From Shaman to Scientist:
A Use Case in Data Driven Security
Nice To Meet You
About Me
 CoFounder HoneyApps
 Former CISO Orbitz
 Contributing Author
 Beautiful Security
 CSO Magazine/Online Writer

HoneyApps
 Vulnerability Management as a Service
 16 Hot Startups - eWeek
 3 Startups to Watch - Information Week
Stage 1: Ignorance is Bliss
Stage 2: Where are all of my vulnerabilities?

“Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.”

Jeremiah Grossman
Founder, WhiteHat Security
Stage 3: Scan & Dump

“thanks for the 1000 page report, now what?!”
Why This Occurs

 Lack of Communication
 Lack of Data
 Lack of Coordination
 Silos, Silos, Everywhere
Stage 4: A New Beginning

Or......

Using What You Got!
Vulnerability Management: A Case Study

Building the Warehouse

Structured Data Load

 WebApp Vulnerability
   Type: XSS
   Severity
   Threat
   Subtype: (persistent, reflected, etc.)
   Asset URL/URI
   Confirmed?
   Dates Found/Opened
   Dates Closed
   Description
   Attack Parameters

 Asset:URL
   Platform / Code
   Web Server Version
   Application Server Version
   Database Version

 Asset:Host
   Host Operating System
   Other Applications/Versions
   IP Addresses
   MAC Address
   Open Services/Ports

Unstructured Data Load

 Meta Data
   Business Unit
   Geographic Location
   Development Team
   Ops Team
   Compliance Regulation
   Security Policy
   Asset Group
   Site Name
   Network Location
   Internal IP Address
   External IP Address
   VERIS data

Loosely Structured Data Load

 Apply Internal Threat Data
   Firewall
   IDS/IPS
   WAF
   Application
   DB
   HTTP

Mixed Data Set

 Apply External Threat Data
   Example Data Sources
   ❖ DataLossDB
   ❖ Verizon DBIR
   ❖ WHID
   ❖ Trustwave Global Security Report
   ❖ FS-ISAC
   ❖ SANS ISC
   ❖ Veracode State of S/W Security
   ❖ ExploitDB

 Remediation Statistics
   Internal Bug Tracking Reports
   Denim Group Remediation Study
   Build and Development Process
Data Lenses:
Views into the Warehouse

Low Hanging Fruit (a funnel; each step narrows the set left by the one before)
 all vulns
   vulns whose class accounts for >10% of external breaches
   vulns whose class accounts for >10% of our malicious traffic
   vulns on assets in scope for $regulation
   sort

Secure Code Training Metric
 all vulns by application*
 vulns opened before 12/31/10**
 vulns opened after 2/28/11**
 *sort by vulnerability class
 **secure code training rolled out 1/1/11 - 2/28/11

HD Moore’s Law (Josh Corman: casual attacker power grows at the rate of Metasploit)
 Vulns w/Ext Access
 w/MetaSploit Modules
 and connected systems
 “Now sort by base, temporal & environmental” (the three CVSS metric groups)
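As an added example (not code from the talk or from HoneyApps), the warehouse above and the three lenses can be sketched as one SQLite database with each lens written as a query. Everything in it is constructed: the table and column names are our own, the hosts, applications, CVSS scores, breach shares and WAF/IDS hit counts are made up, and the CVE id and exploit module path are placeholders rather than real identifiers. The threat_event table stands in for "our malicious traffic", breach_stat for the external breach data, exploit_module for a public exploit index and host_link for the connected-systems node map.

```python
import sqlite3

# Warehouse schema for the case study. Added example: table and column names are
# our own choices, not the talk's or HoneyApps' schema.
SCHEMA = """
CREATE TABLE vuln (id INTEGER PRIMARY KEY, vuln_class TEXT, severity TEXT,
  cvss_base REAL, cvss_temporal REAL, cvss_environmental REAL, host TEXT,
  application TEXT, opened TEXT, closed TEXT, cve TEXT);
CREATE TABLE asset_host (host TEXT PRIMARY KEY, external_ip TEXT, regulation TEXT);
CREATE TABLE host_link (src TEXT, dst TEXT);                      -- connected systems
CREATE TABLE threat_event (host TEXT, vuln_class TEXT, source TEXT, hits INTEGER); -- WAF/IDS
CREATE TABLE breach_stat (vuln_class TEXT, share REAL);           -- external breach data
CREATE TABLE exploit_module (cve TEXT PRIMARY KEY, module TEXT);  -- public exploit index
"""

# Constructed sample rows. Hosts, scores, shares and hit counts are made up; the
# CVE id and module path are placeholders, not real identifiers.
ROWS = {
    "vuln": [
        (1, "XSS",  "High",   6.1, 5.5, 6.0, "www",  "storefront", "2010-11-02", None, None),
        (2, "XSS",  "Medium", 4.3, 3.9, 4.0, "www",  "storefront", "2011-04-11", None, None),
        (3, "SQLi", "High",   9.8, 9.1, 9.5, "shop", "checkout",   "2010-09-15", None, None),
        (4, "SQLi", "High",   9.8, 9.1, 8.0, "shop", "checkout",   "2011-03-20", "2011-03-25", None),
        (5, "CSRF", "Medium", 5.0, 4.5, 3.0, "hr",   "intranet",   "2011-05-01", None, None),
        (6, "RCE",  "High",   9.0, 8.8, 9.0, "shop", "checkout",   "2011-03-01", None, "CVE-EXAMPLE-1"),
    ],
    "asset_host": [("www", "203.0.113.10", "PCI-DSS"), ("shop", "203.0.113.20", "PCI-DSS"),
                   ("hr", None, "SOX")],
    "host_link": [("shop", "db01"), ("www", "cache01")],
    "threat_event": [("www", "XSS", "WAF", 400), ("shop", "SQLi", "WAF", 1500),
                     ("shop", "RCE", "IDS", 50), ("hr", "CSRF", "WAF", 50)],
    "breach_stat": [("SQLi", 0.25), ("XSS", 0.12), ("CSRF", 0.02), ("RCE", 0.15)],
    "exploit_module": [("CVE-EXAMPLE-1", "exploit/example/checkout_rce")],
}


def build_warehouse():
    """Create the in-memory warehouse and load the structured rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def low_hanging_fruit(conn, regulation, breach_min=0.10, traffic_min=0.10):
    """Funnel lens: open vulns whose class is >10% of external breaches and >10% of
    our own malicious traffic, on hosts in scope for the regulation, sorted by CVSS."""
    return conn.execute("""
        WITH traffic AS (
          SELECT vuln_class, SUM(hits) * 1.0 / (SELECT SUM(hits) FROM threat_event) AS share
          FROM threat_event GROUP BY vuln_class)
        SELECT v.id, v.vuln_class, v.host, v.cvss_base
        FROM vuln v
        JOIN breach_stat b ON b.vuln_class = v.vuln_class AND b.share > ?
        JOIN traffic t     ON t.vuln_class = v.vuln_class AND t.share > ?
        JOIN asset_host h  ON h.host = v.host AND h.regulation = ?
        WHERE v.closed IS NULL
        ORDER BY v.cvss_base DESC""", (breach_min, traffic_min, regulation)).fetchall()


def training_metric(conn, before="2010-12-31", after="2011-02-28"):
    """Training lens: vulns opened per application and class before the secure-code
    training rollout versus after it (dates are ISO strings, so text compare works)."""
    return conn.execute("""
        SELECT application, vuln_class,
               SUM(opened < ?) AS before_training,
               SUM(opened > ?) AS after_training
        FROM vuln GROUP BY application, vuln_class
        ORDER BY application, vuln_class""", (before, after)).fetchall()


def hd_moores_law(conn):
    """HD Moore's Law lens: open vulns on externally reachable hosts with a public
    exploit module, plus the systems connected to that host, sorted by CVSS base,
    then temporal, then environmental score."""
    return conn.execute("""
        SELECT v.id, v.host, v.cve, m.module, GROUP_CONCAT(l.dst) AS connected,
               v.cvss_base, v.cvss_temporal, v.cvss_environmental
        FROM vuln v
        JOIN asset_host h     ON h.host = v.host AND h.external_ip IS NOT NULL
        JOIN exploit_module m ON m.cve = v.cve
        LEFT JOIN host_link l ON l.src = v.host
        WHERE v.closed IS NULL
        GROUP BY v.id
        ORDER BY v.cvss_base DESC, v.cvss_temporal DESC, v.cvss_environmental DESC
    """).fetchall()


if __name__ == "__main__":
    conn = build_warehouse()
    print("Low hanging fruit (PCI-DSS):", low_hanging_fruit(conn, "PCI-DSS"))
    print("Training metric:", training_metric(conn))
    print("HD Moore's Law:", hd_moores_law(conn))
```

Each lens is only a join across tables that usually live in different silos (scanner output, asset inventory, WAF logs, breach statistics, exploit index); the point of the warehouse is that the join is possible at all. The closed SQLi finding drops out of every lens, the internal-only CSRF finding fails the breach-share and regulation filters, and the RCE with a public module is the single row the HD Moore's Law lens surfaces, together with the database host behind it.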
Got MSSP?

The Alex Hutton Formula
My(vuln posture * other threat activity) / (other vuln posture * other threat activity)

OR

When Will Our Luck Run Out?
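The slide gives only the formula. As an added example (not from the talk, Alex Hutton or HoneyApps), the code below reads it as a sum over vulnerability classes, weighting each organisation's posture by the threat activity an MSSP sees against that class, and turns the speaker-note condition "High Threat Activity + Low pervasiveness in the aggregate population = Luck running out" into a per-class flag. That reading, the median cut-off for "high" activity, the 10% pervasiveness threshold and every figure in it are assumptions made for the example.

```python
from statistics import median

# Constructed figures (added example, not data from the talk). Posture = fraction
# of an organisation's assets carrying an open vuln of each class; threat activity
# = attack events per class an MSSP would see across its WAF/firewall/IDS feeds.
MY_POSTURE = {"SQLi": 0.40, "XSS": 0.60, "CSRF": 0.10, "RCE": 0.20}
PEER_POSTURE = {"SQLi": 0.15, "XSS": 0.55, "CSRF": 0.30, "RCE": 0.05}   # MSSP aggregate
THREAT_ACTIVITY = {"SQLi": 1500, "XSS": 400, "CSRF": 50, "RCE": 900}  # MSSP aggregate


def relative_exposure(my, peers, threat):
    """Hutton's ratio read as a sum over vulnerability classes:
    sum(my_i * t_i) / sum(peer_i * t_i).  Per class the threat term cancels and
    leaves my_i / peer_i; summed, classes under heavy attack dominate the result,
    so a value above 1.0 means I am more exposed than my peers where it matters."""
    classes = set(my) | set(peers)
    num = sum(my.get(c, 0.0) * threat.get(c, 0) for c in classes)
    den = sum(peers.get(c, 0.0) * threat.get(c, 0) for c in classes)
    return num / den if den else float("inf")


def unweighted_exposure(my, peers):
    """Plain posture ratio, for contrast: ignores what attackers are doing."""
    return sum(my.values()) / sum(peers.values())


def luck_running_out(my, peers, threat, pervasiveness_max=0.10):
    """Speaker-note condition: classes I carry where attack activity is above the
    median across classes but fewer than pervasiveness_max of peers are exposed
    (attackers are busy, and there are few other targets to absorb the attention)."""
    cutoff = median(threat.values())
    flagged = [(c, my[c], peers.get(c, 0.0), threat.get(c, 0))
               for c in my
               if my[c] > 0 and threat.get(c, 0) > cutoff
               and peers.get(c, 0.0) < pervasiveness_max]
    return sorted(flagged, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    print("threat-weighted exposure vs peers:",
          round(relative_exposure(MY_POSTURE, PEER_POSTURE, THREAT_ACTIVITY), 2))
    print("unweighted posture ratio:",
          round(unweighted_exposure(MY_POSTURE, PEER_POSTURE), 2))
    print("luck running out on:", luck_running_out(MY_POSTURE, PEER_POSTURE, THREAT_ACTIVITY))
```

With these figures the unweighted posture ratio is about 1.24 while the threat-weighted one is about 2.03: the weighting is what exposes that my SQLi and RCE surplus sits exactly where attackers are active. Only RCE is flagged as "luck running out", because SQLi, although heavily attacked, is pervasive enough among peers that I am not the obvious target.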
(we need more of this)
using what we have
The Twitter Poll
My Favorite Non-Sec Tools

 TeaLeaf
 GreenPlum
 Zettaset
 Ruby
 Selenium
Resources Referenced

 Verizon DBIR http://www.verizonbusiness.com/dbir/
 VERIS Framework https://www2.icsalabs.com/veris/
 Denim Group - Real Cost of S/W Remediation http://www.slideshare.net/denimgroup/real-cost-of-software-remediation
 DataLoss DB http://datalossdb.org/
 TrustWave Global Security Report https://www.trustwave.com/GSR
 ExploitDB http://www.exploit-db.com/
 WASC Web App Security Stats http://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics
 FS-ISAC http://www.fsisac.com/
 WHID http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database/
 SANS Internet Storm Center http://isc.sans.org/
 XForce http://xforce.iss.net/
 Veracode SOSS http://www.veracode.com/images/pdf/soss/veracode-state-of-software-security-report-volume2.pdf
Q&A

follow us
 the blog http://blog.honeyapps.com/
 twitter @ebellis @risk_io

And one more thing.... We’re Hiring! https://www.risk.io/jobs

BayThreat 2011


Editor's Notes

  • #2 From Shaman to Scientist - A Use Case in Data Driven Security
  • #4 An increasingly rare species, dominant in the 90’s and around the turn of the century.
  • #6 Enter the age of the automated scanners!
  • #7 We NEED more New School! There is data out there to be had but a Lack of communication & coordination create this perceived “lack of data”
  • #8 the first step towards the New School of Information Security. Baby steps towards a quant approach. Using less secrecy & religion and more openness and information sharing. In order to take the first steps, we have to get our own house in order.
  • #9-#10 Vulnerability management is an easy use case for taking these first steps. Let’s start walking through these steps.
  • #15 Time to Fix by team, by class, by severity, by biz unit, etc, etc. SDLC - Build Schedule - testing process - etc, etc. Tech Remediation Stats from Denim Report - factor in bug tracking reports & build/dev process
  • #16 convert this into a visual funnel to produce same queries. HD Moore’s law should be shown as a node map highlighted.
  • #17 Insert Alex Hutton formula
    4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....
    4:15:46 PM Ed Bellis: haha its a new risk language
    4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?
    4:16:16 PM Alex Hutton: not yet
    4:16:21 PM Alex Hutton: some but not a ton
    4:16:24 PM Ed Bellis: also any insight on whether VERIS taking off?
    4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense
    4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled
    4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data
    4:17:31 PM Ed Bellis:
    4:17:51 PM Ed Bellis: i'd love to tap into that
    4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis
    4:19:50 PM Alex Hutton: In a sense, you hold not only the orgs perimeter, but a broad sample of perimeters
    4:20:04 PM Alex Hutton: and their
    4:20:12 PM Alex Hutton: vuln posture
    4:20:38 PM Alex Hutton: So
    4:21:07 PM Ed Bellis: right we want to move into a position where our data becomes the primary asset to help make better security decisions
    4:21:16 PM Ed Bellis: *not a verb*
    4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data
    4:22:24 PM Ed Bellis: meaning am i safer than my neighbor?
    4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting
    4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.
    4:23:23 PM Ed Bellis: i see
    4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln. to specific threat activity.  So far, you're lucky
    4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?
    4:24:31 PM Ed Bellis: where do we get the rate of threat activity?
    4:24:42 PM Ed Bellis: breach db's?
    4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.
    4:25:06 PM Alex Hutton: nope.  that's part of your exit strategy
    4:25:19 PM Ed Bellis: bought by verizon ?
    4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data
    4:25:58 PM Alex Hutton: you as "Yet another managed service" well, that's a scenario I believe in, yes.
    4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think
    4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)
  • #18 \n
  • #19 talk about infosec vs fraud\n
  • #20 talk about infosec vs fraud\n
  • #21 talk about infosec vs fraud\n
  • #22 talk about infosec vs fraud\n
  • #23 talk about infosec vs fraud\n
  • #24 talk about infosec vs fraud\n
  • #25 talk about infosec vs fraud\n
  • #26 talk about infosec vs fraud\n
  • #27 talk about infosec vs fraud\n
  • #28 Insert Alex Hutton formula
    4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....
    4:15:46 PM Ed Bellis: haha, it's a new risk language
    4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?
    4:16:16 PM Alex Hutton: not yet
    4:16:21 PM Alex Hutton: some but not a ton
    4:16:24 PM Ed Bellis: also any insight on whether VERIS is taking off?
    4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense
    4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled
    4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data
    4:17:31 PM Ed Bellis:
    4:17:51 PM Ed Bellis: I'd love to tap into that
    4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis
    4:19:50 PM Alex Hutton: In a sense, you hold not only the org's perimeter, but a broad sample of perimeters
    4:20:04 PM Alex Hutton: and their
    4:20:12 PM Alex Hutton: vuln posture
    4:20:38 PM Alex Hutton: So
    4:21:07 PM Ed Bellis: right, we want to move into a position where our data becomes the primary asset to help make better security decisions
    4:21:16 PM Ed Bellis: *not a verb*
    4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data
    4:22:24 PM Ed Bellis: meaning am I safer than my neighbor?
    4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting
    4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.
    4:23:23 PM Ed Bellis: I see
    4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln. to specific threat activity. So far, you're lucky
    4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?
    4:24:31 PM Ed Bellis: where do we get the rate of threat activity?
    4:24:42 PM Ed Bellis: breach DBs?
    4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.
    4:25:06 PM Alex Hutton: nope. that's part of your exit strategy
    4:25:19 PM Ed Bellis: bought by Verizon?
    4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data
    4:25:58 PM Alex Hutton: you as "Yet another managed service", well, that's a scenario I believe in, yes.
    4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think
    4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)
  • #29 Insert Alex Hutton formula
  • #30 Insert Alex Hutton formula
  • #31 talk about infosec vs fraud
  • #32 talk about infosec vs fraud
  • #33
  • #34
  • #35
  • #36
  • #37
  • #38