Vulnerability Risk Management for Everyone
theopenNet
• mobilize technical Internet community
• provide technical expertise
• talk to other stakeholders
Why bother
Risk Management is the essence and purpose of all Information Security activities. Everything you do for Information Security is some kind of risk management!
Who cares?
• 60% of respondents stated company executives are only “somewhat” to “not at all” informed about the risk posed to their business from today’s security threats
(NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)
What is risk management
• GRC: Governance, Risk management and Compliance
• Stage 0: ad hoc
• Stage 1: missing! (a lot of bad stuff happens just here)
• Stage 2: compliance driven (things that cannot be ignored)
Nature of risk management gap
• Cultural (“It is compliance driven stuff, we do not care, we have business to do”)
• Financial (“Only wealthy companies can afford this”)
• Technological (“We have no resources to waste on your complicated toys”)
Measurement: Quantitative?
Risk = Impact ($) * Probability
Both variables are mostly unknown, […] (means, motive, controls, whatever)
Reliability of data sources is questionable, yet if you present any numbers rather than none it looks more convincing
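The slide's equation with the uncertainty made visible, as an added example that is not part of the talk: instead of multiplying two point estimates it takes a (low, most likely, high) range for Impact and for Probability, samples both, and reports percentiles of the product. The input ranges are constructed for illustration; the triangular distribution and the percentile choice are this example's assumptions.

```python
"""Risk = Impact ($) * Probability, evaluated over ranges instead of points.

Added example, not from the talk.  An expert who cannot give a number can
usually give "at least / most likely / at most"; a triangular distribution
needs exactly those three values.  Input ranges below are constructed.
"""
import random


def point_estimate(impact_range, probability_range):
    """The single number a slide usually shows: mode(Impact) * mode(Probability)."""
    return impact_range[1] * probability_range[1]


def simulate_risk(impact_range, probability_range, samples=20_000, seed=1):
    """Return (p10, p50, p90) of Impact * Probability over sampled inputs.

    Each range is (low, mode, high).  A fixed seed keeps the run repeatable
    so the figures can be quoted and checked later.
    """
    rng = random.Random(seed)
    ilo, imode, ihi = impact_range
    plo, pmode, phi = probability_range
    # random.triangular takes (low, high, mode); sample both factors independently.
    risks = sorted(
        rng.triangular(ilo, ihi, imode) * rng.triangular(plo, phi, pmode)
        for _ in range(samples)
    )

    def pct(p):
        return risks[min(int(p * samples), samples - 1)]

    return pct(0.10), pct(0.50), pct(0.90)


def risk_summary(impact_range, probability_range):
    """Point estimate beside the spread, so the reader sees both."""
    p10, p50, p90 = simulate_risk(impact_range, probability_range)
    return {
        "point_estimate": point_estimate(impact_range, probability_range),
        "p10": p10,
        "p50": p50,
        "p90": p90,
        "spread_p90_over_p10": p90 / p10,
    }


# Constructed inputs: a breach of one system, annual probability of that breach.
IMPACT_USD = (50_000, 200_000, 2_000_000)   # low, most likely, high
PROBABILITY = (0.01, 0.05, 0.30)            # low, most likely, high

if __name__ == "__main__":
    for key, value in risk_summary(IMPACT_USD, PROBABILITY).items():
        print(f"{key:22} {value:,.0f}" if key != "spread_p90_over_p10" else f"{key:22} {value:.1f}x")
```

The point estimate here is 10,000 (200,000 * 0.05), while the 90th percentile of the sampled product sits far above it: the spread between p10 and p90 is the honest answer to "how reliable is this number", and it is what a single figure on a slide hides.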
Measurement: Qualitative?
• Better for decision making
• You may or may not have real quantitative data as input
Google deeper: Cox’s risk matrix theorem
Threat Intelligence
“What’s happening out there”? Understanding risk through external context.
Not just about 0-days and IoCs for IPS/SIEM. Both APT-like actors and opportunistic attackers matter.
Network operators as natural data source for threat intel
Huge coverage. Already having tools (IDS, traffic analysis, DPI, DNS request data, etc)
Managed security services for customers
Creating effective collaboration
How should joint CERT work? Anything is always better than nothing. Coordinate, aggregate, analyse and share. Distributed tasks are easier.
Three functions of joint CERT
1. CC: coordinate effort and promote information exchange (here we start!)
2. CSIRT: incident investigation, response and tactical analysis (easier!)
3. SOC: real time and retrospective event processing (harder!)
Let’s get practical
Why vulnerability management? Most of the breaches involve vulnerability of some kind
Manageable and measurable (involves less social context, as we know machines are easy and humans are hard)
Vulnerability Management
• Stage 0: none
• Stage 0.5: [a]periodic scans, huge vulnerabilities lists, panic and depression (significant human effort is required in this struggle)
• Stage 1: continuous vulnerability management and first attempts to prioritise on the fly (here VM vendors jump in and ask for big $$)
• Stage 2: more or less futile attempt to bring both variables into the risk equation (RM vendors jump in and ask for even more $$)
Why pay premium price
Because it is obviously valuable. And there is (or at least seems to be) no alternative.
51% of organizations are suffering from data overload (and I think many more either have massively incomplete data or do not admit their difficulties)
24% do not know how to prioritize
22% use CVSS and maybe some internal data
21% do manual correlation with threat intel
31% use commercial tools
(NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)
Notable players (VM)
Nessus: one of the best yet cheapest security scanners, but continuous vulnerability management (SecurityCenter) is expensive. Risk management capabilities are limited.
A nice try to integrate threat intelligence and advanced asset management into vulnerability scanning, again, big $$
As authors of Metasploit, the penetration testing tool, Rapid7 is notable for a highly practical approach to vulnerability management.
Notable players (RM)
An Israeli start-up, first (known to me) attempt to break vendor lock-in for vulnerability risk management. Has connectors to multiple scanners. Starts with $30K or so.
If you are not from Russia, you probably never heard about this one. It’s a shame because the capabilities are impressive.
GRC vendors without specific focus on VM (like RSA etc) are not listed here for obvious reasons.
Industry’s Dirty Little Secret
As easy as that
• “Continuous vulnerability management” requires a database backend, vulnerability scanner connectors and a few reporting tools. And it is already here (Seccubus project, developed by Schuberg Philis)
• “Vulnerability risk management” requires (surprisingly) an asset management tool with good heuristics to assist evaluation (think hostnames, software inventory, LDAP lookups etc), a method to integrate environmental factors (firewall configuration, protective tools, ..), possible threat intelligence data and vulnerability assessment as is.
• (if you are interested in risk assessment methodology per se, refer to Open Group’s FAIR (*), it’s simple)
(*) Factor Analysis of Information Risk
How to evaluate vulnerability
Like hackers (well, or pentesters ;-) do!
• The only things you need to know are:
• Is this vulnerability exploitable in your configuration?
• Is there a pre-built exploit for your system available?
• What is the real impact?
• If you know that, […]. The other parts are the asset value, protection countermeasures and your chances to be attacked.
A real life example
● Winshock (MS14-066) vulnerability
● Unauthenticated RCE in Windows SChannel code
● “Exploits are available”, given top priority by all vulnerability scanners
● Maximum possible CVSS score of 10.0
● Actually no RCE exploits in the wild, just DoS!
Simply put
Traditional vulnerability scanning software scares you into thinking you have an immediate and imminent threat and you should concentrate your efforts on fixing that. While there actually could be more important things for you to do, because the cost and complexity of the attack is much higher than was implied!
Enter Vulners
A search engine for exploits and security bulletins, contains 60+K exploits to date
Non-profit and free to use
But, wait
● Vulners exploit search is for humans
● No formal definition exists for exploit capabilities
● Time to fix that!
Enter ECDML and EACVSS
● Exploit Capability Definition Markup Language – describe exploit properties via CVE, CPE and supplementary information (CCE, common configuration enumeration is dead, sorry)
● EACVSS – Exploit Adjusted CVSS – evaluate real exploit capability
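What "exploit adjusted" prioritisation looks like when written down, as an added example that is not code from the talk, Vulners, Seccubus or any vendor, and not the ECDML/EACVSS definition itself. It walks the three questions from the "How to evaluate vulnerability" slide over a constructed scanner report that includes the Winshock (MS14-066) case: the CVSS base of 10.0 stays, but because the only exploits built for the host's platform achieve DoS, the finding drops below a lower-scored vulnerability with a working RCE exploit. The CVSS v2 temporal "Exploitability" multipliers are the published ones; the finding and exploit records, the platform match on a CPE prefix, the capability ordering and the ids VULN-A and VULN-B are this example's own assumptions.

```python
"""Exploit-adjusted prioritisation of vulnerability scanner findings.

Added example, not the talk's, Vulners' or any vendor's code.  For each
finding it answers: does an exploit exist for this vulnerability, is it
built for this host's platform, and what does it actually achieve.  The
CVSS v2 temporal Exploitability values are the published ones; the data,
the CPE-prefix match and the ordering policy are assumptions of this file.
"""
from dataclasses import dataclass

# CVSS v2 temporal metric "Exploitability" (E) multipliers, as published.
EXPLOITABILITY = {
    "unproven": 0.85,
    "proof-of-concept": 0.90,
    "functional": 0.95,
    "high": 1.00,
}

# Ordering policy (assumed): a usable RCE exploit outranks a usable DoS
# exploit, which outranks a finding with no exploit for this platform.
CAPABILITY_RANK = {"rce": 0, "dos": 1, "none": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    cpe: str          # platform the scanner matched on this host
    vuln_id: str
    cvss_base: float


@dataclass(frozen=True)
class Exploit:
    vuln_id: str
    cpe_prefix: str   # platforms the exploit is built for
    capability: str   # "rce" or "dos": what a successful run achieves
    maturity: str     # key of EXPLOITABILITY


@dataclass(frozen=True)
class Priority:
    vuln_id: str
    host: str
    capability: str   # best capability among exploits usable on this host
    temporal: float   # CVSS v2 base adjusted by Exploitability only

    def sort_key(self):
        return (CAPABILITY_RANK[self.capability], -self.temporal)


def usable_exploits(finding, catalogue):
    """Exploits for this vulnerability that are built for this host's platform."""
    return [
        e for e in catalogue
        if e.vuln_id == finding.vuln_id and finding.cpe.startswith(e.cpe_prefix)
    ]


def assess(finding, catalogue):
    """Answer the slide's three questions for one finding."""
    exploits = usable_exploits(finding, catalogue)
    if not exploits:
        maturity, capability = "unproven", "none"
    else:
        maturity = max(exploits, key=lambda e: EXPLOITABILITY[e.maturity]).maturity
        capability = min(exploits, key=lambda e: CAPABILITY_RANK[e.capability]).capability
    # CVSS v2 temporal score with RemediationLevel and ReportConfidence left at
    # 1.0 (assumed "not defined"); one-decimal rounding as in the spec.
    temporal = round(finding.cvss_base * EXPLOITABILITY[maturity], 1)
    return Priority(finding.vuln_id, finding.host, capability, temporal)


def prioritise(findings, catalogue):
    """Return findings as Priority records, most urgent first."""
    return sorted((assess(f, catalogue) for f in findings), key=Priority.sort_key)


# Constructed exploit catalogue.  MS14-066 (Winshock) is recorded the way the
# talk describes it: exploits exist, but they only achieve DoS.
CATALOGUE = [
    Exploit("MS14-066", "cpe:/o:microsoft:windows_server_2012", "dos", "functional"),
    Exploit("VULN-A", "cpe:/a:example:webapp:2.", "rce", "high"),
    Exploit("VULN-B", "cpe:/a:example:otherapp", "rce", "proof-of-concept"),
]

# Constructed scanner output: three findings on two hosts.
FINDINGS = [
    Finding("web01", "cpe:/o:microsoft:windows_server_2012:r2", "MS14-066", 10.0),
    Finding("web01", "cpe:/a:example:webapp:2.3", "VULN-A", 7.5),
    Finding("db01", "cpe:/a:example:webapp:1.9", "VULN-B", 9.3),
]

if __name__ == "__main__":
    for p in prioritise(FINDINGS, CATALOGUE):
        print(f"{p.vuln_id:9} {p.host:6} exploit={p.capability:4} temporal={p.temporal}")
```

Run as is, the order comes out VULN-A (7.5, working RCE exploit for this platform), then MS14-066 (9.5 after the temporal adjustment, but DoS only), then VULN-B (exploit exists, but not for this host's product, so it is treated as unproven). A scanner sorting on the base score alone would put MS14-066 first, which is exactly the effect the "Simply put" slide describes.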
Sorry for non-readable text ;-)
Back to risk analysis and FAIR methodology
What’s next
● Augment risk intelligence with Threat Event Frequency
● Implement (mostly) automated risk assessments using FAIR methodology
● That’s where joint CERT could provide extremely valuable information!
Dreams ;-)
How state of the art risk analysis should work
Not covered here
• Advanced vulnerability management issues like detecting and avoiding vulnerability scan gaps, “scannerless” data collection, etc etc
• Seccubus implementation and deployment details (ask me if you want to discuss any of those later)
• FAIR methodology in depth
• Privacy issues for threat intel
• Threat intel information exchange formats
Useful links
• http://theopennet.ru
• https://www.vulners.com
• https://www.seccubus.com
Thank you! Questions?