Vulnerability risk, management for everyone

Содержание

Слайд 2

the open Net mobilize technical Internet community provide technical expertise talk to other stakeholders

the open Net

mobilize technical Internet community
provide technical expertise
talk to other stakeholders

Слайд 3

Why bother Risk Management is the essence and purpose of all

Why bother

Risk Management is the essence and purpose of all Information

Security activities
Everything you do for Information Security is some kind of risk management!
Слайд 4

Who cares? 60% of respondents stated company executives are only “somewhat”

Who cares?
60% of respondents stated company executives are only “somewhat” to

“not at all” informed about the risk posed to their business from today’s security threats

(NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)

Слайд 5

What is risk management GRC: Governance, Risk management and Compliance Stage

What is risk management

GRC: Governance, Risk management and Compliance
Stage 0: ad

hoc
Stage 1: missing! (a lot of bad stuff happens just here)
Stage 2: compliance driven (things that cannot be ignored)
Слайд 6

Nature of risk management gap Cultural (“It is compliance driven stuff,

Nature of risk management gap
Cultural (“It is compliance driven stuff, we

do not care, we have business to do”)
Financial (“Only wealthy companies can afford this”)
Technological (“We have no resources to waste on your complicated toys”)
Слайд 7

Measurement: Quantitative? Risk = Impact ($) * Probability Both variables are

Measurement: Quantitative?

Risk = Impact ($) * Probability
Both variables are mostly unknown,

yet estimated. The formula might get complicated if you add more variables (means, motive, controls, whatever)
Reliability of data sources is questionable, yet if you present any numbers rather than none it looks more convincing
Слайд 8

Measurement: Qualitative? Better for decision making You may or may not

Measurement: Qualitative?

Better for decision making
You may or may not have real

quantitative data as input

Google deeper: Cox’s risk matrix theorem

Слайд 9

Threat Intelligence “What’s happening out there”? Understanding risk through external context.

Threat Intelligence

“What’s happening out there”? Understanding risk through external context.
Not just

about 0-days and IoCs for IPS/SIEM
Both APT-like actors and opportunistic attackers matter
Слайд 10

Network operators as natural data source for threat intel Huge coverage

Network operators as natural data source for threat intel

Huge coverage
Already having

tools (IDS, traffic analysis, DPI, DNS request data, etc)
Managed security services for customers
Слайд 11

Creating effective collaboration How should joint CERT work? Anything is always

Creating effective collaboration

How should joint CERT work?
Anything is always better than

nothing.
Coordinate, aggregate, analyse and share.
Distributed tasks are easier.
Слайд 12

Three functions of joint CERT CC: coordinate effort and promote information

Three functions of joint CERT

CC: coordinate effort and promote information exchange

(here we start!)
CSIRT: incident investigation, response and tactical analysis (easier!)
SOC: realtime and retrospective event processing (harder!)
Слайд 13

Let’s get practical Why vulnerability management? Most of the breaches involve

Let’s get practical

Why vulnerability management?
Most of the breaches involve vulnerability of

some kind
Manageable and measurable (involves less social context, as we know machines are easy and humans are hard)
Слайд 14

Vulnerability Management Stage 0: none Stage 0.5: [a]periodic scans, huge vulnerabilities

Vulnerability Management

Stage 0: none
Stage 0.5: [a]periodic scans, huge vulnerabilities lists,

panic and depression (significant human effort is required in this struggle)
Stage 1: continuous vulnerability management and first attempts to prioritise on the fly (here VM vendors jump in and ask for big $$)
Stage 2: more or less futile attempt to bring both variables into the risk equation (RM vendors jump in and ask for even more $$)
Слайд 15

Why pay premium price Because it is obviously valuable. And there

Why pay premium price

Because it is obviously valuable. And there is

(or at least seems to be) no alternative.
51% of organizations are suffering from data overload (and I think many more either have massively incomplete data or do not admit their difficulties)
24% do not know how to prioritize
22% use CVSS and maybe some internal data
21% do manual correlation with threat intel
31% use commercial tools
(NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)
Слайд 16

Notable players (VM) Nessus one of best yet cheapest security scanners,

Notable players (VM)
Nessus one of best yet cheapest security scanners, but

continuous vulnerability management (SecurityCenter) is expensive. Risk management capabilities are limited.
A nice try to integrate threat intelligence and advanced asset management into vulnerability scanning, again, big $$
As authors of Metasploit, the penetraion testing tool, Rapid7 is notable for highly practical approach to vulnerability management.
Слайд 17

Notable players (RM) An Israeli start-up, first (known to me) attempt

Notable players (RM)
An Israeli start-up, first (known to me) attempt to

break vendor lock-in for the vulnerability risk management. Has connectors to multiple scanners. Starts with $30K or so.
If you are not from Russia, you probably never heard about this one. It’s a shame because the capabilities are impressive.
GRC vendors without specific focus on VM (like RSA etc) are not listed here for obvious reason.
Слайд 18

Industry’s Dirty Little Secret

Industry’s Dirty Little Secret

Слайд 19

As easy as that “Continuous vulnerability management” requires a database backend,

As easy as that

“Continuous vulnerability management” requires a database backend, vulnerability

scanner connectors and a few reporting tools. And it is already here (Seccubus project, developed by Schuberg Philis)
“Vulnerability risk management” requires (surprisingly) an asset management tool with good heuristics to assist evaluation (think hostnames, software inventory, LDAP lookups etc), a method to integrate environmental factors (firewall configuration, protective tools,..), possible threat intelligence data and vulnerability assessment as is.
(if you are interested in risk assessment methodology per se, refer to Open Group’s FAIR (*), it simple)

(*) Factor Analysis of Information Risk

Слайд 20

How to evaluate vulnerability Like hackers (well, or pentesters ;-) do!

