Jonathan Cran, profile picture
Uploaded byJonathan Cran
PPTX, PDF413 views

Vulnerability Prioritization and Prediction

The document discusses vulnerability prioritization and prediction challenges in cybersecurity, highlighting increasing volumes of vulnerabilities and the need for a data-backed prioritization process. It emphasizes the importance of integrating multiple data sources for risk-based vulnerability management and the emerging need for effective remediation strategies. The document also advocates for using predictive models to enhance efficiency and coverage in vulnerability management efforts.

Embed presentation

Downloaded 12 times
Vulnerability Prioritization & Prediction in Practice Jonathan Cran, Research @ Kenna Security Reid Shelton, Senior Director @ Capital One Gartner Security & Risk Management Summit 2018
2 2018 Vulnerability Management Challenges 1. Increasing Volume (both Vulnerabilities & Threat) 2. Highly Publicized Vulnerabilities 3. No Single Source of Vulnerability Information 4. DevSecOps Enablement
3 Challenge: Increasing Volume Mitre CNA program signing up more CNAs and fanning out responsibilities, thus enabling more CVEs to be created & tracked (a good thing!)
4 Challenge: A Fast Moving ThreatExploitExists At CVE assignment date (vs the later publish date), just over 40% of CVEs from 2017 had public exploit code. We need to move FASTER to distribute vulnerability information.
5 Challenge: Highly Publicized Vulns Defending prioritization to leadership, then re- explaining when new patches arise took a significant amount of time in early 2018. Teams need a generally accepted data-backed process to prioritize.
6 Challenge: DevSecOps Enablement Threat ModelingDevelop Inherit Build Deploy Operate SCA SAST Container Scan, DAST DAST, Bug Bounty, Penetration Testing DevSec Ops Phase Vulnerability Data: More layers and more testing techniques are Driving an integration-first vuln mgmt approach, integrated with each of the steps of the emerging DevSecOps toolchain. Credit @signalsciences, @samnewman
7 Approved Gold Image and AMI (updated every 2 weeks) APPROVE and PUBLISH ASSESS ON DEV INSTANCES OS Scanner AUTOMATICALLY ADD CLOUD AGENT OS Detection Agent Public Custom AMAZON MACHINE IMAGE (AMI) Live Instances (Rehydration – every 60 days) Agents DevSecOps in Practice Actual process used by a Kenna Customer
8 Risk Based Vulnerability Management (Network) Infrastructure Sources Application Sources Risk Based Vuln Management integrates many sources – both infrastructure and application data , along with current and relevant threat information to prioritize the most highly targeted vulnerabilities and configuration problems. Threat Sources Kenna Research Team Global Threat Feeds NIPS / NIDS & HIPS / HIDS Antivirus and Endpoint Threat Data WAF & RASP Threat Data SEIM and Analytics
9 Risk Based Vulnerability Management Vulnerability Identified Public Exploit Exists In-The-Wild Exploitation Exploitation In our Env Takeaways: Only ~2-5% of vulnerabilities are detected as targeted in the wild today according to Kenna Security threat data. A risk scoring system that progressively increases risk scores as threats emerge and are activated helps vuln mgmt teams prioritize risk.
10 External “Scannable” CVEs - Q1 2018 Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805 Joomla! 3.7.1 - CVE-2017-8917 Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271 PHP 5.4.2 - CVE-2002-1149, CVE-2012-1823 Jenkins 2.56 - CVE-2017-1000353 Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143/4/5 MASTER IPCAMERA (hardcoded password) - CVE-2018-5723 These specific CVEs saw significantly increased activity in Q1 2018 across Kenna Security threat data
11 Analysis of Remediation Strategies Coverage: Of all vulnerabilities that should be remediated, what percentage was correctly identified for remediation? (correctly applied effort) Efficiency: Of all vulnerabilities identified for remediation, what percentage should have been remediated? (a measure of effort wasted) Takeaway: There’re no simple rule-based systems for choosing vulns to remediate. Aim to optimize coverage and efficiency.
12 Prioritization To Prediction https://www.kennasecurity.com/prioritization-to-prediction-report/ • Speed must be a priority. • The number of CVEs published every year is growing. • Common strategies are about as effective as rolling dice. • A predictive model increases efficiency, reduces workload, and increases coverage. Dig into the research here:
Questions? hello@kennasecurity.com

