measuring risk
play

Measuring Risk Ron Gula NSA Pen Tester Cloud Security Network IDS - PowerPoint PPT Presentation

Aug 29, 2022 •154 likes •458 views

Measuring Risk Ron Gula NSA Pen Tester Cloud Security Network IDS Who is Ron Gula??? Vuln Management Cyber Companies THREAT X VULNERABILITY = RISK THREAT X VULNERABILITY = RISK Out of date browser on server One

  1. Measuring Risk Ron Gula

  2. • NSA Pen Tester • Cloud Security • Network IDS Who is Ron Gula??? • Vuln Management • Cyber Companies

  4. THREAT X VULNERABILITY = RISK

  5. THREAT X VULNERABILITY = RISK

  6. • Out of date browser on server • One server with 10 vulns versus Ten servers with 1 vulns • “Low” and “Medium” vulns

  7. • Severity • Exploit • Asset • Malware • Age • Patch Rollups

  9. EVEN IF WE PATCHED 100% WE STILL HAVE ZERO DAYS

  10. • Patch Management • Vuln Scanners • System Hardening • Network Monitors • EDR & Forensics • Web Proxy • GRC & Compliance • SIEM & Logs • Authentication • Asset Management • IT Provisioning • NAC and Firewall • Procurement

  11. If you know the enemy and know yourself you need not fear the results of a hundred battles.

  12. If you know the enemy and know yourself you need not fear the results of a hundred battles. • Complex OSes • BYOD and Mobile • On-Prem Apps • Cloud Apps • All Users • User Access

  13. If you know the enemy and know yourself you need not fear the results of a hundred battles. • Complex OSes • Vulnerabilities • BYOD and Mobile • Activity Logging • On-Prem Apps • System Configurations • Cloud Apps • Network Monitoring • All Users • Change Detection • User Access • Privileged Access

  15. Can you build a list of all Access Control and Authentication enclaves Can you build a map of all ACLs and enclaves? and access control lists on them?

  16. Can you build a list of all users and their authorized apps?

  17. MONITORING AUDIT

  18. DATA DATA DATA & APPS & APPS & APPS DATA & APPS DATA & APPS DATA & APPS

  19. TELEMETRY Logs, Packets, Flows, Cloud APIs, Auth, Files, .etc LOOK FOR BADNESS NIDS, AV, BOTs, UBA, NBAD, APT, .etc AUDIT FOR GOODNESS Apps, Users, Transactions, Normal

  20. WHY CAN’T WE MODEL RISK? • Periodic & Imperfect Assessments • Imperfect Threat Model • Collection of Data • Lack of standards on “risk”

  21. RISK MEASURING ENABLES • Better Security Policy • Better Security Budgets • Fact based Security WHAT IS THE #1 THING?

  22. FRAMEWORKS • Vendor Neutral • Cross-Organizational • Prescriptive • Written by Pen Tests & I.R.

  27. CONCLUSIONS Conclusions

  28. CONCLUSIONS Conclusions

  29. CONCLUSIONS Conclusions

  30. Questions and Contact Information

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Asset Pricing Chapter IV. Measuring Risk and Risk Aversion June 20, 2006 Asset Pricing 4.1

Asset Pricing Chapter IV. Measuring Risk and Risk Aversion June 20, 2006 Asset Pricing 4.1

4.1 Measuring Risk Aversion 4.2 Interpreting the Measures of Risk Aversion 4.4 Risk Premium and Certainty Equivalence 4.5 Assessing an Investors Level of Relative Risk Aversion 4.6 The Concept of Stochastic Dominance 4.7 Mean Preserving

709 views • 23 slides
2012-03-20 Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS

2012-03-20 Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS

2012-03-20 Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking & Product Management Seminar March 20, 2012 Professor Joseph Ferreira, Jr. and Eric Minikel Measuring per-mile risk for pay-as-

368 views • 15 slides
Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking

Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking

Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking & Product Management Seminar March 20, 2012 Professor Joseph Ferreira, Jr. and Eric Minikel Measuring per-mile risk for pay-as- you-drive

591 views • 43 slides
Measuring Time from Identification of a New Risk to Regulatory Action: Focus on Signaling Tools

