Understanding Asset Risk Via Vulnerability Prioritization
0 likes973 views
The document discusses the prioritization of asset risk through vulnerability assessment, emphasizing the importance of data in understanding security threats. It highlights the need for correlating and analyzing various types of data regarding breaches, exploits, and vulnerabilities, while critiquing common data handling flaws. The content also introduces mathematical models to assess breach probabilities based on vulnerabilities and poses critical questions regarding risk modeling and data requirements.
Understanding Asset Risk Via Vulnerability Prioritization
- 1. UNDERSTANDING ASSET RISK VIA VULNERABILITY PRIORITIZATIONUnderstanding Asset Risk Via Vulnerability Prioritization
- 2. LAW 1 SECURITY IS A DATA PROBLEM
- 3. FLAW 1: DATA FUNDAMENTALISM
- 4. FLAW 2: STOCHASTIC IGNORANCE
- 5. ATTACKERS CHANGE TACTICS DAILY
- 7. TODO 1: CORRELATE AND CLEAN
- 8. TODO 2: FIND GROUND TRUTH 1. Breaches 2. Exploits 3. Global Attack 4. Local Attack 5. Zero Days 6. Trends 7. Impact • Alienvault, Dell, Internal(Snort) • EDB, MSP, EKITS, Symatec, Internal(Scraper) • SixScan, ISC, Dell, CarbonBlack, iSight, ThreatStream, PaloAlto, FireEye, Imperva, Norse • Snort • iDefense, ExodusIntel • Internal, Interal(Attack Velocity), BitSight • DBIR, NetDiligence, Config (Qualys)
- 9. TODO 3: RELATE TYPES OF RISK
- 10. “It is a capital mistake to theorize before one has data. Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”
- 11. I Love It When You Call Me Big Data 150,000,000 Live Vulnerabilities 1,500,000 Assets 2,000 Organizations
- 12. I Love It When You Call Me Big Data 200,000,000 BREACHES
- 13. Baseline Allthethings Probability (You Will Be Breached On A Particular Open Vulnerability)? =(Open Vulnerabilities | Breaches Occurred On Their CVE) /(Total Open Vulnerabilities) 6%
- 14. Probability A Vuln Having Property X Has Observed Breaches 0 2 4 6 8 10 12 0 1 2 3 4 5 6 7 8 9 10 Breach1Probability1(%) CVSS1Base
- 15. Probability A Vuln Having Property X Has Observed Breaches 0 5 10 15 20 25 30 35 40 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%)
- 16. Not So Secret Sauce CVSS$Base Normalize$Base$ Score Metasploit? ExploitDB? Exploit$Source$ 3,4,5,6...N? Active$Breach$ Velocity Asset$ Internal/External? Vulnerability$ Trending? Zero$Days? Risk$Meter$Score
- 17. 0 5 10 15 20 25 30 35 40 0 1 2 3 4 5 6 7 8 9 10 Positive2Predictive2Value Score Positive2Predictive2Value2as2a2Function2of2Score2Cutoff CVSS2Base CVSS2Temporal Risk2Meter
- 20. BREACH SIZE BY RECORDS LOST P(Breach involves X records) = X^-1.31
- 21. BREACH FREQUENCY BY CVE TYPE P(CVE has breach volume X) = X^-1.5
- 23. ASSET RISK MODEL
- 26. APPLES TO APPLES, RISKS TO RISKS
- 27. MODEL DATA ASSET RISK QUESTIONS: VULN PRIORITY QUESTIONS: How do we model risk? Does topology matter? How good is our current model? What data do we need about exploits? What data do we need about live vulns? How good is your asset inventory?