Michael Roytman, profile picture
Uploaded byMichael Roytman
605 views

Fix What Matters: BSidesDetroit 2014

The document critiques the Common Vulnerability Scoring System (CVSS) and suggests that it fails to accurately assess risk due to empirical and analytical shortcomings. It emphasizes the need for better data-driven approaches to remediation, focused on the most risky vulnerabilities rather than relying solely on standardized scoring systems. The author advocates for a comprehensive understanding of vulnerabilities, including their practical implications and the necessity of adapting to changing attacker tactics.

Embed presentation

Download to read offline
Fix What Matters:
 ! Why CVSS Sucks And How To Do Better
Once Jailbroke an Iphone 3G Michael Roytman Proud Owner of Remote Controlled Airplane Recently a Naive Grad Student Data Scientist, Risk I/O Does Not Wake Up Before 11 CST qualifications:
15x better than CVSS
Probability A Vuln Having Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
PART 1: ! YOU SUCK AT YOUR JOB ! (and don’t even know it yet)
Why Are We Here? Empirical Failures of CVSS Proper Remediation Frameworks CVSS SUCKS Analytical Failures of CVSS (+Data Driven Alternatives)
Remove the Threat Remediation Accept the Risk Repair the Vulnerability
C(ommon) V(ulnerability) S(coring) S(ystem) “CVSS is designed to rank information system vulnerabilities” Exploitability/Temporal (Likelihood) Impact/Environmental (Severity) The Good: Open, Standardized Scores
“It is a capital mistake to theorize before one has data. ! ! ! Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”
FAIL 1: A Priori Modeling “Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score...There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters...except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation . . .”
F2: Data Fundamentalism Don’t Ignore What a Vulnerability Is: Creation Bias http://blog.risk.io/2013/04/data-fundamentalism/ ! Jerico/Sushidude @ BlackHat https://www.blackhat.com/us-13/briefings.html#Martin ! Luca Allodi - CVSS DDOS http://disi.unitn.it/~allodi/allodi-12-badgers.pdf
F2: Data Fundamentalism Since 2006 Vulnerabilities have declined by 26 percent.” http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf ! ! The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012. ” http://www.symantec.com/content/en/us/enterprise/other_resources/b- intelligence_report_06-2013.en-us.pdf
F3: Stochastic Ignorance Attackers Change Tactics Daily
F3: Stochastic Ignorance
Empirical Failures of CVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
Repair the Vulnerability
I Love It When You Call Me Big Data 50,000,000 Live Vulnerabilities 1,500,000 Assets 2,000 Organizations
I Love It When You Call Me Big Data 3,000,000 Breaches
Baseline Allthethings Probability (You Will Be Breached On A Particular Open Vulnerability)? =(Open Vulnerabilities | Breaches Occurred On Their CVE) /(Total Open Vulnerabilities) 2%
Probability A Vuln Having Property X Has Observed Breaches RANDOMVULN CVSS 10 CVSS 9 CVSS 8 CVSS 6 CVSS 7 CVSS 5 CVSS 4 Has Patch 0.000 0.010 0.020 0.030 0.040
PART 2: ! FIX WHAT MATTERS
Empirical Failures of CVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
Proper Framework Know which vulnerabilities put you most at risk.
Uh, Sports? Opposing Teams, Specific Players Gameplay Scouting Reports, Gametape Roster, Player Skills Learning from Losing
InfoSec?
Defend Like You’ve Done It Before Groups, Motivations Exploits Vulnerability Definitions Asset Topology, Actual Vulns on System Learning from Breaches
Work With What You’ve Got: Akamai, Safenet ExploitDB, Metasploit NVD, MITRE
Alternatives
Probability A Vuln Having Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
Be Better Than The Gap
I Love It When You Call Me Big Data ! Spray and Pray => 2% ! CVSS 10 => 4% ! Metasploit + ExploitDB => 30%
Holler! www.risk.io @mroytman

More Related Content

PPTX
M6A1
byMatt Cooper
 
PPTX
Writ 112 project
bymarroquin_a
 
PDF
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfully
byCodecamp Romania
 
