Palmer Symposium

Category: Technology

Published on May 14, 2013

Author: ebellis

Source: slideshare.net

A Moneyball Approach to Security Intelligence
http://www.risk.io
ed@risk.io

Nice to Meet You

About Me
• Co-Founder, Risk I/O
• Former CISO, Orbitz
• Contributing Author: Beautiful Security
• CSO Magazine/Online Writer
• InfoSec Island Blogger

About Risk I/O
• Data-Driven Vulnerability Intelligence Platform
• DataWeek 2012 Top Security Innovator
• 3 Startups to Watch - Information Week
• 16 Hot Startups - eWeek

Stage 1: Ignorance is Bliss

Stage 2: Where are all of my vulnerabilities?

“Back in my Yahoo days I performed hundreds of web application vulnerability assessments. To streamline the workload, I created an assessment methodology consisting of a few thousand security tests averaging 40 hours to complete per website. Yahoo had over 600 websites enterprise-wide. To assess the security of every website would have taken over 11 years to complete and the other challenge was these websites would change all the time which decayed the value of my reports.”
- Jeremiah Grossman, Founder, WhiteHat Security

Stage 3: Scan & Dump
Enter the Age of the Automated Scanner...

Why This Occurs
• Lack of Visibility
• Lack of Communication
• Lack of Coordination
Silos, Silos, Everywhere

IT Security Is Buried in Noise

“Vulnerability prioritization for remediation presents THE critical problem.”
- Anton Chuvakin, Gartner Research Director

“Finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part.”
- Diana Kelley, Dark Reading

“Businesses may be able to measure their performance through objective metrics such as sales growth, production efficiency or customer preference, but information security management too often boils down to a reaction to recent events or the well-known trio of fear, uncertainty and doubt.”
- Scott Crawford, EMA Associates

“Unless you work in a company that has unlimited resources and you have absolute support at all levels for remediating the vulnerabilities in your environment, you MUST prioritize the issues that cause the most risk to your IT environment.”
- Clay Keller, Wal-Mart InfoSec

“With the enormous amounts of data available, mining it — regardless of its source — and turning it into actionable information is really a strategic necessity, especially in the world of security.”
- Chris Hoff, Juniper Networks

SaberMetrics for InfoSec?

Example Use Case 1: HD Moore’s Law (Josh Corman), aka the Security Mendoza Line
“Compute power grows at the rate of doubling about every 2 years.”
“Casual attacker power grows at the rate of Metasploit.”

Example Use Case 2: Predicting Vulnerability (or even breach)
• Key Attributes
• Trending
• Outcomes

Example Use Case 3: CVE Trending Analysis
Gunnar’s Debt Clock

Example Use Case 4: Targets of Opportunity?
My (vuln posture X threat activity) / (other vuln posture X other threat activity)

That’s So Meta
Table Stakes: data aggregation is necessary for everything we do
• Correlation, Normalization, De-Duplication
• Full risk views down the entire technology stack

Putting The Robots To Work
• Assembly Line Workflow
• Bulk Ticketing & Bug Tracking Integration
• Automated Re-Testing
• API “All The Things”

Web Scale Visibility
• How do I know where to deploy my resources?
• What matters when prioritizing remediation?
• What does the threat landscape look like outside of my 4 walls?
• How do I compare to peers?

Integrating Disparate Solutions

VA Products
• Dynamic Application
• Network & Host
• Static Analysis
• Manual Assessments

Remediation
• Trouble Ticketing
• Bug Tracking
• Configuration Management
• Patch Management

Centralizing the Data
Sources feeding the RiskDB:
• Network Vulnerability Scanners
• Database Vulnerability Scanners
• Internal Remediation Systems
• Static Analysis Tools
• Application Vulnerability Scanners
• Pentesters / Professional Services

Your Data, Your Way
• Predefined and Custom Security Metrics
• Filter by Hundreds of Attributes and Metadata
• Real-World Vulnerability Trending
• Custom Fields
• Full Featured RESTful API
• Auto-Flagging based on “in the wild” Attack Traffic
• Benchmarking Across Industries
• Predictive Analytics & Machine Learning
• Security && Ops, NOT Security || Ops
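The deck's Use Case 4 ratio, its table-stakes de-duplication and its auto-flagging from in-the-wild attack traffic can be tied together in a small scorer. The following is an added illustration, not code from the deck or from Risk I/O; the scanner names, findings, CVE identifiers and threat-feed counts are all constructed.

```python
# Added example (not from the deck or Risk I/O); all data below is constructed.

# Constructed findings from two hypothetical scanners; the (web01, CVE-0000-0001)
# pair is reported twice and must count once after normalization/de-duplication.
FINDINGS = [
    {"scanner": "netscan", "asset": "web01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"scanner": "appscan", "asset": "web01", "cve": "cve-0000-0001", "cvss": 9.8},
    {"scanner": "netscan", "asset": "db01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"scanner": "appscan", "asset": "web02", "cve": "CVE-0000-0003", "cvss": 5.3},
]
# Constructed peer posture, standing in for the deck's "how do I compare to peers".
PEER_FINDINGS = [{"scanner": "netscan", "asset": "p1", "cve": "CVE-0000-0002", "cvss": 7.5}]
# Constructed "in the wild" feed: CVE -> attack events observed per day.
THREAT_ACTIVITY = {"CVE-0000-0001": 120, "CVE-0000-0003": 4}

def dedupe(findings):
    """Normalize to one record per (asset, CVE), keeping the highest CVSS seen."""
    best = {}
    for f in findings:
        key = (f["asset"], f["cve"].upper())
        if key not in best or f["cvss"] > best[key]["cvss"]:
            best[key] = {"asset": key[0], "cve": key[1], "cvss": f["cvss"]}
    return list(best.values())

def flag_in_the_wild(findings, activity):
    """Auto-flag findings whose CVE appears in attack traffic; attach the event count."""
    return [{**f, "activity": activity.get(f["cve"], 0),
             "in_the_wild": f["cve"] in activity} for f in findings]

def posture_score(findings):
    """Vulnerability posture as a simple proxy: sum of CVSS over unique findings."""
    return sum(f["cvss"] for f in findings)

def threat_weight(findings):
    """Threat activity against this posture; floor of 1 so a quiet peer is not /0."""
    return max(1, sum(f["activity"] for f in findings))

def target_of_opportunity(mine, peer):
    """Use Case 4 ratio; > 1 means I am the easier target relative to the peer."""
    return (posture_score(mine) * threat_weight(mine)) / (posture_score(peer) * threat_weight(peer))

def prioritized(findings):
    """Remediation order: in-the-wild first, then by attack activity, then CVSS."""
    return sorted(findings, key=lambda f: (not f["in_the_wild"], -f["activity"], -f["cvss"]))

if __name__ == "__main__":
    mine = flag_in_the_wild(dedupe(FINDINGS), THREAT_ACTIVITY)
    peer = flag_in_the_wild(dedupe(PEER_FINDINGS), THREAT_ACTIVITY)
    print([f["cve"] for f in prioritized(mine)], round(target_of_opportunity(mine, peer), 1))
```

The CVSS sum and the event count are deliberately crude proxies for "vuln posture" and "threat activity"; the point is that the ordering and the ratio change once attack traffic is joined to the de-duplicated scan data.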

Three Distinct Values

Vulnerability Intelligence Platform

Inputs to the RiskDB:
• Vulnerability Scanners
• Static & Binary Analysis
• Ticketing / Bug Tracking
• IPS / WAF
• SIEM
• External Data
• Network Mapping

Analyze & Prioritize:
• Faceted Search
• Knowledge Base
• Custom Dashboards
• Alerting

Vulnerability Intelligence Platform
http://www.risk.io
ed@risk.io
Q&A
