From Shaman to Scientist:
A Use Case in Data Driven Security
Nice To Meet You

About Me
 Co-Founder, HoneyApps
 Former CISO, Orbitz
 Contributing Author, Beautiful Security
 CSO Magazine/Online Writer

HoneyApps
 Vulnerability Management as a Service
 16 Hot Startups - eWeek
 3 Startups to Watch - InformationWeek
Stage 1: Ignorance is Bliss
Stage 2: Where are all of my vulnerabilities?

“Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.”

Jeremiah Grossman
Founder, WhiteHat Security
Stage 3: Scan & Dump


“thanks for the 1000 page report,
now what?!”
Why This Occurs

Lack of Communication
     Lack of Data
Lack of Coordination
Silos, Silos, Everywhere
Stage 4: A New Beginning

Or......

Using What You Got!
Vulnerability Management: A Case Study

Building the Warehouse

The deck builds the warehouse up one layer at a time; each layer is joined to the ones before it.

Structured Data Load: WebApp Vulnerability
 Type: XSS
 Severity
 Threat
 Subtype (persistent, reflected, etc.)
 Asset URL/URI
 Confirmed?
 Dates Found/Opened
 Dates Closed
 Description
 Attack Parameters

Structured Data Load: Asset:URL
 Platform / Code
 Web Server Version
 Application Server Version
 Database Version

Structured Data Load: Asset:Host
 Host Operating System
 Other Applications/Versions
 IP Addresses
 MAC Address
 Open Services/Ports

Unstructured Data Load: Meta Data
 Business Unit
 Geographic Location
 Development Team
 Ops Team
 Security Policy
 Compliance Regulation
 Asset Group
 Site Name
 Network Location
 Internal IP Address
 External IP Address
 VERIS data

Loosely Structured Data Load: Apply Internal Threat Data
 DB
 HTTP
 Firewall
 Application
 IDS/IPS
 WAF

Mixed Data Set: Apply External Threat Data

Example Data Sources
 DataLossDB
 Verizon DBIR
 WHID
 Trustwave Global Security Report
 FS-ISAC
 SANS ISC
 Veracode State of S/W Security
 ExploitDB

Unstructured Data Load: Remediation Statistics
 Internal Bug Tracking Reports
 Denim Group Remediation Study
 Build and Development Process
Data Lenses:
Views into the Warehouse

Low Hanging Fruit
 vulns whose class accounts for >10% of external breaches
 >10% of our malicious traffic
 in scope for $regulation
 sort

Secure Code Training Metric
 all vulns by application*
 vulns opened before 12/31/10**
 vulns opened after 2/28/11**

*sort by vulnerability class
**secure code training rolled out 1/1/11 - 2/28/11

HD Moore’s Law
 Vulns w/ external access
 w/ Metasploit modules
 and connected systems

“Now sort by base, temporal & environmental” (the three CVSS metric groups)
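The warehouse layers above (finding, Asset:URL, Asset:Host, Meta Data, internal and external threat data) and the three lenses can be expressed as a join followed by filters and sorts. The block below is an added example written for this page; it is not code from the talk or from HoneyApps/Risk I/O. All rows, hosts, regulation mappings and threat-share percentages are constructed, not real data. It assumes the Low Hanging Fruit lens applies its conditions as successive filters, that a Metasploit-module flag is stored per finding, and that "connected systems" come from a per-host adjacency list in the Asset:Host layer.

```ruby
require 'date'
require 'uri'

# Constructed sample data (not from the talk). Field names follow the deck's
# "Building the Warehouse" layers: scanner finding -> Asset:URL -> Asset:Host -> Meta Data.

# Structured load: one row per web-app scanner finding.
FINDINGS = [
  { id: 1, type: 'XSS',  subtype: 'reflected',   severity: 'Medium',   url: 'https://shop.example.com/search',
    confirmed: true,  metasploit: false, opened: Date.new(2010, 10, 12), closed: nil,
    cvss: { base: 6.1,  temporal: 5.5, environmental: 6.0 } },
  { id: 2, type: 'SQLi', subtype: 'error-based', severity: 'High',     url: 'https://shop.example.com/cart',
    confirmed: true,  metasploit: true,  opened: Date.new(2010, 11, 3),  closed: nil,
    cvss: { base: 9.8,  temporal: 9.1, environmental: 9.5 } },
  { id: 3, type: 'CSRF', subtype: nil,           severity: 'Medium',   url: 'https://portal.example.com/profile',
    confirmed: false, metasploit: false, opened: Date.new(2011, 3, 15),  closed: nil,
    cvss: { base: 4.3,  temporal: 4.0, environmental: 4.3 } },
  { id: 4, type: 'XSS',  subtype: 'persistent',  severity: 'High',     url: 'https://portal.example.com/comments',
    confirmed: true,  metasploit: false, opened: Date.new(2011, 4, 2),   closed: nil,
    cvss: { base: 7.2,  temporal: 6.8, environmental: 7.0 } },
  { id: 5, type: 'RCE',  subtype: nil,           severity: 'Critical', url: 'https://shop.example.com/upload',
    confirmed: true,  metasploit: true,  opened: Date.new(2010, 12, 20), closed: Date.new(2011, 1, 10),
    cvss: { base: 10.0, temporal: 9.5, environmental: 10.0 } },
  { id: 6, type: 'SQLi', subtype: 'blind',       severity: 'High',     url: 'https://portal.example.com/reports',
    confirmed: true,  metasploit: true,  opened: Date.new(2011, 3, 20),  closed: nil,
    cvss: { base: 9.8,  temporal: 8.9, environmental: 9.0 } },
  { id: 7, type: 'XSS',  subtype: 'reflected',   severity: 'Medium',   url: 'https://shop.example.com/help',
    confirmed: true,  metasploit: false, opened: Date.new(2011, 3, 10),  closed: nil,
    cvss: { base: 6.1,  temporal: 5.5, environmental: 6.0 } },
]

# Asset:URL layer, keyed by site: which application and host serve it, and whether it is reachable externally.
SITES = {
  'shop.example.com'   => { application: 'shop',   host: 'web01', external: true },
  'portal.example.com' => { application: 'portal', host: 'web02', external: true },
}

# Asset:Host layer: OS plus the systems each host talks to ("connected systems").
HOSTS = {
  'web01' => { os: 'RHEL 5',       connected: ['db01', 'cache01'] },
  'web02' => { os: 'Windows 2008', connected: ['db02'] },
}

# Meta Data layer, keyed by application.
META = {
  'shop'   => { business_unit: 'Retail',  regulation: 'PCI', dev_team: 'storefront' },
  'portal' => { business_unit: 'Finance', regulation: 'SOX', dev_team: 'reporting' },
}

# Threat layers as the share of events per vulnerability class (constructed numbers).
EXTERNAL_BREACH_SHARE   = { 'SQLi' => 0.25, 'XSS' => 0.12, 'CSRF' => 0.03, 'RCE' => 0.08 } # e.g. DBIR / WHID
MALICIOUS_TRAFFIC_SHARE = { 'SQLi' => 0.30, 'XSS' => 0.15, 'CSRF' => 0.01, 'RCE' => 0.06 } # e.g. our WAF / IDS

# Join the layers into one flat warehouse row per finding.
def build_warehouse(findings = FINDINGS)
  findings.map do |f|
    site = SITES.fetch(URI(f[:url]).host)
    host = HOSTS.fetch(site[:host])
    f.merge(site).merge(META.fetch(site[:application])).merge(os: host[:os], connected: host[:connected])
  end
end

def open_vulns(rows)
  rows.select { |v| v[:closed].nil? }
end

# Lens 1: Low Hanging Fruit. Successive filters: class is >10% of external breaches,
# class is >10% of our malicious traffic, asset is in scope for the regulation.
# Sort by breach share, then CVSS base, then id so the order is deterministic.
def low_hanging_fruit(rows, regulation:, threshold: 0.10)
  open_vulns(rows)
    .select { |v| EXTERNAL_BREACH_SHARE.fetch(v[:type], 0.0) > threshold }
    .select { |v| MALICIOUS_TRAFFIC_SHARE.fetch(v[:type], 0.0) > threshold }
    .select { |v| v[:regulation] == regulation }
    .sort_by { |v| [-EXTERNAL_BREACH_SHARE[v[:type]], -v[:cvss][:base], v[:id]] }
end

# Lens 2: Secure Code Training Metric. Vulns by application, then by class,
# split into those opened before training rolled out and those opened after it completed.
def by_app_and_class(rows)
  rows.group_by { |v| v[:application] }
      .transform_values { |app| app.group_by { |v| v[:type] }.transform_values(&:size) }
end

def training_metric(rows, rolled_out: Date.new(2011, 1, 1), completed: Date.new(2011, 2, 28))
  { before: by_app_and_class(rows.select { |v| v[:opened] < rolled_out }),
    after:  by_app_and_class(rows.select { |v| v[:opened] > completed }) }
end

# Lens 3: HD Moore's Law. Open, externally reachable, Metasploit module available;
# carry the connected systems along and sort by CVSS base, temporal, environmental.
def hd_moore_lens(rows)
  open_vulns(rows)
    .select { |v| v[:external] && v[:metasploit] }
    .sort_by { |v| c = v[:cvss]; [-c[:base], -c[:temporal], -c[:environmental], v[:id]] }
    .map { |v| { id: v[:id], url: v[:url], host: v[:host], connected: v[:connected], cvss: v[:cvss] } }
end

if __FILE__ == $PROGRAM_NAME
  w = build_warehouse
  puts "Low hanging fruit (PCI): #{low_hanging_fruit(w, regulation: 'PCI').map { |v| v[:id] }.inspect}"
  puts "HD Moore lens: #{hd_moore_lens(w).map { |r| [r[:id], r[:host], r[:connected]] }.inspect}"
  puts "Training metric: #{training_metric(w).inspect}"
end
```

Each lens is a plain filter-and-sort over the joined rows, which is the point of the warehouse: once asset metadata and threat data sit next to the finding, "what do we fix first for PCI" or "did training move the XSS count" becomes a query rather than a re-scan.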
Got MSSP?

The Alex Hutton Formula
My(vuln posture * other threat activity) / (other vuln posture * other threat activity)

OR

When Will Our Luck Run Out?
(we need more of this)
using what we have
The Twitter Poll
My Favorite Non-Sec Tools
 TeaLeaf
 Greenplum
 Zettaset
 Ruby
 Selenium
Resources Referenced

Verizon DBIR http://www.verizonbusiness.com/dbir/
VERIS Framework https://www2.icsalabs.com/veris/
Denim Group - Real Cost of S/W Remediation http://www.slideshare.net/denimgroup/real-cost-of-software-remediation
DataLoss DB http://datalossdb.org/
TrustWave Global Security Report https://www.trustwave.com/GSR
ExploitDB http://www.exploit-db.com/
WASC Web App Security Stats http://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics
FS-ISAC http://www.fsisac.com/
WHID http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database/
SANS Internet Storm Center http://isc.sans.org/
XForce http://xforce.iss.net/
Veracode SOSS http://www.veracode.com/images/pdf/soss/veracode-state-of-software-security-report-volume2.pdf
Q&A

follow us
 the blog http://blog.honeyapps.com/
 twitter @ebellis, @risk_io

And one more thing....
We’re Hiring! https://www.risk.io/jobs
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 

Recently uploaded (20)

Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 

Bay threat2011

  • 1. From Shaman to Scientist: A Use Case in Data Driven Security
  • 2. Nice To Meet You About Me CoFounder HoneyApps Former CISO Orbitz Contributing Author Beautiful Security CSO Magazine/Online Writer HoneyApps Vulnerability Management as a Service 16 Hot Startups - eWeek 3 Startups to Watch - Information Week
  • 4. Stage 2: Where are all of my vulnerabilities? “Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.” Jeremiah Grossman Founder, WhiteHat Security
  • 5. Stage 3: Scan & Dump “thanks for the 1000 page report, now what?!”
  • 6. Why This Occurs Lack of Communication Lack of Data Lack of Coordination Silos, Silos, Everywhere
  • 7. Stage 4: A New Beginning Or...... Using What You Got!
  • 8. Vulnerability Management: A Case Study. Building the Warehouse: Structured Data Load
      WebApp Vulnerability: Type: XSS; Severity; Threat; Subtype (persistent, reflected, etc); Asset URL/URI; Confirmed?; Dates Found/Opened; Dates Closed; Description; Attack Parameters
  • 9. Vulnerability Management: A Case Study. Building the Warehouse: Structured Data Load
      WebApp Vulnerability: (fields as on slide 8)
      Asset:URL: Platform / Code; Web Server Version; Application Server Version; Database Version
  • 10. Vulnerability Management: A Case Study. Building the Warehouse: Structured Data Load
      WebApp Vulnerability: (fields as on slide 8)
      Asset:URL: (fields as on slide 9)
      Asset:Host: Host Operating System; Other Applications/Versions; IP Addresses; Mac Address; Open Services/Ports
  • 11. Vulnerability Management: A Case Study. Unstructured Data Load
      WebApp Vulnerability, Asset:URL, Asset:Host: (fields as on slide 10)
  • 12. Vulnerability Management: A Case Study. Unstructured Data Load
      WebApp Vulnerability, Asset:URL, Asset:Host: (fields as on slide 10)
      Meta Data: Business Unit; VERIS data; Geographic Location; Development Team; Ops Team; Compliance Regulation; Security Policy; Asset Group; Internal IP Address; External IP Address; Network Location; Site Name
  • 13. Vulnerability Management: A Case Study. Loosely Structured Data Load
      WebApp Vulnerability, Asset:URL, Asset:Host: (fields as on slide 10); DB; HTTP
      Meta Data: (fields as on slide 12)
  • 14. Vulnerability Management: A Case Study. Loosely Structured Data Load
      WebApp Vulnerability, Asset:URL, Asset:Host, DB, HTTP: (as on slide 13)
      Meta Data: (fields as on slide 12)
      Apply Internal Threat Data: Firewall; Application; IDS/IPS; WAF
  • 15. Vulnerability Management: A Case Study. Mixed Data Set
      WebApp Vulnerability, Asset:URL, Asset:Host, Meta Data: (fields as on slides 10 and 12)
      Apply Internal Threat: Firewall; Application; IDS/IPS; WAF
  • 16. Vulnerability Management: A Case Study. Mixed Data Set. Apply External Threat Data
      WebApp Vulnerability, Asset:URL, Asset:Host, Meta Data, Apply Internal Threat: (as on slide 15)
  • 17. Vulnerability Management: A Case Study. Mixed Data Set. Apply External Threat Data
      WebApp Vulnerability, Asset:URL, Asset:Host, Meta Data, Apply Internal Threat: (as on slide 15)
      Example Data Sources: DataLossDB; Verizon DBIR; WHID; Trustwave Global Security Report; FS-ISAC; SANS ISC; Veracode State of S/W Security; ExploitDB
  • 18. Vulnerability Management: A Case Study. Unstructured Data Load
      WebApp Vulnerability, Asset:URL, Asset:Host, Meta Data, Apply Internal Threat (Firewall, Application, IDS/IPS, WAF): (as on slide 15)
  • 19. Vulnerability Management: A Case Study. Unstructured Data Load
      WebApp Vulnerability, Asset:URL, Asset:Host, Meta Data, Apply Internal Threat: (as on slide 18)
      Remediation Statistics: Internal Bug Tracking Reports; Denim Group Remediation Study; Build and Development Process
  • 20. Data Lenses: Views into the Warehouse
  • 21. Low Hanging Fruit: vulns >10% of external breaches; >10% of our malicious traffic; in scope for $regulation; sort
  • 22. Secure Code Training Metric: all vulns by application*; vulns opened before 12/31/10**; vulns opened after 2/28/11** (*sort by vulnerability class; **secure code training rolled out 1/1/11 - 2/28/11)
  • 27. “Now sort by base, temporal & environmental”
  • 28. Got MSSP? The Alex Hutton Formula My(vuln posture * other threat activity) / (other vuln posture * other threat activity)
  • 29. Got MSSP? The Alex Hutton Formula My(vuln posture * other threat activity) / (other vuln posture * other threat activity) OR When Will Our Luck Run Out?
  • 30. (we need more of this)
  • 35. My Favorite Non-Sec Tools TeaLeaf GreenPlum Zettaset Ruby Selenium
  • 36. Resources Referenced
      Verizon DBIR http://www.verizonbusiness.com/dbir/
      WASC Web App Security Stats http://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics
      VERIS Framework https://www2.icsalabs.com/veris/
      Denim Group - Real Cost of S/W Remediation http://www.slideshare.net/denimgroup/real-cost-of-software-remediation
      FS-ISAC http://www.fsisac.com/
      WHID http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database/
      SANS Internet Storm Center http://isc.sans.org/
      DataLoss DB http://datalossdb.org/
      TrustWave Global Security Report https://www.trustwave.com/GSR
      XForce http://xforce.iss.net/
      Veracode SOSS http://www.veracode.com/images/pdf/soss/veracode-state-of-software-security-report-volume2.pdf
      ExploitDB http://www.exploit-db.com/
  • 37. Q&A follow us the blog http://blog.honeyapps.com/ twitter @ebellis And one more thing.... @risk_io We’re Hiring! https://www.risk.io/jobs
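The warehouse on slides 8 through 19 and the first two lenses on slides 21 and 22, as an added example that is not code from the deck, from HoneyApps or from any source the deck names: a Python sketch using the standard-library sqlite3 module that loads constructed vulnerability, asset, meta and threat rows into one in-memory database and expresses the "Low Hanging Fruit" sort and the secure code training metric as queries over it. The table and column names, the sample URLs, and every breach and traffic count are assumptions made for the illustration; only the 10% thresholds and the 12/31/10 and 2/28/11 cut-offs come from the slides.

```python
import sqlite3

# Added example, not code from the deck: a miniature of the vulnerability
# warehouse sketched on slides 8-19, built in SQLite, with two of the "data
# lenses" from slides 21-22 written as queries over it. Every table, column
# and sample row below is constructed for illustration; the breach counts and
# WAF/IDS event counts in particular are made-up aggregates, not figures from
# the DBIR, WHID or any other source the deck names.

SCHEMA = """
CREATE TABLE vuln (                 -- structured scanner output (slide 8)
    id INTEGER PRIMARY KEY, vuln_class TEXT, subtype TEXT, severity INTEGER,
    confirmed INTEGER, asset_url TEXT, app TEXT, opened TEXT, closed TEXT);
CREATE TABLE asset_meta (           -- meta data joined on the asset URL (slide 12)
    asset_url TEXT PRIMARY KEY, business_unit TEXT, compliance_regulation TEXT);
CREATE TABLE external_breaches (    -- external threat data, aggregated (slide 17)
    vuln_class TEXT PRIMARY KEY, breach_count INTEGER);
CREATE TABLE malicious_traffic (    -- internal threat data from WAF/IDS (slide 14)
    vuln_class TEXT PRIMARY KEY, event_count INTEGER);
"""

# Constructed sample data. Dates are ISO strings so SQLite compares them correctly.
VULNS = [  # class, subtype, severity, confirmed, asset_url, app, opened, closed
    ("XSS", "reflected", 3, 1, "https://shop.example.test/search", "shop", "2010-11-02", None),
    ("XSS", "persistent", 4, 1, "https://shop.example.test/review", "shop", "2011-03-15", None),
    ("SQLi", "", 5, 1, "https://shop.example.test/item", "shop", "2010-12-20", "2011-01-10"),
    ("SQLi", "", 5, 0, "https://intranet.example.test/report", "intranet", "2011-04-01", None),
    ("CSRF", "", 2, 1, "https://shop.example.test/cart", "shop", "2011-03-20", None),
    ("Info Leak", "", 1, 1, "https://intranet.example.test/debug", "intranet", "2010-10-05", None),
]
META = [
    ("https://shop.example.test/search", "Retail", "PCI DSS"),
    ("https://shop.example.test/review", "Retail", "PCI DSS"),
    ("https://shop.example.test/item", "Retail", "PCI DSS"),
    ("https://shop.example.test/cart", "Retail", "PCI DSS"),
    ("https://intranet.example.test/report", "Corporate", None),
    ("https://intranet.example.test/debug", "Corporate", None),
]
BREACHES = [("SQLi", 40), ("XSS", 25), ("CSRF", 5), ("Info Leak", 30)]    # sums to 100
TRAFFIC = [("SQLi", 600), ("XSS", 300), ("CSRF", 50), ("Info Leak", 50)]  # sums to 1000


def build_warehouse():
    """Load the structured, meta and threat data into one in-memory warehouse."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vuln VALUES (NULL,?,?,?,?,?,?,?,?)", VULNS)
    conn.executemany("INSERT INTO asset_meta VALUES (?,?,?)", META)
    conn.executemany("INSERT INTO external_breaches VALUES (?,?)", BREACHES)
    conn.executemany("INSERT INTO malicious_traffic VALUES (?,?)", TRAFFIC)
    return conn


def low_hanging_fruit(conn, regulation="PCI DSS", share=0.10):
    """Slide 21 lens: open vulns whose class accounts for more than `share` of
    external breaches AND of our own malicious traffic, on assets in scope for
    `regulation`, sorted with the highest severity first."""
    return conn.execute(
        """
        SELECT v.vuln_class, v.severity, v.asset_url
        FROM vuln v
        JOIN asset_meta m ON m.asset_url = v.asset_url
        JOIN external_breaches b ON b.vuln_class = v.vuln_class
        JOIN malicious_traffic t ON t.vuln_class = v.vuln_class
        WHERE v.closed IS NULL
          AND m.compliance_regulation = ?
          AND 1.0 * b.breach_count / (SELECT SUM(breach_count) FROM external_breaches) > ?
          AND 1.0 * t.event_count / (SELECT SUM(event_count) FROM malicious_traffic) > ?
        ORDER BY v.severity DESC, v.vuln_class, v.asset_url
        """,
        (regulation, share, share),
    ).fetchall()


def training_metric(conn, before="2010-12-31", after="2011-02-28"):
    """Slide 22 lens: per application and vulnerability class, vulns opened
    before the secure-code training started versus after it finished. Vulns
    opened during the training window itself land in neither column, which
    is what the two separate cut-offs on the slide imply."""
    rows = conn.execute(
        """
        SELECT app, vuln_class,
               SUM(opened < ?) AS before_training,
               SUM(opened > ?) AS after_training
        FROM vuln
        GROUP BY app, vuln_class
        ORDER BY app, vuln_class
        """,
        (before, after),
    ).fetchall()
    return {(app, cls): (int(b), int(a)) for app, cls, b, a in rows}


if __name__ == "__main__":
    db = build_warehouse()
    for cls, sev, url in low_hanging_fruit(db):
        print(f"fix first: {cls:<10} sev={sev} {url}")
    for (app, cls), (b, a) in training_metric(db).items():
        print(f"{app:<9} {cls:<10} before={b} after={a}")
```

The point of the first lens is the join: scanner findings alone are the 1000-page report of slide 5, and only once they are joined to the external breach aggregate, the internal WAF/IDS counts and the compliance field from the meta data table does the query collapse to the handful of items worth fixing first. The second lens is deliberately a plain GROUP BY with two date cut-offs, so that the before/after comparison survives any change in which scanner produced the rows.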

Editor's Notes

  1. From Shaman to Scientist - A Use Case in Data Driven Security
  2.
  3. An increasingly rare species, dominant in the 90’s and around the turn of the century.
  4.
  5. Enter the age of the automated scanners!
  6. We NEED more New School! There is data out there to be had but a Lack of communication & coordination create this perceived
     “lack of data”
  7. the first step towards the New School of Information Security. Baby steps towards a quant approach. Using less secrecy & religion and more
     openness and information sharing. In order to take the first steps, we have to get our own house in order.
  8. Vulnerability management is an easy use case for taking these first steps. Let’s start walking through these steps.
  9. Vulnerability management is an easy use case for taking these first steps. Let’s start walking through these steps.
  10.
  11.
  12.
  13.
  14. Time to Fix by team, by class, by severity, by biz unit, etc, etc
      SDLC - Build Schedule - testing process - etc, etc
      Tech Remediation Stats from Denim Report - factor in bug tracking reports & build/dev process
  15. convert this into a visual funnel to produce same queries
      hd moores law should be shown as a node map highlighted.
  16. Insert Alex Hutton formula
      4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....
      4:15:46 PM Ed Bellis: haha its a new risk language
      4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?
      4:16:16 PM Alex Hutton: not yet
      4:16:21 PM Alex Hutton: some but not a ton
      4:16:24 PM Ed Bellis: also any insight on whether VERIS taking off?
      4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense
      4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled
      4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data
      4:17:31 PM Ed Bellis:
      4:17:51 PM Ed Bellis: i'd love to tap into that
      4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis
      4:19:50 PM Alex Hutton: In a sense, you hold not only the orgs perimeter, but a broad sample of perimeters
      4:20:04 PM Alex Hutton: and their
      4:20:12 PM Alex Hutton: vuln posture
      4:20:38 PM Alex Hutton: So
      4:21:07 PM Ed Bellis: right we want to move into a position where our data becomes the primary asset to help make better security decisions
      4:21:16 PM Ed Bellis: *not a verb*
      4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data
      4:22:24 PM Ed Bellis: meaning am i safer than my neighbor?
      4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting
      4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.
      4:23:23 PM Ed Bellis: i see
      4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln.
      to specific threat activity.  So far, you're lucky
      4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?
      4:24:31 PM Ed Bellis: where do we get the rate of threat activity?
      4:24:42 PM Ed Bellis: breach db's?
      4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.
      4:25:06 PM Alex Hutton: nope.  that's part of your exit strategy
      4:25:19 PM Ed Bellis: bought by verizon ?
      4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data
      4:25:58 PM Alex Hutton: you as "Yet another managed service" well, that's a scenario I believe in, yes.
      4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think
      4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)
  17.
  18. talk about infosec vs fraud
  19. talk about infosec vs fraud
  20. talk about infosec vs fraud
  21. talk about infosec vs fraud
  22. talk about infosec vs fraud
  23. talk about infosec vs fraud
  24. talk about infosec vs fraud
  25. talk about infosec vs fraud
  26. talk about infosec vs fraud
  27. Insert Alex Hutton formula
  28. Insert Alex Hutton formula
  29. Insert Alex Hutton formula
  30. talk about infosec vs fraud
  31. talk about infosec vs fraud
  32.
  33.
  34.
  35.
  36.
  37.