PPTX
Digital connection
by16ZimJ
 
PPTX
Tactics for Implementing Test Automation for Legacy Code
byJeff Gallimore
 
PPTX
Anatomy of a web page
bydharvey100
 
PDF
Making Data Useful
byJakub Uniejewski
 
PPTX
Rise presentation for workshop 2011 07-04
byRichard Nurse
 
M6A1
byMatt Cooper
 
Writ 112 project
bymarroquin_a
 
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfully
byCodecamp Romania
 
Digital connection
by16ZimJ
 
Tactics for Implementing Test Automation for Legacy Code
byJeff Gallimore
 
Anatomy of a web page
bydharvey100
 
Making Data Useful
byJakub Uniejewski
 
Rise presentation for workshop 2011 07-04
byRichard Nurse
 

What's hot

DOCX
My Portfolio
byEric Linden
 
PPTX
Contaminacion
bycristian197
 
PDF
Griffey "AI Possible Futures!"
byNational Information Standards Organization (NISO)
 
PDF
Eye anatomy part 1
byAndy Neill
 
PDF
Eye anatomy part 2
byAndy Neill
 
PPTX
Christopher rodriguez keep people on life support
bycrodz1634
 
My Portfolio
byEric Linden
 
Contaminacion
bycristian197
 
Griffey "AI Possible Futures!"
byNational Information Standards Organization (NISO)
 
Eye anatomy part 1
byAndy Neill
 
Eye anatomy part 2
byAndy Neill
 
Christopher rodriguez keep people on life support
bycrodz1634
 

Viewers also liked

PDF
BsidesSF 2014 Fix What Matters
byMichael Roytman
 
PDF
Data Science ATL Meetup - Risk I/O Security Data Science
byMichael Roytman
 
PPTX
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
byAdrian Sanabria
 
PDF
Attacker Behavior Boston Security Conference 2015
byMichael Roytman
 
PDF
SecurityScorecard_2016_Financial_Report
byAlex Himmelberg
 
PPTX
Using Threat Information to Build Your Cyber Risk Intelligence Program
bySurfWatch Labs
 
PPT
Completing the Risk Picture: Adding a business intelligence and collaborative...
bySurfWatch Labs
 
PDF
Risk IO Webisode 1: The Breach Landscape
byMichael Roytman
 
KEY
SecTor 2012 The Security Mendoza Line
byEd Bellis
 
PDF
Chicago Security Meetup 08/2016
byMichael Roytman
 
PDF
Fix What Matters: A Data Driven Approach to Vulnerability Management
byMichael Roytman
 
PDF
Big Data Analytics & Insights
byListenLogic
 
PPTX
Shining a Light on Cyber Threats from the Dark Web
bySurfWatch Labs
 
KEY
Bay threat2011
byEd Bellis
 
PDF
Measure What You FIx: Asset Risk Management Done Right
byMichael Roytman
 
PDF
Amateur Hour: Why APTs Are The Least Of Your Worries
byEd Bellis
 
PDF
Less is More: Behind the Data at Risk I/O
byMichael Roytman
 
PPT
Treat Cyber Like a Disease
bySurfWatch Labs
 
PDF
Palmer Symposium
byEd Bellis
 
PPT
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
bySurfWatch Labs
 
BsidesSF 2014 Fix What Matters
byMichael Roytman
 
Data Science ATL Meetup - Risk I/O Security Data Science
byMichael Roytman
 
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
byAdrian Sanabria
 
Attacker Behavior Boston Security Conference 2015
byMichael Roytman
 
SecurityScorecard_2016_Financial_Report
byAlex Himmelberg
 
Using Threat Information to Build Your Cyber Risk Intelligence Program
bySurfWatch Labs
 
Completing the Risk Picture: Adding a business intelligence and collaborative...
bySurfWatch Labs
 
Risk IO Webisode 1: The Breach Landscape
byMichael Roytman
 
SecTor 2012 The Security Mendoza Line
byEd Bellis
 
Chicago Security Meetup 08/2016
byMichael Roytman
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
byMichael Roytman
 