How to evaluate vulnerability

Like hackers (well, or pentesters ;-) do!
The only

things you need to know are:
Is this vulnerability exploitable in your configuration?
Is there a pre-built exploit for your system available?
What is the real impact?
If you know that, you get part of the equation solved. The other parts are the asset value, protection countermeasures and you chances to be attacked.
Слайд 21

A real life example Winshock (MS14-066) vulnerability Unauthenticated RCE in Windows

A real life example

Winshock (MS14-066) vulnerability
Unauthenticated RCE in Windows SChannel code
“Exploits

are available”, given top priority by all vulnerability scanners
Maximum posible CVSS score of 10.0
Actually no RCE exploits in the wild, just DoS!
Слайд 22

Simply put Traditional vulnerability scanning software scares you into thinking you

Simply put

Traditional vulnerability scanning software scares you into thinking you have

an immediate and imminent threat and you should concentrate your efforts on fixing that. While there actually could be more important things for you to do, because the cost and complexity of the attack is much higher than was implied!
Слайд 23

Enter Vulners A search engine for exploits and security bulletins, contains

Enter Vulners


A search engine for exploits and security bulletins, contains

60+K exploits to date

Non-profit and free to use

Слайд 24

But, wait Vulners exploit search is for humans No formal definition

But, wait


Vulners exploit search is for humans
No formal definition exists

for exploit capabilities
Time to fix that!
Слайд 25

Enter ECDML and EACVSS Exploit Capability Definition Markup Language – describe

Enter ECDML and EACVSS


Exploit Capability Definition Markup Language –

describe exploit properties via CVE, CPE and supplementary information (CCE, common configuration enumeration is dead, sorry)
EACVSS – Exploit Adjusted CVSS – evaluate real exploit capability
Слайд 26

Sorry for non-readable text ;-)

Sorry for non-readable text ;-)

Слайд 27

Back to risk analysis and FAIR methodology

Back to risk analysis and FAIR methodology


Слайд 28

What’s next Augment risk intelligence with Threat Event Frequency Implement (mostly)

What’s next


Augment risk intelligence with Threat Event Frequency
Implement (mostly)

automated risk assessments using FAIR methodology
That’s where joint CERT could provide extremely valuable information!
Слайд 29

Dreams ;-) How state of the art risk analysis should work

Dreams ;-)


How state of the art risk analysis should

work
Слайд 30

Not covered here Advanced vulnerability management issues like detecting and avoiding

Not covered here

Advanced vulnerability management issues like detecting and

avoiding vulnerability scan gaps, “scannerless” data collection ,etc etc
Seccubus implementation and deployment details (ask me if you want to discuss any of those later)
FAIR methodology in depth
Privacy issues for threat intel
Threat intel information exchange formats
Слайд 31

Useful links http://theopennet.ru https://www.vulners.com https://www.seccubus.com

Useful links

http://theopennet.ru
https://www.vulners.com
https://www.seccubus.com

- Предыдущая
Музееведение. Туризм
Следующая -
Контрольная работа №3. Теоретические основы управления фармацевтической организацией

Похожие презентации

Корпоративная социальная ответственность и ее реализация в современных российских нефтегазовых компаниях
Лидерство и стиль руководства
Основы управления персоналом
Классификация услуг общественного питания. Порядок оказания услуг. Права потребителя услуг предприятия общественного питания
Elementy postępowania strategicznego. Analiza otoczenia i organizacji
Прохождение опроса в системе АСМА
Tréning na PDR (Prehľad hodnotenia výkonnosti a rozvoja)
Организационное консультирование
Характеристика имиджа. Имидж органа власти, как средство воздействия на массовое сознание и управленческий ресурс
Аттестация и оценка персонала
Кадровая политика организации
Сущность и содержание организации как функции менеджмента
Развитие профессиональной культуры современного государственного служащего на основе технологий проектного управления
Функциональные обязанности
Методы преодоления сопротивления изменениям
Nauka o organizacji i przedsiębiorstwie. Potencjał organizacji technologia. (Wyklad 5)
Тайм-менеджмент для семьи
Поняття та класифікація управлінських рішень, вимоги до них
Адаптация на новом рабочем месте
Понятие и расчёт абсентеизма
Microsoft Dynamics NAV – система автоматизации деятельности предприятия
Проблемы устойчивого развития предприятия
Целевая аудитория
Выбор оптимального варианта складской системы
Как укротить время. Основные принципы тайм-менеджмента
Команда Rosa салон красоты
Социологические методы в административно-государственном управлении
Учебное предприятие Развитие маркетинга
Вы можете прислать нам Вашу презентацию и мы опубликуем ее на сайте.
Обратная связь
Для правообладателей
Email: Нажмите что бы посмотреть