and DDR3 memory modules, and older generations DDR2 and DDR1 memory modules are not vulnerable to these attacks. (ORACLE, 11 June 2019) • Threat found in March 2016, and started to exploit in June 2019. (check http://www.thirdio.com/rowhammer.pdf) https://www.theregister.co.uk/2019/06 /11/rambleed_rowhammer_attack/ 16 June 2019 PAGE3DevOpsIndonesia
  • 4. Global CyberSecurity Landscape The cyber attack surface has significantly increased through advances in automation and connected devices. Combined with the commercialization of attack tools that were once limited to a nation state’s arsenal, and you have the ingredients for significant disruption. The expected global cost of cybersecurity breaches across all sectors by 2021 is US$6 trillion. ey.com PAGE4DevOpsIndonesia
  • 5. CyberCrime: Global Statistic 70 49 56 63 51 44 58 70 65 69 64 77 94 115 75 81 95 85 108 66 93 91 107 84 0 20 40 60 80 100 120 140 Jan Feb Mar Apr May June July Ags Sept Oct Nov Dec 2017 2018 Total: 736 1,094 49% AVG: 61 91 potential catastrophic events? source data from: https://www.hackmageddon.com PAGE5DevOpsIndonesia
  • 6. The 4 Biggest Data Breaches of 2018
    • 1.1 billion records breached (date disclosed: Jan 3, 2018)
    • 340 million records breached (date disclosed: June 26, 2018)
    • 150 million records breached (date disclosed: May 25, 2018)
    • 500 million records breached (date disclosed: Nov 19, 2018)
    On average, it takes 120 days to discover a data breach.
  • 7. Target Distribution – Global – Top Ten (2018). Source: Hackmageddon, 2018.
  • 8. 2018 Vulnerabilities by Impact Type (Source: VulnDB, 2019)
    • Integrity: 61%
    • Confidentiality: 19%
    • Availability: 15%
    • Unknown: 5%
  • 9. Indonesia – CyberSecurity Positioning (rank out of 60 countries; 60 = worst, 1 = best; source: https://www.comparitech.com)
    1. The percentage of mobiles infected with malware: Indonesia 53/60 (25.02% of users); worst: Bangladesh (35.91% of users); best: Japan (1.34% of users)
    2. The percentage of computers infected with malware: Indonesia 56/60 (24.7% of users); worst: Algeria (32.41%); best: Denmark (5.9% of users)
    3. The number of financial malware attacks: Indonesia 54/60 (1.8% of users); worst: Germany (3% of users); best: Ukraine (0.3% of users)
    4. The percentage of telnet attacks (by originating country): Indonesia 49/60 (1.51% of users); worst: China (27.15%); best: Algeria, Uzbekistan and Sri Lanka (0.01%)
    5. The percentage of attacks by cryptominers: Indonesia 57/60 (8.8% of users); worst: Uzbekistan (14.23% of users); best: Denmark (0.61% of users)
    6. The best-prepared countries for cyber attacks: Indonesia 54/60 (score 0.424); worst: Vietnam (score 0.245); best: Singapore (score 0.925)
    7. The countries with the most up-to-date legislation: Indonesia 36/60 (4 key categories covered); worst: Algeria (1 key category covered); best: France, China, Russia and Germany (all 7 categories covered)
  • 10. Top 10 Vulnerabilities in 2018 – for …. (Source: VulnDB; CVSS score 9.0 – 10.0)
    Vendors (n=1,525): Google Inc. 407; Samsung 250; SGP Tech. 201; Adobe Systems 158; Microsoft 129; WECON Tech. 110; Zoho Corp. 92; LG Electronics 72; Cisco Systems 58; XEROX Corp. 48
    Products (n=1,495): Google Pixel / Nexus 258; Samsung Mobile (Android OS) 248; SilentOS 201; Acrobat Reader DC 130; Acrobat DC 129; Acrobat 127; LeviStudioU 109; Chrome OS 97; LG Mobile Devices (Android OS) 69
  • 11. Current Prioritization Methods Don’t Help (Kenna, 2019). CVSS < 7: 1.3% resulted in a breach. CVSS 7+: 6.9% resulted in a breach.
  • 12. Areas of Interest – 2018. “… The number of software apps deployed by large firms across all industries world-wide has increased 68% over the past four years, reaching an average of 129 apps per company by the end of 2018 ….” (OKTA, 2019) https://www.wsj.com/articles/employees-are-accessing-more-and-more-business-apps-study-finds-11549580017
  • 13. SQL injection and Cross-Site Scripting (XSS) vulnerabilities are still counted as the biggest threats for web applications. Chart: 2018 Web Vulnerabilities by Specified Type.
  • 14. Top 5 Vulnerabilities by Attack Type
  • 15. Why Manually Managing Vulnerabilities Is Not Humanly Possible
    Vulnerabilities disclosed per year: 2014: 14,350; 2015: 15,273; 2016: 16,126; 2017: 22,230; 2018: 22,022
    Average days from publish to exploit: 19.68 days. Average days from publish to event: 27.36 days.
  • 16. Security Challenges in DevOps. Software security is often viewed as an impediment to DevOps:
    • Barrier to velocity and innovation
    • Causes deadlines to slip
    • Time-consuming and doesn’t support hourly developments
    • Needs a lot of customization
    • No uniform way to provide continuous feedback
    • Scaling remains a challenge
    • Finally, no risk-based approach
  • 17. The Three Biggest Challenges in Vulnerability Tracking
    • The number of vulnerabilities reported is continuously increasing. In 2010 fewer than 10,000 vulnerabilities were reported; in 2018 more than 22,000 vulnerabilities were disclosed. Two main reasons: more software being created and a growing focus on vulnerability research.
    • Vulnerability reporting is becoming decentralized. Too many sources reporting the same vulnerability cause many disputes.
    • The quality of vulnerability reports has generally fallen. Some reports are simply invalid or duplicates of already known vulnerabilities. The number of invalid CVEs is increasing.
  • 18. Changes in the Threat Landscape (Carmine Rimi, 2019)
  • 19. 2.3 billion files exposed across online file storage technologies (https://www.digitalshadows.com/blog-and-research/2-billion-files-exposed-across-online-file-storage-technologies/)
    • smb: 1,071,090,978 files (46%)
    • ftp: 457,493,871 files (20%)
    • rsync: 386,791,990 files (16%)
    • s3: 182,142,197 files (8%)
    • webindex: 163,568,453 files (7%)
    • nas: 65,471,242 files (3%)
  • 20. Application Security Touchpoints (DevOps and ITOps)
    • Planning: Security Requirements; Threat Models; Risk Analysis
    • Coding: IDE Integration; Static Analysis; Pre-commit
    • Test: DAST / IAST; SAST; Fuzz testing
    • Release: Secure configuration; Packaging for Deployment
    • Deploy: Operational protections; Penetration testing
    • BizTest (Operate / Monitor): Blue teaming | Bug-bounty | Red teaming
  • 21. Offence (TI) / Defence (TM)
    • Threat Intelligence (offence): Threat Actors; Technology & Tech. Indicators; Method of Operations
    • Threat Modelling (defence): Defenders; Processes; Technology
    • Information Exchanges between the two
  • 22. Requirements for Vulnerability Management
    • Context: vulnerability scanners lack the context security teams require to prioritize what to remediate first.
    • Visibility: IT teams lack the visibility required to understand what to fix, how to fix it, and why.
    • Precision: poor reporting reduces visibility and reduces board confidence.
    • Measure + Prioritize + Predict: more than just Detection – Prioritization – Remediation.
  • 27. Threat categories: Spoofing Identity, Tampering with Data, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege.
    DREAD framework: Damage Potential, Reproducibility, Exploitability, Affected users, Discoverability. Calculation formula: Rating = (D + R + E + A + D) / 5.
    Threats with their D, R, E, A, D scores and resulting rating:
    • Repudiation (rating 8.5, average of the sub-totals)
      • Attacker obtains authentication credentials by phishing: 10, 9, 7, 8, 10; rating 9
      • SQL command injection: 8, 8, 8, 9, 7; rating 8
      • … more
    • Information Disclosure … more
    • Denial of Service …
    • Elevation of Privilege …
    Measure & Prioritize, giving a UNIQUE Risk Rating.
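As an added example that is not part of the deck: a small Python DREAD calculator that applies the slide's formula Rating = (D + R + E + A + D) / 5 to each threat, rolls the rounded per-threat ratings up into the per-category "AVG from sub total" and ranks the threats for remediation. The two Repudiation rows carry the slide's own scores; the Information Disclosure and Denial of Service rows and the half-up rounding rule are assumptions of this example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Threat:
    category: str   # threat category from the slide, e.g. "Repudiation"
    name: str
    d: int          # Damage potential, 1..10
    r: int          # Reproducibility, 1..10
    e: int          # Exploitability, 1..10
    a: int          # Affected users, 1..10
    disc: int       # Discoverability, 1..10

    def scores(self):
        s = (self.d, self.r, self.e, self.a, self.disc)
        if any(not 1 <= x <= 10 for x in s):
            raise ValueError(f"DREAD scores must be in 1..10: {s}")
        return s

    def rating(self) -> float:
        """Slide formula: Rating = (D + R + E + A + D) / 5, unrounded."""
        return sum(self.scores()) / 5

    def rounded_rating(self) -> int:
        """Whole-number rating as printed on the slide (8.8 -> 9).
        Half-up rounding is an assumption; the slide states no rule."""
        return math.floor(self.rating() + 0.5)


def category_ratings(threats: List[Threat]) -> Dict[str, float]:
    """Per-category average of the rounded threat ratings. Averaging the
    rounded values is what reproduces the slide's 8.5 for Repudiation."""
    buckets: Dict[str, List[int]] = {}
    for t in threats:
        buckets.setdefault(t.category, []).append(t.rounded_rating())
    return {c: sum(v) / len(v) for c, v in buckets.items()}


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Remediation order: highest exact rating first, then damage, then name."""
    return sorted(threats, key=lambda t: (-t.rating(), -t.d, t.name))


# The first two rows are the slide's; the last two are constructed for this example.
SAMPLE = [
    Threat("Repudiation", "Attacker obtains authentication credentials by phishing", 10, 9, 7, 8, 10),
    Threat("Repudiation", "SQL command injection", 8, 8, 8, 9, 7),
    Threat("Information Disclosure", "Stack traces shown on error pages (constructed)", 5, 10, 8, 6, 9),
    Threat("Denial of Service", "Unbounded upload size fills disk (constructed)", 7, 9, 6, 8, 5),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE):
        print(f"{t.rating():.1f} ({t.rounded_rating()})  {t.category}: {t.name}")
    print(category_ratings(SAMPLE))
```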
  • 28. Predict: Improving the Current Landscape. Diagram with nodes TA01–TA04, C01–C03 and A01–A04, each annotated “CVSS XX?”; model sample taken from: https://michenriksen.com/blog/drawio-for-threat-modeling. Take control of your risk posture.
  • 29. Countermeasure: Predict – Prevent – Detect – Respond
    • Predict: Risk-prioritized exposure assessment; Anticipate threats/attacks; Baseline systems & security posture
    • Prevent: Harden systems; Isolate systems; Prevent attacks
    • Detect: Detect incidents; Confirm & prioritize risks; Contain incidents
    • Respond: Remediate; Design/model policy change; Incident retrospective analysis
  • 30. Why do we need to leverage Vulnerability Management?
    1. Reporting: penetration scan reports are generated faster and with more context, a 57% reduction in processing time (n=8, 2017). This is achieved by combining the countermeasure strategy for the same threat sources.
    2. Remediation: this prioritization approach significantly reduces vulnerability exposure and the overall related risk.
    3. Risk Metrics: reduction of the risk score, and also of the median time to discover and remediate high-risk issues.
    4. Vulnerabilities Focus: contextual vulnerabilities help to mitigate the exposure that leverages reputational and financial risk to the company.
  • 31. So, what do we get?
    • Eventually we close the gap between the DevOps and Security teams.
    • Implement prediction from intelligence within the pipeline by:
      • Matching both the DevOps and Security teams’ velocity.
      • Providing contextual and intelligence-driven changes on the threat landscape.
      • Supporting the organization’s business demands at scale.
  • 32. Take away
    • The latest technology innovations are highly likely to introduce new vulnerabilities and change the threat landscape. Exploits keep coming. Be vigilant!
    • Developers can also introduce vulnerabilities outside of the code itself. Vulnerability Management involves finding flaws (or bugs).
    • Vulnerability Management alone is not enough; you need to have your own risk model. Be contextual or do more by: Measure, Prioritize, and Predict.