
Fix What Matters

Data-driven decisions about optimal vulnerability management strategies in information security, presented at SIRAcon in Seattle, on Oct 21, 2013

Michael Roytman

October 25, 2013

Transcript

  1. Why You Should(n’t) Listen
    • Naive Grad Student Not Too Long Ago
    • Still Plays With Legos
    • Barely Passed Regression Analysis
    • MS Operations Research, Georgia Tech
    Michael Roytman
    • Data Scientist, Risk I/O
    • Fraud Detection, Large Bank
  2. Roadmap
    • The Struggle
    • What’s Good?
    • Data Driven Insights
    • Framework
    • Decision-Making
    • What’s Bad?
  3. Starting From Scratch
    “It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.” -Sir Arthur Conan Doyle, 1887
  4. Starting From Scratch
    Academia
    • GScholar
    • JSTOR
    • IEEE
    • ProQuest
    InfoSec Blogs
    • CISOs
    • Pen Testers
    • Threat Reports
    • SOTI/DBIR
    Twitter
    • Thought Leaders (you know who you are)
    • BlackHats
    • Vuln Researchers
    Primary Sources
    • MITRE
    • OSVDB
    • NIST CVSS Committee(s)
    • Internal Message Boards for ^
  5. Data Fundamentalism
    Don’t Ignore What a Vulnerability Is: Creation Bias
    • http://blog.risk.io/2013/04/data-fundamentalism/
    • Jerico/Sushidude @ BlackHat: https://www.blackhat.com/us-13/briefings.html#Martin
    • Luca Allodi - CVSS DDOS: http://disi.unitn.it/~allodi/allodi-12-badgers.pdf
  6. Data Fundamentalism - What’s The Big Deal?
    “Since 2006 vulnerabilities have declined by 26 percent.” (http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf)
    “The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012.” (http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf)
    Two counts of “vulnerabilities”, two opposite trends: the number depends on what each source counts as one vulnerability.
  7. What’s Good?
    Bad For Vulnerability Statistics: NVD, OSVDB, ExploitDB, CVSS, Patches, Microsoft Reports, etc, et al, and so on.
    Good For Vulnerability Statistics: Vulnerabilities.
  8. Defend Like You’ve Done It Before
    • Groups, Motivations
    • Exploits
    • Vulnerability Definitions
    • Asset Topology, Actual Vulns on System
    • Learning from Breaches
  9. Duplication
    [Chart: number of duplicate vulnerabilities reported by 2 or more scanners, 3 or more, 4 or more, 5 or more, 6 or more; y-axis 0 to 2,250,000]
  10. Duplication
    We Have: F(Number of Scanners) => Number of Duplicate Vulnerabilities
    We Want: F(Number of Scanners) => Vulnerability Coverage
    Make Decisions At The Margins! <--------- Good Luck!
    [Chart: vulnerability coverage (0 to 100%) vs. number of scanners (0 to 6)]
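An added example, not code from the deck: the functions below compute the two quantities slide 9 and slide 10 contrast, the duplicate count you get as scanners are added and the marginal coverage you actually want. SCANS is constructed sample data (scanner names, assets and CVE ids are made up); a finding is keyed on its (asset, CVE) pair, so one weakness reported by four scanners counts once for coverage and four times for duplication.

```python
"""Duplicates vs. marginal coverage across vulnerability scanners.

Added example, not from the deck. SCANS is constructed sample data: the
scanner names, assets and CVE ids are made up. A finding is identified by its
(asset, cve) pair, so the same weakness reported by several scanners is one
finding reported several times, not several findings.
"""
from collections import Counter

SCANS = {
    "scanner_a": {("web01", "CVE-2013-0001"), ("web01", "CVE-2013-0002"),
                  ("db01", "CVE-2013-0003"), ("db01", "CVE-2013-0004")},
    "scanner_b": {("web01", "CVE-2013-0001"), ("web01", "CVE-2013-0002"),
                  ("db01", "CVE-2013-0003"), ("app01", "CVE-2013-0005")},
    "scanner_c": {("web01", "CVE-2013-0001"), ("db01", "CVE-2013-0003"),
                  ("app01", "CVE-2013-0005"), ("app01", "CVE-2013-0006")},
    "scanner_d": {("web01", "CVE-2013-0001"), ("db01", "CVE-2013-0003")},
}


def duplicates_by_threshold(scans):
    """Slide 9's quantity: findings reported by k or more scanners, for k >= 2.

    Returns {k: count}. This number grows with every scanner you add, which is
    what you get for free and do not actually want.
    """
    reports = Counter()
    for findings in scans.values():
        reports.update(findings)
    return {k: sum(1 for n in reports.values() if n >= k)
            for k in range(2, len(scans) + 1)}


def coverage_curve(scans):
    """Slide 10's quantity: unique findings covered as scanners are added.

    Scanners are added greedily, each step taking the one that contributes the
    most findings not yet seen (ties broken by name), so each row shows the
    marginal value of the next scanner. Returns [(scanner, new, cumulative)].
    """
    remaining = dict(scans)
    seen = set()
    curve = []
    while remaining:
        name = min(remaining, key=lambda s: (-len(remaining[s] - seen), s))
        new = remaining.pop(name) - seen
        seen |= new
        curve.append((name, len(new), len(seen)))
    return curve


def scanners_for_coverage(scans, fraction=1.0):
    """Decision at the margin: how many scanners (in greedy order) are needed
    to reach `fraction` of the total unique coverage all of them provide."""
    total = len(set().union(*scans.values()))
    for i, (_, _, cumulative) in enumerate(coverage_curve(scans), start=1):
        if cumulative >= fraction * total:
            return i
    return len(scans)


if __name__ == "__main__":
    print("duplicates:", duplicates_by_threshold(SCANS))
    for scanner, new, cumulative in coverage_curve(SCANS):
        print(f"{scanner}: +{new} new findings, {cumulative} covered")
    print("scanners needed for full coverage:", scanners_for_coverage(SCANS))
```

On the sample data the duplicate count keeps rising with each threshold while the coverage curve flattens after the second scanner; the third and fourth add nothing new, which is the marginal decision the slide asks for.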
  11. Density
    Type of Asset | ~Count
    Hostname      | 20,000
    Netbios       | 1,000
    IP Address    | 200,000
    File          | 10,000
    Url           | 5,000
    [Chart: density by asset type (Hostname, Netbios, IP, File, Url); y-axis 0 to 90]
  12. CVSS And Remediation Metrics
    [Chart: Average Time To Close By Severity and Oldest Vulnerability By Severity, CVSS 1 to 10; y-axis 0 to 1400]
  13. CVSS And Remediation - Lessons From A CISO
    [Charts: Remediation/Lack Thereof by CVSS (1 to 10); NVD Distribution by CVSS (1 to 10)]
  14. The Kicker - Live Breach Data
    1,500,000 Vulnerabilities Related to Live Breaches Recorded, June and July 2013
  15. CVSS And Remediation - Nope
    [Chart: Oldest Breached Vulnerability By Severity, CVSS 1 to 10; y-axis 0 to 7000]
  16. CVSS - A VERY General Guide For Remediation - Yep
    [Chart: Open Vulns With Breaches Occurring By Severity, CVSS 1 to 10; y-axis 0 to 160,000]
  17. The One Billion Dollar Question
    Probability(You Will Be Breached On A Particular Open Vulnerability)?
    1.98% = (Open Vulnerabilities | Breaches Occurred On Their CVE) / (Total Open Vulnerabilities)
    i.e. the share of open vulnerabilities whose CVE shows up in the observed breach data: the base rate for fixing a vulnerability picked at random.
  18. I Love It When You Call Me Big Data
    [Chart: Probability A Vulnerability Having Property X Has Observed Breaches, for Random Vuln, CVSS 10, CVSS 9, CVSS 8, CVSS 6, CVSS 7, CVSS 5, CVSS 4, Has Patch; y-axis 0.00 to 0.04]
  19. I Love It When You Call Me Big Data
    [Chart: Probability A Vulnerability Having Property X Has Observed Breaches, for Random Vuln, CVSS 10, Exploit DB, Metasploit, MSP+EDB; y-axis 0.0 to 0.3]
  20. I Love It When You Call Me Big Data
    • Spray and Pray => 2%
    • CVSS 10 => 4%
    • Metasploit + ExploitDB => 30%
    • A Good Model That’s Not Built By One Kid Without Hadoop => ???
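An added example, not code from the deck and not Risk I/O's data or model: slide 17's ratio computed over a constructed inventory of open vulnerabilities, then over the subsets slides 18 to 20 condition on (CVSS 10, has a patch, in ExploitDB, in Metasploit, in both). OPEN_VULNS and BREACHED_CVES are made up; the assets, CVE ids, CVSS scores, flags and breach list are sample data, so the rates are illustrative, not the deck's 2% / 4% / 30%.

```python
"""Breach base rate and conditional breach rates for open vulnerabilities.

Added example, not from the deck and not Risk I/O's data or model. OPEN_VULNS
and BREACHED_CVES are constructed sample data: the assets, CVE ids, CVSS
scores, patch/exploit flags and breach list are made up. The computation is
slide 17's ratio, applied to the whole inventory and then to subsets defined
by a property, as slides 18 to 20 do.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OpenVuln:
    asset: str
    cve: str
    cvss: float
    has_patch: bool
    in_exploitdb: bool
    in_metasploit: bool


# Constructed inventory: one row per open vulnerability instance (asset + CVE).
OPEN_VULNS = [OpenVuln(*row) for row in [
    ("web01", "CVE-2013-0001", 10.0, True, True, True),
    ("web02", "CVE-2013-0001", 10.0, True, True, True),
    ("web01", "CVE-2013-0002", 10.0, True, False, True),
    ("db01", "CVE-2013-0003", 10.0, False, False, False),
    ("db01", "CVE-2013-0004", 9.3, True, True, True),
    ("app01", "CVE-2013-0005", 7.5, True, True, True),
    ("app01", "CVE-2013-0006", 7.5, True, False, False),
    ("app02", "CVE-2013-0007", 6.8, False, False, False),
    ("app02", "CVE-2013-0008", 5.0, True, True, False),
    ("fs01", "CVE-2013-0009", 4.3, True, True, True),
    ("fs01", "CVE-2013-0010", 4.3, False, False, False),
    ("fs01", "CVE-2013-0011", 2.1, True, False, False),
    ("fs02", "CVE-2013-0012", 5.0, True, False, False),
    ("fs02", "CVE-2013-0013", 6.5, True, False, False),
    ("db02", "CVE-2013-0014", 7.2, True, False, False),
    ("db02", "CVE-2013-0015", 3.3, False, False, False),
]]

# Constructed set of CVEs seen in live breach data during the observation window.
BREACHED_CVES = {"CVE-2013-0001", "CVE-2013-0004", "CVE-2013-0005"}


def breach_rate(vulns, breached_cves, predicate=lambda v: True):
    """Slide 17: (open vulns whose CVE had a breach) / (open vulns), restricted
    to the vulns for which `predicate` holds. Returns None for an empty subset."""
    subset = [v for v in vulns if predicate(v)]
    if not subset:
        return None
    return sum(1 for v in subset if v.cve in breached_cves) / len(subset)


# Candidate remediation filters, i.e. the "property X" of slides 18 and 19.
PROPERTIES = {
    "random vuln": lambda v: True,
    "cvss 10": lambda v: v.cvss == 10.0,
    "has patch": lambda v: v.has_patch,
    "exploitdb": lambda v: v.in_exploitdb,
    "metasploit": lambda v: v.in_metasploit,
    "metasploit+exploitdb": lambda v: v.in_metasploit and v.in_exploitdb,
}


def rank_properties(vulns, breached_cves, properties=PROPERTIES):
    """Rank candidate filters by observed breach rate, highest first.

    Returns [(property, rate, subset_size)]. Small subsets give noisy rates, so
    the subset size is reported next to each rate rather than hidden.
    """
    rows = []
    for name, pred in properties.items():
        rate = breach_rate(vulns, breached_cves, pred)
        if rate is not None:
            rows.append((name, rate, sum(1 for v in vulns if pred(v))))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def lift(vulns, breached_cves, predicate):
    """How many times likelier a vuln with the property is to be breached than
    one picked at random (spray and pray)."""
    return breach_rate(vulns, breached_cves, predicate) / breach_rate(vulns, breached_cves)


if __name__ == "__main__":
    for name, rate, n in rank_properties(OPEN_VULNS, BREACHED_CVES):
        print(f"{name:22s} n={n:2d}  P(breach)={rate:.2f}")
    print("lift of metasploit+exploitdb over random:",
          lift(OPEN_VULNS, BREACHED_CVES, PROPERTIES["metasploit+exploitdb"]))
```

The ranking is the decision the deck is after: the property with the highest observed breach rate is the best single remediation filter among those tried, and its lift over the base rate says how much better than spray and pray it is. The subset size next to each rate matters because a property held by a handful of vulnerabilities will produce an extreme rate with little evidence behind it.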