Every single risk framework that applies to InfoSec talks about probability but doesn't offer much guidance on how to calculate or apply it. One could borrow from the common financial or manufacturing risk models, but those models do not apply to InfoSec because they are informed from past events. InfoSec risk needs to look forward without being informed by the past, and that drives the risk professional into very specific risk models. These models simplify probability calculations and there are proven ways to apply these models effectively, efficiently, and with high confidence in the results.
Originally presented at Vancouver SecSIG, Nov 13, 2015
2. INTRO
WHO AM I?
▸ Member of the GRC team at Visier, Inc
▸ Moderator of Security StackExchange
▸ Former teacher, actor, singer, director, Coast Guard Officer, undertaker, database designer, tax preparer, business owner, day trader
▸ http://www.linkedin.com/in/schroederjordan
▸ http://security.stackexchange.com/users/6253/schroeder
▸ https://gophishyourself.wordpress.com
3. INTRO
WHO AM I?
▸ NOT a formally trained Risk Professional
▸ but deep respect for Risk Professionals
▸ NOT a probabilities expert
▸ but deep respect for probabilities
▸ My experience as a day trader was affected by risk models and probabilities
6. INTRO
MY INTRO TO INFOSEC RISK
▸ Risk models for organizations I worked in
▸ CISSP
▸ CISM
7. INTRO
RISK WAS TOO RISKY
▸ Big subject
▸ Lots of examples of risk gone wrong (e.g. the 2008 credit crisis)
▸ Simplistic formulas (ALE = ARO × SLE)
▸ Mixed with arcane incantations (e.g. the Black–Scholes model: https://en.wikipedia.org/wiki/Black%E2%80%93Scholes_model)
▸ My conclusion: leave it to the professionals
8. INTRO
LEAVING IT TO THE PROFESSIONALS
▸ Used existing models in the organization
▸ Tried to understand what the pros had done
▸ Lots of questions that didn’t add up
▸ “What we’ve done isn’t perfect, but it’s what the organization can handle right now.”
▸ … and then it happened …
12. RISKY BUSINESS
THE BASICS - THE PROBLEM
▸ Risk = Likelihood × Impact
▸ Annualized Loss Expectancy (ALE) = Likelihood × Value
Source: ISO 31000
13. RISKY BUSINESS
VALUE PROPOSITION
▸ Value/Consequence/Impact is easy to understand and calculate
▸ Risk Frameworks spend large sections guiding the reader on the useful ways to conceive of and update Value/Consequence/Impact
▸ But … Likelihood?
▸ Brings to mind complex maths
▸ Where are those formulas?
▸ Non-math options kept being mentioned …
14. RISKY BUSINESS
ONE THING KEPT BUGGING ME
ISO 31000, 5.4.3 (Risk Analysis): “Consequences and their likelihood can be determined by modelling the outcomes of an event or set of events, or by extrapolation from experimental studies or from available data.”
15. RISKY BUSINESS
ONE THING KEPT BUGGING ME
ISO 31010:
Likelihood:
1. Historical data
2. Forecasts (fault tree analysis, simulations)
3. Opinion
16. RISKY BUSINESS
ONE THING KEPT BUGGING ME
NIST 800-39, “Managing Information Security Risk”:
“Likelihood determinations can be based on either threat assumptions or actual threat data (e.g., historical data on cyber attacks, … or specific information on adversary capabilities, intentions, and targeting). When specific and credible threat data is available … organizations can use the empirical data and statistical analyses to determine more specific probabilities of threat events occurring.
In addition, some organizations prefer quantitative risk assessments while other organizations, particularly when the assessment involves a high degree of uncertainty, prefer qualitative risk assessments.”
17. RISKY BUSINESS
ONE THING KEPT BUGGING ME
NIST 800-30 r1, “Guide for Conducting Risk Assessments”, Appendix G:
“The term likelihood, as discussed in this guideline, is not likelihood in the strict sense of the term; rather, it is a likelihood score. Risk assessors do not define a likelihood function in the statistical sense. Instead, risk assessors assign a score based on available evidence, experience, and expert judgment.”
18. RISKY BUSINESS
ONE THING KEPT BUGGING ME
OCTAVE Allegro: “However, because it is often difficult to accurately quantify probability, especially with respect to security vulnerabilities and events, probability is expressed in the OCTAVE Allegro methodology qualitatively as high, medium, or low.”
19. RISKY BUSINESS
GAO SAVE US!!
General Accounting Office (GAO): “Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals.”
20. RISKY BUSINESS
LET’S RECAP
▸ Modeling
▸ Extrapolation
▸ Fault Tree Analysis
▸ Statistical Analysis
▸ Quantitative
▸ Opinion
▸ Personal judgement
▸ Estimate
▸ Assumption
▸ Qualitative
21. RISKY BUSINESS
DO YOU FEEL LUCKY?
[Image: http://andrewgelman.com/wp-content/uploads/2009/09/univ16.png]
OR
[Image: dartboard, https://www.pehub.com/wp-content/uploads/2013/02/dartboard.jpg]
22. RISKY BUSINESS
THE Q’S
▸ Quantitative or Qualitative?
▸ Is Qualitative analysis just the lazy way out?
▸ I set upon a quest to understand the mathematically valid approach to calculating likelihood in InfoSec Risk Analysis
▸ If I was confused, I figured others might be, too
▸ What I discovered surprised me
25. MARTIAN COIN FLIPS
THE LONGEST JOURNEY STARTS WITH THE FIRST STEP
▸ I started my quest looking to develop a mathematical model that would be appropriate for the InfoSec field
▸ Started to develop a Bayesian Net that would accommodate the unique challenges of InfoSec risk
▸ evolving threats
▸ 0-days
▸ weaknesses in patch processes
26. MARTIAN COIN FLIPS
DOWN BY THE BAYES
▸ Jaynes’s text led me to a discussion about the difference between data and information when it comes to probability calculation
27. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ What is the probability that a coin will come up tails on the next toss?
▸ P = 0.5
▸ What if you examined the coin (more data) to ensure it was a normal coin?
▸ P = 0.5
▸ What if you knew more about the design on the coin, when it was made, etc.?
▸ P = 0.5
▸ What if the coin had already been flipped 5 times and it came up tails each time?
28. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ More data about the coin’s flip history does not affect the expectation of probability (Jaynes, p. 558)
29. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ What about the likelihood that there used to be life on Mars?
▸ Maybe yes, maybe no
▸ Let’s set it to P = 0.5
▸ New data radically alters the probability one way or the other
▸ One new piece of information can make the difference
▸ What if the coin we were flipping was found in the sands of Mars?
30. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ New data about Mars affects the expectation of the probability (Jaynes, p. 558)
31. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ Calculating probability by itself is not enough
▸ One must know a system’s resilience to new data
▸ How new data affects probability is the key
▸ Requires knowledge of the system
▸ We know how a coin flip works
▸ Uncertainty and probability
32. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ We can apply this to calculating the likelihood of a web server compromise
▸ WordPress installation
▸ 2 compromises last year
▸ each by a different vulnerable plug-in
▸ now fully patched
33. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ What is the likelihood that my server will be compromised this year?
▸ How do you set up that calculation?
▸ What data do you use?
▸ What historical data do you use?
▸ What new data might throw off your calculations?
▸ 0-days?
34. MARTIAN COIN FLIPS
A FEW NOTES ON HISTORY …
▸ Can you use historical data when the system changes?
▸ Patches, configuration changes, new mitigations
▸ The number of 0-days in the past is not indicative of 0-days in the future
▸ Historical data is useful when the system is unaltered:
▸ Threats, costs, unpatched systems
35. MARTIAN COIN FLIPS
WHEN INFORMATION ATTACKS
▸ How can you perform Quantitative probability
analysis when:
▸ there is not enough data (can’t use history in a
changing system)?
▸ every new piece of data radically alters the
probability calculation?
▸ Maybe “more data” is not the point
39. LAPLACE
LAPLACE’S FOLLY
▸ Rule of succession: after n observed sunrises, P(sunrise tomorrow) =
(n + 1) / (n + 2), i.e. odds of (n + 1) : 1
▸ (5000 × 365.25 + 1) : 1 = 1,826,251 : 1 in favour of the sun
rising tomorrow
▸ Under the assumption that the earth was 5000 years old
▸ The whole “sunrise” example was a huge mistake…
40. LAPLACE
LAPLACE’S SANITY
▸ “But [the probability of the sun rising tomorrow] is far
greater for him who, seeing in the totality of
phenomena the principle regulating the days and
seasons, realizes that nothing at the present moment
can arrest the course of it.”
▸ Translation:
▸ Don’t blindly throw numbers into a formula
▸ Knowledge trumps “more data”
41. LAPLACE
LAPLACE’S HOPE
▸ What does this mean for us?
▸ More historical data about the number of days the
sun has risen changes the probability calculation
▸ More historical data does not alter the probability of
the sun rising tomorrow, since we understand the
principles
▸ Knowledge of the “principles” can override the
importance of statistical data
42. LAPLACE
FAILURE ANALYSIS
▸ What’s our risk in regards to email infections?
▸ How many email infection attempts last year?
▸ How many successful email infections last year?
▸ Infections / Attempts = Likelihood per attempt this
year?
43. LAPLACE
FAILURE IN ANALYSIS
▸ Infections / Attempts = Likelihood?
▸ Only valid if the system does not change!
▸ Were the infections due to a specific vulnerability?
▸ Was there a spear-phishing campaign?
▸ Was there a single user clicking every spam email they got?
▸ Knowing the principles of the system overrides a strict
statistical analysis
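The "Infections / Attempts" failure above, worked through on constructed mail-gateway records as an added example (not data or code from the talk). The log format, the users, the delivery vectors and the two "system changes" (macros now blocked, one user retrained) are all assumptions made for the illustration:

```python
"""
Added example (not from the original talk): last year's infections/attempts is
only a likelihood for this year if the system that produced it is unchanged.
The records below are constructed; field names and users are assumptions.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed mail-gateway records (not real data): date user vector outcome
GATEWAY_LOG = """\
2014-01-06 user=alice vector=macro outcome=blocked
2014-01-13 user=alice vector=macro outcome=blocked
2014-02-03 user=alice vector=link outcome=blocked
2014-02-17 user=alice vector=link outcome=blocked
2014-03-04 user=alice vector=exe outcome=blocked
2014-01-08 user=bob vector=macro outcome=infected
2014-01-22 user=bob vector=macro outcome=blocked
2014-02-05 user=bob vector=link outcome=blocked
2014-02-19 user=bob vector=link outcome=blocked
2014-03-06 user=bob vector=exe outcome=blocked
2014-01-09 user=carol vector=macro outcome=blocked
2014-01-23 user=carol vector=macro outcome=blocked
2014-02-06 user=carol vector=link outcome=blocked
2014-02-20 user=carol vector=link outcome=blocked
2014-03-07 user=carol vector=exe outcome=blocked
2014-01-10 user=dave vector=macro outcome=infected
2014-01-24 user=dave vector=macro outcome=infected
2014-02-07 user=dave vector=link outcome=infected
2014-02-21 user=dave vector=link outcome=blocked
2014-03-08 user=dave vector=exe outcome=blocked
"""


def parse_log(text):
    """Turn 'date key=value ...' lines into dicts; the first token is the date."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        rec = {"date": tokens[0]}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def infection_rate(records):
    """Infections / attempts as an exact fraction; None when nothing was attempted."""
    if not records:
        return None
    infected = sum(1 for r in records if r["outcome"] == "infected")
    return Fraction(infected, len(records))


def rate_by(records, field):
    """Infection rate per distinct value of `field` (user, vector, ...)."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r)
    return {value: infection_rate(rs) for value, rs in groups.items()}


def rate_for_changed_system(records, **no_longer_present):
    """
    Re-estimate after the system changed: drop the history the change made
    unrepresentative (vector='macro' once macros are blocked at the gateway,
    user='dave' once that user has been retrained). Returns (rate, attempts
    still usable) so the shrinking evidence base is visible too.
    """
    kept = [r for r in records
            if not any(r.get(k) == v for k, v in no_longer_present.items())]
    return infection_rate(kept), len(kept)


if __name__ == "__main__":
    recs = parse_log(GATEWAY_LOG)
    print("naive likelihood per attempt:", infection_rate(recs))
    print("by user:  ", rate_by(recs, "user"))
    print("by vector:", rate_by(recs, "vector"))
    print("macros now blocked: ", rate_for_changed_system(recs, vector="macro"))
    print("user retrained:     ", rate_for_changed_system(recs, user="dave"))
    print("both changes:       ",
          rate_for_changed_system(recs, vector="macro", user="dave"))
```

The headline 1/5 hides that one user produced three of the four infections and one vector produced three of the four; once macros are blocked the usable history says 1/12, once the user is retrained it says 1/15, and with both changes it says 0 from only nine attempts. None of those numbers is "the" likelihood for this year; what determines it is the judgement about the changed system. A vector absent from history (a 0-day) has no row at all, so the frequency cannot even be formed.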
44. LAPLACE
EQUIVALENT TO A SUNRISE?
▸ What about a situation where, despite a changing
system, failures appear to be predictable?
▸ What about InfoSec failures that are as sure as a
sunrise?
45. LAPLACE
THAT’S NOT A NET, THAT’S A STRING
▸ My Bayes Net was looking shoddy
▸ Historical data disappeared
▸ I was left with the ‘conditionals’ to the statistical
probabilities
▸ borne from expert knowledge of the systems
▸ What I had left looked a lot like a pure Qualitative
analysis
47. BE CHOOSEY
QUALIFIED ANALYSIS
▸ Qualitative Likelihood Analysis no longer appeared
to be the lazy way out
▸ Perhaps the Qualitative approach might even be the
better way
▸ How to make a valid choice?
48. BE CHOOSEY
QUALIFIED ANALYSIS
▸ Quantitative Likelihood Analysis means using some
form of statistical analysis
▸ For InfoSec Risk in a changing system, this appears
to be invalid
▸ Qualitative Likelihood Analysis allows you to use your
judgement and knowledge of the system
▸ The defensive technologies, the patch history, the
people, configuration changes
49. BE CHOOSEY
QUALITATIVE VS QUANTITATIVE
▸ Risk Frameworks offer the choice
▸ but little guidance on the choice
▸ Quantitative analysis produces numbers
▸ with decimal points!
▸ Qualitative analysis “feels” wrong
50. BE CHOOSEY
ENORMOUS CONFUSION OUT THERE
▸ https://en.wikipedia.org/wiki/Risk_assessment [accessed Oct 30, 2015]
▸ “Risk assessment is the determination of quantitative or qualitative
estimate of risk …”
▸ Talks about quantitative then never mentions qualitative assessments …
▸ http://www.sans.edu/research/leadership-laboratory/article/risk-
assessment
▸ “We now have a quantitative risk assessment value of $15 million and a
qualitative risk level of High.”
▸ author confuses the events in the ALE (Annualized Loss Expectancy) formula
51. BE CHOOSEY
CLEAR THE CONFUSION
▸ It is important to understand that one can calculate
▸ Likelihood
▸ Impact
▸ using either
▸ Qualitative Analysis
▸ Quantitative Analysis
52. BE CHOOSEY
WHEN TO USE QUANTITATIVE PROBABILITY
▸ It is entirely possible to determine a Quantitative
probability
▸ Used in Finance and Manufacturing all the time
▸ Perfect for when you have lots of historical data
▸ The subjects need to be comparable
▸ 1000 servers all configured the same way
▸ (ISO 31010 Annex B presents a full analysis of methods)
53. BE CHOOSEY
QUANTITATIVELY PROBLEMATIC - STAMP
“… for hazards associated with standard systems with abundant
historical data, it may be possible to define likelihood using a
quantitative probability of occurrence. However, for most complex
socio-technical** systems with little or no historical experience …
a qualitative assessment of likelihood is the best that can be
achieved.”
[Dulac, 2007]
STAMP (Systems-Theoretic Accident Model and Processes) is
based entirely on a Qualitative approach
[**socio-technical: technology used by people]
54. BE CHOOSEY
QUANTITATIVELY PROBLEMATIC - NIST
“In addition, some organizations prefer quantitative risk
assessments while other organizations, particularly when the
assessment involves a high degree of uncertainty, prefer
qualitative risk assessments.” [NIST 800-39]
“Consideration of uncertainty is especially important when
organizations consider advanced persistent threats (APT)
since assessments of the likelihood of threat event occurrence
can have a great degree of uncertainty.” [NIST 800-30 r1]
55. BE CHOOSEY
QUANTITATIVELY PROBLEMATIC - ISO 31010
“Full quantitative analysis may not always be possible or
desirable due to insufficient information about the system or
activity being analysed, lack of data, influence of human
factors, etc. ” [5.3.1]
56. BE CHOOSEY
QUANTITATIVELY PROBLEMATIC - GAO
“… the availability of data can affect the extent to which risk
assessment results can be reliably quantified.”
“Reliably assessing information security risks can be more difficult
than assessing other types of risks, because the data on the
likelihood and costs associated with information security risk
factors are often more limited and because risk factors are
constantly changing.”
“Even if precise information were available, it would soon be out
of date due to fast-paced changes in technology and factors such
as improvements in tools available to would-be intruders. ”
57. BE CHOOSEY
MOST INFORMATION SYSTEMS ARE
▸ Complex
▸ Socio-technical (those darn people!)
▸ In a state of change
▸ With high degrees of uncertainty
58. BE CHOOSEY
DATA YOU NEED FOR QUANTITATIVE LIKELIHOOD ANALYSIS
▸ Already stale
▸ About a previous state of the system
▸ Unnecessary (perhaps misleading)
▸ Trumped by knowledge of the system
61. BE QUALITATIVE
QUALITATIVE LIKELIHOOD ASSESSMENTS (example scales)
▸ Low / Medium / High
▸ Improbable / Remote / Occasional / Probable / Frequent
▸ Highly unlikely / Unlikely / Somewhat likely / Highly likely / Almost certain
▸ Very Low / Low / Moderate / High / Very High
62. BE QUALITATIVE
CRITIQUES OF QUALITY ASSESSMENTS
▸ Too broad to properly compare
▸ With a detailed assessment, it is easier to rank mitigating options!
▸ Response: be careful that you are not trusting in false accuracy
▸ Response: get stakeholders together and prioritize
▸ Misleading labels between assets or departments can cause
confusion
▸ What does “High” mean to you?
▸ Response: central management and guidance/training can help
63. BE QUALITATIVE
HOW DO I SELL THIS TO OTHERS?
▸ “Someone is going to want a Quantitative Likelihood calculation.
How do I tell them that Qualitative is the valid approach?”
▸ Simply this:
▸ “Since our systems and the threats to those systems are in a
constant state of change, historical statistical data is not
relevant to complete a Quantitative Likelihood calculation.
Risk frameworks for InfoSec systems recommend a Qualitative
approach, which leverages the expert judgement of those
close to the objects of risk, who are best able to estimate
future likelihood.”
65. QUALITY
WHEN QUALITATIVE PROBABILITY HAS BEEN USED
▸ GAO did a study on organizations that relied on their ERM
(enterprise risk management), and where the ERM was perceived
by the organization to be effective (Risk done right)
▸ Risk Assessment methods were:
▸ Simple
▸ Mostly Qualitative
66. QUALITY
GAO TIPS
▸ Segment Risk Assessments into smaller units to limit the scope (easier
to re-assess when necessary)
▸ Make the Risk Assessors the ones who are close to the objects of
risk
▸ System admins, help desk managers, etc.
▸ Use tables, questionnaires (multiple choice) and standardized report
formats
▸ Define the scale to keep it consistent across the organization
▸ Training, guidance documents
67. QUALITY
GAO TIPS
▸ Business Units responsible for
▸ reassessments
▸ following up on recommendations
▸ Encourages a bottom-up approach to Risk Management
▸ Risk becomes a mindset at the bottom
▸ Controls are better understood and adopted by those
implementing them
68. THE END
ACKNOWLEDGEMENTS
▸ Dan Bühler, MSc (Mathematics)
▸ Anton Smessaert, PhD (Data Scientist)
▸ Prof. David Wagner (UC Berkeley)
69. PROBABLY:
THE BEST WAY TO CALCULATE
INFOSEC RISK
JORDAN SCHROEDER, CISSP, CISM