Ed Bellis, profile picture
Uploaded byEd Bellis
4,500 views

Palmer Symposium

The document discusses the challenges of performing comprehensive vulnerability assessments across hundreds of websites that are constantly changing. It then describes how automated vulnerability scanners were used to try to address this problem, but resulted in dumping large amounts of data without prioritization or context. The document proposes a "Moneyball" or sabermetrics approach to security intelligence by collecting and correlating vulnerability data from multiple sources and using attributes, trends, and outcomes to analyze risk, prioritize issues, and compare organizations. This approach would provide a centralized view of an organization's vulnerability posture and the external threat landscape.

Embed presentation

Download to read offline
A Moneyball Approach to Security Intelligence http://www.risk.io ed@risk.io
• CoFounder Risk I/O About Me About Risk I/O • Former CISO Orbitz • Contributing Author: Beautiful Security • CSO Magazine/Online Writer • Data-Driven Vulnerability Intelligence Platform • DataWeek 2012 Top Security Innovator • 3 Startups to Watch - Information Week • InfoSec Island Blogger • 16 Hot Startups - eWeek Nice to Meet You
Stage 1: Ignorance is Bliss
Stage 2: Where are all of my vulnerabilities? “Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.” Jeremiah Grossman Founder,WhiteHat Security
Stage 3: Scan & Dump Enter the Age of the Automated Scanner...
Why This Occurs Lack ofVisibility Lack of Communication Lack of Coordination Silos, Silos, Everywhere
company name “vulnerability prioritization for remediation presents THE critical problem” -Anton Chuvakin, Gartner Research Director “Finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part” -Diana Kelley, Dark Reading “Businesses may be able to measure their performance through objective metrics such as sales growth, production efficiency or customer preference, but information security management too often boils down to a reaction to recent events or the well-known trio of fear, uncertainty and doubt.” -Scott Crawford, EMA Associates “Unless you work in a company that has unlimited resources and you have absolute support at all levels for remediating the vulnerabilities in your environment, you MUST prioritize the issues that cause the most risk to your IT environment.” -Clay Keller, Wal-Mart InfoSec “With the enormous amounts of data available, mining it — regardless of its source — and turning it into actionable information is really a strategic necessity, especially in the world of security.” -Chris Hoff, Juniper Networks IT Security Is Buried in Noise
SaberMetrics for InfoSec?
HD Moore’s Law - Josh Corman Example Use Case 1 aka Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit”
PredictingVulnerability (or even breach) Example Use Case 2 Key Attributes Trending Outcomes
CVE Trending Analysis Example Use Case 3 Gunnar’s Debt Clock
My(vuln posture X threat activity) / (other vuln posture X other threat activity) Example Use Case 4 Targets of Opportunity?
company name Data aggregation is necessary for everything we do Table Stakes Correlation, Normalization, De-Duplication Full risk views down the entire technology stack That’s So Meta
company name Assembly Line Workflow Putting The Robots To Work Bulk Ticketing & Bug Tracking Integration Automated ReTesting API “All The Things”
company name How do I know where to deploy my resources? Web Scale Visibility What matters when prioritizing remediation? What does the threat landscape look like outside of my 4 walls? How do I compare to peers?
VA Products • Dynamic Application • Network & Host • Static Analysis Manual Assessments Remediation • Trouble Ticketing • Bug Tracking • Configuration Management • Patch Management Integrating Disparate Solutions
Network Vulnerability Scanners Database Vulnerability Scanners Internal Remediation Systems Static Analysis Tools Application Vulnerability Scanners Pentesters/ Professional Services RiskDB Centralizing the Data
Predefined and Custom Security Metrics Filter by Hundreds of Attributes and Metadata Real-World Vulnerability Trending Custom Fields Full Featured RESTful API AutoFlagging based on “in the wild” Attack Traffic Benchmarking Across Industries Predictive Analytics & Machine Learning Security && Ops NOT || Ops Your Data, Your Way
Three Distinct Values
Vulnerability Scanners RiskDB Static & Binary Analysis Ticketing / Bug Tracking IPS / WAF SIEM External Data Faceted Search KnowledgeBaseCustom DashboardsAlerting Analyze & Prioritize Network Mapping Vulnerability Intelligence Platform
Vulnerability Intelligence Platform http://www.risk.io ed@risk.io Q&A