Measuring Time from Identification of a New Risk to Regulatory Action: Focus on Signaling Tools

Measuring Time from Identification of a New Risk to Regulatory Action: Focus on Signaling Tools and Processes 06 December 2016 Amie Goulbourne, MPH, MT(ASCP) Safety & Benefit Risk Management (SABR) Biogen, Inc. Disclaimer: The information

119 views • 9 slides
Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head

Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head

Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head Pharmacovigilance and Special Access Branch 11 November 2015 Risk Minimisation Programme You have identified the risks to be mitigated. You have

219 views • 17 slides
Regulatory initiatives for measuring the impact of risk minimisation measures EMA Workshop, 5-6

Regulatory initiatives for measuring the impact of risk minimisation measures EMA Workshop, 5-6

Regulatory initiatives for measuring the impact of risk minimisation measures EMA Workshop, 5-6 December 2016 Dolores Montero Division of Pharmacoepidemiology and Pharmacovigilance Department of Human Medicines Evaluation on the

824 views • 16 slides
Measuring Climate Risk from the Bottom-Up Fossil companies that remain fossil are unattractive

Measuring Climate Risk from the Bottom-Up Fossil companies that remain fossil are unattractive

Measuring Climate Risk from the Bottom-Up Fossil companies that remain fossil are unattractive for investors Henrik Jeppesen, CFA, CAIA Head of Investor Outreach North America Carbon Tracker Initiative June 13, 2018

489 views • 14 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
Measuring Year-to-Year Improvement in Risk-Adjusted Outcome Measures: Filling a Methods Gap

Measuring Year-to-Year Improvement in Risk-Adjusted Outcome Measures: Filling a Methods Gap

Measuring Year-to-Year Improvement in Risk-Adjusted Outcome Measures: Filling a Methods Gap Academy Health ARM June 27, 2016 1 Funding and Disclosures This work was funded by a contract with the Centers for Medicare & Medicaid

745 views • 27 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

806 views • 42 slides
Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Technische Universitt Mnchen Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets Using the Expected Systemic Shortfall (ESS) Indicator Lahmann / Kaserer (2011) 11 th Annual Bank Research

207 views • 20 slides
Give me $ 1M Give me $ 1M -$ 3M -$ 10M Quantifying Risk QCon SF 2019 Markus De Shon

Give me $ 1M Give me $ 1M -$ 3M -$ 10M Quantifying Risk QCon SF 2019 Markus De Shon

Give me $ 1M Give me $ 1M -$ 3M -$ 10M Quantifying Risk QCon SF 2019 Markus De Shon (mdeshon@netflix.com) How to Measure anything in Cybersecurity Risk Douglas W. Hubbard & Richard Siersen Measuring and Managing Information Risk

792 views • 41 slides
Measuring Risk QUAN TITATIVE RIS K MAN AGEMEN T IN P YTH ON Jamsheed Shorish CEO, Shorish

Measuring Risk QUAN TITATIVE RIS K MAN AGEMEN T IN P YTH ON Jamsheed Shorish CEO, Shorish

Measuring Risk QUAN TITATIVE RIS K MAN AGEMEN T IN P YTH ON Jamsheed Shorish CEO, Shorish Research The Loss Distribution Forex Example : Loss distribution : Random realizations of r => Portfolio value in U.S. dollars is USD 100 distribution

507 views • 50 slides
MEASURING PRIVACY RISK IN ONLINE SOCIAL NETWORKS Justin Becker, Hao Chen UC Davis May 2009 1

MEASURING PRIVACY RISK IN ONLINE SOCIAL NETWORKS Justin Becker, Hao Chen UC Davis May 2009 1

MEASURING PRIVACY RISK IN ONLINE SOCIAL NETWORKS Justin Becker, Hao Chen UC Davis May 2009 1 Motivating example College admission Kaplan surveyed 320 admissions offices in 2008 1 in 10 admissions officers viewed applicants online

440 views • 28 slides
Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
Dual Language Learner Pilot Study Progress Update and New Findings First 5 California Commission

Dual Language Learner Pilot Study Progress Update and New Findings First 5 California Commission