More Related Content

PDF
Vulnerability Management
byasherad
 
PDF
DevSecOps
bySpv Reddy
 
PPTX
DEVSECOPS.pptx
byMohammadSaif904342
 
PPTX
Introduction to DevSecOps
byabhimanyubhogwan
 
PPTX
Secure Software Development Lifecycle
by1&1
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
PDF
Microservice Architecture
bytyrantbrian
 
Vulnerability Management
byasherad
 
DevSecOps
bySpv Reddy
 
DEVSECOPS.pptx
byMohammadSaif904342
 
Introduction to DevSecOps
byabhimanyubhogwan
 
Secure Software Development Lifecycle
by1&1
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Practical DevSecOps Course - Part 1
byMohammed A. Imran
 
Microservice Architecture
bytyrantbrian
 

What's hot

PDF
Practical Microservice Architecture (edition 2022).pdf
byAhmed Misbah
 
PPTX
Observability
byMaganathin Veeraragaloo
 
PDF
Migrating to Microservices Patterns and Technologies (edition 2023)
byAhmed Misbah
 
PPSX
Microservices Testing Strategies JUnit Cucumber Mockito Pact
byAraf Karsh Hamid
 
PPTX
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
PPTX
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
bySimplilearn
 
PPTX
Cloud security and security architecture
byVladimir Jirasek
 
PPTX
Introduction to microservices
byPaulo Gandra de Sousa
 
PPTX
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
PPTX
How to Get Started with DevSecOps
byCYBRIC
 
PPTX
Cloud computing and Cloud security fundamentals
byViresh Suri
 
PPTX
DevOps: Age Of CI/CD
byMoogleLabs default
 
PPTX
Security system in banks
byuniversity of education,Lahore
 
PPTX
DevOps introduction
byMettje Heegstra
 
PPTX
cloud security ppt
byDevyani Vaidya
 
PDF
Getting started with Spring Security
byKnoldus Inc.
 
PDF
Introduction to DevSecOps
bySetu Parimi
 
PDF
Designing Virtual Network Security Architectures
byPriyanka Aash
 
PDF
Microservices with Java, Spring Boot and Spring Cloud
byEberhard Wolff
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 
Practical Microservice Architecture (edition 2022).pdf
byAhmed Misbah
 
Observability
byMaganathin Veeraragaloo
 
Migrating to Microservices Patterns and Technologies (edition 2023)
byAhmed Misbah
 
Microservices Testing Strategies JUnit Cucumber Mockito Pact
byAraf Karsh Hamid
 
ABN AMRO DevSecOps Journey
byDerek E. Weeks
 
Introduction To DevOps | Devops Tutorial For Beginners | DevOps Training For ...
bySimplilearn
 
Cloud security and security architecture
byVladimir Jirasek
 
Introduction to microservices
byPaulo Gandra de Sousa
 
An introduction to SOC (Security Operation Center)
byAhmad Haghighi
 
How to Get Started with DevSecOps
byCYBRIC
 
Cloud computing and Cloud security fundamentals
byViresh Suri
 
DevOps: Age Of CI/CD
byMoogleLabs default
 
Security system in banks
byuniversity of education,Lahore
 
DevOps introduction
byMettje Heegstra
 
cloud security ppt
byDevyani Vaidya
 
Getting started with Spring Security
byKnoldus Inc.
 
Introduction to DevSecOps
bySetu Parimi
 
Designing Virtual Network Security Architectures
byPriyanka Aash
 
Microservices with Java, Spring Boot and Spring Cloud
byEberhard Wolff
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
byMohamed Nizzad
 

Similar to Vulnerability Prioritization and Prediction

PPTX
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
PDF
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
PDF
CyberCentral Summit 2018 in Prague
byAlexander Leonov
 
PDF
Container Security Scanning by Timo Pagel
byContainerDay Security 2023
 
PDF
Container Security Scanning by Timo Pagel
byContainerDay Security 2023
 
PDF
Risksense: 7 Experts on Threat and Vulnerability Management
byMighty Guides, Inc.
 