More Related Content

PPTX
Are Your IT Systems Secure?
byNex-Tech
 
PDF
Insider threats
byizoologic
 
PPTX
Lesson2.9 o u2l6 who cares about encryption
byLexume1
 
PDF
Phil Grimes - Penetrating the Perimeter: Tales from the Battlefield
bycentralohioissa
 
PPTX
Cyber Terrorism
byDeepak Pareek
 
PPTX
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...
byPro Mrkt
 
PDF
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
byPukhraj Singh
 
PPTX
The What If's of Hostile:Evil Personas
byAllison Donatto
 
Are Your IT Systems Secure?
byNex-Tech
 
Insider threats
byizoologic
 
Lesson2.9 o u2l6 who cares about encryption
byLexume1
 
Phil Grimes - Penetrating the Perimeter: Tales from the Battlefield
bycentralohioissa
 
Cyber Terrorism
byDeepak Pareek
 
Mark Lomas - Taking a Holistic Approach to Cyber Threat Prevention #midscyber...
byPro Mrkt
 
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
byPukhraj Singh
 
The What If's of Hostile:Evil Personas
byAllison Donatto
 

What's hot

PPTX
We cant hack ourselves secure
byEoin Keary
 
PDF
Understanding the 'physics' of cyber-operations - Pukhraj Singh
byPukhraj Singh
 
PDF
Council rock-school-case-study
byCMR WORLD TECH
 
PPTX
Lesson2.9 p u2l6 cryptography and innovations
byLexume1
 
PPTX
Cyber Conflicts - Time for Reality Check
byJarno Limnéll
 
PDF
Webinar - Cyber Hygiene: Stay Clean at Work and at Home
byWPICPE
 
PPTX
Are we ready for Cyberwarfare
byAurin Sheikh
 
PDF
Eliminating Security Uncertainty
byDell World
 
PDF
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
byPukhraj Singh
 
PPTX
2021-02-10_CogSecCollab_UBerkeley
bySara-Jayne Terp
 
PDF
In cyber, the generals should lead from behind - College of Air Warfare - Puk...
byPukhraj Singh
 
PDF
Application Security Trends and Issues
byDedi Dwianto
 
PPTX
Cyber terrorism
byHiren Selani
 
PDF
Computer Security Incident Handling Guide
byMuhammad FAHAD
 
PPTX
Backups and Disaster Recovery for Nonprofits
byCommunity IT Innovators
 
PDF
Cyberterrorism. Past, Present, Future
byPriyanka Aash
 
We cant hack ourselves secure
byEoin Keary
 
Understanding the 'physics' of cyber-operations - Pukhraj Singh
byPukhraj Singh
 
Council rock-school-case-study
byCMR WORLD TECH
 
Lesson2.9 p u2l6 cryptography and innovations
byLexume1
 
Cyber Conflicts - Time for Reality Check
byJarno Limnéll
 
Webinar - Cyber Hygiene: Stay Clean at Work and at Home
byWPICPE
 
Are we ready for Cyberwarfare
byAurin Sheikh
 
Eliminating Security Uncertainty
byDell World
 
BSides Delhi-2018 Keynote by Pukhraj Singh (Politics & Power in Cybersecurity)
byPukhraj Singh
 
2021-02-10_CogSecCollab_UBerkeley
bySara-Jayne Terp
 
In cyber, the generals should lead from behind - College of Air Warfare - Puk...
byPukhraj Singh
 
