Monday, September 21, 2015

Some updates to vuln visualization

A while ago, I posted about Cestus, an internal tool I created to help score the vulnerabilities in my environment. Since then, I've made a few tweaks to it.

Specifically, I've added:

  1. Risk-based adjustment based on host importance.  Some hosts are obviously more important than others: a perimeter-facing, mission-critical box scores higher for the same vulnerability than an internal utility server sitting behind three layers of firewalls.  To do this I had to modify the database and add new fields.  Luckily with SQLite, this was a snap.
  2. Scoring based on the type of vulnerable service.  Vulnerabilities that require local access (such as a browser vuln) score lower on servers than vulnerabilities in an externally reachable service do.  Bonus risk points for an external service discovered on what should be a client box: laptops should not have listening FTP servers on them!
  3. New report on the total number of vulnerabilities and total risk score per host.  Handy for shaming, er, informative reports to asset owners.
  4. New report on the total number of listening services per host.  Good for seeing which boxes leave a large footprint on your networks, and for singling out unusual-looking devices.  Both have proved very "interesting" when reviewed.  Also good to compare against asset master lists to see whether you missed scanning anything.
  5. New report on vulnerabilities grouped by a keyword in the description.  This lets me create useful pie charts of which vendors are causing the most vulnerabilities in our environment.  So far these reports haven't been that revelatory.
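As an added example (not Cestus's own code; the post does not show its schema), here is a small SQLite model of the five changes above: a host table carrying an importance tier and a role, a vuln table carrying whether the flaw needs local access or is reachable over the network, and a service table of listening ports. The table layout, the weights (importance multiplier, exposure multiplier, the bonus for a network service on a client box), the keyword matching via LIKE, and the sample rows are all assumptions of this example rather than anything the tool is known to use.

```python
"""Toy SQLite vuln-scoring model (added example, not Cestus code).
Schema, weights and sample data are assumptions of this example."""
import sqlite3

# Assumed weights: host-importance multiplier (item 1), exposure
# multiplier (item 2) and the bonus for a network-reachable service
# on a machine that should be a client (item 2, "laptops should not
# have listening FTP servers").
IMPORTANCE = {"critical": 3.0, "standard": 1.0, "utility": 0.5}
EXPOSURE = {"remote": 1.0, "local": 0.5}
CLIENT_SERVICE_BONUS = 5.0

SCHEMA = """
CREATE TABLE host (name TEXT PRIMARY KEY, role TEXT NOT NULL,
                   importance TEXT NOT NULL);
CREATE TABLE vuln (host TEXT NOT NULL REFERENCES host(name),
                   description TEXT NOT NULL, base_score REAL NOT NULL,
                   exposure TEXT NOT NULL
                     CHECK (exposure IN ('remote', 'local')));
CREATE TABLE service (host TEXT NOT NULL REFERENCES host(name),
                      port INTEGER NOT NULL, proto TEXT NOT NULL);
"""

# Constructed sample data (not from any real scan).
HOSTS = [("web1", "server", "critical"),
         ("util1", "server", "utility"),
         ("laptop7", "client", "standard")]
VULNS = [("web1", "Apache HTTP Server mod_x overflow", 9.0, "remote"),
         ("web1", "Microsoft IE memory corruption", 8.0, "local"),
         ("util1", "OpenSSH weak cipher", 5.0, "remote"),
         ("laptop7", "Microsoft Office RCE", 7.0, "local"),
         ("laptop7", "vsftpd anonymous login", 6.0, "remote")]
SERVICES = [("web1", 80, "tcp"), ("web1", 443, "tcp"),
            ("util1", 22, "tcp"), ("laptop7", 21, "tcp")]


def build_db():
    """Create an in-memory database and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO host VALUES (?, ?, ?)", HOSTS)
    db.executemany("INSERT INTO vuln VALUES (?, ?, ?, ?)", VULNS)
    db.executemany("INSERT INTO service VALUES (?, ?, ?)", SERVICES)
    return db


def adjusted_score(base, importance, exposure, role):
    """Items 1 and 2: scale the scanner's base score by host importance
    and by exposure; a remotely reachable flaw on a client box gets the
    extra 'why is this listening at all' bonus."""
    score = base * IMPORTANCE[importance] * EXPOSURE[exposure]
    if role == "client" and exposure == "remote":
        score += CLIENT_SERVICE_BONUS
    return score


def risk_per_host(db):
    """Item 3: (vuln count, total adjusted risk) per host."""
    rows = db.execute("""SELECT v.host, v.base_score, v.exposure,
                                h.importance, h.role
                         FROM vuln v JOIN host h ON h.name = v.host""")
    totals = {}
    for host, base, exposure, importance, role in rows:
        n, total = totals.get(host, (0, 0.0))
        totals[host] = (n + 1,
                        total + adjusted_score(base, importance, exposure, role))
    return totals


def services_per_host(db):
    """Item 4: listening-service count per host (LEFT JOIN so a host
    with nothing listening still shows up with 0)."""
    return dict(db.execute("""SELECT h.name, COUNT(s.port)
                              FROM host h LEFT JOIN service s ON s.host = h.name
                              GROUP BY h.name"""))


def unscanned_assets(db, asset_master):
    """Item 4, second use: assets on the master list that never showed
    up in the scan data."""
    scanned = {name for (name,) in db.execute("SELECT name FROM host")}
    return sorted(set(asset_master) - scanned)


def vulns_by_keyword(db, keywords):
    """Item 5: vuln count per vendor keyword found in the description.
    SQLite's LIKE is case-insensitive for ASCII, so 'apache' matches too."""
    return {k: db.execute("SELECT COUNT(*) FROM vuln WHERE description LIKE ?",
                          ("%" + k + "%",)).fetchone()[0]
            for k in keywords}


if __name__ == "__main__":
    db = build_db()
    print("risk per host:", risk_per_host(db))
    print("services per host:", services_per_host(db))
    print("unscanned:", unscanned_assets(db, ["web1", "util1", "laptop7", "db2"]))
    print("by vendor:", vulns_by_keyword(db, ["Microsoft", "Apache", "OpenSSH"]))
```

With these weights the laptop's anonymous FTP finding (6.0 base) ends up scoring 11.0, above the 9.0-base Apache flaw would on a utility server, which is the point of the client-box bonus: the same CVSS number means very different things depending on where it sits. Keyword matching with LIKE is crude (a description that mentions two vendors is counted twice), which is worth keeping in mind before reading much into the pie chart.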

That's all I've got for now.  I'm still working on integrating this into our ongoing threat and IDS data streams.

Friday, September 11, 2015

Siracon 2015

Excited to be presenting at this year's SiraCon in Detroit.

My talk will be "Third Party Risk Assessment Exposed":

You hear things like "The majority of breaches occur as the result of third parties." You see a lot of surveys and read a lot of "best practices" around third-party security. But what is actually happening in third-party risk assessment? It's hard enough to measure the risk of your own organization; how can you quickly measure an external one? Banks are required to do this, but specific methods aren't defined. So what are they doing? We'll examine data from hundreds of external assessments in the financial sector and compare it to actual breach data. We'll look at questions like: What are the top questions asked by more than half of the assessors? Which questions are asked rarely? What factors drive assessments? What important questions are missed? We'll also dig into the top assessment standards, SOC 1/2/3, ISO 27k and Shared Assessments, and see what they're accomplishing.


Looks to be an awesome lineup this year.  Honored to be a part of it.