Predictive Prioritization Focusing On What Matters First Tas Jalali, CISSP, CISM, CEH Principal Security Engineer
Vulnerability Management In Brief A Assess – Legacy and A Modern Assets Remediate – Intelligent R Prioritization M R Manage – Measure M
Predictive Prioritization 3
Prioritization Is Critical Critical Critical High High Medium Risk-Driven Scoring Medium Low Low CVSS Cyber Exposure Score (risk-based) 4
THE THREE KEY QUESTIONS A R M Where are Where should How are we we we prioritize reducing exposure exposed? based on risk? over time ? 5
Number of Vulnerabilities During the Past Decade VULNERABILITIES DISCOVERED EACH YEAR 18000 16000 16555 14714 14000 12000 10000 8000 7946 6000 6610 6520 6484 6447 5632 5736 5297 5191 4935 4000 4652 4155 Source: NVD 2000 2451 894 1020 1677 2156 1527 1085 0 199920002001200220032004200520062007200820092010201120122013201420152016201720182019
16,500 VULNERABI LI TIES DISCLOSED IN 2018 7% 63% 12% of vulnerabilities had of vulnerabilities discovered of vulnerabilities disclosed in an exploit available in environments 2017 are CVSS 7+ were CVSS 9+ 7
IF EVERYTHING IS IMPORTANT – NOTHING IS 59% High or Critical Vulnerability Intelligence Report Tenable Research 8
Number of Vulnerabilities During the Past Decade * Gartner Market Guide for Vulnerability Assessment, Craig Lawson, Prateek Bhajanka, June 19, 2018
HAYSTACK GETTING BIGGER HARDER TO FIND THE NEEDLES - 1,500 vulnerabilities with exploits published - 28 exploitable vulnerabilities every week. Vulnerability Intelligence Report Tenable Research 10
REDUCING THE BURDEN - DRAMATICALLY Research Insights 97% Data science based analysis of over 109,000 vulnerabilities to differentiate between the real and theoretical risks vulnerabilities pose PREDICTIVE Threat Intelligence 11 PRIORITIZATION Insight into which vulnerabilities are actively Reduction in vulnerabilities being exploited by both targeted and to be remediated with the same opportunistic threat actors . impact to the attack surface Vulnerability Rating The criticality, ease of exploit and attack vectors associated with the flaw.
SOME OF WHAT’S IN THE MODEL • CVE Age • Distinct days with cyber exploits • Days since last ExploitDB entry • No. Words in NVD Description • Days since last cyber exploit • Days since first ExploitDB entry • Days Since NVD Last Modified • Total cyber exploit events • Days since last Metasploit entry • Number of References • Days since first cyber exploit • Total ExploitDB entries • CVSS v3 Base Score • Days since last cyber attack • Total Metasploit entries • CVSS v3 Exploitability Score • CVSS v3 Impact Score • Total Affected Software • CWE 13
VPR INSIGHT - 70 DAYS PRIOR TO CVSS SCORE VPR CVSS Linux Kernel Flaw 14
A DATA SCIENCE APPROACH UNDERSTANDING THE MODEL 150 different aspects in 7 feature groups ▪ Past threat pattern ▪ Past hostility ▪ CVSS ▪ Vulnerable software ▪ NVD ▪ Exploit code ▪ Past threat source Over 109,000 vulnerabilities tracked Forecast probability of exploit in near term future Updated daily
Identify What Matters 3%-5% Dynamic Prioritization
§ T The attack surface is expanding § AS MO M ICS/SCADA A Industrial IoT Enterprise IoT IoT EX § HI Cloud Container Cloud E TR HA Web app Virtual machine Mobile Laptop W GR IT Server Desktop Network infrastructure 17
§ T Creating a Cyber Exposure Gap ADDIT CY C AN ICS/SCADA Industrial IoT Enterprise IoT IoT § P P T Cloud Container Cloud N C AS Web app Virtual machine Mobile Laptop T SE IT Server Desktop Network infrastructure 18
19 Your Cyber Exposure Command Center Identify Business Context Prioritize Visualizations of the entire Benchmark by combining Advanced risk-based exposure modern attack surface to allow vulnerability data with asset scoring weighs vulnerabilities, anyone, from analyst to business criticality and threat threats, asset value and location, executive, to quickly understand context and focus on the issues providing clear guidance about and explore their organization’s that matter most to the business what to focus on Cyber Exposure Company Confidential: Do Not Distribute
Summary Address Longstanding VM Challenges Provide Greater Business Value ü Vulnerability overload ü Improve decision making ü Lack of visibility into global assets and Cyber ü Business context for vulnerability Exposure management ü Lack of quantitative approach to prioritize ü Present security information in business remediation & Measure reduction in Cyber terms Exposure
KEY QUESTIONS ü How many vulnerabilities do you deal with every month? ü Do you patch every vulnerability? ü What does that cost your organization? ü How do you prioritize? ü Do you use threat intelligence? ü Could staff be more efficient? 21
Thank You
Recommend
More recommend