Application Security Trends and Issues
byDedi Dwianto
 
Cyber terrorism
byHiren Selani
 
Computer Security Incident Handling Guide
byMuhammad FAHAD
 
Backups and Disaster Recovery for Nonprofits
byCommunity IT Innovators
 
Cyberterrorism. Past, Present, Future
byPriyanka Aash
 

Similar to Palmer Symposium

KEY
An Economic Approach to Info Security
byEd Bellis
 
PPTX
ISAA PPt
byRishabhAgrawal695188
 
PDF
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
PPT
Anton Chuvakin on Threat and Vulnerability Intelligence
byAnton Chuvakin
 
PPTX
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
byImXaib
 
PDF
Fix What Matters
byEd Bellis
 
PPT
Challenges in implementating cyber security
byInderjeet Singh
 
PDF
Cybersecurity risk assessments help organizations identify.pdf
byTheWalkerGroup1
 
PDF
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
PDF
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
byCam Fulton
 
PPT
Reading the Security Tea Leaves
byEd Bellis
 
PDF
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
PPTX
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
PPTX
IS-lecture-risk-management-security.pptx
bysyedatoobaaftab1
 
PPT
Vuln_Man_91003.ppt
byKRISHNARAJ207
 
PPT
Vuln.ppt
bykarthikvcyber
 
PPTX
My Keynote from BSidesTampa 2015 (video in description)
byAndrew Case
 
PPTX
Operationalizing Security Intelligence
bySplunk
 
PDF
User Guide for Risk Insight 1.1
byProtect724gopi
 
PDF
It risk assessment
byHappiest Minds Technologies
 
An Economic Approach to Info Security
byEd Bellis
 
ISAA PPt
byRishabhAgrawal695188
 
Defense In Depth Using NIST 800-30
byKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Anton Chuvakin on Threat and Vulnerability Intelligence
byAnton Chuvakin
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
byImXaib
 
Fix What Matters
byEd Bellis
 
Challenges in implementating cyber security
byInderjeet Singh
 
Cybersecurity risk assessments help organizations identify.pdf
byTheWalkerGroup1
 
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
When to Implement a Vulnerability Assessment or Pen Test | IT Security & Risk...
byCam Fulton
 
Reading the Security Tea Leaves
byEd Bellis
 
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
Vulnerability Management: What You Need to Know to Prioritize Risk
byAlienVault
 
IS-lecture-risk-management-security.pptx
bysyedatoobaaftab1
 
Vuln_Man_91003.ppt
byKRISHNARAJ207
 
Vuln.ppt
bykarthikvcyber
 
My Keynote from BSidesTampa 2015 (video in description)
byAndrew Case
 
Operationalizing Security Intelligence
bySplunk
 
User Guide for Risk Insight 1.1
byProtect724gopi
 
It risk assessment
byHappiest Minds Technologies
 

More from Ed Bellis

PDF
Risk Management Metrics That Matter
byEd Bellis
 
PDF
Amateur Hour: Why APTs Are The Least Of Your Worries
byEd Bellis
 
PDF
Security as Code: DOES15
byEd Bellis
 
PPTX
Security as Code
byEd Bellis
 
PDF
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
PDF
BSidesLV Vulnerability & Exploit Trends
byEd Bellis
 
PDF
BSides SF Security Mendoza Line
byEd Bellis
 
KEY
SecTor 2012 The Security Mendoza Line
byEd Bellis
 
KEY
Bay threat2011
byEd Bellis
 
KEY
SecTor - The Search For Intelligent Life
byEd Bellis
 
KEY
Metricon 6 That's So Meta
byEd Bellis
 
Risk Management Metrics That Matter
byEd Bellis
 
Amateur Hour: Why APTs Are The Least Of Your Worries
byEd Bellis
 
Security as Code: DOES15
byEd Bellis
 
Security as Code
byEd Bellis
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
byEd Bellis
 
BSidesLV Vulnerability & Exploit Trends
byEd Bellis
 
BSides SF Security Mendoza Line
byEd Bellis
 
SecTor 2012 The Security Mendoza Line
byEd Bellis
 
Bay threat2011
byEd Bellis
 
SecTor - The Search For Intelligent Life
byEd Bellis
 
Metricon 6 That's So Meta
byEd Bellis
 

Recently uploaded

PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PPTX
Workflow and decision Automation with Flowable
bychakib ch
 
