Published on May 14, 2013
A Moneyball Approach to Security Intelligence
Nice to Meet You
About Me
• CoFounder Risk I/O
• Former CISO Orbitz
• Contributing Author: Beautiful Security
• CSO Magazine/Online Writer
• InfoSec Island Blogger
About Risk I/O
• Data-Driven Vulnerability Intelligence Platform
• DataWeek 2012 Top Security Innovator
• 3 Startups to Watch - Information Week
• 16 Hot Startups - eWeek
Stage 1: Ignorance is Bliss
Stage 2: Where are all of my vulnerabilities?
“Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.”
- Jeremiah Grossman, Founder, WhiteHat Security
Stage 3: Scan & Dump
Enter the Age of the Automated Scanner...
Why This Occurs
Lack of Visibility
Lack of Communication
Lack of Coordination
Silos, Silos, Everywhere
IT Security Is Buried in Noise
“vulnerability prioritization for remediation presents THE critical problem”
- Anton Chuvakin, Gartner Research Director
“Finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part”
- Diana Kelley, Dark Reading
“Businesses may be able to measure their performance through objective metrics such as sales growth, production efficiency or customer preference, but information security management too often boils down to a reaction to recent events or the well-known trio of fear, uncertainty and doubt.”
- Scott Crawford, EMA Associates
“Unless you work in a company that has unlimited resources and you have absolute support at all levels for remediating the vulnerabilities in your environment, you MUST prioritize the issues that cause the most risk to your IT environment.”
- Clay Keller, Wal-Mart InfoSec
“With the enormous amounts of data available, mining it — regardless of its source — and turning it into actionable information is really a strategic necessity, especially in the world of security.”
- Chris Hoff, Juniper Networks
SaberMetrics for InfoSec?
Example Use Case 1
HD Moore’s Law - Josh Corman
aka Security Mendoza Line
“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”
Example Use Case 2
Predicting Vulnerability (or even breach)
Key Attributes
Trending
Outcomes
Example Use Case 3
CVE Trending Analysis
Gunnar’s Debt Clock
Example Use Case 4
Targets of Opportunity?
My (vuln posture X threat activity) / (other vuln posture X other threat activity)
That’s So Meta
Table Stakes
Data aggregation is necessary for everything we do
Correlation, Normalization, De-Duplication
Full risk views down the entire technology stack
Putting The Robots To Work
Assembly Line Workflow
Bulk Ticketing & Bug Tracking Integration
Automated Re-Testing
API “All The Things”
Web Scale Visibility
How do I know where to deploy my resources?
What matters when prioritizing remediation?
What does the threat landscape look like outside of my 4 walls?
How do I compare to peers?
Integrating Disparate Solutions
VA Products
• Dynamic Application
• Network & Host
• Static Analysis
Manual Assessments
Remediation
• Trouble Ticketing
• Bug Tracking
• Configuration Management
• Patch Management
Centralizing the Data
Network Vulnerability Scanners, Database Vulnerability Scanners, Application Vulnerability Scanners, Static Analysis Tools, Pentesters / Professional Services, Internal Remediation Systems -> Risk DB
Your Data, Your Way
Predefined and Custom Security Metrics
Filter by Hundreds of Attributes and Metadata
Real-World Vulnerability Trending
Custom Fields
Full Featured RESTful API
Auto-Flagging based on “in the wild” Attack Traffic
Benchmarking Across Industries
Predictive Analytics & Machine Learning
Security && Ops NOT Security || Ops
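The "Table Stakes" and "Your Data, Your Way" slides describe the platform's pipeline only as headings: normalize findings from disparate scanners, de-duplicate them, then auto-flag the ones seen in "in the wild" attack traffic. The following is an added example written for this page, not Risk I/O code; the scanner exports, the attack-traffic feed, the placeholder CVE ids and the addresses are all constructed, and the ranking rule (attacked-in-the-wild first, then volume, then severity) is an assumption about how such auto-flagging would feed prioritization.

```python
# Constructed sample exports from two scanners with different schemas
# (placeholder CVE ids and RFC 1918 addresses, not real findings).
NETWORK_SCAN = [
    {"ip": "10.0.0.5", "cve_id": "CVE-0000-1001", "severity": 9.8},
    {"ip": "10.0.0.5", "cve_id": "CVE-0000-1002", "severity": 5.3},
    {"ip": "10.0.0.7", "cve_id": "CVE-0000-1001", "severity": 9.8},
]
APP_SCAN = [
    {"host": "10.0.0.5", "cves": ["CVE-0000-1001"], "risk": "High"},  # same flaw as network row 1
    {"host": "10.0.0.9", "cves": ["CVE-0000-1003"], "risk": "Medium"},
]
# Constructed "in the wild" feed: CVE -> exploit attempts observed by sensors
ATTACK_TRAFFIC = {"CVE-0000-1002": 420, "CVE-0000-1003": 15}
RISK_WORDS = {"High": 9.0, "Medium": 5.0, "Low": 2.0}  # app scanner reports words, not scores


def normalize(network_rows, app_rows):
    """Map each scanner's schema onto one record shape: asset, cve, severity, source."""
    records = []
    for r in network_rows:
        records.append({"asset": r["ip"], "cve": r["cve_id"], "severity": r["severity"], "source": "network"})
    for r in app_rows:
        for cve in r["cves"]:
            records.append({"asset": r["host"], "cve": cve, "severity": RISK_WORDS[r["risk"]], "source": "app"})
    return records


def deduplicate(records):
    """Collapse findings for the same (asset, CVE): keep the max severity, union the sources."""
    merged = {}
    for rec in records:
        key = (rec["asset"], rec["cve"])
        entry = merged.setdefault(key, {"asset": rec["asset"], "cve": rec["cve"],
                                        "severity": 0.0, "sources": set()})
        entry["severity"] = max(entry["severity"], rec["severity"])
        entry["sources"].add(rec["source"])
    return list(merged.values())


def prioritize(findings, attack_traffic):
    """Auto-flag CVEs seen in attack traffic and rank those first (by volume), then by
    severity: a 9.8 nobody is exploiting ranks below an actively attacked 5.3."""
    for f in findings:
        f["attack_volume"] = attack_traffic.get(f["cve"], 0)
        f["in_the_wild"] = f["attack_volume"] > 0
    return sorted(findings, key=lambda f: (f["in_the_wild"], f["attack_volume"], f["severity"]),
                  reverse=True)


def remediation_queue(network_rows=NETWORK_SCAN, app_rows=APP_SCAN, traffic=ATTACK_TRAFFIC):
    """Full pipeline: normalize -> de-duplicate -> auto-flag and rank."""
    return prioritize(deduplicate(normalize(network_rows, app_rows)), traffic)
```

The two 9.8 findings with no observed attack traffic land at the bottom of the queue, which is the point the deck makes about prioritizing on threat activity rather than on scanner severity alone.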
Three Distinct Values
Vulnerability Intelligence Platform
Inputs: Vulnerability Scanners, Static & Binary Analysis, Ticketing / Bug Tracking, IPS / WAF, SIEM, Network Mapping, External Data -> Risk DB
Outputs: Faceted Search, Knowledge Base, Custom Dashboards, Alerting, Analyze & Prioritize
Q&A
Vulnerability Intelligence Platform