BSidesLV Vulnerability & Exploit Trends


Published on August 5, 2013

Author: ebellis

Source: slideshare.net

Description

A deep dive inside the data.

Vulnerability & Exploit Trends: A Deep Look Inside the Data BSides Las Vegas Ed Bellis & Michael Roytman

Nice To Meet You / About Us

Ed Bellis
• CoFounder Risk I/O
• Former CISO Orbitz
• Contributing Author: Beautiful Security
• CSO Magazine/Online Writer
• InfoSec Island Blogger

About Risk I/O
• Data-Driven Vulnerability Intelligence Platform
• DataWeek 2012 Top Security Innovator
• 3 Startups to Watch - Information Week
• 16 Hot Startups - eWeek

Michael Roytman
• Naive Grad Student
• Still Plays With Legos
• Barely Passed Regression Analysis
• Once Jailbroke His iPhone 3G
• Has Coolest Job In InfoSec

Starting From Scratch

Academia
• GScholar
• JSTOR
• IEEE
• ProQuest

InfoSec Blogs
• CISOs
• Pen Testers
• Threat Reports
• SOTI/DBIR

Twitter
• Thought Leaders (you know who you are)
• BlackHats
• Vuln Researchers

Primary Sources
• MITRE
• OSVDB
• NIST CVSS Committee(s)
• Internal Message Boards for ^

Text CISOs

#DoingItWrong

Data Fundamentalism: Don’t Ignore What a Vuln Is (Creation Bias)
  http://blog.risk.io/2013/04/data-fundamentalism/  <Shameless(ful) Self-Promotion

Jerico/Sushidude @ BlackHat
  https://www.blackhat.com/us-13/briefings.html#Martin

Luca Allodi
  https://securitylab.disi.unitn.it/lib/exe/fetch.php?media=seminar-unimi-apr-13.pdf
  Protip: http://disi.unitn.it/~allodi/allodi-12-badgers.pdf

#DoingItWrong

“Since 2006 Vulnerabilities have declined by 26 percent.”
  - http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf

“The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012.”
  - http://www.symantec.com/content/en/us/enterprise/other_resources/b-intelligence_report_06-2013.en-us.pdf

What’s Good?

Bad For Vulnerability Statistics: NVD, OSVDB, ExploitDB, CVSS, Patches, Microsoft Reports, etc, et al, and so on.

Good For Vulnerability Statistics: Vulnerabilities.

Adding Some Flavor

Defend Like You’ve Done It Before

Counterterrorism             Uh, Sports?                       InfoSec? What It Should Be
Known Groups                 Opposing Teams, Specific Players  Groups, Motivations
Surveillance                 Gameplay                          Exploits
Threat Intel, Analysts       Scouting Reports, Gametape        Vulnerability Definitions
Targets, Layouts             Roster, Player Skills             Asset Topology, Actual Vulns on System
Past Incidents, Close Calls  Learning from Losing              Learning from Breaches

Work With What You’ve Got:
• Groups, Motivations: Akamai, Safenet
• Exploits: ExploitDB, Metasploit
• Vulnerability Definitions: NVD, MITRE

Show Me The Money
• 23,000,000 Vulnerabilities
• Across 1,000,000 Assets
• Representing 9,500 Companies
• Using 22 Unique Scanners

Whatchu Know About Data?
• Duplication
• Vulnerability Density
• Remediation

Duplication
[Chart: number of duplicate vulnerabilities (y-axis, 0 to 2,250,000) by how many scanners report the same vulnerability: 2 or more scanners, 3 or more, 4 or more, 5 or more, 6 or more]

Duplication - Lessons From a CISO
We Have: F(Number of Scanners) => Number of Duplicate Vulnerabilities
We Want: F(Number of Scanners) => Vulnerability Coverage
Make Decisions At The Margins! <---------Good Luck!
[Chart: vulnerability coverage (y-axis, 0 to 100) against number of scanners (x-axis, 0 to 6)]

Density

Type of Asset   ~Count
Hostname        20,000
Netbios         1,000
IP Address      200,000
File            10,000
Url             5,000

[Chart: vulnerability density by asset type (Hostname, Netbios, IP, File, Url); y-axis 0 to 90]

CVSS And Remediation Metrics
[Chart: Average Time To Close By Severity and Oldest Vulnerability By Severity; x-axis CVSS 1 to 10, y-axis 0 to 1,500]

CVSS And Remediation - Lessons From A CISO
[Chart: Remediation/Lack Thereof, by CVSS, alongside NVD Distribution by CVSS; x-axis CVSS 1 to 10]

The Kicker - Live Breach Data
1,500,000 Vulnerabilities Related to Live Breaches Recorded, June and July 2013

CVSS And Remediation - Nope
[Chart: Oldest Breached Vulnerability By Severity; x-axis CVSS 1 to 10, y-axis 0 to 7,000]

CVSS - A VERY General Guide For Remediation - Yep
[Chart: Open Vulns With Breaches Occurring By Severity; x-axis CVSS 1 to 10, y-axis 0 to 150,000]

The One Billion Dollar Question
Probability(You Will Be Breached On A Particular Open Vulnerability)?
1.98% = (Open Vulnerabilities | Breaches Occurred On Their CVE) / (Total Open Vulnerabilities)

I Love It When You Call Me Big Data
[Chart: Probability A Vulnerability Having Property X Has Observed Breaches; y-axis 0 to 0.04; properties: Random Vuln, CVSS 10, CVSS 9, CVSS 8, CVSS 6, CVSS 7, CVSS 5, CVSS 4]

Enter The Security Mendoza Line
Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”?

Alex Hutton comes up with the Security Mendoza Line:
http://riskmanagementinsight.com/riskanalysis/?p=294

Josh Corman expands the Security Mendoza Line:
“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/

I Love It When You Call Me Big Data
[Chart: Probability A Vulnerability Having Property X Has Observed Breaches; y-axis 0 to 0.30; properties: Random Vuln, CVSS 10, Exploit DB, Metasploit, MSP+EDB]

I Love It When You Call Me Big Data
P(Breaches Observed On That Vuln | Random Vuln) = 1.98%
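The conditional probability the last few slides compute, P(breach observed | vulnerability has property X), is simple to reproduce on your own scan data, and doing so is the point of the talk: compare the breach rate of a property (CVSS bucket, ExploitDB entry, Metasploit module) against the random-vulnerability baseline and prioritise by the lift. The example below is added here and is not the authors' code or the Risk I/O platform; the findings list is a constructed sample with placeholder CVE ids, not the 23M-vulnerability dataset, and the property names mirror the chart labels above. It goes one step past the slides by also reporting lift over the baseline and the per-CVSS-bucket rates in one pass.

```python
from fractions import Fraction
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    cve: str             # placeholder id, not a real CVE
    cvss: float          # CVSS base score
    in_exploitdb: bool   # a public exploit exists in ExploitDB
    in_metasploit: bool  # a Metasploit module exists
    breached: bool       # a live breach was observed against this CVE


# Constructed sample of open findings (hypothetical; not the talk's data).
FINDINGS: List[Finding] = [
    Finding("CVE-PLACEHOLDER-01", 10.0, True,  True,  True),
    Finding("CVE-PLACEHOLDER-02", 10.0, False, False, False),
    Finding("CVE-PLACEHOLDER-03", 10.0, True,  True,  False),
    Finding("CVE-PLACEHOLDER-04", 9.3,  True,  True,  True),
    Finding("CVE-PLACEHOLDER-05", 9.0,  False, False, False),
    Finding("CVE-PLACEHOLDER-06", 7.5,  True,  True,  True),
    Finding("CVE-PLACEHOLDER-07", 7.5,  True,  False, False),
    Finding("CVE-PLACEHOLDER-08", 7.2,  False, False, False),
    Finding("CVE-PLACEHOLDER-09", 6.8,  False, True,  False),
    Finding("CVE-PLACEHOLDER-10", 6.4,  False, False, False),
    Finding("CVE-PLACEHOLDER-11", 5.0,  True,  False, True),
    Finding("CVE-PLACEHOLDER-12", 5.0,  False, False, False),
    Finding("CVE-PLACEHOLDER-13", 4.3,  False, False, False),
    Finding("CVE-PLACEHOLDER-14", 4.3,  True,  True,  True),
    Finding("CVE-PLACEHOLDER-15", 4.0,  False, False, False),
    Finding("CVE-PLACEHOLDER-16", 2.1,  False, False, False),
]

Predicate = Callable[[Finding], bool]


def breach_rate(findings: List[Finding], has_property: Predicate) -> Optional[Fraction]:
    """P(breach observed | property) = breached findings with the property
    divided by all findings with the property. None if no finding has it."""
    selected = [f for f in findings if has_property(f)]
    if not selected:
        return None
    return Fraction(sum(1 for f in selected if f.breached), len(selected))


def baseline_rate(findings: List[Finding]) -> Fraction:
    """The 'random vuln' bar: P(breach observed) over every open finding."""
    return breach_rate(findings, lambda f: True)


def lift(findings: List[Finding], has_property: Predicate) -> Optional[Fraction]:
    """How much more likely a breach is for findings with the property than for a random one."""
    rate = breach_rate(findings, has_property)
    return None if rate is None else rate / baseline_rate(findings)


def rate_by_cvss_bucket(findings: List[Finding]) -> Dict[int, Fraction]:
    """The first chart: breach rate per integer CVSS bucket (score truncated)."""
    buckets = sorted({int(f.cvss) for f in findings})
    return {b: breach_rate(findings, lambda f, b=b: int(f.cvss) == b) for b in buckets}


# Properties named on the second chart.
PROPERTIES: Dict[str, Predicate] = {
    "Random Vuln": lambda f: True,
    "CVSS 10": lambda f: f.cvss == 10.0,
    "Exploit DB": lambda f: f.in_exploitdb,
    "Metasploit": lambda f: f.in_metasploit,
    "MSP+EDB": lambda f: f.in_exploitdb and f.in_metasploit,
}


def rank_properties(findings: List[Finding]) -> List[Tuple[str, Fraction, Fraction]]:
    """(property, breach rate, lift) for each property, best predictor first."""
    rows = [(name, breach_rate(findings, pred), lift(findings, pred))
            for name, pred in PROPERTIES.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for bucket, rate in rate_by_cvss_bucket(FINDINGS).items():
        print(f"CVSS {bucket:2d}: P(breach) = {float(rate):.3f}")
    for name, rate, lft in rank_properties(FINDINGS):
        print(f"{name:12s} P(breach) = {float(rate):.3f}  lift = {float(lft):.2f}x")
```

On this sample the CVSS buckets are not monotone (bucket 6 scores lower than 5 and 7, the same shape the talk's chart shows), while "has a Metasploit module and an ExploitDB entry" carries the highest lift. Exact fractions are used so that the ranking is reproducible and not subject to float rounding.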

Thank You

Follow Us
Blog: http://blog.risk.io
Twitter: @mroytman @ebellis @riskio
We’re Hiring! http://www.risk.io/jobs
