Vulnerability Prioritization and Prediction

•Download as PPTX, PDF•

1 like•378 views

Delivered at Gartner SRM 2018 - Discusses original research from Kenna Security and the Cyentia Institute about which vulnerabilities are being targeted today, and what organizations can do to protect themselves. Presented with insight from Reid Shelton of CapitalOne.

Technology

Vulnerability
Prioritization &
Prediction in
Practice
Jonathan Cran, Research @ Kenna Security
Reid Shelton, Senior Director @ Capital One
Gartner Security & Risk
Management Summit 2018

2
2018 Vulnerability Management Challenges
1. Increasing Volume (both Vulnerabilities & Threat)
2. Highly Publicized Vulnerabilities
3. No Single Source of Vulnerability Information
4. DevSecOps Enablement

3
Challenge: Increasing Volume
Mitre CNA program signing up more CNAs and
fanning out responsibilities, thus enabling more
CVEs to be created & tracked (a good thing!)

4
Challenge: A Fast Moving ThreatExploitExists
At CVE assignment date (vs the later publish
date), just over 40% of CVEs from 2017 had
public exploit code. We need to move FASTER
to distribute vulnerability information.

5
Challenge: Highly Publicized Vulns
Defending prioritization to leadership, then re-
explaining when new patches arise took a significant
amount of time in early 2018. Teams need a
generally accepted data-backed process to prioritize.

6
Challenge: DevSecOps Enablement
Threat ModelingDevelop
Inherit
Build
Deploy
Operate
SCA
SAST
Container Scan, DAST
DAST, Bug Bounty, Penetration Testing
DevSec Ops Phase Vulnerability Data:
More layers and more testing techniques are
Driving an integration-first vuln mgmt
approach, integrated with each of the steps of
the emerging DevSecOps toolchain.
Credit @signalsciences, @samnewman

7
Approved
Gold Image
and AMI
(updated every 2
weeks)
APPROVE and
PUBLISH
ASSESS
ON DEV
INSTANCES
OS
Scanner
AUTOMATICALLY
ADD
CLOUD AGENT
OS
Detection
Agent
Public
Custom
AMAZON MACHINE
IMAGE (AMI)
Live Instances
(Rehydration – every 60 days)
Agents
DevSecOps in Practice
Actual process used by a Kenna Customer

8
Risk Based Vulnerability Management
(Network) Infrastructure Sources Application Sources
Risk Based Vuln Management integrates many sources – both
infrastructure and application data , along with current and relevant
threat information to prioritize the most highly targeted
vulnerabilities and configuration problems.
Threat Sources
Kenna Research Team
Global Threat Feeds
NIPS / NIDS & HIPS / HIDS
Antivirus and Endpoint Threat Data
WAF & RASP Threat Data
SEIM and Analytics

9
Risk Based Vulnerability Management
Vulnerability
Identified
Public
Exploit
Exists
In-The-Wild
Exploitation
Exploitation
In our Env
Takeaways:
Only ~2-5% of vulnerabilities are detected as targeted in
the wild today according to Kenna Security threat data.
A risk scoring system that progressively increases risk
scores as threats emerge and are activated helps vuln
mgmt teams prioritize risk.

10
External “Scannable” CVEs - Q1 2018
Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805
Joomla! 3.7.1 - CVE-2017-8917
Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271
PHP 5.4.2 - CVE-2002-1149, CVE-2012-1823
Jenkins 2.56 - CVE-2017-1000353
Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143/4/5
MASTER IPCAMERA (hardcoded password) - CVE-2018-5723
These specific CVEs saw significantly increased activity in Q1 2018 across Kenna Security threat data

11
Analysis of Remediation Strategies
Coverage: Of all vulnerabilities that
should be remediated, what
percentage was correctly identified
for remediation? (correctly applied
effort)
Efficiency: Of all vulnerabilities
identified for remediation, what
percentage should have been
remediated? (a measure of effort
wasted)
Takeaway: There’re no simple rule-based systems for choosing vulns to remediate. Aim to optimize coverage and efficiency.

