SlideShare a Scribd company logo

Bsides SP 2022 - EPSS - Final.pptx

Download as PPTX, PDF
Clavis Segurança da Informação
Clavis Segurança da Informação

17ª edição da Security BSides São Paulo, uma conferência gratuita sobre segurança da informação e cultura hacker, também conhecida como BSidesSP. Desta vez, estivemos duplamente representados pelo nosso Head de Produto, Leonardo Pinheiro e pelo nosso Head of Threat and Detection Research, Rodrigo Montoro. Imperdível! ;) Ambos apresentaram a palestra "Exploit Prediction Scoring System (EPSS) – Aperfeiçoando a priorização de vulnerabilidades de forma efetiva". Confira!

Technology
1 of 35
Exploit Prediction Scoring System (EPSS) Leonardo Pinheiro Head of Product Rodrigo Montoro Head of Threat & Detection Research @spookerlabs
About us Clavis Segurança da Informação ● Head of Threat & Detection Research at Clavis Security ● Living in Florianópolis (Silicon Island) ● Author of 2 patented technologies (US Patent Office) ● Speaker in different conferences (Brazil,USA,Canada) ● Proud Dad and Husband ● Full Ironman triathlon (2x) ● Crossfit and Powerlifting Rodrigo Montoro ● Head of Product at Clavis Security ● Living in Campinas ● Electrical Engineering at Unicamp with AI Specialization at Texas Tech University ● International work experience / exchange ● Software engineer by nature, Business developer by passion ● Gym Addicted Leonardo Pinheiro
Motivation
AGENDA Common Vulnerabilities and Exposures (CVE) & Common Vulnerability Scoring System v3 (CVSS) Vulnerability Management & Challenges Exploit Prediction Scoring System (EPSS) 1 1 Real world use and analysis 1 Conclusions
5 Clavis Segurança da Informação Common Vulnerability and Exposures (CVE) & Common Vulnerability Scoring System (CVSS)
What is a vulnerability ? Clavis Segurança da Informação Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. A code or tool used to take advantage of a vulnerability is called an exploit. source: https://csrc.nist.gov/glossary/term/vulnerability
Common Vulnerability Exposure (CVE) Clavis Segurança da Informação source: https://www.ondeso.com/wp-content/uploads/2020/09/cve-summary-freebie-ondeso.pdf
Some statistics about vulnerabilities (CVE) Clavis Segurança da Informação Source: https://www.cvedetails.com/browse-by-date.php
Top 25 vendors Clavis Segurança da Informação Source:https://www.cvedetails.com/top-50-vendors.php
Common Vulnerability Scoring System (CVSS) Clavis Segurança da Informação The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS consists of three metric groups: Base, Temporal, and Environmental. source: https://nvd.nist.gov/vuln-metrics/cvss https://www.first.org/cvss/calculator/3.0
How is calculate CVSS v3 ? Clavis Segurança da Informação
Base calculation sample Clavis Segurança da Informação
Some statistics Clavis Segurança da Informação source: https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=1999-01-01&enddate=2022-11-11 Baixa Médio Alto Critico Nem tudo é crítico
Top 25 vendors 2022 Clavis Segurança da Informação Source:https://www.cvedetails.com/top-50-vendors.php
15 Clavis Segurança da Informação Vulnerability Management & Challenges