Big Data Analytics & Insights
byListenLogic
 
Shining a Light on Cyber Threats from the Dark Web
bySurfWatch Labs
 
Bay threat2011
byEd Bellis
 
Measure What You FIx: Asset Risk Management Done Right
byMichael Roytman
 
Amateur Hour: Why APTs Are The Least Of Your Worries
byEd Bellis
 
Less is More: Behind the Data at Risk I/O
byMichael Roytman
 
Treat Cyber Like a Disease
bySurfWatch Labs
 
Palmer Symposium
byEd Bellis
 
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
bySurfWatch Labs
 

Similar to Fix What Matters: BSidesDetroit 2014

PDF
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
PDF
Fix What Matters
byEd Bellis
 
PDF
BSidesLV Vulnerability & Exploit Trends
byEd Bellis
 
PPT
CVSS
byChristian Heinrich
 
PPTX
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
PDF
Vulnerability & Exploit Trends: A Deep Look Inside the Data
byKenna
 
PPTX
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
PDF
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
PDF
O'Reilly Security New York - Predicting Exploitability Final
byMichael Roytman
 
PDF
Health-ISAC Risk-Based Approach to Vulnerability Prioritization [EN].pdf
bySnarky Security
 
PDF
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
PPTX
Classification of vulnerabilities
byMayur Mehta
 
PDF
Predicting exploitability-forecasts-for-vulnerability-management
byPriyanka Aash
 
PPTX
DOES14 - Joshua Corman - Sonatype
byGene Kim
 
PPTX
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
PDF
Cvss guide file
bymudyna
 
PPTX
Bsides SP 2022 - EPSS - Final.pptx
byClavis Segurança da Informação
 
PPTX
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
bylior mazor
 
PPTX
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
byEndgameInc
 
PPTX
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
Fix What Matters
byEd Bellis
 
BSidesLV Vulnerability & Exploit Trends
byEd Bellis
 
CVSS
byChristian Heinrich
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
Vulnerability & Exploit Trends: A Deep Look Inside the Data
byKenna
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
O'Reilly Security New York - Predicting Exploitability Final
byMichael Roytman
 
Health-ISAC Risk-Based Approach to Vulnerability Prioritization [EN].pdf
bySnarky Security
 
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
Classification of vulnerabilities
byMayur Mehta
 
Predicting exploitability-forecasts-for-vulnerability-management
byPriyanka Aash
 
DOES14 - Joshua Corman - Sonatype
byGene Kim
 
16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS16 CVSS.pptx
byabhimannyubanerjee
 
Cvss guide file
bymudyna
 
Bsides SP 2022 - EPSS - Final.pptx
byClavis Segurança da Informação
 
Sailing Through The Storm of Kubernetes CVEs Meetup 29062023.pptx
bylior mazor
 
Vulnerability and Exploit Trends: Combining behavioral analysis and OS defens...
byEndgameInc
 
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 

More from Michael Roytman

PPTX
CyberTechEurope.pptx
byMichael Roytman
 
PDF
RSA 2017 - Predicting Exploitability - With Predictions
byMichael Roytman
 
PDF
Predicting Exploitability
byMichael Roytman
 
PDF
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
byMichael Roytman
 
PDF
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
byMichael Roytman
 
PDF
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
byMichael Roytman
 
CyberTechEurope.pptx
byMichael Roytman
 
RSA 2017 - Predicting Exploitability - With Predictions
byMichael Roytman
 
Predicting Exploitability
byMichael Roytman
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
byMichael Roytman
 
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
byMichael Roytman
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
byMichael Roytman
 

Recently uploaded

PPTX
Competitive Positioning - All HCI Competitors vs HPE PCBE dHCI _ SimpliVity w...
byyosefemiru123
 
PDF
Networking 2 Syllabus using cisco packet tracer simulator
byODINARARCH
 
PPTX
Human Aspects of Information Security: The People Factor.pptx
byOmar Fernandez
 
PDF
Beacon Kit paper foundation tech framework pdf
bySteven McGee
 
PDF
Front-End vs Back-End Development: Roles, Tools, Skills & Career Guide
byIndian Website Company
 
PPTX
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
PDF
galakticki fudbal galactic football.pdf...
byStefanFilipovic9
 
PDF
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
PPTX
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
byVisibility Drip
 
PPTX
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 
Competitive Positioning - All HCI Competitors vs HPE PCBE dHCI _ SimpliVity w...
byyosefemiru123
 