PPTX
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
byImXaib
 
PPTX
Vulnerability_Management.pptx
byShriya Rai
 
PDF
Outpost24 webinar - risk based vulnerability management - what's in a risk score
byOutpost24
 
PDF
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
PDF
edgescan vulnerability stats report (2019)
byEoin Keary
 
PPTX
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
PDF
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
byOutpost24
 
PDF
Webinar–5 ways to risk rank your vulnerabilities
bySynopsys Software Integrity Group
 
PPTX
Outpost24 webinar - Cybersecurity readiness in the post Covid-19 world
byOutpost24
 
PDF
Is Your Vulnerability Management Program Irrelevant?
bySkybox Security
 
PPT
Vuln_Man_91003.ppt
byKRISHNARAJ207
 
PPT
Vuln.ppt
bykarthikvcyber
 
PPTX
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
byRafal Los
 
PPTX
Network Situational Awareness using Tripwire IP360
byTripwire
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
byKymberlee Price
 
Effective Prioritization Through Exploit Prediction
byJonathan Cran
 
CyberCentral Summit 2018 in Prague
byAlexander Leonov
 
Container Security Scanning by Timo Pagel
byContainerDay Security 2023
 
Container Security Scanning by Timo Pagel
byContainerDay Security 2023
 
Risksense: 7 Experts on Threat and Vulnerability Management
byMighty Guides, Inc.
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
byImXaib
 
Vulnerability_Management.pptx
byShriya Rai
 
Outpost24 webinar - risk based vulnerability management - what's in a risk score
byOutpost24
 
Verizon 2015 DBIR VM portion
byTawnia Beckwith
 
edgescan vulnerability stats report (2019)
byEoin Keary
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
byAlexander Leonov
 
Outpost24 webinar - Differentiating vulnerabilities from risks to reduce time...
byOutpost24
 
Webinar–5 ways to risk rank your vulnerabilities
bySynopsys Software Integrity Group
 
Outpost24 webinar - Cybersecurity readiness in the post Covid-19 world
byOutpost24
 
Is Your Vulnerability Management Program Irrelevant?
bySkybox Security
 
Vuln_Man_91003.ppt
byKRISHNARAJ207
 
Vuln.ppt
bykarthikvcyber
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
byRafal Los
 
Network Situational Awareness using Tripwire IP360
byTripwire
 

More from Jonathan Cran

PDF
Intrigue Core: Scaling Assessment Automation
byJonathan Cran
 
PPTX
RSA 2018: Recon For the Defender - You know nothing (about your assets)
byJonathan Cran
 
PDF
Attack Surface Discovery with Intrigue
byJonathan Cran
 
PPTX
2019 Cybersecurity Retrospective and a look forward to 2020
byJonathan Cran
 
PPTX
Top 10 exploited vulnerabilities 2019 (thus far...)
byJonathan Cran
 
PDF
Practical mitm for_pentesters
byJonathan Cran
 
ZIP
Ear
byJonathan Cran
 
Intrigue Core: Scaling Assessment Automation
byJonathan Cran
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
byJonathan Cran
 
Attack Surface Discovery with Intrigue
byJonathan Cran
 
2019 Cybersecurity Retrospective and a look forward to 2020
byJonathan Cran
 
Top 10 exploited vulnerabilities 2019 (thus far...)
byJonathan Cran
 
Practical mitm for_pentesters
byJonathan Cran
 
Ear
byJonathan Cran
 

Recently uploaded

PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PDF
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
PDF
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
PPTX
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
PPTX
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
Learn about the AI revolution in 2026.pdf
byrokoy68327
 
PDF
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PDF
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
PPTX
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PPTX
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
PPTX
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
PPTX
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Are AI Hallucinations Getting Better or Worse? We Analyzed the Data.
byScott M. Graffius
 
Presentation of Cybersecurity and data protection
bytarikaityahya2
 
The Abomination of AI – keynote at ICoSCI 2026
byAlan Dix
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
KM World 2025 Enterprises, KM, & Agentic AI
byEnterprise Knowledge
 
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
Learn about the AI revolution in 2026.pdf
byrokoy68327
 
2006 IEEE International Solid-State Circuits Conference
bySlide_N
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
Top 10 Dedicated Server Providers in Stockholm (Updated Edition).pdf
byAtal Networks
 
Flutter & Firebase Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Why GEO Is the Next Big Shift in Content Marketing.pptx
bySambitParhi2
 