12
Prioritization To Prediction
https://www.kennasecurity.com/prioritization-to-prediction-report/
• Speed must be a priority.
• The number of CVEs published every year is
growing.
• Common strategies are about as effective as
rolling dice.
• A predictive model increases efficiency,
reduces workload, and increases coverage.
Dig into the research here:

Title: Welcome to the world of Cyber Threat Intelligence! Abstract: Welcome to the world of Cyber Threat Intelligence (CTI)! During this presentation, we will discuss about some of the basic concepts within CTI domain and we will have a look at the current threat landscape as observed from the trenches. The presentation is split into 3 parts: a) Intro to CTI, b) A view at the current threat landscape, and c) CTI analyst skillset. Short Bio: Andreas Sfakianakis is a Cyber Threat Intelligence and Incident Response professional and works for Standard and Poors' CTI team. He is also a member of ENISA’s CTI Stakeholders’ Group and Incident Response Working Group. He is the author of a number of CTI reports and an instructor of CTI. In the past, Andreas has worked within the Financial and Oil & Gas sectors as well as an external reviewer for European Commission. Andreas' Twitter handle is @asfakian and his website is www.threatintel.eu

Tech ThrowDown:Invincea FreeSpace vs EMET 5.0

Invincea, Inc.

CSS Trivia

Alert Logic

Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework

Outpost24

During the past years, cyber threat intelligence (CTI) discipline has been adopted by organisations worldwide. While CTI’s best practices are still developing, finding the right technology to support your CTI analysts’ workflows and daily activities is hard. And advertising from vendors makes it even harder. This session will cut through the propaganda: providing a vendor-agnostic look at the process of selecting the right tools by providing a primer on the CTI cycle. Second, hear an overview of the current threat intelligence platform (TIP) landscape and explore the limitations that have been spotted by researchers and practitioners. Finally, learn tangible recommendations related to TIPs for different user groups.

Light, Dark and... a Sunburst... dissection of a very sophisticated attack.

Stefano Maccaglia

The Sweet Spot of Cyber Intelligence

Tieu Luu

Malware self protection-matrix

Cyphort

In this Malware's Most Wanted, Cyphort Lab's Marion Marschalek will shed light on malware self-protection. The audience will get an overview of how malware evasion evolved over the years and how malware defense evolved with it, or vice versa as it occasionally happens in the digital arms race. The various observed anti-analysis tricks will be put in relation to the respective counter measures in order to showcase challenges of modern day security products. Marion recently won a speaking contest at Komintern Sect in Stockholm.

MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...

MITRE - ATT&CKcon

In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. The research presented in this talk seeks to develop a framework which adapts the existing MITRE ATT&CK framework to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor. The framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.

Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK

MITRE ATT&CK

From ATT&CKcon 3.0 By Haylee Mills, Splunk Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.

Threat Hunting Report

Morane Decriem

The Information Security Community on LinkedIn, with the support of Cybereason, conducted a comprehensive online research project to gain more insight into the state of threat hunting in security operation centers (SOCs). When the 330 cybersecurity and IT professionals were asked what keeps them up at night, many comments revolved around a central theme of undetected threats slipping through an organization’s defenses. Many responses included “unknown” and “advanced” when describing threats, indicating the respondents understand the challenges and fear those emerging threats. Read the full report here.

The Modern Malware Review March 2013

- Mark - Fullbright

MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET

MITRE - ATT&CKcon

Malware Most Wanted: Security Ecosystem

Cyphort

Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit)

Open Analytics

How to assign a CVE to yourself?