What is vulnerability management ? Clavis Segurança da Informação source: https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/ Most companies prioritize vulnerabilities based on volume rather than business risk One of the biggest challenges in Continuous Vulnerability Management is not only mapping existing vulnerabilities within the park, but also where to start solving the problem
Challenge - How to prioritize ? Clavis Segurança da Informação
Not always CVSS higher means bigger problems Clavis Segurança da Informação Impact Probability
19 Clavis Segurança da Informação Exploit Prediction Scoring System (EPSS)
Motivation around EPSS Clavis Segurança da Informação Past research has shown that firms are able to fix between 5% and 20% of known vulnerabilities per month. Secondly, only a small subset (2%-7% of published vulnerabilities are ever seen to be exploited in the wild)
What is EPSS ? Clavis Segurança da Informação The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited (in the next 30 days).
EPSS | Data Architecture Clavis Segurança da Informação MITRE’s CVE List “Tags” Days published Published Exploit Security Scanners CVSS v3 Vector Vendor Real Attacks XG Boost | Poisson Regression EPSS
EPSS | Log4Shell Example Clavis Segurança da Informação
EPSS Model performance Clavis Segurança da Informação Coverage => number of exploited vulnerabilities prioritized (TP) divided by the total number of exploited vulnerabilities (TP + FN) Efficiency => number of exploited vulnerabilities prioritized (TP) divided by the total number of prioritized vulnerabilities (TP+FP).
Evolution (CVSSv3, EPSSv1 & EPSSv2) Clavis Segurança da Informação
EPSS Data Driven (part of) sources Clavis Segurança da Informação
CVSS versus EPSS Clavis Segurança da Informação
EPSS x CVSS Clavis Segurança da Informação CVE 2019-11580 Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. CVE 2017-0061 A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
29 Clavis Segurança da Informação Real world data analysis
Analysis … Clavis Segurança da Informação Variação da volumetria baseado na criticidade Of the 40,037 critical vulnerabilities, 2,000 have an EPSS > 0.9
Analysis | CVSS X EPSS Clavis Segurança da Informação Prioritize Deprioritize
Analysis | Priorização Clavis Segurança da Informação Vulnerability CVSS Microsoft Internet Explorer Unsupported Version Detection 10 SSL Version 2 and 3 Protocol Detection 9,8 Microsoft XML Parser (MSXML) and XML Core Services Unsupported 10 Google Chrome < 107.0.5304.110 Multiple Vulnerabilities 9,6 FortiClient Windows Unquoted Service Path vulnerability(FG-IR-19-281) 10 Vulnerability CVSS EPSS Apache < 2.4.49 Multiple Vulnerabilities 10 0.97 Apache Tomcat AJP Connector Request Injection (Ghostcat) 9.8 0.96 Windows Server 2012 June 2017 Security Updates 9.8 0.96 Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725) 9.8 0.96 KB4499175: Windows 7 and Windows Server 2008 R2 May 2019 Security Update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (BlueKeep) 9.8 0.96 Prioritization based on CVSS and volumetry Prioritization based on EPSS and CVSS
33 Clavis Segurança da Informação Conclusions
Conclusions Clavis Segurança da Informação ● Prioritization is hard, make your life easier ● You won't get everything fix ● Fix what really matters ● Add other contexts to prioritization ● Don't rely ONLY on EPSS
Obrigado Leonardo Pinheiro leonardo.pinheiro@clavis.com.br Rodrigo Montoro rodrigo.montoro@clavis.com.br

