One login enemy at the gates
1. Enemy at the Gates… Why traditional vulnerability management has failed.
AKA “Why hackers don’t give a S*#t”
2. Agenda
Effective, Scalable #Fullstack Vulnerability Management 2
Vuln Stats Report 2020
Keeping Pace with Change
Failed Vulnerability Management
Moving the Dial
3. What is Edgescan?
Edgescan Fullstack Vulnerability Management helps companies to get the most from their vulnerability scanning and management requirements. Edgescan provides unparalleled vulnerability management & system visibility.
4. Where’s the risk? - 2020 Vulnerability Stats Report
34.78% of all external web application vulnerabilities are a high or critical risk.
40.35% of all internal web application vulnerabilities are a high or critical risk.
4.79% of all public Internet-facing network/host layer vulnerabilities discovered were high or critical risk.
Risk is still in the Web/API/Layer 7 space.
Focus needs to be on software security, but not exclusively!!
RISK DENSITY – INFRASTRUCTURE VS LAYER 7
5. MOST COMMON VULNERABILITIES ACROSS THE FULL STACK 2019
Crypto issues still very common
XSS a common problem
Exposed data/disclosure
Patching/Maintenance
6. Clustering of CVEs
CVEs per Asset
What’s a CVE?? Common Vulnerabilities and Exposures (CVE) is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures.
7. The old jokes are the best…..
Age Vs % of CVEs
Oldest CVE: CVE-1999-0517, SNMP community name is the default (e.g. public), null, or missing. (CVSS 7.5)
Most common CVE: CVE-2016-2183, DES and Triple DES ciphers, Sweet32 attack. (CVSS 7.5)
8. Size doesn't matter….(phew what a relief!!!)
• For small organisations (with 11-100 staff) we can see the combined Medium + High + Critical Risk % of all vulnerabilities is 4.1%.
• For larger organisations, the risk density is largely similar, i.e. for organisations with 100+ staff a similar risk density profile can be found.
• So organisation size does not appear to change risk posture.
• The question is whether the ratio of security team(s) size to the volume of assets to be secured is a more useful metric?
RISK DENSITY BY ORGANISATION SIZE
9. Keeping Pace with Change
10. Cyber Security: Keeping Pace with Change
Change occurs when:
A system does not change: Over time critical vulnerabilities are discovered. Patches are released. Yesterday I was secure, today I have a Critical Risk. Need to patch/redeploy.
When a system changes: New features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches..
Change gives rise to Risk.
Keeping pace: On-demand, Continuous, Integration, Fullstack.
Traditional tool-based/consultant-based approaches have failed to keep pace.
11. Cyber Security: Keeping Pace with Change
Penetration Testing
Manual assessment of a system. Couples the use of automated tools, scripts and expertise.
• Strengths: Logical issues. Accurate / (should be) false-positive free. Complex exploits. Support.
• Weaknesses: Not scalable. Expensive. Not on-demand. Does not fit with DevOps etc. Point-in-time scan. No Metrics??!
Vulnerability Management
Automation: software testing software.
• Strengths: Scale/Volume, On-demand, DevOps.
• Weaknesses: Accuracy, Risk Rating, Coverage, Depth (logical vulnerabilities). Requires expertise to validate output. Metrics are poor, require multiple tools.
Hybrid
Automation augmented with expertise.
• Strengths: Complex issues, Logical exploits, False-positive free, Scale/Volume, On-demand, DevOps, Accuracy, Coverage, Metrics, Support.
12. Why is traditional Vulnerability Management Failing?
• Reliance on software to test software (scanners) alone is folly! – Scanners alone don’t work.
• Automation accuracy is not as strong as human accuracy – Our attackers are humans.
• Scale vs Depth – Scanners do scale, humans “do” depth. – Our enemies do depth every time and are focused.
• Change is constant – Consultant-based security does not keep pace with change. – Our enemies love change.
13. What vulnerability management should look like…
On-demand: Assurance of coverage & depth of testing on demand. – DevOps, Security Team, Deployment process.
Continuous & Accurate: Continuous assessments detecting and validating new vulnerabilities all the time.
Good for: Metrics, Risk lifecycle tracking, TTR Metrics, Root Cause etc etc.
Integration: Continuous flow of validated vulnerability intelligence into your SOC/Bug Tracker/GRC systems – Situational awareness.
Fullstack: “Hackers don’t give a S*#t”. Risk can be in web or hosting infrastructure, internal or external systems. Multiple tools for the same purpose? Multiple data sets? No complete picture of risk. We need risk convergence.
16. Visibility
Ports
Services
Live hosts (Web, APIs, etc)
Attack Surface - Exposure
Vulnerabilities (Infrastructure): CVE
Vulnerabilities (Unique) – Web Application
Logical Vulnerabilities
"The U.S. Military Doesn't Know How Many Websites It Operates" - Gizmodo (May 2019)
17. Visibility
Continuous – Frequent – #Fullstack – Asset Profiling
Alerting – What matters to me?
APIs – Do we have any deployed? Where?
New Deployments: Services, Firewalls, Web, API, Servers etc etc…
Common Platform Enumeration (CPE): https://nvd.nist.gov/products/cpe
“Bill of materials.” Components, Versions - Instant CVE detection!!
We can’t secure what we don’t know about.
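The “alerting on what matters to me” and “new deployments” points above come down to diffing successive discovery snapshots and escalating only the new exposure. The Python below is an added example, not Edgescan’s code: the snapshot shape (host to port/service map), the sample hosts and the HIGH_INTEREST service set are all constructed assumptions.

```python
"""Attack-surface delta alerting: diff two discovery snapshots, alert on new exposure.
Added example, not Edgescan's code; snapshot format (host -> {port: service}) and data
are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed snapshots: yesterday's and today's discovery results for the same estate.
YESTERDAY = {
    "10.0.0.5": {22: "ssh", 443: "https"},
    "10.0.0.9": {443: "https"},
}
TODAY = {
    "10.0.0.5": {22: "ssh", 443: "https", 3389: "rdp"},  # new service exposed
    "10.0.0.9": {443: "https", 8443: "https-api"},       # new API endpoint
    "10.0.0.12": {80: "http"},                           # newly discovered host
}
# Services whose appearance "matters to me": escalate regardless of which host exposes them.
HIGH_INTEREST = {"rdp", "telnet", "smb", "mssql"}

@dataclass
class Delta:
    new_hosts: set = field(default_factory=set)
    removed_hosts: set = field(default_factory=set)
    new_services: dict = field(default_factory=dict)      # host -> {port: service}
    removed_services: dict = field(default_factory=dict)

def diff_snapshots(old, new):
    """Compute what appeared and what disappeared between two snapshots."""
    d = Delta(new_hosts=set(new) - set(old), removed_hosts=set(old) - set(new))
    for host in set(old) & set(new):
        added = {p: s for p, s in new[host].items() if p not in old[host]}
        gone = {p: s for p, s in old[host].items() if p not in new[host]}
        if added:
            d.new_services[host] = added
        if gone:
            d.removed_services[host] = gone
    return d

def alerts(delta, snapshot):
    """Turn a delta into (severity, message) pairs; new exposure is what gets escalated."""
    out = []
    for host in sorted(delta.new_hosts):
        out.append(("medium", f"new host {host} exposing ports {sorted(snapshot[host])}"))
    for host, svcs in sorted(delta.new_services.items()):
        for port, svc in sorted(svcs.items()):
            sev = "high" if svc in HIGH_INTEREST else "medium"
            out.append((sev, f"{host}: new service {svc} on port {port}"))
    for host in sorted(delta.removed_hosts):
        out.append(("info", f"host {host} no longer responding"))
    return out
```

Running alerts(diff_snapshots(YESTERDAY, TODAY), TODAY) yields three alerts; the unchanged ssh and https services on known hosts produce nothing, which is the point of alerting on the delta rather than on the full inventory.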
20. Consider:
Automated Component Patch Management: NuGet, Chef,…
Automated Configuration Management: Puppet
96% of applications contain open source components.
57% of code is open source in an average codebase. - Black Duck
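The CPE “bill of materials” on slide 17 and the open source component figures above describe one mechanism: key every component by vendor, product and version, then check it against a CVE feed with version ranges, and refuse to silently pass components whose version is unknown. The Python below is an added example, not Edgescan’s or NVD’s code; the CPE strings, the feed entries and the CVE-XXXX-000n identifiers are constructed placeholders, and versions are assumed to be dotted numerics.

```python
"""CPE-keyed bill of materials matched against a CVE feed (added example, not Edgescan's or
NVD's code; inventory, feed and CVE-XXXX ids are constructed placeholders)."""

def parse_cpe23(cpe):
    """Split a CPE 2.3 URI into named fields (assumes no escaped ':' inside a field)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 URI: {cpe}")
    keys = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")
    return dict(zip(keys, parts[2:]))

def version_key(v):
    """Dotted numeric version -> tuple for ordering (assumption: numeric components only)."""
    return tuple(int(x) for x in v.split("."))

def affected(component, entry):
    """Does a feed entry apply to this component? Returns 'yes', 'no' or 'unknown'."""
    if (component["vendor"], component["product"]) != (entry["vendor"], entry["product"]):
        return "no"
    if component["version"] in ("*", "-"):
        return "unknown"   # BOM lacks a version: cannot assess, must not silently pass
    v = version_key(component["version"])
    lo, hi = entry.get("start_incl"), entry.get("end_excl")
    if lo and v < version_key(lo):
        return "no"
    if hi and v >= version_key(hi):
        return "no"
    return "yes"

def match_inventory(cpes, feed):
    """cpe -> [(cve id, 'yes'|'unknown')]; entries that do not apply are dropped."""
    report = {}
    for cpe in cpes:
        comp = parse_cpe23(cpe)
        verdicts = [(e["id"], affected(comp, e)) for e in feed]
        report[cpe] = [(i, v) for i, v in verdicts if v != "no"]
    return report

# Constructed inventory and feed; vendor/product names and CVE ids are placeholders.
INVENTORY = [
    "cpe:2.3:a:examplevendor:webfw:2.3.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplevendor:webfw:2.4.0:*:*:*:*:*:*:*",   # first fixed release
    "cpe:2.3:a:othervendor:agent:*:*:*:*:*:*:*:*",         # version not recorded
]
FEED = [
    {"id": "CVE-XXXX-0001", "vendor": "examplevendor", "product": "webfw",
     "start_incl": "2.0.0", "end_excl": "2.4.0"},
    {"id": "CVE-XXXX-0002", "vendor": "othervendor", "product": "agent"},  # all versions
]
```

The 'unknown' verdict is the part worth keeping: an inventory entry without a version is a visibility gap, and reporting it as such is what makes the bill of materials trustworthy.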
22. It’s all just software
The 2020 Verizon DBIR also highlighted a year-over-year two-fold increase in web application breaches, to 43 percent [DBIR].
Not just pushing left, need to push both directions.
Eg: A system is live, nothing changes, but might be vulnerable tomorrow.
23. Push Left: Prevention. Catch Early
Push Right: Detection, Vigilance
Even the risk profile of a static system can change. Today’s secure environment is at risk tomorrow via a vulnerability we’re not aware of yet.
Push Left: Enable and assist developers to build and deploy secure code and systems.
Push Right: Detect “the next CVE” and also mop up anything that we missed in pre-prod.
25. Toolchains are great….
Automation – wherever we can, but not at the cost of accuracy.
Tools are dumb; risk is human.
Speed vs Accuracy, Fast or Secure – can we have both?
We’re protecting our systems against breach by humans, not scanners, right!!
New feature in DBIR (open ports)
Ports that offer the most value with least effort.
telnet: highest searched for, closely followed by 445, further down is 1433 (honeypot events vs internet scans)
445: used in DDoS attacks
Malware involved in a large number of breaches – malware leverages vulns
Attack surface identification / continuous visibility - define and describe.
Even if your code doesn’t change, the ground beneath your feet can change – infrastructure, source code, components - gives rise to you being vulnerable all of a sudden.
Map your attack surface
Continuous Visibility
Visibility and alerting - delta
Automatic Discovery
A high proportion of most enterprises don’t know what they have. APIs, even worse.
Don’t have to be sad
DBIR shows that web app hacking is still significant towards breaches
Pushing left paradigm
Not just pushing left, need to push both directions. Eg system is live, nothing changes but might be vulnerable tomorrow. Push left and right.