Ramin Farajpour Cami

New wave of attacks in Ukraine 2016

Marina Krotofil

Mc afee conectando las piezas

Software Guru

En la actualidad el crecimiento exponencial del malware sofisticado y los métodos de evasión utilizados por cibercriminales se han convertido en una combinación letal para las organizaciones. Los silos de información y la carencia de automatización entre ellos, convierte a las empresas en foco fácil de los atacantes. Hoy las empresas no solo buscan llenar el “check” de Compliance, sino realmente mitigar sus riesgos de seguridad de manera más eficiente y proactiva. Una seguridad conectada, a través de diferentes componentes tecnológicos mediante los cuales se “comparte” la información para tomar conciencia y reaccionar de manera inmediata hace la diferencia entre ser uno más de las estadísticas de incidentes de seguridad o no serlo. Dirigido a: Jefes o Coordinadores de TI, Gerentes de Sistemas o TI, CIO, CISO, CTO

Threat intel- -content-curation-organizing-the-path-to-successful-detection

Priyanka Aash

Want to detect threats in your organization? Stop reading every feed and curate your threat intel and content so they actually work for your security architecture. By managing meaningful threat intelligence so the external intel maps to internal threat models and curating your content sensibly, you can create a high-functioning SOC that both detects and defends against cyberattacks. (Source: RSA Conference USA 2018)

Diagnosis SOC-Atrophy: What To Do When Your SOC Is Sick

Priyanka Aash

Applied cognitive security complementing the security analyst

Priyanka Aash

Security incidents are increasing dramatically and becoming more sophisticated, making it almost impossible for security analysts to keep up. A cognitive solution that can learn about security from structured and unstructured information sources is essential. It can be applied to empower security analysts with insights to qualify incidents and investigate risks quickly and accurately. (Source : RSA Conference 2017)

Oh... that's ransomware and... look behind you a three-headed Monkey

Stefano Maccaglia

Sans cyber-threat-intelligence-survey-2015

Roy Ramkrishna

BSides IR in Heterogeneous Environment

Stefano Maccaglia

Bsides SP 2022 - EPSS - Final.pptx

Clavis Segurança da Informação

17ª edição da Security BSides São Paulo, uma conferência gratuita sobre segurança da informação e cultura hacker, também conhecida como BSidesSP. Desta vez, estivemos duplamente representados pelo nosso Head de Produto, Leonardo Pinheiro e pelo nosso Head of Threat and Detection Research, Rodrigo Montoro. Imperdível! ;) Ambos apresentaram a palestra "Exploit Prediction Scoring System (EPSS) – Aperfeiçoando a priorização de vulnerabilidades de forma efetiva". Confira!

One login enemy at the gates

Eoin Keary

What's hot

Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021

Andreas Sfakianakis

Light, Dark and... a Sunburst... dissection of a very sophisticated attack.

Stefano Maccaglia

The Sweet Spot of Cyber Intelligence

Tieu Luu

Malware self protection-matrix

Cyphort

MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...

MITRE - ATT&CKcon

Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK

MITRE ATT&CK

Threat Hunting Report

Morane Decriem

The Modern Malware Review March 2013

- Mark - Fullbright

MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET

MITRE - ATT&CKcon

Malware Most Wanted: Security Ecosystem

Cyphort

Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit)

Open Analytics

How to assign a CVE to yourself?

Ramin Farajpour Cami

New wave of attacks in Ukraine 2016

Marina Krotofil

Mc afee conectando las piezas

Software Guru

Threat intel- -content-curation-organizing-the-path-to-successful-detection

Priyanka Aash

Diagnosis SOC-Atrophy: What To Do When Your SOC Is Sick

Priyanka Aash

Applied cognitive security complementing the security analyst

Priyanka Aash

Oh... that's ransomware and... look behind you a three-headed Monkey

Stefano Maccaglia

Sans cyber-threat-intelligence-survey-2015

Roy Ramkrishna

BSides IR in Heterogeneous Environment

Stefano Maccaglia

What's hot (20)

Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021

Light, Dark and... a Sunburst... dissection of a very sophisticated attack.

The Sweet Spot of Cyber Intelligence

Malware self protection-matrix

MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frame...

Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK

Threat Hunting Report

The Modern Malware Review March 2013

MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET

Malware Most Wanted: Security Ecosystem

Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit)

How to assign a CVE to yourself?

