Vulnerability Risk management for everyone
theopenNet
• mobilize technical Internet community
• provide technical expertise
• talk to other stakeholders
Why bother
Risk Management is the essence and purpose of all Information Security activities. Everything you do for Information Security is some kind of risk management!
Who cares?
• 60% of respondents stated company executives are only “somewhat” to “not at all” informed about the risk posed to their business from today’s security threats
(NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)
What is risk management
• GRC: Governance, Risk management and Compliance
• Stage 0: ad hoc
• Stage 1: missing! (a lot of bad stuff happens just here)
• Stage 2: compliance driven (things that cannot be ignored)
Nature of risk management gap
• Cultural (“It is compliance-driven stuff, we do not care, we have business to do”)
• Financial (“Only wealthy companies can afford this”)
• Technological (“We have no resources to waste on your complicated toys”)
Measurement: Quantitative?
Risk = Impact ($) * Probability
Both variables are mostly unknown; probability [illegible in source] (means, motive, controls, whatever)
Reliability of data sources is questionable, yet if you present any numbers rather than none it looks more convincing
Measurement: Qualitative?
• Better for decision making
• You may or may not have real quantitative data as input
Google deeper: Cox’s risk matrix theorem
Threat Intelligence
“What’s happening out there?” Understanding risk through external context.
Not just about 0-days and IoCs for IPS/SIEM. Both APT-like actors and opportunistic attackers matter.
Network operators as natural data source for threat intel
Huge coverage. Already have tools (IDS, traffic analysis, DPI, DNS request data, etc.)
Managed security services for customers
Creating effective collaboration
How should a joint CERT work? Anything is always better than nothing. Coordinate, aggregate, analyse and share. Distributed tasks are easier.
Three functions of joint CERT
1. CC: coordinate effort and promote information exchange (here we start!)
2. CSIRT: incident investigation, response and tactical analysis (easier!)
3. SOC: real-time and retrospective event processing (harder!)
Let’s get practical
Why vulnerability management? Most of the breaches involve a vulnerability of some kind
Manageable and measurable (involves less social context; as we know, machines are easy and humans are hard)
Vulnerability Management
• Stage 0: none
• Stage 0.5: [a]periodic scans, huge vulnerability lists, panic and depression (significant human effort is required in this struggle)
• Stage 1: continuous vulnerability management and first attempts to prioritise on the fly (here VM vendors jump in and ask for big $$)
• Stage 2: more or less futile attempt to bring both variables into the risk equation (RM vendors jump in and ask for even more $$)
Why pay premium price
Because it is obviously valuable. And there is (or at least seems to be) no alternative.
51% of organizations are suffering from data overload (and I think many more either have massively incomplete data or do not admit their difficulties)
24% do not know how to prioritize. 22% use CVSS and maybe some internal data. 21% do manual correlation with threat intel. 31% use commercial tools. (NopSec 2016 Outlook: Vulnerability Risk Management and Remediation Trends)
Notable players (VM)
Nessus: one of the best yet cheapest security scanners, but continuous vulnerability management (SecurityCenter) is expensive. Risk management capabilities are limited.
A nice try to integrate threat intelligence and advanced asset management into vulnerability scanning; again, big $$.
As authors of Metasploit, the penetration testing tool, Rapid7 is notable for a highly practical approach to vulnerability management.
Notable players (RM)
An Israeli start-up, first (known to me) attempt to break vendor lock-in for vulnerability risk management. Has connectors to multiple scanners. Starts with $30K or so.
If you are not from Russia, you probably never heard about this one. It’s a shame because the capabilities are impressive.
GRC vendors without specific focus on VM (like RSA etc.) are not listed here for obvious reasons.
Industry’s Dirty Little Secret
As easy as that
• “Continuous vulnerability management” requires a database backend, vulnerability scanner connectors and a few reporting tools. And it is already here (Seccubus project, developed by Schuberg Philis)
• “Vulnerability risk management” requires (surprisingly) an asset management tool with good heuristics to assist evaluation (think hostnames, software inventory, LDAP lookups etc.), a method to integrate environmental factors (firewall configuration, protective tools, ...), possibly threat intelligence data, and vulnerability assessment as is.
• (if you are interested in risk assessment methodology per se, refer to Open Group’s FAIR (*), it is simple)
(*) Factor Analysis of Information Risk
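What "a database backend, scanner connectors and a few reporting tools" amounts to in practice is shown by the following added example; it is not part of the talk and not Seccubus code. It assumes two constructed scanner export formats (a CSV with host,port,plugin,risk,name columns and a JSON document with a "results" list), uses an in-memory dictionary of runs keyed by ISO date in place of a real database, and produces the two reports that make vulnerability management "continuous": the new/fixed/still-open delta between two runs, and how many days each open finding has been present.

```python
"""Scan-delta reporting across runs and scanners (added example, not Seccubus code)."""
import csv
import io
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # the scanner's own identifier for the check that fired
    severity: str   # normalised to low / medium / high / critical
    title: str

    @property
    def key(self):
        # What makes a finding "the same one" from run to run.
        return (self.host, self.port, self.check_id)


# --- scanner connectors (both export formats are constructed for this example) ---

def load_csv_scanner(text: str):
    """Connector for a hypothetical CSV export with columns host,port,plugin,risk,name."""
    return [
        Finding(row["host"], int(row["port"]), row["plugin"], row["risk"].lower(), row["name"])
        for row in csv.DictReader(io.StringIO(text))
    ]


_LEVELS = {1: "low", 2: "medium", 3: "high", 4: "critical"}  # hypothetical numeric scale


def load_json_scanner(text: str):
    """Connector for a hypothetical JSON export that uses numeric severity levels."""
    return [
        Finding(r["ip"], int(r["svc_port"]), r["id"], _LEVELS[int(r["level"])], r["summary"])
        for r in json.loads(text)["results"]
    ]


# --- reporting over the stored runs (dict: ISO date -> list of Finding) ---

def delta(previous, current):
    """Classify findings as new / fixed / open between two runs."""
    prev = {f.key for f in previous}
    cur = {f.key for f in current}
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur), "open": sorted(prev & cur)}


def days_open(runs):
    """Days each finding in the latest run has been continuously present.

    A finding that disappeared and came back is counted from its reappearance,
    so a regression is not hidden behind an old first-seen date.
    """
    dates = sorted(runs)  # ISO date strings sort chronologically
    since = {}
    for d in dates:
        present = {f.key for f in runs[d]}
        since = {k: v for k, v in since.items() if k in present}  # drop fixed ones
        for k in present:
            since.setdefault(k, date.fromisoformat(d))             # start a streak
    latest = date.fromisoformat(dates[-1])
    return {k: (latest - v).days for k, v in since.items()}


# --- constructed sample exports: two runs a week apart ---

CSV_RUN_1 = """host,port,plugin,risk,name
10.0.0.5,443,CHK-1001,High,TLS server uses weak cipher
10.0.0.5,80,CHK-1040,Medium,Missing security headers
10.0.0.7,22,CHK-2002,Medium,SSH weak MAC algorithms
"""

CSV_RUN_2 = """host,port,plugin,risk,name
10.0.0.5,443,CHK-1001,High,TLS server uses weak cipher
10.0.0.7,22,CHK-2002,Medium,SSH weak MAC algorithms
10.0.0.7,445,CHK-3100,Critical,SMB service missing patch
"""

JSON_RUN_2 = '{"results": [{"ip": "10.0.0.9", "svc_port": 8080, "id": "J-77", "level": 3, "summary": "Outdated web framework"}]}'


def build_runs():
    """The second run merges two scanners through their connectors."""
    return {
        "2016-03-01": load_csv_scanner(CSV_RUN_1),
        "2016-03-08": load_csv_scanner(CSV_RUN_2) + load_json_scanner(JSON_RUN_2),
    }


if __name__ == "__main__":
    runs = build_runs()
    for label, keys in delta(runs["2016-03-01"], runs["2016-03-08"]).items():
        print(label, keys)
    for key, age in days_open(runs).items():
        print(key, f"open for {age} days")
```

The identity tuple (host, port, check id) is the design decision that matters: it is what lets the reporting say "fixed" or "still open" instead of handing the analyst a fresh list of everything each week, and it is the field set that a real connector must be able to extract from every scanner it supports.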
How to evaluate vulnerability
Like hackers (well, or pentesters ;-) do!
• The only things you need to know are:
• Is this vulnerability exploitable in your configuration?
• Is there a pre-built exploit for your system available?
• What is the real impact?
• If you know that, you have [illegible in source]; the other parts are the asset value, protective countermeasures and your chances of being attacked.
A real life example
● Winshock (MS14-066) vulnerability
● Unauthenticated RCE in Windows SChannel code
● “Exploits are available”, given top priority by all vulnerability scanners
● Maximum possible CVSS score of 10.0
● Actually no RCE exploits in the wild, just DoS!
Simply put
Traditional vulnerability scanning software scares you into thinking you have an immediate and imminent threat and that you should concentrate your efforts on fixing it. While there actually could be more important things for you to do, because the cost and complexity of the attack is much higher than was implied!
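The following added example puts the three questions above (exploitable in your configuration? pre-built exploit? real impact?), the environmental factors from the "dirty little secret" slide and the Winshock case into one ranking. It is not the talk's code, not Vulners code and not the EACVSS formula (which the talk does not define): the exploit-status weights, the exposure factor and the 1..5 asset value scale are assumptions chosen for illustration. The MS14-066 entry uses only what the talk states (CVSS 10.0, public exploits achieve DoS rather than RCE); the other findings are constructed.

```python
"""Exploit-aware prioritisation of scanner findings (added example, assumed weights)."""
from dataclasses import dataclass
from enum import Enum


class ExploitStatus(Enum):
    """Best known public exploit capability for the vulnerability."""
    NONE = "no public exploit"
    DOS_ONLY = "public exploit achieves only denial of service"
    POC = "proof of concept, unreliable or needs adaptation"
    WEAPONIZED = "reliable exploit available for the target platform"


# Assumed weights (an editorial choice, not the EACVSS formula): how much of
# the CVSS base score the real exploit capability earns back.
EXPLOIT_WEIGHT = {
    ExploitStatus.NONE: 0.2,
    ExploitStatus.DOS_ONLY: 0.4,
    ExploitStatus.POC: 0.7,
    ExploitStatus.WEAPONIZED: 1.0,
}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    cvss_base: float                 # what the scanner reports
    exploit: ExploitStatus           # "is there a pre-built exploit for your system?"
    exploitable_in_our_config: bool  # "is this vulnerability exploitable in your configuration?"
    internet_facing: bool            # environmental factor (firewall configuration, exposure)
    asset_value: int                 # 1 (throwaway) .. 5 (crown jewels), from asset management


def exploit_adjusted_score(f: Finding) -> float:
    """CVSS base scaled by the exploit capability that actually exists.

    A vulnerability that cannot be exploited in our configuration scores 0
    regardless of CVSS: it contributes nothing to the probability term of
    Risk = Impact * Probability.
    """
    if not f.exploitable_in_our_config:
        return 0.0
    return round(f.cvss_base * EXPLOIT_WEIGHT[f.exploit], 2)


def priority(f: Finding) -> float:
    """Exploit-adjusted score weighted by exposure and asset value (0..10)."""
    exposure = 1.0 if f.internet_facing else 0.5
    return round(exploit_adjusted_score(f) * exposure * f.asset_value / 5, 2)


def rank(findings):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)


def sample_findings():
    """Winshock as described in the talk plus three constructed findings."""
    return [
        # From the talk: CVSS 10.0, "exploits are available" per the scanners,
        # but the public exploits only achieve DoS, not RCE.
        Finding("MS14-066", 10.0, ExploitStatus.DOS_ONLY, True, True, 4),
        # Constructed: lower CVSS but a reliable exploit on an exposed host.
        Finding("CONSTRUCTED-0001", 7.5, ExploitStatus.WEAPONIZED, True, True, 4),
        # Constructed: scary CVSS and a PoC, but the vulnerable service is not
        # reachable in our configuration.
        Finding("CONSTRUCTED-0002", 9.8, ExploitStatus.POC, False, True, 5),
        # Constructed: internal, low-value asset.
        Finding("CONSTRUCTED-0003", 6.5, ExploitStatus.POC, True, False, 2),
    ]


if __name__ == "__main__":
    for f in rank(sample_findings()):
        print(f"{f.vuln_id:18} cvss={f.cvss_base:4.1f} "
              f"adjusted={exploit_adjusted_score(f):5.2f} priority={priority(f):5.2f}")
```

Run as is, the CVSS 10.0 Winshock finding drops to second place behind a CVSS 7.5 finding that has a reliable exploit, and the CVSS 9.8 finding whose service is unreachable in this configuration falls to the bottom, which is the point of the slide: the scanner's severity alone answers none of the three questions.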
Enter Vulners
A search engine for exploits and security bulletins; contains 60K+ exploits to date
Non-profit and free to use
But, wait
● Vulners exploit search is for humans
● No formal definition exists for exploit capabilities
● Time to fix that!
Enter ECDML and EACVSS
● Exploit Capability Definition Markup Language – describe exploit properties via CVE, CPE and supplementary information (CCE, common configuration enumeration, is dead, sorry)
● EACVSS – Exploit Adjusted CVSS – evaluate real exploit capability
Sorry for non-readable text ;-)
Back to risk analysis and FAIR methodology
What’s next
● Augment risk intelligence with Threat Event Frequency
● Implement (mostly) automated risk assessments using FAIR methodology
● That’s where joint CERT could provide extremely valuable information!
Dreams ;-)
How state of the art risk analysis should work
Not covered here
• Advanced vulnerability management issues like detecting and avoiding vulnerability scan gaps, “scannerless” data collection, etc. etc.
• Seccubus implementation and deployment details (ask me if you want to discuss any of those later)
• FAIR methodology in depth
• Privacy issues for threat intel
• Threat intel information exchange formats
Useful links
• http://theopennet.ru
• https://www.vulners.com
• https://www.seccubus.com
Thank you! Questions?