Item # 6 Attachment C Dual Language Learner Pilot Study Progress Update and New Findings First 5 California Commission Meeting October 22, 2020 Heather Quick, Karen Manship The American Institutes for Research Dual Language Learner r Pi

349 views • 20 slides
UNDERSTANDING THE RED SEA EXODUS 14-15 1. THE SET UP a. God traps Israel EXODUS 14:1-2 Then

UNDERSTANDING THE RED SEA EXODUS 14-15 1. THE SET UP a. God traps Israel EXODUS 14:1-2 Then

UNDERSTANDING THE RED SEA EXODUS 14-15 1. THE SET UP a. God traps Israel EXODUS 14:1-2 Then the Lord spoke to Moses: Tell the Israelites to turn back and camp in front of Pi- hahiroth, between Migdol and the sea; you must camp in front of

792 views • 43 slides
Reviewing Your Data at Upload: Tools Within the RSR Web System Ryan White Services Report (RSR)

Reviewing Your Data at Upload: Tools Within the RSR Web System Ryan White Services Report (RSR)

Reviewing Your Data at Upload: Tools Within the RSR Web System Ryan White Services Report (RSR) Health Resources and Services Administration HIV/AIDS Bureau March 11, 2020 Welcome to todays Webcast. Thank you so much for joining us today!

763 views • 48 slides
THE CHURCH ON THE MOVE JOLYNN GOWER SPRING 2017 217/493-6151 JGOWER@GUARDINGTHETRUTH.ORG

THE CHURCH ON THE MOVE JOLYNN GOWER SPRING 2017 217/493-6151 JGOWER@GUARDINGTHETRUTH.ORG

THE CHURCH ON THE MOVE JOLYNN GOWER SPRING 2017 217/493-6151 JGOWER@GUARDINGTHETRUTH.ORG WORD FOR THE JOURNEY James 1:21-22 Therefore, putting aside all filthiness and all that remains of wickedness, in humility receive the word

154 views • 12 slides
THE MEANING OF MARRIAGE The Essence of Marriage (Part 1) THE MEANING OF MARRIAGE Love and the

THE MEANING OF MARRIAGE The Essence of Marriage (Part 1) THE MEANING OF MARRIAGE Love and the

3/5/2017 THE MEANING OF MARRIAGE The Essence of Marriage (Part 1) THE MEANING OF MARRIAGE Love and the Piece of Paper Why do we need a piece of paper in order to love one another? I dont need a piece of paper to love you! It only

331 views • 9 slides
Designing Your VMware Virtual Infrastructure for Optimal Performance, Resilience and Availability

Designing Your VMware Virtual Infrastructure for Optimal Performance, Resilience and Availability

Designing Your VMware Virtual Infrastructure for Optimal Performance, Resilience and Availability Straight from the Source Deji Akomolafe VMware David Klee Heraflux Technologies Cody Chapman Heraflux Technologies December

1.11k views • 108 slides
Understanding Complex Developmental Trauma in Children and Adolescents Rashmi Sabu, MD October

Understanding Complex Developmental Trauma in Children and Adolescents Rashmi Sabu, MD October

Understanding Complex Developmental Trauma in Children and Adolescents Rashmi Sabu, MD October , 2015 COMPLEX DEVELOPMENTAL TRAUMA THE TWO CASES OF TRAUMA I. A child of eight is badly mauled by a neighbors pet. The initial attack is

391 views • 27 slides
DCS 530 SECTION ON NATURAL LANGUAGE UNDERSTANDING JAMES ALLEN FALL, 2017 THE HAPPY DOG RAN IN

DCS 530 SECTION ON NATURAL LANGUAGE UNDERSTANDING JAMES ALLEN FALL, 2017 THE HAPPY DOG RAN IN

DCS 530 SECTION ON NATURAL LANGUAGE UNDERSTANDING JAMES ALLEN FALL, 2017 THE HAPPY DOG RAN IN THE FIELD WITH ITS TONGUE HANGING OUT LANGUAGE STRUCTURE AND FUNCTION THE HAPPY DOG RAN IN THE FIELD WITH ITS TONGUE HANGING OUT REFERENCE TO

824 views • 55 slides

More recommend