Networking 2 Syllabus using cisco packet tracer simulator
byODINARARCH
 
Human Aspects of Information Security: The People Factor.pptx
byOmar Fernandez
 
Beacon Kit paper foundation tech framework pdf
bySteven McGee
 
Front-End vs Back-End Development: Roles, Tools, Skills & Career Guide
byIndian Website Company
 
Cybersecurity cyber incident Weeks_7_to_9.pptx
byriaz59
 
galakticki fudbal galactic football.pdf...
byStefanFilipovic9
 
HYBRID APP DEVELOPMENT AND TECHNOLOGY 01
bydavidjohansen1597
 
How Big Brands are Taking Your Traffic in Alberta [Data Inside].pptx
byVisibility Drip
 
A QUIZ ABOUT THE HISTORY OF MICROSOFT WORD
byzoenadiajara1
 

Fix What Matters: BSidesDetroit 2014

  • 1.
    Fix What Matters:
 ! WhyCVSS Sucks And How To Do Better
  • 2.
    Once Jailbroke anIphone 3G Michael Roytman Proud Owner of Remote Controlled Airplane Recently a Naive Grad Student Data Scientist, Risk I/O Does Not Wake Up Before 11 CST qualifications:
  • 3.
  • 4.
    Probability A VulnHaving Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
  • 5.
    PART 1: ! YOU SUCKAT YOUR JOB ! (and don’t even know it yet)
  • 6.
    Why Are WeHere? Empirical Failures of CVSS Proper Remediation Frameworks CVSS SUCKS Analytical Failures of CVSS (+Data Driven Alternatives)
  • 7.
    Remove the Threat Remediation Acceptthe Risk Repair the Vulnerability
  • 8.
    C(ommon) V(ulnerability) S(coring)S(ystem) “CVSS is designed to rank information system vulnerabilities” Exploitability/Temporal (Likelihood) Impact/Environmental (Severity) The Good: Open, Standardized Scores
  • 9.
    “It is acapital mistake to theorize before one has data. ! ! ! Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”
  • 10.
    FAIL 1: APriori Modeling “Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score...There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters...except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation . . .”
  • 11.
    F2: Data Fundamentalism Don’tIgnore What a Vulnerability Is: Creation Bias http://blog.risk.io/2013/04/data-fundamentalism/ ! Jerico/Sushidude @ BlackHat https://www.blackhat.com/us-13/briefings.html#Martin ! Luca Allodi - CVSS DDOS http://disi.unitn.it/~allodi/allodi-12-badgers.pdf
  • 12.
    F2: Data Fundamentalism Since2006 Vulnerabilities have declined by 26 percent.” http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf ! ! The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012. ” http://www.symantec.com/content/en/us/enterprise/other_resources/b- intelligence_report_06-2013.en-us.pdf
  • 13.
  • 14.
  • 15.
    Empirical Failures ofCVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
  • 16.
  • 17.
    I Love ItWhen You Call Me Big Data 50,000,000 Live Vulnerabilities 1,500,000 Assets 2,000 Organizations
  • 18.
    I Love ItWhen You Call Me Big Data 3,000,000 Breaches
  • 19.
    Baseline Allthethings Probability (You WillBe Breached On A Particular Open Vulnerability)? =(Open Vulnerabilities | Breaches Occurred On Their CVE) /(Total Open Vulnerabilities) 2%
  • 20.
    Probability A VulnHaving Property X Has Observed Breaches RANDOMVULN CVSS 10 CVSS 9 CVSS 8 CVSS 6 CVSS 7 CVSS 5 CVSS 4 Has Patch 0.000 0.010 0.020 0.030 0.040
  • 21.
  • 22.
    Empirical Failures ofCVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
  • 23.
    Proper Framework Know whichvulnerabilities put you most at risk.
  • 31.
  • 32.
  • 33.
    Defend Like You’veDone It Before Groups, Motivations Exploits Vulnerability Definitions Asset Topology, Actual Vulns on System Learning from Breaches
  • 34.
    Work With WhatYou’ve Got: Akamai, Safenet ExploitDB, Metasploit NVD, MITRE
  • 35.
  • 36.
    Probability A VulnHaving Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
  • 37.
  • 38.
    I Love ItWhen You Call Me Big Data ! Spray and Pray => 2% ! CVSS 10 => 4% ! Metasploit + ExploitDB => 30%
  • 39.