Recommended

7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 

Recommended

7 Steps to Threat Modeling
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat ModelingDanny Wong
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling EverythingAnne Oikarinen
 
Sqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl and IBM: Threat Hunting for QRadar Users
Sqrrl and IBM: Threat Hunting for QRadar UsersSqrrl
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021Adam Shostack
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Zero Trust : How to Get Started
Zero Trust : How to Get StartedZero Trust : How to Get Started
Zero Trust : How to Get StartedEyesOpen Association
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsLearningwithRayYT
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat ModelingMiriam Celi, CISSP, GISP, MSCS, MBA
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroClavis Segurança da Informação
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Lost in Translation - Blackhat Brazil 2014
Lost in Translation - Blackhat Brazil 2014Lost in Translation - Blackhat Brazil 2014
Lost in Translation - Blackhat Brazil 2014Rodrigo Montoro
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Detecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsDetecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsTenchi Security
 
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMUpgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMElasticsearch
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroKleitor Franklint Correa Araujo
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...lior mazor
 

More Related Content

What's hot

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsLearningwithRayYT
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Vaticle
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And AnalysisLalit Kale
 
Lost in Translation - Blackhat Brazil 2014
Lost in Translation - Blackhat Brazil 2014Lost in Translation - Blackhat Brazil 2014
Lost in Translation - Blackhat Brazil 2014Rodrigo Montoro
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center FundamentalAmir Hossein Zargaran
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPrime Infoserv
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Detecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsDetecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsTenchi Security
 
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMUpgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMElasticsearch
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 

What's hot (20)

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Zero Trust : How to Get Started
Zero Trust : How to Get StartedZero Trust : How to Get Started
Zero Trust : How to Get Started
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Cloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo MontoroCloud Summit Canada com Rodrigo Montoro
Cloud Summit Canada com Rodrigo Montoro
 
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
Building a Cyber Threat Intelligence Knowledge Management System (Paris Augus...
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Threat Modeling And Analysis
Threat Modeling And AnalysisThreat Modeling And Analysis
Threat Modeling And Analysis
 
Lost in Translation - Blackhat Brazil 2014
Lost in Translation - Blackhat Brazil 2014Lost in Translation - Blackhat Brazil 2014
Lost in Translation - Blackhat Brazil 2014
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
 
PaloAlto Enterprise Security Solution
PaloAlto Enterprise Security SolutionPaloAlto Enterprise Security Solution
PaloAlto Enterprise Security Solution
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Detecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ailsDetecting AWS control plane abuse in an actionable way using Det{R}ails
Detecting AWS control plane abuse in an actionable way using Det{R}ails
 
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEMUpgrade Your SOC with Cortex XSOAR & Elastic SIEM
Upgrade Your SOC with Cortex XSOAR & Elastic SIEM
 
Entendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento SeguroEntendendo o Ciclo de Desenvolvimento Seguro
Entendendo o Ciclo de Desenvolvimento Seguro
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 

Similar to Bsides SP 2022 - EPSS - Final.pptx

Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...lior mazor
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftEoin Keary
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learningBryan Fendley
 
Protect Against 85% of Cyberattacks
Protect Against 85% of CyberattacksProtect Against 85% of Cyberattacks
Protect Against 85% of CyberattacksIvanti
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) Eoin Keary
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci complianceShiva Hullavarad
 
Vulnerability scanning project
Vulnerability scanning projectVulnerability scanning project
Vulnerability scanning projectChirag Dhamecha
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Cybersecurity Education and Research Centre
 
Vulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionVulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionJonathan Cran
 
Understanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareUnderstanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareNicole Gaehle, MSIST
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsAdrian Sanabria
 
Web app penetration testing best methods tools used
Web app penetration testing best methods tools usedWeb app penetration testing best methods tools used
Web app penetration testing best methods tools usedZoe Gilbert
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsCisco Canada
 

Similar to Bsides SP 2022 - EPSS - Final.pptx (20)

Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
Allianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draftAllianz Global CISO october-2015-draft
Allianz Global CISO october-2015-draft
 
Fendley how secure is your e learning
Fendley how secure is your e learningFendley how secure is your e learning
Fendley how secure is your e learning
 
Protect Against 85% of Cyberattacks
Protect Against 85% of CyberattacksProtect Against 85% of Cyberattacks
Protect Against 85% of Cyberattacks
 
edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018) edgescan vulnerability stats report (2018)
edgescan vulnerability stats report (2018)
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
Monitoring threats for pci compliance
Monitoring threats for pci complianceMonitoring threats for pci compliance
Monitoring threats for pci compliance
 
Vulnerability scanning project
Vulnerability scanning projectVulnerability scanning project
Vulnerability scanning project
 
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...
 
Vulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionVulnerability Prioritization and Prediction
Vulnerability Prioritization and Prediction
 
Data Science for Cyber Risk
Data Science for Cyber RiskData Science for Cyber Risk
Data Science for Cyber Risk
 
Understanding Vulnerabilities in Software
Understanding Vulnerabilities in SoftwareUnderstanding Vulnerabilities in Software
Understanding Vulnerabilities in Software
 
Sophos
SophosSophos
Sophos
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Securing Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These YearsSecuring Systems - Still Crazy After All These Years
Securing Systems - Still Crazy After All These Years
 
Web app penetration testing best methods tools used
Web app penetration testing best methods tools usedWeb app penetration testing best methods tools used
Web app penetration testing best methods tools used
 
Behind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced ThreatsBehind the Curtain: Exposing Advanced Threats
Behind the Curtain: Exposing Advanced Threats
 

More from Clavis Segurança da Informação

Resposta a Incidentes | Mind The Sec 2022 com Rodrigo Montoro
Resposta a Incidentes | Mind The Sec 2022 com Rodrigo MontoroResposta a Incidentes | Mind The Sec 2022 com Rodrigo Montoro
Resposta a Incidentes | Mind The Sec 2022 com Rodrigo MontoroClavis Segurança da Informação
 
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoDesenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - ApresentaçãoBig Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
A maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - ApresentaçãoA maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoAdoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoClavis Segurança da Informação
 
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...Clavis Segurança da Informação
 
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401Clavis Segurança da Informação
 
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o NmapManobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o NmapClavis Segurança da Informação
 
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...Clavis Segurança da Informação
 
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da InformaçãoTestes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da InformaçãoClavis Segurança da Informação
 
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força BrutaEntendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força BrutaClavis Segurança da Informação
 
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o WmapDescobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o WmapClavis Segurança da Informação
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DFGerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DFClavis Segurança da Informação
 
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...Clavis Segurança da Informação
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ Clavis Segurança da Informação
 

More from Clavis Segurança da Informação (20)

Resposta a Incidentes | Mind The Sec 2022 com Rodrigo Montoro
Resposta a Incidentes | Mind The Sec 2022 com Rodrigo MontoroResposta a Incidentes | Mind The Sec 2022 com Rodrigo Montoro
Resposta a Incidentes | Mind The Sec 2022 com Rodrigo Montoro
 
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - ApresentaçãoDesenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
Desenvolvimento Seguro de Software - 10o Workshop SegInfo - Apresentação
 
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - ApresentaçãoBig Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
Big Data e Segurança da Informação - 10o Workshop SegInfo - Apresentação
 
A maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - ApresentaçãoA maldição do local admin - 10o Workshop SegInfo - Apresentação
A maldição do local admin - 10o Workshop SegInfo - Apresentação
 
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - ApresentaçãoAdoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
Adoção do PCI no Brasil - 10o Workshop SegInfo - Apresentação
 
Palestra GlobalSign
Palestra GlobalSignPalestra GlobalSign
Palestra GlobalSign
 
Palestra Clavis - Octopus
Palestra Clavis - OctopusPalestra Clavis - Octopus
Palestra Clavis - Octopus
 
Palestra Exceda - Clavis 2016
Palestra Exceda - Clavis 2016Palestra Exceda - Clavis 2016
Palestra Exceda - Clavis 2016
 
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
Clavis e Cyberark promovem almoço para sobre soluções para a área de Seguranç...
 
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
Webinar #27 - Curso Permanente ComPTIA Security+ Exame SY0 401
 
Webinar # 21 – Análise Forense de Redes
Webinar # 21 – Análise Forense de Redes Webinar # 21 – Análise Forense de Redes
Webinar # 21 – Análise Forense de Redes
 
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o NmapManobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
Manobras Evasivas: Técnicas de Evasão para Varreduras com o Nmap
 
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
Tutorial: Principais Vulnerabilidades em Aplicações Web – Rafael Soares Ferre...
 
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da InformaçãoTestes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
Testes de Invasão ajudam a alcançar a conformidade - Segurança da Informação
 
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força BrutaEntendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
Entendendo como as Mídias Socias Revolucionaram os Ataques de Força Bruta
 
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o WmapDescobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
Descobrindo (e Explorando) Vulnerabilidades em Aplicações Web com o Wmap
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DFGerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI - DF
 
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
Impacto sobre o Negócio da Exploração de Vulnerabilidades de Injeção em Aplic...
 
