Slide 1

Fix What Matters
Michael Roytman
SIRAcon, October 21, 2013

Slide 2

Why You Should(n’t) Listen
Michael Roytman
• Naive Grad Student Not Too Long Ago
• Still Plays With Legos
• Barely Passed Regression Analysis
• MS Operations Research, Georgia Tech
• Data Scientist, Risk I/O
• Fraud Detection, Large Bank

Slide 3

Roadmap
• The Struggle
• What’s Good?
• Data Driven Insights
• Framework
• Decision-Making
• What’s Bad?

Slide 4

Starting From Scratch
“It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts.”
- Sir Arthur Conan Doyle, 1887

Slide 5

Starting From Scratch

Slide 6

Starting From Scratch
Academia
• GScholar
• JSTOR
• IEEE
• ProQuest
InfoSec Blogs
• CISOs
• Pen Testers
• Threat Reports
• SOTI/DBIR
Twitter
• Thought Leaders (you know who you are)
• BlackHats
• Vuln Researchers
Primary Sources
• MITRE
• OSVDB
• NIST CVSS Committee(s)
• Internal Message Boards for the above

Slide 7

Data Fundamentalism
Don’t Ignore What a Vulnerability Is: Creation Bias
(http://blog.risk.io/2013/04/data-fundamentalism/)
Jericho/Sushidude @ BlackHat
(https://www.blackhat.com/us-13/briefings.html#Martin)
Luca Allodi - CVSS DDOS
(http://disi.unitn.it/~allodi/allodi-12-badgers.pdf)

Slide 8

Data Fundamentalism - What’s The Big Deal?
“Since 2006 Vulnerabilities have declined by 26 percent.”
(http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf)
“The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012.”
(http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf)

Slide 9

What’s Good?
Bad For Vulnerability Statistics:
NVD, OSVDB, ExploitDB, CVSS, Patches, Microsoft Reports, etc, et al, and so on.
Good For Vulnerability Statistics:
Vulnerabilities.

Slide 10

Data Is Everything And Everything Is Data.

Slide 11

What’s Good?

Slide 12

What’s Good?

Slide 13

What’s Good?

Slide 14

What’s Good?

Slide 15

What’s Good?

Slide 16

What’s Good?

Slide 17

Counterterrorism
Known Groups
Surveillance
Threat Intel, Analysts
Targets, Layouts
Past Incidents, Close Calls

Slide 18

What’s Good?

Slide 19

Uh, Sports?
Opposing Teams, Specific Players
Gameplay
Scouting Reports, Gametape
Roster, Player Skills
Learning from Losing

Slide 20

InfoSec?

Slide 21

Defend Like You’ve Done It Before
Groups, Motivations
Exploits
Vulnerability Definitions
Asset Topology, Actual Vulns on System
Learning from Breaches

Slide 22

Work With What You’ve Got:
Akamai, Safenet
ExploitDB, Metasploit
NVD, MITRE

Slide 23

Add Some Spice

Slide 24

Show Me The Money
23,000,000 Vulnerabilities
Across 1,000,000 Assets
Representing 9,500 Companies
Using 22 Unique Scanners

Slide 25

Whatchu Know About Dat?(a)
Duplication
Vulnerability Density
Remediation

Slide 26

Duplication
[Chart: number of duplicate vulnerabilities by how many scanners report them; categories: 2 or more scanners, 3 or more, 4 or more, 5 or more, 6 or more; y-axis from 0 to 2,250,000]

Slide 27

Duplication
We Have: F(Number of Scanners) => Number of Duplicate Vulnerabilities
We Want: F(Number of Scanners) => Vulnerability Coverage
Make Decisions At The Margins! <--------- Good Luck!
[Chart: vulnerability coverage (0.0 to 100.0) against number of scanners (0 to 6)]

Slide 28

Density
Type of Asset   ~Count
Hostname        20,000
Netbios         1,000
IP Address      200,000
File            10,000
Url             5,000
[Chart: vulnerability density by asset type (Hostname, Netbios, IP, File, Url); y-axis from 0.0 to 90.0]

Slide 29

CVSS And Remediation Metrics
[Chart: Average Time To Close By Severity and Oldest Vulnerability By Severity, for CVSS 1 through 10; y-axis from 0 to 1400]

Slide 30

CVSS And Remediation - Lessons From A CISO
[Chart: Remediation/Lack Thereof, by CVSS 1 through 10, alongside NVD Distribution by CVSS]

Slide 31

The Kicker - Live Breach Data
1,500,000 Vulnerabilities Related to Live Breaches Recorded
June, July 2013

Slide 32

CVSS And Remediation - Nope
[Chart: Oldest Breached Vulnerability By Severity, CVSS 1 through 10; y-axis from 0 to 7000]

Slide 33

CVSS - A VERY General Guide For Remediation - Yep
[Chart: Open Vulns With Breaches Occurring By Severity, CVSS 1 through 10; y-axis from 0 to 160,000]

Slide 34

The One Billion Dollar Question
Probability(You Will Be Breached On A Particular Open Vulnerability)?
1.98% = (Open Vulnerabilities With Breaches Observed On Their CVE) / (Total Open Vulnerabilities)

Slide 35

I Love It When You Call Me Big Data
Probability A Vulnerability Having Property X Has Observed Breaches
[Chart: categories Random Vuln, CVSS 10, CVSS 9, CVSS 8, CVSS 6, CVSS 7, CVSS 5, CVSS 4, Has Patch; y-axis from 0.00 to 0.04]

Slide 36

What’s the Alternative?

Slide 37

I Love It When You Call Me Big Data
Probability A Vulnerability Having Property X Has Observed Breaches
[Chart: categories Random Vuln, CVSS 10, Exploit DB, Metasploit, MSP+EDB; y-axis from 0.0 to 0.3]

Slide 38

Data Is Everything And Everything Is Data.

Slide 39

Be Better Than The Gap

Slide 40

I Love It When You Call Me Big Data
Spray and Pray => 2%
CVSS 10 => 4%
Metasploit + ExploitDB => 30%
A Good Model That’s Not Built By One Kid Without Hadoop => ???
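The rates compared on slides 34, 35, 37 and 40 are all the same ratio: open vulnerability instances whose CVE has an observed breach, divided by open vulnerability instances, restricted to the rows that have a given property (CVSS 10, an Exploit DB entry, a Metasploit module, a patch, or no restriction at all for the "random vuln" baseline). The Python below is an added example, not code from the talk or from Risk I/O, that computes those conditional rates and the lift over the baseline on a small constructed table of vulnerability instances. The `Vuln` fields, the sample rows and the property predicates are assumptions chosen to mirror the chart categories; the numbers it produces are from the constructed data, not the deck's 2% / 4% / 30%.

```python
from collections import namedtuple
from fractions import Fraction

# One row per open vulnerability instance (a CVE found on an asset), not per CVE.
# Constructed sample data for illustration; the percentages in the deck come from
# Risk I/O's dataset, not from this table.
Vuln = namedtuple("Vuln", "cvss exploitdb metasploit has_patch breached")

SAMPLE = [
    #    cvss  exploitdb metasploit has_patch breached
    Vuln(10.0, True,  True,  True,  True),
    Vuln(10.0, False, False, True,  False),
    Vuln(10.0, True,  True,  True,  False),
    Vuln(10.0, False, False, False, False),
    Vuln(9.3,  True,  True,  True,  True),
    Vuln(9.3,  False, False, True,  False),
    Vuln(7.5,  True,  False, True,  False),
    Vuln(7.5,  True,  True,  True,  True),
    Vuln(7.5,  False, False, True,  False),
    Vuln(7.5,  False, False, False, False),
    Vuln(6.8,  True,  False, True,  False),
    Vuln(6.8,  False, True,  True,  False),
    Vuln(5.0,  False, False, True,  False),
    Vuln(5.0,  False, False, False, False),
    Vuln(5.0,  False, False, True,  False),
    Vuln(4.3,  False, False, True,  False),
    Vuln(4.3,  False, False, False, False),
    Vuln(4.3,  False, False, True,  False),
    Vuln(2.1,  False, False, True,  False),
    Vuln(2.1,  False, False, False, False),
]

# The properties the deck conditions on. "Random vuln" is the unconditioned
# baseline from slide 34: breached open vulns over all open vulns.
PROPERTIES = {
    "Random vuln": lambda v: True,
    "CVSS 10": lambda v: v.cvss == 10.0,
    "Exploit DB": lambda v: v.exploitdb,
    "Metasploit": lambda v: v.metasploit,
    "MSP+EDB": lambda v: v.exploitdb and v.metasploit,
    "Has patch": lambda v: v.has_patch,
}


def breach_rate(rows, predicate):
    """P(breach observed | property) as an exact fraction, or None if no row has the property."""
    subset = [v for v in rows if predicate(v)]
    if not subset:
        return None
    breached = sum(1 for v in subset if v.breached)
    return Fraction(breached, len(subset))


def property_table(rows=SAMPLE):
    """Map property name -> (breach rate, lift over the random-vuln baseline)."""
    baseline = breach_rate(rows, PROPERTIES["Random vuln"])
    table = {}
    for name, pred in PROPERTIES.items():
        rate = breach_rate(rows, pred)
        lift = None if rate is None or not baseline else rate / baseline
        table[name] = (rate, lift)
    return table


def rank_properties(rows=SAMPLE):
    """Property names ordered by breach rate, highest first: the fix-first order."""
    table = property_table(rows)
    scored = [(name, rate) for name, (rate, _) in table.items() if rate is not None]
    return [name for name, _ in sorted(scored, key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    for name, (rate, lift) in property_table().items():
        print(f"{name:12s} P(breach)={float(rate):.2f} lift={float(lift):.1f}x")
    print("fix first:", rank_properties())
```

The point the ranking makes is the deck's: a property whose conditional breach rate is several times the baseline is a better remediation filter than CVSS alone, and the same counting works on any instance-level table that records which CVEs had breaches observed.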

Slide 41

Thank You
Don’t Be A Stranger
Blog: http://blog.risk.io
Twitter: @mroytman