Palmer Symposium

Published in: Technology

  1. A Moneyball Approach to Security Intelligence. http://www.risk.io, ed@risk.io

  2. Nice to Meet You. About Me / About Risk I/O:
     • Co-Founder, Risk I/O
     • Former CISO, Orbitz
     • Contributing Author: Beautiful Security
     • CSO Magazine/Online Writer
     • Data-Driven Vulnerability Intelligence Platform
     • DataWeek 2012 Top Security Innovator
     • 3 Startups to Watch - Information Week
     • InfoSec Island Blogger
     • 16 Hot Startups - eWeek

  3. Stage 1: Ignorance is Bliss

  4. Stage 2: Where are all of my vulnerabilities?
     “Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.”
     - Jeremiah Grossman, Founder, WhiteHat Security

  5. Stage 3: Scan & Dump. Enter the Age of the Automated Scanner...

  6. Why This Occurs: Lack of Visibility, Lack of Communication, Lack of Coordination. Silos, Silos, Everywhere.

  7. IT Security Is Buried in Noise
     “vulnerability prioritization for remediation presents THE critical problem” - Anton Chuvakin, Gartner Research Director
     “Finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part” - Diana Kelley, Dark Reading
     “Businesses may be able to measure their performance through objective metrics such as sales growth, production efficiency or customer preference, but information security management too often boils down to a reaction to recent events or the well-known trio of fear, uncertainty and doubt.” - Scott Crawford, EMA Associates
     “Unless you work in a company that has unlimited resources and you have absolute support at all levels for remediating the vulnerabilities in your environment, you MUST prioritize the issues that cause the most risk to your IT environment.” - Clay Keller, Wal-Mart InfoSec
     “With the enormous amounts of data available, mining it — regardless of its source — and turning it into actionable information is really a strategic necessity, especially in the world of security.” - Chris Hoff, Juniper Networks

  8. SaberMetrics for InfoSec?

  9. Example Use Case 1: HD Moore’s Law (Josh Corman), aka the Security Mendoza Line. “Compute power grows at the rate of doubling about every 2 years.” “Casual attacker power grows at the rate of Metasploit.”

  10. Example Use Case 2: Predicting Vulnerability (or even breach). Key Attributes, Trending, Outcomes.

  11. Example Use Case 3: CVE Trending Analysis. Gunnar’s Debt Clock.

  12. Example Use Case 4: Targets of Opportunity? My (vuln posture × threat activity) / (other vuln posture × other threat activity)

  13. That’s So Meta. Table Stakes: data aggregation is necessary for everything we do. Correlation, Normalization, De-Duplication. Full risk views down the entire technology stack.

  14. Putting The Robots To Work: Assembly Line Workflow; Bulk Ticketing & Bug Tracking Integration; Automated Re-Testing; API “All The Things”.

  15. Web Scale Visibility. How do I know where to deploy my resources? What matters when prioritizing remediation? What does the threat landscape look like outside of my 4 walls? How do I compare to peers?

  16. Integrating Disparate Solutions
     VA Products: • Dynamic Application • Network & Host • Static Analysis
     Manual Assessments
     Remediation: • Trouble Ticketing • Bug Tracking • Configuration Management • Patch Management

  17. Centralizing the Data (diagram: Network Vulnerability Scanners, Database Vulnerability Scanners, Application Vulnerability Scanners, Static Analysis Tools, Pentesters / Professional Services and Internal Remediation Systems feeding RiskDB)

  18. Your Data, Your Way: Predefined and Custom Security Metrics; Filter by Hundreds of Attributes and Metadata; Real-World Vulnerability Trending; Custom Fields; Full Featured RESTful API; Auto-Flagging based on “in the wild” Attack Traffic; Benchmarking Across Industries; Predictive Analytics & Machine Learning; Security && Ops, NOT || Ops.
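Slides 13 and 18 describe the data pipeline behind the talk: correlate, normalize and de-duplicate findings from several scanners, then auto-flag them with exploit-availability (the HD Moore's Law signal from slide 9) and "in the wild" attack traffic. The following Python example is added here and is not Risk I/O's code; it shows that pipeline end to end on constructed inputs. The two scanner record layouts, the hosts, the CVE identifiers (CVE-0000-000x placeholders), the exploit list and the IPS/WAF events are all made up, and the ×2 / ×3 weights are arbitrary assumptions chosen only to show how threat signals reorder a CVSS-only list.

```python
"""Aggregate findings from two scanners, normalize and de-duplicate them,
then rank them with exploit-availability and attack-traffic signals.

Added example; not Risk I/O's code. Every input below is constructed:
the scanner record layouts, the CVE ids (CVE-0000-000x placeholders),
the hosts, the exploit list and the IPS/WAF events.
"""
import re

# Constructed export from a hypothetical network scanner (note the rescan duplicate).
NETWORK_SCAN = [
    {"ip": "10.0.0.5", "port": 443, "plugin_cve": "cve-0000-0001", "severity": 5.0},
    {"ip": "10.0.0.5", "port": 443, "plugin_cve": "CVE-0000-0001", "severity": 5.0},
    {"ip": "10.0.0.9", "port": 22, "plugin_cve": "CVE-0000-0002", "severity": 6.5},
]
# Constructed export from a hypothetical application scanner (different field names,
# strings instead of numbers, a trailing dot on the host).
APP_SCAN = [
    {"host": "10.0.0.5.", "port": "443", "vuln_id": "CVE-0000-0001", "cvss_base": "7.5"},
    {"host": "WEB01.example.internal", "port": "80", "vuln_id": "CVE-0000-0003", "cvss_base": "10.0"},
]
# Constructed: CVEs for which a public exploit module exists ("HD Moore's Law" signal).
EXPLOIT_AVAILABLE = {"CVE-0000-0001", "CVE-0000-0003"}
# Constructed IPS/WAF summary: CVEs currently seen in attack traffic, with hit counts.
ATTACK_TRAFFIC = [
    {"cve": "CVE-0000-0003", "hits": 240},
    {"cve": "CVE-0000-0002", "hits": 3},
]

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})", re.IGNORECASE)


def normalize_cve(value):
    """Canonical upper-case CVE id, whatever the scanner's casing or surrounding text."""
    match = CVE_RE.search(value)
    if match is None:
        raise ValueError(f"no CVE id in {value!r}")
    return f"CVE-{match.group(1)}-{match.group(2)}"


def normalize_asset(value):
    """Canonical asset key: trimmed, lower-cased, no trailing dot from FQDN exports."""
    return value.strip().rstrip(".").lower()


# One adapter per source turns its native record into (asset, port, cve, cvss).
def from_network_scan(rec):
    return (normalize_asset(rec["ip"]), int(rec["port"]),
            normalize_cve(rec["plugin_cve"]), float(rec["severity"]))


def from_app_scan(rec):
    return (normalize_asset(rec["host"]), int(rec["port"]),
            normalize_cve(rec["vuln_id"]), float(rec["cvss_base"]))


def aggregate(sources):
    """Correlate and de-duplicate: one entry per (asset, port, cve), remembering
    every scanner that reported it and the highest base score seen."""
    merged = {}
    for name, adapter, records in sources:
        for rec in records:
            asset, port, cve, cvss = adapter(rec)
            entry = merged.setdefault((asset, port, cve), {"cvss": 0.0, "sources": set()})
            entry["cvss"] = max(entry["cvss"], cvss)
            entry["sources"].add(name)
    return merged


def prioritize(merged, exploit_available, attack_traffic):
    """Rank de-duplicated findings. The x2 / x3 weights are arbitrary assumptions
    chosen to show how threat signals reorder a CVSS-only list."""
    hits = {normalize_cve(e["cve"]): e["hits"] for e in attack_traffic}
    ranked = []
    for (asset, port, cve), entry in merged.items():
        score = entry["cvss"]
        flags = []
        if cve in exploit_available:
            score *= 2
            flags.append("exploit-available")
        if hits.get(cve, 0) > 0:
            score *= 3
            flags.append("attacked-in-wild")
        ranked.append({"asset": asset, "port": port, "cve": cve, "cvss": entry["cvss"],
                       "score": round(score, 1), "flags": flags,
                       "sources": sorted(entry["sources"])})
    ranked.sort(key=lambda r: (-r["score"], r["asset"], r["cve"]))
    return ranked


def run():
    merged = aggregate([("netscan", from_network_scan, NETWORK_SCAN),
                        ("appscan", from_app_scan, APP_SCAN)])
    return prioritize(merged, EXPLOIT_AVAILABLE, ATTACK_TRAFFIC)


if __name__ == "__main__":
    for row in run():
        print(f'{row["score"]:>5}  {row["asset"]}:{row["port"]}  {row["cve"]}  '
              f'cvss={row["cvss"]}  {",".join(row["flags"]) or "-"}  via {"+".join(row["sources"])}')
```

Five raw records collapse to three findings: the rescan duplicate and the second scanner's report of the same host, port and CVE merge into one entry that records both sources and keeps the higher base score. The ranking then shows the point of the "in the wild" flag: the CVSS 6.5 finding that is actually being attacked outranks the CVSS 7.5 finding that merely has an exploit available.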
  19. Three Distinct Values

  20. Vulnerability Intelligence Platform (diagram: Vulnerability Scanners, Static & Binary Analysis, Ticketing / Bug Tracking, IPS / WAF, SIEM, Network Mapping and External Data feeding RiskDB; on top of it Faceted Search, Knowledge Base, Custom Dashboards, Alerting, Analyze & Prioritize)

  21. Q&A. Vulnerability Intelligence Platform. http://www.risk.io, ed@risk.io