New wave of attacks in Ukraine 2016

Mc afee conectando las piezas

Threat intel- -content-curation-organizing-the-path-to-successful-detection

Diagnosis SOC-Atrophy: What To Do When Your SOC Is Sick

Applied cognitive security complementing the security analyst

Oh... that's ransomware and... look behind you a three-headed Monkey

Sans cyber-threat-intelligence-survey-2015

BSides IR in Heterogeneous Environment

Similar to Vulnerability Prioritization and Prediction

Bsides SP 2022 - EPSS - Final.pptx

Clavis Segurança da Informação

One login enemy at the gates

Eoin Keary

OSB340: Disrupting an Advanced Attack

Ivanti

OSB340R: Disrupting an Advanced Attack

Ivanti

Monitoring threats for pci compliance

Shiva Hullavarad

Vulnerability is a weakness in the application or a design flaw that allows an attacker to exploit for potential harm or financial benefits. Though it is practically impossible to have vulnerability free system, one can implement tools to identify the nature of vulnerabilities and mitigate the potential risk they pose. As an institution, it is very important for business managers, administrators, and IT security personnel to pay attention to those security warnings. The talk will identify types, sources, and mitigation of external and internal threats. The talk will review Vulnerability Assessment and Penetration Testing (VAPT) tools available in the market and their benefits. Presenters will engage the audience in interactive style discussion on the available tools to detect vulnerabilities and threats and the steps needed to mitigate.

Monitoring threats for pci compliance

Shiva Hullavarad

Vulnerability Management Nirvana - Seattle Agora - 18Mar16

Kymberlee Price

Vulnerability Management Nirvana: A Study in Predicting Exploitability When everything is a priority, nothing is. 15% or 10,000 vulnerabilities have a CVSS score of 10. Vendors and practitioners alike use CVSS or their own threat intelligence models to predict which vulnerabilities will be exploited next. We review current options, present a predictive data-driven prioritization model, and how attendees can get started using our approach in their vulnerability management program.

edgescan vulnerability stats report (2018)

Eoin Keary

Protect Against 85% of Cyberattacks

Ivanti

The CIS Top 5 provide the building blocks of a solid security foundation and provide the essential cybersecurity hygiene all companies should have in place. Follow their recommendations and you’ll be able to prevent 85% of modern cyberattacks. But sometimes that’s easier said than done. Let Ivanti IT security expert Chris Goettl guide you through the CIS framework and share best practices for boosting your security defenses.

Patch Management Best Practices 2019

Ivanti

Patching is a hot topic in security breach after security breach. Patch management is likely the most well established security control out there, so why do so many companies struggle to achieve a good patch management strategy? Join us as we discuss the pitfalls of patching, the complications that still plague us, and best practices to help you fine tune your process—with a dash of just plain common sense thrown in. We will also look at ways Ivanti can help you get a handle on patch management using our latest security innovation, Patch Intelligence.

Best Practices and ROI for Risk-based Vulnerability Management

Resolver Inc.

Software Vulnerabilities Risk Remediation

Bruce Hafner

ClearArmor CSRP - 01.01 SOFTWARE BASED VULNERABILITIES CyberSecurity is a Business Issue, not a Technology Issue CyberSecurity is not just about reacting. It includes Risk Management, Audit, Compliance, and training. It also requires continuous attention to Cyber Hygiene. CyberSecurity requires continuous measurement, monitoring, and remediation. Is your organization reactive or proactive? Move to proactive CyberSecurity. To comply with the intent of the NIST CyberSecurity Framework (CSF), Cyber Hygiene is a requirement. To Comply with NIST 800-53, 800-171, DFARS, NY State DFS Part 500, and a plethora of other frameworks and compliance guidelines requires continuous risk reduction through vulnerability remediation. ClearArmor CyberSecurity Resource Planning (CSRP) enables your organization to meet those requirements.