PDF
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
final.pdf
byomarbishtawi04
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Workflow and decision Automation with Flowable
bychakib ch
 
How does MES(Manufacturing Execution System) work?
byakipii ogaoga
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 

Palmer Symposium

  • 1.
    A Moneyball Approachto Security Intelligence http://www.risk.io ed@risk.io
  • 2.
    • CoFounder RiskI/O About Me About Risk I/O • Former CISO Orbitz • Contributing Author: Beautiful Security • CSO Magazine/Online Writer • Data-Driven Vulnerability Intelligence Platform • DataWeek 2012 Top Security Innovator • 3 Startups to Watch - Information Week • InfoSec Island Blogger • 16 Hot Startups - eWeek Nice to Meet You
  • 3.
  • 4.
    Stage 2: Whereare all of my vulnerabilities? “Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.” Jeremiah Grossman Founder,WhiteHat Security
  • 5.
    Stage 3: Scan& Dump Enter the Age of the Automated Scanner...
  • 6.
    Why This Occurs LackofVisibility Lack of Communication Lack of Coordination Silos, Silos, Everywhere
  • 7.
    company name “vulnerability prioritizationfor remediation presents THE critical problem” -Anton Chuvakin, Gartner Research Director “Finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part” -Diana Kelley, Dark Reading “Businesses may be able to measure their performance through objective metrics such as sales growth, production efficiency or customer preference, but information security management too often boils down to a reaction to recent events or the well-known trio of fear, uncertainty and doubt.” -Scott Crawford, EMA Associates “Unless you work in a company that has unlimited resources and you have absolute support at all levels for remediating the vulnerabilities in your environment, you MUST prioritize the issues that cause the most risk to your IT environment.” -Clay Keller, Wal-Mart InfoSec “With the enormous amounts of data available, mining it — regardless of its source — and turning it into actionable information is really a strategic necessity, especially in the world of security.” -Chris Hoff, Juniper Networks IT Security Is Buried in Noise
  • 8.
  • 9.
    HD Moore’s Law- Josh Corman Example Use Case 1 aka Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit”
  • 10.
    PredictingVulnerability (or evenbreach) Example Use Case 2 Key Attributes Trending Outcomes
  • 11.
    CVE Trending Analysis ExampleUse Case 3 Gunnar’s Debt Clock
  • 12.
    My(vuln posture Xthreat activity) / (other vuln posture X other threat activity) Example Use Case 4 Targets of Opportunity?
  • 13.
    company name Data aggregationis necessary for everything we do Table Stakes Correlation, Normalization, De-Duplication Full risk views down the entire technology stack That’s So Meta
  • 14.
    company name Assembly LineWorkflow Putting The Robots To Work Bulk Ticketing & Bug Tracking Integration Automated ReTesting API “All The Things”
  • 15.
    company name How doI know where to deploy my resources? Web Scale Visibility What matters when prioritizing remediation? What does the threat landscape look like outside of my 4 walls? How do I compare to peers?
  • 16.
    VA Products • DynamicApplication • Network & Host • Static Analysis Manual Assessments Remediation • Trouble Ticketing • Bug Tracking • Configuration Management • Patch Management Integrating Disparate Solutions
  • 17.
  • 18.
    Predefined and CustomSecurity Metrics Filter by Hundreds of Attributes and Metadata Real-World Vulnerability Trending Custom Fields Full Featured RESTful API AutoFlagging based on “in the wild” Attack Traffic Benchmarking Across Industries Predictive Analytics & Machine Learning Security && Ops NOT || Ops Your Data, Your Way
  • 19.
  • 20.
    Vulnerability Scanners RiskDB Static & Binary Analysis Ticketing/ Bug Tracking IPS / WAF SIEM External Data Faceted Search KnowledgeBaseCustom DashboardsAlerting Analyze & Prioritize Network Mapping Vulnerability Intelligence Platform
  • 21.