Vulnerability Intelligence - Standing Still in a world full of change
1. Effective, Scalable #Fullstack Vulnerability Management 1
Vulnerability Intelligence
Standing Still in a World Full of
Change
November 2017 - Geneva
3. What we do….
#fullstack vulnerability management
Web Applications, API and Host
Managed Service
Continuous Assessment
False-Positive free
Manage thousands of systems globally.
4. 2017 – so far
• Lloyds 48hr DDoS – 20,000,000
• Trump – administration details leaked
• Clash of Clans – 1,000,000
• Cellebrite – 900 GB of Data
• SWIFT – Fake Trade Documents - 3 banks – India
• CoPilot – GPS – 220,000 Records
• Sentara HealthCare – 5,000 Patient records
• Deep Root Analytics – 198,000,000 records
• Equifax – 143,000,000+ Records!
Globally, every second, 18 adults become victims of cybercrime - Symantec
“The loss of industrial information and intellectual property through cyber espionage constitutes the greatest transfer of wealth in history” - Gen. Keith Alexander
“One hundred BILLION dollars” - Dr Evil
“Eoin, I didn’t click it” – my mother
5. The Threat Is Real
• 15% of all hosting and web application environments combined have a high or critical risk
• 95% of critical risks are in the web application layer
• 82% of high risks are in the web application layer
• 65% of all vulnerabilities discovered are in the hosting layer
6. Attack Vectors & Threat Actors
Attack vectors:
• Malware/Ransomware
• Phishing
• Hacking
• CEO Fraud
• Human Error / Insiders
• DDoS
Threat actors:
• Organised Crime – dedicated, motivated by profit
• Hacktivism – political, social motivations
• “Script kiddies” – curious
• Automated scanners/worms – systems used to identify “soft targets”
• Cyber Terrorism – political motivations
• Nation States – cyber espionage/APT
• Insiders
7. Traditional Approach to Security
Two weeks of ethical hacking
Ten man-years of development
8. Agile Risk Model – Keeping pace with change
Fail Early – Fail Often
“Push Left”
Spread-Risk
10. Make this more difficult: Let's change the application code once a month.
Keeping pace with DevSecOps:
• New vulnerabilities
• Continuous patching requirements
• New deployments (services, systems)
• Continuous testing
11. APIs are King…
DevSecOps – DevOps the secure way
Integration with:
• SIEM, ticketing, alerting
• WAF (firewalls)
• Messaging: alerts
• Build servers
• Bug trackers
Security visibility via intelligence
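The two slides above make the case that vulnerability management has to keep pace with monthly code changes and feed the build server, bug tracker and alerting channels over APIs. The following Python is an added example written for this page, not code from the original deck or from any vendor's API or client library. It takes a constructed JSON export of one assessment cycle, fingerprints each finding so a continuous re-scan does not re-open tickets that are already tracked, fails the build when a *new* finding is at or above a severity gate, and shapes the new findings into generic bug-tracker issues. The findings schema (asset/layer/severity/name/location), the severity names, the baseline of known fingerprints and the ticket fields are all assumptions; a real integration would replace `load_findings()` with the scanner's API call and post the ticket payloads to the tracker.

```python
"""Added example (not the deck's or any vendor's code): a CI build gate fed by
continuous vulnerability-assessment results.

Assumptions, all hypothetical: findings arrive as a JSON list with the fields
asset/layer/severity/name/location; severities run info..critical; the previous
cycle's fingerprints are kept as the "known" baseline; a ticket is a generic
dict that a bug-tracker adapter would POST.
"""
import hashlib
import json
import sys

# Constructed sample export for one assessment cycle (not real scan data).
SAMPLE_FINDINGS_JSON = json.dumps([
    {"asset": "shop.example.com", "layer": "web", "severity": "critical",
     "name": "SQL injection", "location": "/search?q="},
    {"asset": "shop.example.com", "layer": "web", "severity": "medium",
     "name": "Missing HttpOnly flag", "location": "session cookie"},
    {"asset": "10.0.0.12", "layer": "host", "severity": "high",
     "name": "Outdated OpenSSH", "location": "tcp/22"},
    {"asset": "10.0.0.12", "layer": "host", "severity": "low",
     "name": "ICMP timestamp disclosure", "location": "icmp"},
])

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def load_findings(raw_json):
    """Parse the (hypothetical) JSON export; a real adapter would call the scanner API here."""
    return json.loads(raw_json)


def fingerprint(finding):
    """Stable identity for a finding, so re-scans of unchanged systems match the
    baseline instead of opening duplicate tickets every cycle."""
    key = "|".join(str(finding[k]) for k in ("asset", "layer", "name", "location"))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:16]


def layer_summary(findings):
    """Count findings per layer and severity: the 'layered cake' view of the stack."""
    summary = {}
    for f in findings:
        by_sev = summary.setdefault(f["layer"], {})
        by_sev[f["severity"]] = by_sev.get(f["severity"], 0) + 1
    return summary


def triage(findings, baseline, gate="high"):
    """Split findings into new vs known and decide whether the build passes.
    Only new findings at or above `gate` block; known ones are already tracked."""
    if gate not in SEVERITY_RANK:
        raise ValueError(f"unknown gate severity: {gate}")
    new, known = [], []
    for f in findings:
        (known if fingerprint(f) in baseline else new).append(f)
    threshold = SEVERITY_RANK[gate]
    blocking = [f for f in new if SEVERITY_RANK[f["severity"]] >= threshold]
    return {"new": new, "known": known, "blocking": blocking, "passed": not blocking}


def ticket_payload(finding):
    """Shape a finding into a generic bug-tracker issue (hypothetical field names)."""
    return {
        "title": f"[{finding['severity'].upper()}] {finding['name']} on {finding['asset']}",
        "labels": ["security", f"layer:{finding['layer']}", f"sev:{finding['severity']}"],
        "body": f"Location: {finding['location']}\nFingerprint: {fingerprint(finding)}",
    }


def run_gate(raw_json, baseline, gate="high"):
    """One pipeline step: parse, triage against the baseline, draft tickets for new findings."""
    findings = load_findings(raw_json)
    result = triage(findings, baseline, gate)
    result["tickets"] = [ticket_payload(f) for f in result["new"]]
    result["summary"] = layer_summary(findings)
    return result


# Baseline from a previous cycle: here only the low-severity ICMP finding was already known.
KNOWN_BASELINE = {fingerprint(load_findings(SAMPLE_FINDINGS_JSON)[3])}

if __name__ == "__main__":
    result = run_gate(SAMPLE_FINDINGS_JSON, KNOWN_BASELINE, gate="high")
    print(json.dumps(result["summary"], indent=2))
    for t in result["tickets"]:
        print("would open ticket:", t["title"])
    # A non-zero exit fails the build-server job when new high/critical findings appear.
    sys.exit(0 if result["passed"] else 1)
```

The baseline is what makes this safe to run on every build: the same finding seen on Monday and again on Tuesday produces one ticket, not two, and an unchanged backlog of medium findings does not block a deployment that introduced nothing new. Raising `gate` to `critical` or dropping it to `medium` is the only tuning most teams need.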
12. “Vulnerability Management – even when standing still the world changes around you.”
13. Make this more difficult: Let's change the application code once a month.
Fullstack – A Layered cake.