
RSA 2017 - Predicting Exploitability - With Predictions

Data-driven decision making can be retrospective, real-time, or predictive. We use Amazon Machine Learning to predict the probability that a vulnerability will become exploited, using only the data available when the vulnerability is released.


  1. PREDICTING EXPLOITABILITY @MROYTMAN
  2. “Prediction is very difficult, especially about the future.” - Niels Bohr
  3. 3 Types of “Data-Driven”
  4. PROBLEM: Too many vulnerabilities. How do we derive risk from vulnerability in a data-driven manner?
  5. EXPLOITABILITY: 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  6. EXPLOITABILITY: 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  7. Retrospective: Temporal Score Estimation, Analyst Input, Vulnerability Researchers, Augmenting Data, Vulnerability Management Programs
  8. EXPLOITABILITY: 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  9. ATTACKERS ARE FAST
  10. [Chart] Positive Predictive Value of remediating a vulnerability with property X. Y axis: Breach Probability (%), 0 to 35. Properties compared: CVSS 10, EDB, MSP, EDB+MSP.
  11. DATA OF FUTURE PAST. Q: “Of my current vulnerabilities, which ones should I remediate?” A: Old ones with stable, weaponized exploits.
  12. FUTURE OF DATA PAST. Q: “A new vulnerability was just released. Do we scramble?” A:
  13. EXPLOITABILITY: 1. RETROSPECTIVE 2. REAL-TIME 3. PREDICTIVE
  14. Machine Learning?
  15. Enter: AWS ML
  16. 70% Training, 30% Evaluation Split. N = 81303. All Models: L2 regularizer, 1 GB, 100 passes over the data. Receiver operating characteristics for comparisons.
  17. Model 1: Baseline. Features: CVSS Base, CVSS Temporal, Remote Code Execution, Availability, Integrity, Confidentiality, Authentication, Access Complexity, Access Vector, Publication Date.
  18. LMGTFY:
  19. Moar Simple?
  20. Model 2: Patches. Features: all of Model 1, plus Patch Exists.
  21. Model 3: Affected Software. Features: all of Model 2, plus Vendors, Products.
  22. Model 4: Words! Features: all of Model 3, plus Description, Ngrams 1-5.
  23. Model 5: Vulnerability Prevalence. Features: all of Model 4, plus Vulnerability Prevalence, Number of References.
  24. Moar Simple?
  25. Moar Simple?
  26. Exploitability
  27. Future Work: Track Predictions vs. Real Exploits; Integrate 20+ BlackHat Exploit Kits (FP reduction?); Find better vulnerability descriptions, mine advisories for content? (FN reduction?); Predict Breaches, not Exploits; Attempt Models by Vendor; There are probably two exploitation processes here.
  28. PREDICTIONS. These will have exploits in 2017: 1. CVE-2017-0003 (Sharepoint Enterprise Server, Word 2016) 2. CVE-2017-2963 (Adobe Acrobat Reader) 3. CVE-2016-7256 (Windows Server 2008, 2012, 2016; Windows 7, 8, 10)
  29. Scan Data Is Overwhelming; Finding Vulnerabilities – Needlessly Difficult; Impossible to Know What to Prioritize; Not Integrated with Threat Intelligence; Communication Is Painful—No Single Pane of Glass Suits All Stakeholders
  30. How Kenna Works: Exploit Intel (10+ Threat Feeds), Enterprise (21+ Connectors); stakeholders: CISO, Sec Ops, IT Ops
  31. Thanks! @MROYTMAN
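Slide 16's evaluation setup (70/30 split, L2-regularized model, 100 passes over the data, ROC comparison) and the Model 1 vs. Model 2 feature comparison, as an added stand-alone example; this is not the talk's code or AWS ML, and the vulnerability records, the label-generating rule, the feature columns, and the `train`/`roc_auc`/`evaluate` helpers are all constructed here for illustration.

```python
import math
import random

# Feature vector per vulnerability, all known at publication time: [CVSS base/10, CVSS temporal/10, RCE flag, patch-exists flag]
BASE, TEMPORAL, RCE, PATCH = 0, 1, 2, 3

def make_records(n, seed=0):
    # Constructed sample data (not the talk's 81303 records); exploits favour high-CVSS, unpatched RCE bugs.
    rng = random.Random(seed)
    recs = []
    for _ in range(n):
        base = rng.uniform(2.0, 10.0)
        temporal = base * rng.uniform(0.8, 1.0)
        rce = rng.random() < 0.3
        patch = rng.random() < 0.6
        logit = 0.6 * (base - 6) + 1.5 * rce - 2.5 * patch - 1.0
        label = 1 if rng.random() < 1 / (1 + math.exp(-logit)) else 0
        recs.append(([base / 10, temporal / 10, float(rce), float(patch)], label))
    return recs

def sigmoid(z):
    return 1 / (1 + math.exp(-z))

def train(recs, cols, l2=0.01, lr=0.1, passes=100, seed=0):
    # Logistic regression fitted by SGD with an L2 penalty, using only the feature columns in `cols`.
    rng, data = random.Random(seed), list(recs)
    w, b = [0.0] * len(cols), 0.0
    for _ in range(passes):
        rng.shuffle(data)
        for x, y in data:
            xs = [x[c] for c in cols]
            g = sigmoid(sum(wi * xi for wi, xi in zip(w, xs)) + b) - y
            w = [wi - lr * (g * xi + l2 * wi) for wi, xi in zip(w, xs)]
            b -= lr * g
    return w, b

def roc_auc(scores, labels):
    # Area under the ROC curve: probability that a random positive outranks a random negative (ties count half).
    pos = [s for s, y in zip(scores, labels) if y]
    neg = [s for s, y in zip(scores, labels) if not y]
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))

def evaluate(cols, n=3000, train_frac=0.7, seed=0):
    # 70/30 split: fit on the first 70%, report ROC AUC on the held-out 30%.
    recs = make_records(n, seed)
    cut = int(n * train_frac)
    w, b = train(recs[:cut], cols)
    scores = [sigmoid(sum(wi * x[c] for wi, c in zip(w, cols)) + b) for x, _ in recs[cut:]]
    return roc_auc(scores, [y for _, y in recs[cut:]])
```

`evaluate([BASE, TEMPORAL, RCE])` gives the Model 1 style baseline AUC and `evaluate([BASE, TEMPORAL, RCE, PATCH])` the Model 2 style AUC, so the two can be compared on the same held-out set as the slides do across models.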