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 

Vulnerability Prioritization and Prediction

  • 1.
    Vulnerability Prioritization & Prediction in Practice JonathanCran, Research @ Kenna Security Reid Shelton, Senior Director @ Capital One Gartner Security & Risk Management Summit 2018
  • 2.
    2 2018 Vulnerability ManagementChallenges 1. Increasing Volume (both Vulnerabilities & Threat) 2. Highly Publicized Vulnerabilities 3. No Single Source of Vulnerability Information 4. DevSecOps Enablement
  • 3.
    3 Challenge: Increasing Volume MitreCNA program signing up more CNAs and fanning out responsibilities, thus enabling more CVEs to be created & tracked (a good thing!)
  • 4.
    4 Challenge: A FastMoving ThreatExploitExists At CVE assignment date (vs the later publish date), just over 40% of CVEs from 2017 had public exploit code. We need to move FASTER to distribute vulnerability information.
  • 5.
    5 Challenge: Highly PublicizedVulns Defending prioritization to leadership, then re- explaining when new patches arise took a significant amount of time in early 2018. Teams need a generally accepted data-backed process to prioritize.
  • 6.
    6 Challenge: DevSecOps Enablement ThreatModelingDevelop Inherit Build Deploy Operate SCA SAST Container Scan, DAST DAST, Bug Bounty, Penetration Testing DevSec Ops Phase Vulnerability Data: More layers and more testing techniques are Driving an integration-first vuln mgmt approach, integrated with each of the steps of the emerging DevSecOps toolchain. Credit @signalsciences, @samnewman
  • 7.
    7 Approved Gold Image and AMI (updatedevery 2 weeks) APPROVE and PUBLISH ASSESS ON DEV INSTANCES OS Scanner AUTOMATICALLY ADD CLOUD AGENT OS Detection Agent Public Custom AMAZON MACHINE IMAGE (AMI) Live Instances (Rehydration – every 60 days) Agents DevSecOps in Practice Actual process used by a Kenna Customer
  • 8.
    8 Risk Based VulnerabilityManagement (Network) Infrastructure Sources Application Sources Risk Based Vuln Management integrates many sources – both infrastructure and application data , along with current and relevant threat information to prioritize the most highly targeted vulnerabilities and configuration problems. Threat Sources Kenna Research Team Global Threat Feeds NIPS / NIDS & HIPS / HIDS Antivirus and Endpoint Threat Data WAF & RASP Threat Data SEIM and Analytics
  • 9.
    9 Risk Based VulnerabilityManagement Vulnerability Identified Public Exploit Exists In-The-Wild Exploitation Exploitation In our Env Takeaways: Only ~2-5% of vulnerabilities are detected as targeted in the wild today according to Kenna Security threat data. A risk scoring system that progressively increases risk scores as threats emerge and are activated helps vuln mgmt teams prioritize risk.
  • 10.
    10 External “Scannable” CVEs- Q1 2018 Apache Struts 2.3.x - CVE-2017-5638, CVE-2017-9791, CVE-2017-9805 Joomla! 3.7.1 - CVE-2017-8917 Oracle WebLogic 10.3.6, 12.1.x, 12.2.x - CVE-2017-10271 PHP 5.4.2 - CVE-2002-1149, CVE-2012-1823 Jenkins 2.56 - CVE-2017-1000353 Microsoft SMBv1 (ETERNALBLUE) - CVE-2017-0143/4/5 MASTER IPCAMERA (hardcoded password) - CVE-2018-5723 These specific CVEs saw significantly increased activity in Q1 2018 across Kenna Security threat data
  • 11.
    11 Analysis of RemediationStrategies Coverage: Of all vulnerabilities that should be remediated, what percentage was correctly identified for remediation? (correctly applied effort) Efficiency: Of all vulnerabilities identified for remediation, what percentage should have been remediated? (a measure of effort wasted) Takeaway: There’re no simple rule-based systems for choosing vulns to remediate. Aim to optimize coverage and efficiency.
  • 12.
    12 Prioritization To Prediction https://www.kennasecurity.com/prioritization-to-prediction-report/ •Speed must be a priority. • The number of CVEs published every year is growing. • Common strategies are about as effective as rolling dice. • A predictive model increases efficiency, reduces workload, and increases coverage. Dig into the research here:
  • 13.