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
Gerenciamento de Vulnerabilidades em Redes Corporativas - CNASI RJ
 
Webinar #18 – A Nova Lei de Cibercrimes
Webinar #18 – A Nova Lei de CibercrimesWebinar #18 – A Nova Lei de Cibercrimes
Webinar #18 – A Nova Lei de Cibercrimes
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Bsides SP 2022 - EPSS - Final.pptx

  • 1. Exploit Prediction Scoring System (EPSS) Leonardo Pinheiro Head of Product Rodrigo Montoro Head of Threat & Detection Research @spookerlabs
  • 2. About us Clavis Segurança da Informação ● Head of Threat & Detection Research at Clavis Security ● Living in Florianópolis (Silicon Island) ● Author of 2 patented technologies (US Patent Office) ● Speaker in different conferences (Brazil,USA,Canada) ● Proud Dad and Husband ● Full Ironman triathlon (2x) ● Crossfit and Powerlifting Rodrigo Montoro ● Head of Product at Clavis Security ● Living in Campinas ● Electrical Engineering at Unicamp with AI Specialization at Texas Tech University ● International work experience / exchange ● Software engineer by nature, Business developer by passion ● Gym Addicted Leonardo Pinheiro
  • 4. AGENDA Common Vulnerabilities and Exposures (CVE) & Common Vulnerability Scoring System v3 (CVSS) Vulnerability Management & Challenges Exploit Prediction Scoring System (EPSS) 1 1 Real world use and analysis 1 Conclusions
  • 5. 5 Clavis Segurança da Informação Common Vulnerability and Exposures (CVE) & Common Vulnerability Scoring System (CVSS)
  • 6. What is a vulnerability ? Clavis Segurança da Informação Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. A code or tool used to take advantage of a vulnerability is called an exploit. source: https://csrc.nist.gov/glossary/term/vulnerability
  • 7. Common Vulnerability Exposure (CVE) Clavis Segurança da Informação source: https://www.ondeso.com/wp-content/uploads/2020/09/cve-summary-freebie-ondeso.pdf
  • 8. Some statistics about vulnerabilities (CVE) Clavis Segurança da Informação Source: https://www.cvedetails.com/browse-by-date.php
  • 9. Top 25 vendors Clavis Segurança da Informação Source:https://www.cvedetails.com/top-50-vendors.php
  • 10. Common Vulnerability Scoring System (CVSS) Clavis Segurança da Informação The Common Vulnerability Scoring System (CVSS) is a method used to supply a qualitative measure of severity. CVSS is not a measure of risk. CVSS consists of three metric groups: Base, Temporal, and Environmental. source: https://nvd.nist.gov/vuln-metrics/cvss https://www.first.org/cvss/calculator/3.0
  • 11. How is calculate CVSS v3 ? Clavis Segurança da Informação
  • 12. Base calculation sample Clavis Segurança da Informação
  • 13. Some statistics Clavis Segurança da Informação source: https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=&product_id=&startdate=1999-01-01&enddate=2022-11-11 Baixa Médio Alto Critico Nem tudo é crítico
  • 14. Top 25 vendors 2022 Clavis Segurança da Informação Source:https://www.cvedetails.com/top-50-vendors.php
  • 15. 15 Clavis Segurança da Informação Vulnerability Management & Challenges
  • 16. What is vulnerability management ? Clavis Segurança da Informação source: https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/ Most companies prioritize vulnerabilities based on volume rather than business risk One of the biggest challenges in Continuous Vulnerability Management is not only mapping existing vulnerabilities within the park, but also where to start solving the problem
  • 17. Challenge - How to prioritize ? Clavis Segurança da Informação
  • 18. Not always CVSS higher means bigger problems Clavis Segurança da Informação Impact Probability
  • 19. 19 Clavis Segurança da Informação Exploit Prediction Scoring System (EPSS)
  • 20. Motivation around EPSS Clavis Segurança da Informação Past research has shown that firms are able to fix between 5% and 20% of known vulnerabilities per month. Secondly, only a small subset (2%-7% of published vulnerabilities are ever seen to be exploited in the wild)