The CISO Problems Risk Compliance Management in a Software Development 030420...

lior mazor

A Comparative Study between Vulnerability Assessment and Penetration Testing

YogeshIJTSRD

The Internet has drastically changed in the past decade. Now internet has more business than before and therefore there is a increase in Advanced Persistent Threat groups and Adversaries. After all the advancement in technology and innovation Web application Security is still a challenge for most of the organization all over the world, Because every time APT’s groups and Threat actors uses different Tactics Techniques and Procedure TTPs for exploiting any organization. There can be many techniques to mitigate such attacks such as defensive coding, hardening system firewall, implementing IDS and IPS using of SIEM tools etc. The solution contains monitoring different logs, events and regular assessment of organizations network which is known as Vulnerability Assessment which is a generalized or a sequenced review of a security system and the other one is penetration testing also known popularly as ethical hacking or red teaming assessment where the client’s poses themselves as real Hackers and try to penetrate into the company’s network to check if it’s really secure or not.In this paper we will be comparing these two methods and techniques and also decide at the end which of the above two method is more superior and why. Sharique Raza | Feon Jaison "A Comparative Study between Vulnerability Assessment and Penetration Testing" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5 | Issue-3 , April 2021, URL: https://www.ijtsrd.com/papers/ijtsrd41145.pdf Paper URL: https://www.ijtsrd.com/engineering/computer-engineering/41145/a-comparative-study-between-vulnerability-assessment-and-penetration-testing/sharique-raza

Using an Open Source Threat Model for Prioritized Defense

EnclaveSecurity

Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...

Cybersecurity Education and Research Centre

Ivanti Insights Podcast - FireEye Breach

Ivanti

Key Strategies to Address Rising Application Risk in Your EnterpriseLumension

Threats, Threat Modeling and Analysis

Ian G

Security in the age of open source - Myths and misperceptions

Tim Mackey

As delivered at Interop ITX 2017. The security of open source software is a function of the security of its components. For most applications, open source technologies are at their core, but security related issues may not be disclosed directly against the application because its use of the open-source component is hidden. In this talk, I explored how information flow benefits attackers, but how awareness can help defenders. I presented key attributes any vulnerability solution should have - including deep understanding of how open source development works and being DevOps aware.

Similar to Vulnerability Prioritization and Prediction (20)

Bsides SP 2022 - EPSS - Final.pptx

One login enemy at the gates

OSB340: Disrupting an Advanced Attack

OSB340R: Disrupting an Advanced Attack

Monitoring threats for pci compliance

Vulnerability Management Nirvana - Seattle Agora - 18Mar16

edgescan vulnerability stats report (2018)

Protect Against 85% of Cyberattacks

Patch Management Best Practices 2019

Best Practices and ROI for Risk-based Vulnerability Management

Software Vulnerabilities Risk Remediation

The CISO Problems Risk Compliance Management in a Software Development 030420...

A Comparative Study between Vulnerability Assessment and Penetration Testing

Using an Open Source Threat Model for Prioritized Defense

Data-Driven Assessment of Cyber Risk: Challenges in Assessing and Migrating C...

Ivanti Insights Podcast - FireEye Breach

Key Strategies to Address Rising Application Risk in Your Enterprise

Threats, Threat Modeling and Analysis

Security in the age of open source - Myths and misperceptions

Recently uploaded

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Recently uploaded (20)

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Elizabeth Buie - Older adults: Are we really designing for our future selves?

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

PHP Frameworks: I want to break free (IPC Berlin 2024)

Removing Uninteresting Bytes in Software Fuzzing

A tale of scale & speed: How the US Navy is enabling software delivery from l...

Securing your Kubernetes cluster_ a step-by-step guide to success !

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Epistemic Interaction - tuning interfaces to provide information for AI support

Introduction to CHERI technology - Cybersecurity

The Art of the Pitch: WordPress Relationships and Sales

DevOps and Testing slides at DASA Connect

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

20240605 QFM017 Machine Intelligence Reading List May 2024

By Design, not by Accident - Agile Venture Bolzano 2024

20240607 QFM018 Elixir Reading List May 2024

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Vulnerability Prioritization and Prediction

1. Vulnerability Prioritization & Prediction in Practice Jonathan Cran, Research @ Kenna Security Reid Shelton, Senior Director @ Capital One Gartner Security & Risk Management Summit 2018

2. 2 2018 Vulnerability Management Challenges 1. Increasing Volume (both Vulnerabilities & Threat) 2. Highly Publicized Vulnerabilities 3. No Single Source of Vulnerability Information 4. DevSecOps Enablement

3. 3 Challenge: Increasing Volume Mitre CNA program signing up more CNAs and fanning out responsibilities, thus enabling more CVEs to be created & tracked (a good thing!)

