That's So Meta: Gleaning Business Context In The Vulnerability Warehouse
Ed Bellis, HoneyApps
For years businesses have been mining and culling data warehouses to measure every layer
of their business right down to the clickstream information of their web sites. These
business intelligence tools have helped organizations identify points of poor product
performance, highlighting areas of current and potential future demand, key performance
indicators, etc. Imagine if you had a data warehouse covering all of your applications,
infrastructure, logs, vulnerability assessments, incidents, financial information, and
metadata. What could you do with this readily available information? In this talk, Ed will
cover some of the many sources of security data publicly available and how to apply them
to add context to your security data and tools to help make more intelligent decisions. Ed
also points out a number of ways to repurpose information and tools your company is
already using in order to glean a clearer view into your security program and the threats
that may affect it.
3. Nice To Meet You
About Me
CoFounder HoneyApps
Former CISO Orbitz
Contributing Author
Beautiful Security
CSO Magazine/Online Author
HoneyApps
Vulnerability Management as a Service
16 Hot Startups - eWeek
3 Startups to Watch - Information Week
5. Stage 2: Where are all of my vulnerabilities?
Back in my Yahoo days I performed hundreds of web
application vulnerability assessments. To streamline the
workload, I created an assessment methodology consisting
of a few thousand security tests averaging 40 hours to
complete per website. Yahoo had over 600 websites
enterprise-wide. To assess the security of every website
would have taken over 11 years to complete and the other
challenge was these websites would change all the time
which decayed the value of my reports.
Jeremiah Grossman
Founder, WhiteHat Security
6. Stage 3: Scan & Dump or...
“thanks for the 1000 page report,
now what?!”
7. Why This Occurs
Lack of Communication
Lack of Data
Lack of Coordination
Silos, Silos, Everywhere
8. Stage 4: A New Beginning
Or......
Using What You Got!
9. Vulnerability Management: A Case Study
Building the Warehouse
WebApp Vulnerability
Type: XSS
Severity
Threat
Subtype: (persistent,reflected,etc)
Asset URL/URI
Confirmed?
Dates Found/Opened
Dates Closed
Description
Attack Parameters
10. Vulnerability Management: A Case Study
Building the Warehouse
WebApp Vulnerability
  Type: XSS
  Severity
  Threat
  Subtype: (persistent, reflected, etc)
  Asset URL/URI
  Confirmed?
  Dates Found/Opened
  Dates Closed
  Description
  Attack Parameters
Asset:URL
  Platform / Code
  Web Server Version
  Application Server Version
  Database Version
11. Vulnerability Management: A Case Study
Building the Warehouse
WebApp Vulnerability
  Type: XSS
  Severity
  Threat
  Subtype: (persistent, reflected, etc)
  Asset URL/URI
  Confirmed?
  Dates Found/Opened
  Dates Closed
  Description
  Attack Parameters
Asset:URL
  Platform / Code
  Web Server Version
  Application Server Version
  Database Version
Asset:Host
  Host Operating System
  Other Applications/Versions
  IP Addresses
  Mac Address
  Open Services/Ports
13. Vulnerability Management: A Case Study
Meta Data
WebApp Vulnerability
  Type: XSS
  Severity
  Threat
  Subtype: (persistent, reflected, etc)
  Asset URL/URI
  Confirmed?
  Dates Found/Opened
  Dates Closed
  Description
  Attack Parameters
Asset:URL
  Platform / Code
  Web Server Version
  Application Server Version
  Database Version
Asset:Host
  Host Operating System
  Other Applications/Versions
  IP Addresses
  Mac Address
  Open Services/Ports
Meta Data
  Business Unit
  VERIS data
  Internal IP Address
  External IP Address
  Geographic Location
  Development Team
  Network Location
  Ops Team
  Site Name
  Compliance Regulation
  Security Policy
  Asset Group
15. Vulnerability Management: A Case Study
Meta Data
Apply Internal Threat Data
Warehouse fields as on slide 13 (WebApp Vulnerability, Asset:URL, Asset:Host, Meta Data), plus:
Internal Threat Data
  Firewall
  Application
  IDS/IPS
  WAF
17. Vulnerability Management: A Case Study
Meta Data
Apply Internal Threat Data
Apply External Threat Data
Warehouse fields as on slide 13, plus the internal threat data (Firewall, Application, IDS/IPS, WAF) of slide 15.
18. Vulnerability Management: A Case Study
Meta Data
Apply Internal Threat Data
Apply External Threat Data
Example Data Sources
  ❖ DataLossDB
  ❖ Verizon DBIR
  ❖ WHID
  ❖ Trustwave Global Security Report
  ❖ FS-ISAC
  ❖ SANS ISC
  ❖ Veracode State of S/W Security
  ❖ ExploitDB
(Warehouse fields as on slides 13 and 15.)
20. Vulnerability Management: A Case Study
Meta Data
Apply Internal Threat Data
Remediation Statistics
  Internal Bug Tracking Reports
  Denim Group Remediation Study
  Build and Development Process
(Warehouse fields as on slides 13 and 15.)
21. Data Lenses: Views into the Warehouse
Applying Filters To Glean Information
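The warehouse built up across slides 9 to 20 and the filtered views ("lenses") of slide 21, as an added example that is not part of the original deck: a small SQLite version of the schema, populated with constructed sample rows, and two lens queries run over it. The first reports time to fix grouped by business unit or severity (the grouping the speaker notes describe); the second joins open, confirmed findings with the external threat data (is this class being attacked in the wild?), the internal threat data (are sensors seeing probes against this URL?) and the host metadata (which business unit, which regulation, which team) that a triage meeting needs. Table and column names follow the slide labels but are my own choices; the hosts, URLs, findings, teams and hit counts are constructed and do not describe any real system.

```python
import sqlite3

# Schema modelled on the slide labels (assumed names; the deck gives no DDL).
SCHEMA = """
CREATE TABLE asset_host (
    host_id INTEGER PRIMARY KEY, internal_ip TEXT, external_ip TEXT, os TEXT,
    business_unit TEXT, ops_team TEXT, site_name TEXT,
    compliance_regulation TEXT, asset_group TEXT);
CREATE TABLE asset_url (
    url_id INTEGER PRIMARY KEY, host_id INTEGER REFERENCES asset_host(host_id),
    url TEXT, platform TEXT, web_server_version TEXT, app_server_version TEXT,
    database_version TEXT, development_team TEXT);
CREATE TABLE vulnerability (
    vuln_id INTEGER PRIMARY KEY, url_id INTEGER REFERENCES asset_url(url_id),
    type TEXT, subtype TEXT, severity INTEGER, confirmed INTEGER,
    date_found TEXT, date_closed TEXT, description TEXT);
-- external threat data (slide 18): vulnerability classes seen in public sources
CREATE TABLE external_threat (source TEXT, vuln_type TEXT);
-- internal threat data (slide 15): sensor hits aggregated per URL
CREATE TABLE internal_threat (
    url_id INTEGER REFERENCES asset_url(url_id), sensor TEXT, hits INTEGER);
"""

# Constructed sample rows: no real hosts, findings, teams or hit counts.
HOSTS = [
    (1, "10.0.1.10", "203.0.113.10", "Linux", "Retail", "web-ops", "Chicago", "PCI DSS", "customer-facing"),
    (2, "10.0.2.20", "203.0.113.20", "Windows", "Marketing", "corp-it", "Chicago", None, "brochure"),
]
URLS = [
    (1, 1, "https://shop.example.com/checkout", "Java", "Apache 2.2", "Tomcat 6", "MySQL 5.1", "payments"),
    (2, 2, "https://www.example.com/news", "PHP", "Apache 2.2", None, "MySQL 5.1", "web-content"),
    (3, 1, "https://shop.example.com/search", "Java", "Apache 2.2", "Tomcat 6", "MySQL 5.1", "catalog"),
]
VULNS = [  # (id, url, type, subtype, severity, confirmed, found, closed, description)
    (1, 1, "XSS", "reflected", 4, 1, "2011-01-01", "2011-01-11", "q parameter echoed unescaped"),
    (2, 1, "SQL Injection", None, 5, 1, "2011-01-05", None, "order id concatenated into query"),
    (3, 2, "XSS", "persistent", 4, 1, "2011-01-01", "2011-02-10", "comment body stored unescaped"),
    (4, 3, "XSS", "reflected", 3, 0, "2011-02-01", None, "scanner finding, not yet verified"),
    (5, 2, "Information Leakage", None, 2, 1, "2011-01-10", "2011-01-15", "stack trace in error page"),
]
EXTERNAL_THREATS = [("ExploitDB", "SQL Injection"), ("WHID", "SQL Injection"), ("WHID", "XSS")]
INTERNAL_THREATS = [(1, "WAF", 120), (2, "IDS/IPS", 3), (3, "WAF", 0)]


def build_warehouse():
    """Create the in-memory warehouse and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO asset_host VALUES (?,?,?,?,?,?,?,?,?)", HOSTS)
    conn.executemany("INSERT INTO asset_url VALUES (?,?,?,?,?,?,?,?)", URLS)
    conn.executemany("INSERT INTO vulnerability VALUES (?,?,?,?,?,?,?,?,?)", VULNS)
    conn.executemany("INSERT INTO external_threat VALUES (?,?)", EXTERNAL_THREATS)
    conn.executemany("INSERT INTO internal_threat VALUES (?,?,?)", INTERNAL_THREATS)
    return conn


# The join every lens starts from: a finding with its URL, host and metadata.
FINDING_VIEW = """
    FROM vulnerability v
    JOIN asset_url  u ON u.url_id  = v.url_id
    JOIN asset_host h ON h.host_id = u.host_id
"""

# Whitelist of grouping columns, so a column name never comes from user text.
ALLOWED_GROUPS = {"business_unit": "h.business_unit", "severity": "v.severity",
                  "development_team": "u.development_team", "type": "v.type"}


def time_to_fix_by(conn, group):
    """Lens: mean days from found to closed, per group (closed findings only)."""
    col = ALLOWED_GROUPS[group]
    rows = conn.execute(f"""
        SELECT {col}, AVG(julianday(v.date_closed) - julianday(v.date_found))
        {FINDING_VIEW}
        WHERE v.date_closed IS NOT NULL
        GROUP BY {col} ORDER BY 2 DESC""").fetchall()
    return {key: round(days, 1) for key, days in rows}


def exposed_open_findings(conn):
    """Lens: open, confirmed findings whose class appears in the external threat
    data and whose URL the internal sensors show being probed, with the business
    metadata (unit, regulation, owning team) needed to prioritise them."""
    return conn.execute(f"""
        SELECT u.url, v.type, v.severity, h.business_unit, h.compliance_regulation,
               u.development_team, SUM(t.hits)
        {FINDING_VIEW}
        JOIN internal_threat t ON t.url_id = u.url_id
        WHERE v.date_closed IS NULL AND v.confirmed = 1
          AND v.type IN (SELECT vuln_type FROM external_threat)
        GROUP BY v.vuln_id HAVING SUM(t.hits) > 0
        ORDER BY v.severity DESC""").fetchall()


if __name__ == "__main__":
    conn = build_warehouse()
    print("time to fix by business unit:", time_to_fix_by(conn, "business_unit"))
    print("time to fix by severity:", time_to_fix_by(conn, "severity"))
    for row in exposed_open_findings(conn):
        print("exposed:", row)
```

The point of the second lens is the one the deck makes: the scanner alone reports four XSS findings and one SQL injection; only after joining the asset, metadata and threat tables does a single finding stand out (an open, confirmed injection on a PCI-scoped checkout page that the WAF is already seeing probed, owned by a named team). Every lens starts from the same join, so adding a new filter is a matter of adding a WHERE clause, not a new report. The grouping column is taken from a fixed whitelist rather than interpolated from caller input, which is how a reporting layer over the warehouse should be written.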
37. Resources Referenced
Verizon DBIR: http://www.verizonbusiness.com/dbir/
WASC Web App Security Stats: http://projects.webappsec.org/w/page/13246989/Web-Application-Security-Statistics
VERIS Framework: https://www2.icsalabs.com/veris/
FS-ISAC: http://www.fsisac.com/
Denim Group - Real Cost of S/W Remediation: http://www.slideshare.net/denimgroup/real-cost-of-software-remediation
WHID: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database/
SANS Internet Storm Center: http://isc.sans.org/
DataLoss DB: http://datalossdb.org/
XForce: http://xforce.iss.net/
TrustWave Global Security Report: https://www.trustwave.com/GSR
Veracode SOSS: http://www.veracode.com/images/pdf/soss/veracode-state-of-software-security-report-volume2.pdf
ExploitDB: http://www.exploit-db.com/
38. Q&A
follow us
the blog
http://blog.honeyapps.com/
twitter
@risk_io
@ebellis
Speaker notes
Time to Fix by team, by class, by severity, by biz unit, etc, etc
SDLC - Build Schedule - testing process - etc, etc
Tech Remediation Stats from Denim Report - factor in bug tracking reports & build/dev process