Understanding Asset Risk Via Vulnerability Prioritization
TODO 2: FIND GROUND TRUTH
1. Breaches: Alienvault, Dell, Internal (Snort)
2. Exploits: EDB, MSP, EKITS, Symantec, Internal (Scraper)
3. Global Attack: SixScan, ISC, Dell, CarbonBlack, iSight, ThreatStream, PaloAlto, FireEye, Imperva, Norse
4. Local Attack: Snort
5. Zero Days: iDefense, ExodusIntel
6. Trends: Internal, Internal (Attack Velocity), BitSight
7. Impact: DBIR, NetDiligence, Config (Qualys)
“It is a capital mistake to theorize before one has data.
Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”
I Love It When You Call Me Big Data
150,000,000 Live Vulnerabilities
1,500,000 Assets
2,000 Organizations
Baseline All The Things
Probability (You Will Be Breached On A Particular Open Vulnerability)?
= (Open Vulnerabilities | Breaches Occurred On Their CVE) / (Total Open Vulnerabilities)
= 6%
[Chart: Probability A Vuln Having Property X Has Observed Breaches. x-axis: CVSS Base (0 to 10); y-axis: Breach Probability (%) (0 to 12)]
[Chart: Probability A Vuln Having Property X Has Observed Breaches. Bars: CVSS 10, EDB, MSP, EDB+MSP; axis: Breach Probability (%) (0 to 40)]
Not So Secret Sauce
• CVSS Base → Normalize Base Score
• Metasploit? ExploitDB?
• Exploit Source 3,4,5,6...N?
• Active Breach Velocity
• Asset Internal/External?
• Vulnerability Trending?
• Zero Days?
→ Risk Meter Score
[Chart: Positive Predictive Value as a Function of Score Cutoff. x-axis: Score (0 to 10); y-axis: Positive Predictive Value (0 to 40); series: CVSS Base, CVSS Temporal, Risk Meter]
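The three measurements the deck walks through (the baseline breach probability over all open vulnerabilities, the same probability conditioned on a property such as CVSS score, EDB or MSP, and the positive predictive value of a score as a function of its cutoff) can be computed with a few lines over any vulnerability inventory that carries breach ground truth. The block below is an added worked example, not code from the slides or from the vendor behind them. The 21-row data set is constructed (its identifiers are placeholders, not CVE ids, and its breach labels are invented), and `toy_risk_score` is a hypothetical blend of the "secret sauce" inputs chosen only to show how a score that folds in exploit availability changes the PPV curve; it is not the Risk Meter formula, which the deck does not disclose.

```python
# Added worked example, not code from the original slides. It reproduces the
# three measurements the deck describes over a small constructed data set:
#   1. baseline P(breach | open vulnerability)
#   2. P(breach | vulnerability has property X), e.g. CVSS >= 9, EDB, MSP, EDB+MSP
#   3. positive predictive value (PPV) of a score as a function of its cutoff
# `toy_risk_score` is a hypothetical stand-in, NOT the deck's Risk Meter formula.
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class OpenVuln:
    """One open vulnerability instance (an asset/CVE pair) with its ground truth."""
    ident: str         # constructed placeholder, not a real CVE id
    cvss_base: float   # CVSS base score, 0.0 to 10.0
    edb: bool          # public exploit in ExploitDB
    msp: bool          # Metasploit module available
    breached: bool     # a breach was observed on this CVE (the ground truth)


# Constructed sample of 21 open vulnerabilities; breach labels are invented so
# the arithmetic can be followed by hand (5 of 21 rows are breached).
SAMPLE = [
    OpenVuln("VULN-A", 9.8, True, True, True),
    OpenVuln("VULN-B", 7.5, True, True, True),
    OpenVuln("VULN-C", 10.0, False, False, False),
    OpenVuln("VULN-D", 9.3, False, False, False),
    OpenVuln("VULN-E", 5.0, True, False, False),
    OpenVuln("VULN-F", 6.8, True, True, True),
    OpenVuln("VULN-G", 4.3, False, False, False),
    OpenVuln("VULN-H", 7.2, False, False, False),
    OpenVuln("VULN-I", 8.8, True, False, True),
    OpenVuln("VULN-J", 2.1, False, False, False),
    OpenVuln("VULN-K", 6.5, True, True, False),
    OpenVuln("VULN-L", 9.0, False, False, False),
    OpenVuln("VULN-M", 5.5, False, False, False),
    OpenVuln("VULN-N", 7.8, True, False, False),
    OpenVuln("VULN-O", 3.5, False, False, False),
    OpenVuln("VULN-P", 9.1, True, True, True),
    OpenVuln("VULN-Q", 6.0, False, False, False),
    OpenVuln("VULN-R", 8.1, False, False, False),
    OpenVuln("VULN-S", 4.0, True, False, False),
    OpenVuln("VULN-T", 7.0, False, False, False),
    OpenVuln("VULN-U", 6.2, False, True, False),
]


def breach_probability(vulns: Iterable[OpenVuln]) -> float:
    """Deck baseline: (open vulns whose CVE had observed breaches) / (total open vulns)."""
    vulns = list(vulns)
    if not vulns:
        return 0.0
    return sum(v.breached for v in vulns) / len(vulns)


def conditional_breach_probability(vulns: Iterable[OpenVuln],
                                   has_property: Callable[[OpenVuln], bool]) -> float:
    """P(breach | property X): the baseline restricted to vulns where has_property(v) holds."""
    return breach_probability(v for v in vulns if has_property(v))


def toy_risk_score(v: OpenVuln) -> float:
    """Hypothetical blend of the 'secret sauce' inputs (an assumption, not the Risk
    Meter): CVSS base plus a bump per exploit source, capped at 10."""
    score = v.cvss_base + (1.5 if v.edb else 0.0) + (2.5 if v.msp else 0.0)
    return min(score, 10.0)


def positive_predictive_value(vulns: Iterable[OpenVuln],
                              score_fn: Callable[[OpenVuln], float],
                              cutoff: float) -> Optional[float]:
    """PPV at a cutoff: of the vulns the score flags (score >= cutoff), the fraction
    actually breached. Returns None when nothing is flagged, since PPV is undefined."""
    flagged = [v for v in vulns if score_fn(v) >= cutoff]
    if not flagged:
        return None
    return sum(v.breached for v in flagged) / len(flagged)


def ppv_curve(vulns, score_fn, cutoffs=range(0, 11)):
    """PPV as a function of score cutoff: the curve on the deck's last chart."""
    return {c: positive_predictive_value(vulns, score_fn, c) for c in cutoffs}


if __name__ == "__main__":
    print(f"baseline P(breach): {breach_probability(SAMPLE):.1%}")
    properties = {
        "CVSS >= 9": lambda v: v.cvss_base >= 9.0,
        "EDB": lambda v: v.edb,
        "MSP": lambda v: v.msp,
        "EDB+MSP": lambda v: v.edb and v.msp,
    }
    for name, pred in properties.items():
        print(f"P(breach | {name}): {conditional_breach_probability(SAMPLE, pred):.1%}")
    cvss = ppv_curve(SAMPLE, lambda v: v.cvss_base)
    toy = ppv_curve(SAMPLE, toy_risk_score)
    fmt = lambda x: "n/a" if x is None else f"{x:.1%}"
    print("cutoff  PPV(CVSS base)  PPV(toy score)")
    for c in range(0, 11):
        print(f"{c:>6}  {fmt(cvss[c]):>14}  {fmt(toy[c]):>14}")
```

Two properties of the curve are worth checking on real data as well: at cutoff 0 every vulnerability is flagged, so PPV equals the baseline breach probability, and at a high cutoff the flagged set can shrink to a handful of rows, so a single breached or unbreached row swings the PPV by a lot; the deck's 6% baseline comes from 150 million vulnerabilities, where that small-sample effect disappears.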