Enemy at the Gates… Why traditional vulnerability management has failed.
AKA “Why hackers don’t give a S*#t”
Agenda
Effective, Scalable #Fullstack Vulnerability Management 2
Vuln Stats Report 2020
Keeping Pace with change
Failed vulnerability Management
Moving the Dial
What is Edgescan?
Edgescan Fullstack Vulnerability Management helps companies to get the most from their vulnerability scanning and management requirements. Edgescan provides unparalleled vulnerability management & system visibility.
Where’s the risk? - 2020 Vulnerability Stats Report
34.78% of all external web application vulnerabilities are a high or critical risk.
40.35% of all internal web application vulnerabilities are a high or critical risk.
4.79% of all public Internet facing network/host layer vulnerabilities discovered were high or critical risk.
Risk is still in the Web/API/Layer 7 space. Focus needs to be on software security, but not exclusively!!
RISK DENSITY – INFRASTRUCTURE VS LAYER 7
MOST COMMON VULNERABILITIES ACROSS THE FULL STACK 2019
Crypto issues still very common
XSS a common problem
Exposed data/disclosure
Patching/Maintenance
Clustering of CVE’s
CVE’s per Asset
What’s a CVE?? Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.
The old jokes are the best…..
Age Vs % of CVE’s
Oldest CVE: CVE-1999-0517, SNMP community name is the default (e.g. public), null, or missing. (CVSS 7.5)
Most common CVE: CVE-2016-2183, DES and Triple DES ciphers, Sweet32 attack. (CVSS 7.5)
Size doesn't matter….(phew what a relief!!!)
• For small organisations (with 11-100 staff) we can see the combined Medium + High + Critical Risk % of all vulnerabilities is 4.1%.
• For larger organisations, the risk density is largely similar, i.e. for organisations with 100+ staff, a similar risk density profile can be found.
• So organisation size does not appear to change risk posture.
• Question: is the ratio of security team(s) size to the volume of assets to be secured a more useful metric?
RISK DENSITY BY ORGANISATION SIZE
Keeping Pace with Change
Cyber Security: Keeping Pace with Change
Change occurs when:
A system does not change: over time critical vulnerabilities are discovered and patches are released. Yesterday I was secure; today I have a Critical Risk. Need to patch/redeploy.
A system changes: new features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches.
Change gives rise to Risk.
Keeping pace: On-demand, Continuous, Integration, Fullstack.
Traditional tool-based/consultant-based approaches have failed to keep pace.
Cyber Security: Keeping Pace with Change
Penetration Testing
Manual assessment of a system, coupling the use of automated tools, scripts and expertise.
• Strengths: Logical issues. Accurate / (should be) false positive free. Complex exploits, Support.
• Weaknesses: Not scalable, Expensive, Not on-demand, Does not fit with DevOps etc. Point-in-time scan. No Metrics??!
Vulnerability Management
Automation: software testing software.
• Strengths: Scale/Volume, On-demand, DevOps.
• Weaknesses: Accuracy, Risk Rating, Coverage, Depth (Logical vulnerabilities). Requires expertise to validate output. Metrics are poor, require multiple tools.
Hybrid
Automation augmented with expertise.
• Strengths: Complex issues, Logical exploits, False positive free, Scale/Volume, On-demand, DevOps, Accuracy, Coverage, Metrics, Support.
Why is traditional Vulnerability Management Failing?
• Reliance on software to test software (scanners) alone is folly! Scanners alone don’t work.
• Automation accuracy is not as strong as human accuracy. Our attackers are humans.
• Scale vs Depth: scanners do scale, humans “do” depth. Our enemies do depth every time and are focused.
• Change is constant: consultant-based security does not keep pace with change. Our enemies love change.
What vulnerability management should look like…
On-demand: Assurance of coverage & depth of testing on demand, for DevOps, the Security Team and the deployment process.
Continuous & Accurate: Continuous assessments detecting and validating new vulnerabilities all the time. Good for: Metrics, Risk lifecycle tracking, TTR Metrics, Root Cause, etc.
Integration: Continuous flow of validated vulnerability intelligence into your SOC/Bug Tracker/GRC systems: situational awareness.
Fullstack: “Hackers don’t give a S*#t”. Risk can be in web or hosting infrastructure, internal or external systems. Multiple tools for the same purpose? Multiple data sets? No complete picture of risk. We need risk convergence.
Moving the Dial
Visibility
Ports
Services
Live hosts (Web, API’s, etc)
Attack Surface - Exposure
• Vulnerabilities (Infrastructure): CVE
• Vulnerabilities (Unique): Web Application
• Logical Vulnerabilities
"The U.S. Military Doesn't Know How Many Websites It Operates" - Gizmodo (May 2019)
Visibility
Continuous, Frequent, #Fullstack, Asset Profiling
Alerting: What matters to me?
API’s: Do we have any deployed? Where?
New Deployments: Services, Firewalls, Web, API, Servers etc etc…
Common Platform Enumeration, CPE (https://nvd.nist.gov/products/cpe): a “Bill of materials” of components and versions. Instant CVE detection!!
We can’t secure what we don’t know about.
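As an added example (not from the slides or from Edgescan), the component bill of materials above expressed as CPE 2.3 names and matched against a constructed CVE feed, including the "delta" alert for the earlier scenario where the asset does not change but a new CVE is published overnight; vendor, product and CVE ids are placeholders, and the version-range logic is simplified from what the NVD feed actually carries.

```python
"""Bill of materials (CPE) to CVE matching with a day-over-day delta alert.
Constructed demo; not Edgescan code. Vendor/product/CVE ids are placeholders."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One bill-of-materials entry for an asset (vendor/product/version)."""
    vendor: str
    product: str
    version: str

    def cpe23(self) -> str:
        # CPE 2.3 formatted string; 'a' = application part. Fields after
        # version are the '*' (ANY) wildcard. Real names need escaping of
        # special characters, which the demo omits.
        return f"cpe:2.3:a:{self.vendor}:{self.product}:{self.version}:*:*:*:*:*:*:*"


@dataclass(frozen=True)
class CveRecord:
    """Simplified feed entry. NVD entries carry CPE match ranges
    (versionStartIncluding/versionEndExcluding); this keeps one upper bound."""
    cve_id: str
    cvss: float
    vendor: str
    product: str
    fixed_in: str  # versions strictly below this are affected


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only (e.g. '1.0.2'); enough for the demo."""
    return tuple(int(p) for p in v.split("."))


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "None"


def is_affected(comp: Component, cve: CveRecord) -> bool:
    return (comp.vendor == cve.vendor and comp.product == cve.product
            and parse_version(comp.version) < parse_version(cve.fixed_in))


def match_bom(bom: list[Component], feed: list[CveRecord]) -> dict[str, list[str]]:
    """Map each component's CPE name to the sorted CVE ids that apply to it."""
    findings: dict[str, list[str]] = {}
    for comp in bom:
        hits = sorted(c.cve_id for c in feed if is_affected(comp, c))
        if hits:
            findings[comp.cpe23()] = hits
    return findings


def new_findings(before: dict[str, list[str]], after: dict[str, list[str]]) -> list[tuple[str, str]]:
    """The delta: (cpe, cve_id) pairs present after but not before."""
    seen = {(cpe, cve) for cpe, cves in before.items() for cve in cves}
    return sorted((cpe, cve) for cpe, cves in after.items()
                  for cve in cves if (cpe, cve) not in seen)


def high_or_critical_share(findings: dict[str, list[str]], feed: list[CveRecord]) -> float:
    """Share of matched CVEs rated High or Critical (the stats-report metric)."""
    by_id = {c.cve_id: c for c in feed}
    ids = [cve for cves in findings.values() for cve in cves]
    if not ids:
        return 0.0
    hi = sum(1 for i in ids if severity(by_id[i].cvss) in ("High", "Critical"))
    return hi / len(ids)


# Constructed sample data: names and CVE ids are placeholders, not real entries.
BOM = [
    Component("examplevendor", "widgetlib", "1.0.2"),
    Component("examplevendor", "authgw", "3.4.0"),
    Component("othervendor", "logfmt", "2.1.0"),
]
FEED_DAY1 = [
    CveRecord("CVE-0000-0001", 5.3, "examplevendor", "widgetlib", "1.0.3"),
    CveRecord("CVE-0000-0002", 9.8, "examplevendor", "authgw", "3.3.9"),  # already fixed
]
# Day 2: nothing deployed changed, but a new critical CVE was published.
FEED_DAY2 = FEED_DAY1 + [
    CveRecord("CVE-0000-0003", 9.1, "othervendor", "logfmt", "2.2.0"),
]


def run_demo() -> tuple[dict[str, list[str]], dict[str, list[str]], list[tuple[str, str]]]:
    day1 = match_bom(BOM, FEED_DAY1)
    day2 = match_bom(BOM, FEED_DAY2)
    return day1, day2, new_findings(day1, day2)


if __name__ == "__main__":
    d1, d2, delta = run_demo()
    print("day 1:", d1)
    print("day 2:", d2)
    for cpe, cve in delta:
        print(f"ALERT new finding {cve} on {cpe}")
```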
2. Patching
Consider:
Automated Component Patch Management: NuGet, CHEF,…
Automated Configuration Management: Puppet
96% of applications contain open source components.
57% of code is open source in an average codebase. - Black Duck
3. Secure Application Development
It’s all just software
The 2020 Verizon DBIR also highlighted a year-over-year two-fold increase in web application breaches, to 43 percent. [DBIR]
Not just pushing left; we need to push in both directions. E.g. a system is live and nothing changes, but it might be vulnerable tomorrow.
Push Left: Prevention. Catch early.
Push Right: Detection, Vigilance.
Even the risk profile of a static system can change. Today’s secure environment is at risk tomorrow via a vulnerability we’re not aware of yet.
Push Left: Enable and assist developers to build and deploy secure code and systems.
Push Right: Detect “the next CVE” and also mop up anything that we missed in pre-prod.
Augment, not replace
Toolchains are great….
Automation: wherever we can, but not at the cost of accuracy.
Tools are dumb; risk is human.
Speed vs Accuracy, Fast or Secure: can we have both?
We’re protecting our systems against breach by humans, not scanners, right!!
Finally….Don’t sweat the 0-days
Thanks!!
Eoin Keary
eoin@bccriskadvisory.com
@edgescan
www.edgescan.com
One login enemy at the gates
Editor's Notes
  1. New feature in the DBIR (open ports): ports that offer the most value with the least effort. Telnet is the most searched for, followed closely by 445; further down is 1433 (honeypot events vs internet scans). 445 is used in DDoS attacks. Malware is involved in a large number of breaches; malware leverages vulnerabilities.
  2. Attack surface identification / continuous visibility: define and describe. Even if your code doesn’t change, the ground beneath your feet can change (infrastructure, source code, components), which can make you vulnerable all of a sudden. Map your attack surface. Continuous visibility. Visibility and alerting on the delta. Automatic discovery. A high proportion of most enterprises don’t know what they have; for API’s it is even worse.
  3. Don’t have to be sad
  4. The DBIR shows that web app hacking is still significant in breaches. Pushing-left paradigm: not just pushing left, need to push in both directions. E.g. a system is live, nothing changes, but it might be vulnerable tomorrow. Push left and right.