4. 4 Challenge: A Fast Moving ThreatExploitExists At CVE assignment date (vs the later publish date), just over 40% of CVEs from 2017 had public exploit code. We need to move FASTER to distribute vulnerability information.

5. 5 Challenge: Highly Publicized Vulns Defending prioritization to leadership, then re- explaining when new patches arise took a significant amount of time in early 2018. Teams need a generally accepted data-backed process to prioritize.

6. 6 Challenge: DevSecOps Enablement Threat ModelingDevelop Inherit Build Deploy Operate SCA SAST Container Scan, DAST DAST, Bug Bounty, Penetration Testing DevSec Ops Phase Vulnerability Data: More layers and more testing techniques are Driving an integration-first vuln mgmt approach, integrated with each of the steps of the emerging DevSecOps toolchain. Credit @signalsciences, @samnewman

7. 7 Approved Gold Image and AMI (updated every 2 weeks) APPROVE and PUBLISH ASSESS ON DEV INSTANCES OS Scanner AUTOMATICALLY ADD CLOUD AGENT OS Detection Agent Public Custom AMAZON MACHINE IMAGE (AMI) Live Instances (Rehydration – every 60 days) Agents DevSecOps in Practice Actual process used by a Kenna Customer

8. 8 Risk Based Vulnerability Management (Network) Infrastructure Sources Application Sources Risk Based Vuln Management integrates many sources – both infrastructure and application data , along with current and relevant threat information to prioritize the most highly targeted vulnerabilities and configuration problems. Threat Sources Kenna Research Team Global Threat Feeds NIPS / NIDS & HIPS / HIDS Antivirus and Endpoint Threat Data WAF & RASP Threat Data SEIM and Analytics

9. 9 Risk Based Vulnerability Management Vulnerability Identified Public Exploit Exists In-The-Wild Exploitation Exploitation In our Env Takeaways: Only ~2-5% of vulnerabilities are detected as targeted in the wild today according to Kenna Security threat data. A risk scoring system that progressively increases risk scores as threats emerge and are activated helps vuln mgmt teams prioritize risk.

10. 10 External “Scannable” CVEs - Q1 2018 Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805 Joomla! 3.7.1 - CVE-2017-8917 Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271 PHP 5.4.2 - CVE-2002-1149, CVE-2012-1823 Jenkins 2.56 - CVE-2017-1000353 Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143/4/5 MASTER IPCAMERA (hardcoded password) - CVE-2018-5723 These specific CVEs saw significantly increased activity in Q1 2018 across Kenna Security threat data

11. 11 Analysis of Remediation Strategies Coverage: Of all vulnerabilities that should be remediated, what percentage was correctly identified for remediation? (correctly applied effort) Efficiency: Of all vulnerabilities identified for remediation, what percentage should have been remediated? (a measure of effort wasted) Takeaway: There’re no simple rule-based systems for choosing vulns to remediate. Aim to optimize coverage and efficiency.

12. 12 Prioritization To Prediction https://www.kennasecurity.com/prioritization-to-prediction-report/ • Speed must be a priority. • The number of CVEs published every year is growing. • Common strategies are about as effective as rolling dice. • A predictive model increases efficiency, reduces workload, and increases coverage. Dig into the research here:

13. Questions? hello@kennasecurity.com

Vulnerability Prioritization and Prediction

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Vulnerability Prioritization and Prediction

Similar to Vulnerability Prioritization and Prediction (20)

Recently uploaded

Recently uploaded (20)

Vulnerability Prioritization and Prediction