There’s a gap between the hacker’s view and the defender’s view of an attack. The defender strives to break down the complex whole to simple components that can be assessed individually while the hacker thrives on complexity and sees opportunities in the white space between assessments.

1. Putting Security in Context
A risk-based approach to security assessments
Bob Egner, CMO
be@outpost24.com
1

2. 2
Helping customers improve security posture since 2001
Over 2,000 customers in all regions of the world
Really good at breaking technology

3. Today’s topic
3
Reality check for security
Risk based approach to cyber
security assessments
Takeaways

4. 1,000,000

5. discovered
1,000,000
infrastructure vulnerabilities

6. 6,000

7. discovered
6,000
web applications

8. 8
What is important?
What is real?
What is dangerous?
Can we use this information
to prioritize?
Context
Photo:
https://news.iu.edu/stories/2018/03/iu/releases/21-joint-cyber-security-operations-center-launches.html

9. Reality check for security

10. Security balance
10
Increased cyber attacks
Cloud workloads
Faster development cycles
Mobile device proliferation
More privacy rules across
larger data sets
Limited budget
Under-staffed teams
Missing skill sets
Distributed IT responsibility
Mismatched expectations

11. Align with business
11
Gaps result from
• Technical knowledge
• Misunderstood objectives
• Exclusion from planning
• Practical view of pace
• Different opinions of risk

12. Empower security
12
• Focus on risks that are
likely to occur
• Manage risks that have
the greatest impact
• Address risks that disrupt
the business
• Work on things that
provide benefit
Gartner: Answer three questions to move from overwhelmed to empowered, Jeffrey Wheatman, 20-Sep-2018

13. Security assessments drive activity
13
Normal process
• Identify what you own
• Assess where it is weak
• Focus on risk reduction
Shift the focus away from
• Latest headline
• Zero-day
• Easy to fix
Measure and
shrink the attack
surface…
and maintain it at
the smallest level

14. Risk based approach

15. Full stack cyber security assessment
Business value
• increases with each layer of the stack
Assessments
• Made at each layer
• Infrastructure can be owned (legacy) or rented (cloud)
• Application security testing differs for home-built apps,
externally built apps, and COTS customization
• Data assessments focus on access rights
• User assessments focus on behaviors
Networks
Applications
Data
User
Devices
Business Value

16. NIST Cyber Security Framework
16
Identify
• What you own
• How it supports your business
• Regulatory requirements
• Where it is weak
• How you will remediate or compensate

17. Assessment
Tools
17
Source: Momentum Cyber
September 12, 2018
Identify technical
severity
• Infrastructure
• Cloud
• Applications
But not risk!

18. Risk calculation
18
Simple risk = f( likelihood, impact)
• Not directly calculated from test result
Likelihood
• Combine test results with threat
intelligence feed
Impact
• Combines business criticality with
business impact
Very Low
(1)
Low
(2)
Medium
(3)
High
(4)
Very High
(5)
Very Low
(1)
Low
(2)
Medium
(3)
High
(4)
Very High
(5)
Impact
Likelihood

19. What about ?
19
Common framework to compare vulnerabilities
• Applications
• Infrastructure
• Data
State of the art
• Still somewhat blunt

20. What about ?
20
Common framework to compare vulnerabilities
• Applications
• Infrastructure
• Data
State of the art
• Still somewhat blunt
May not reflect
active exploitation
Does not reflect
business impact

21. Assessment life cycle
21
Security
assessment
Security
Ops
Business
CMDB
Enrich asset
catalog with
criticality
Enrich
finding with
threat intel
Prioritized
remediation
Low frequency updates
• Business impact of all assets
Coordinated update maps to pace of change
• Recurring assessments
• Risk-based prioritization
• Management reporting
Risk-based
management
reports

22. Assessment life cycle
22
Security
assessment
Security
Ops
Business
CMDB
Enrich asset
catalog with
criticality
Enrich
finding with
threat intel
Prioritized
remediation
Low frequency updates
• Business impact of all assets
Coordinated update maps to pace of change
• Recurring assessments
• Risk-based prioritization
• Management reporting
Benefits
• Aligns with business
• Objective prioritization
• Common language for
all stakeholders
Risk-based
management
reports

23. NIST Cyber Security Framework
23
Risk Assessment
• Testing tools
• Infrastructure vulnerability assessment
• Cloud security posture management
• Application security testing
Results typically show technical severity

24. Infrastructure assessments
24
Vulnerabilities eventually exploited
• ~12.5%
• Consistent with security research
results
Patch the regularly exploited
vulnerabilities to make the biggest
security improvement
Gartner: Implement a risk-based approach to vulnerability management, Prateek Bhjanka, Craig Lawson, 21-Aug-2018

25. Cloud assessments
25
Traditional infrastructure
assessment
+ workload analytics
Container assessment +
workload analytics

26. Application assessments
26
OWASP Top 10
• Mostly ranked medium severity
• Make up about 40% of all vulnerabilities
• Highly application dependent
• Easy to exploit and common attack for
large data exfiltration
OWASP risk model
• www.owasp.org Risk Rating Methodology

27. Additional tools
27
Security analytics
• Microsoft PowerBI
• Elastic Stack
• Splunk
Risk assessment
• Kenna Security
Outpost24.com/blog

28. Takeaways

29. 29
Takeaways
Work on the things that provide benefit
• Focus on risks that are likely to occur
• Manage risks that have the greatest impact
• Address risks that disrupt the business
Assess the full stack at a pace that matches frequency of change

30. Q & A Thanks!
Bob Egner, CMO
be@outpost24.com