  • 21. What is EPSS ? Clavis Segurança da Informação The Exploit Prediction Scoring System (EPSS) is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited (in the next 30 days).
  • 22. EPSS | Data Architecture Clavis Segurança da Informação MITRE’s CVE List “Tags” Days published Published Exploit Security Scanners CVSS v3 Vector Vendor Real Attacks XG Boost | Poisson Regression EPSS
  • 23. EPSS | Log4Shell Example Clavis Segurança da Informação
  • 24. EPSS Model performance Clavis Segurança da Informação Coverage => number of exploited vulnerabilities prioritized (TP) divided by the total number of exploited vulnerabilities (TP + FN) Efficiency => number of exploited vulnerabilities prioritized (TP) divided by the total number of prioritized vulnerabilities (TP+FP).
  • 25. Evolution (CVSSv3, EPSSv1 & EPSSv2) Clavis Segurança da Informação
  • 26. EPSS Data Driven (part of) sources Clavis Segurança da Informação
  • 27. CVSS versus EPSS Clavis Segurança da Informação
  • 28. EPSS x CVSS Clavis Segurança da Informação CVE 2019-11580 Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center. CVE 2017-0061 A use-after-free vulnerability can occur during XSL transformations when the source document for the transformation is manipulated by script content during the transformation. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox < 58.
  • 29. 29 Clavis Segurança da Informação Real world data analysis
  • 30. Analysis … Clavis Segurança da Informação Variação da volumetria baseado na criticidade Of the 40,037 critical vulnerabilities, 2,000 have an EPSS > 0.9
  • 31. Analysis | CVSS X EPSS Clavis Segurança da Informação Prioritize Deprioritize
  • 32. Analysis | Priorização Clavis Segurança da Informação Vulnerability CVSS Microsoft Internet Explorer Unsupported Version Detection 10 SSL Version 2 and 3 Protocol Detection 9,8 Microsoft XML Parser (MSXML) and XML Core Services Unsupported 10 Google Chrome < 107.0.5304.110 Multiple Vulnerabilities 9,6 FortiClient Windows Unquoted Service Path vulnerability(FG-IR-19-281) 10 Vulnerability CVSS EPSS Apache < 2.4.49 Multiple Vulnerabilities 10 0.97 Apache Tomcat AJP Connector Request Injection (Ghostcat) 9.8 0.96 Windows Server 2012 June 2017 Security Updates 9.8 0.96 Oracle WebLogic Server Remote Code Execution Vulnerability (Oracle Security Alert Advisory - CVE-2019-2725) 9.8 0.96 KB4499175: Windows 7 and Windows Server 2008 R2 May 2019 Security Update (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (BlueKeep) 9.8 0.96 Prioritization based on CVSS and volumetry Prioritization based on EPSS and CVSS
  • 33. 33 Clavis Segurança da Informação Conclusions
  • 34. Conclusions Clavis Segurança da Informação ● Prioritization is hard, make your life easier ● You won't get everything fix ● Fix what really matters ● Add other contexts to prioritization ● Don't rely ONLY on EPSS

Editor's Notes

  1. Vulnerabilities (CVE) & Common Vulnerability Scoring System v3 (CVSS)
  2. https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
  3. https://www.ondeso.com/wp-content/uploads/2020/09/cve-summary-freebie-ondeso.pdf
  4. https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
  5. https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
  6. https://nvd.nist.gov/vuln-metrics/cvss
  7. https://www.first.org/cvss/v3.0/specification-document#1-2-Scoring
  8. https://www.first.org/cvss/v3.0/specification-document#1-2-Scoring
  9. https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
  10. https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
  11. source: https://blogs.gartner.com/augusto-barros/2019/10/25/new-vulnerability-management-guidance-framework/
  12. https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
  13. https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c
  14. https://www.first.org/epss/model
  15. https://www.cyentia.com/epss-version-2-is-out/
  16. https://www.first.org/epss/model