The Role of Security Mapping in Vulnerability Management

Posted on 07. Feb, 2013 by in Data Analysis, Industry, Precognition, Vulnerability Management

Increasingly, security management organizations are coming to rely on a distinctive kind of geography to recognize where threats and vulnerabilities are active and where exploits are occurring. This geography maps fairly closely to the physical map of the world, but not exactly. Because it is built from the Internet links that connect sites and users to service providers, along with the local topologies between the edges of the global network and the nearest elements of its core, it tends to be more compressed than physical geography and to contain strange or interesting hops between locations. These hops reflect peering arrangements at various points of presence for SONET and other high-speed infrastructures, and they do not always correspond to the geographical proximity you would see on a country or continental map.

Nevertheless, keeping track of where threats and vulnerabilities are occurring is incredibly useful. Following lines of “Internet topography,” spikes in detection (which indicate upward trends in proliferation, or in frequency of attack) help prioritize threats by location. For one thing, networks that are nearby in the Internet topography are more likely to be exposed to the same threats, so it makes sense to use this kind of proximity to escalate risk assessments of exposure. For another, attack traffic tends to follow other typical traffic patterns, so rising threat or vulnerability profiles can also drive predictive analytics.

It’s always interesting to look at real-time threat maps or network “weather reports” from various sources to see where issues may be cropping up and how fast they’re spreading. Akamai’s Real-Time Web Monitor provides an excellent and visually interesting portrayal of this kind of monitoring and analysis at work. In the following screen capture, for example, we see a handful of US states where attacks have been detected in the last 24 hours.

Security Mapping

Akamai’s “Real-Time Web Monitor” Displaying a Security Map

In general, threat, vulnerability and attack mapping work well because such data makes for intelligible and compelling visual displays. Human viewers are familiar with maps, and quickly learn how to develop an intuitive sense for threat priority or urgency based on proximity and the nature of the threats involved. That’s why so many security service providers use maps to help inform security administrators about safety and security in their neighborhoods, and around the planet.

About the Author: Ed Tittel is a full-time freelance writer and researcher who covers information security, markup languages, and Windows operating systems. A regular contributor to numerous TechTarget websites, Tom’s IT Pro, PearsonITCertification.com, and UpperTraining.com, Ed also blogs on Windows Enterprise Desktop and IT Career topics. His latest book is Unified Threat Management For Dummies. Learn more about or contact Ed at his website.


Playing Around with Game Theory: Smart Data > Big Data

Posted on 06. Feb, 2013 by in Big Data, Data Analysis, Industry, Precognition, Risk I/O, Vulnerability Intelligence

There’s been a lot of talk about Big Data in the security space over the past couple of years, and it seems that almost every week a new Big Data offering enters the space, whether it’s in discussion, in development, or in production. It’s no secret that here at Risk I/O, we’ve embraced the industry’s demands and are hard at work developing our precognition offerings, many of which have been dubbed “Big Data.” This is accurate, since we aggregate and correlate data both inter- and intra-client.

A Game Theory Model

However, in traditional Big Data problems—such as consumer shopping or health care—we would be looking to mine huge data sources for patterns of behavior, or commonalities between clients and attackers. In information security, we have huge amounts of SIEM data on activity around our assets, and great data on which firms have which vulnerabilities. The problem is that we’re missing successful exploit data or breach data, so just hunting for patterns or casting regressions isn’t quite as productive, because what we’re after are the probabilities and locations of attacks. Given the limited exploit data out there, I’ve been looking for some workarounds. Thankfully, there are some alternative ways of reducing risk.

I wanted to share a quick insight we’ve gathered in the process of ramping up new offerings. Particularly, I’ve invested some time into analyzing game theory as a tool for infosec analysis. Game theory is an applied field of mathematics developed as a means of computing optimal strategy sets for rational actors.

A common application is to analyze adversaries locked in a repeated game, with the outcome of one affecting constraints on the subsequent games. Repeated games assume that players will have to take into account the impact of their current strategy on the future actions of other players; this is sometimes called their reputation. In web security, the analogue is clear cut: hackers are looking to choose which assets to exploit, and each one of us wants to decide which assets to patch first, which vulnerabilities to deal with first, etc. For a good literature review of the field, take a look at Game Theory Meets Network Security and Privacy. Good work is being done in academia already on the subject, and the results allow us to turn Big Data problems into tractable “medium data” problems rather quickly:

Asset Network Topology Might Matter Less than You Think

A recent paper by Sandia National Laboratories and Duke University uses a game theoretic model of arbitrary network topology, which varies in both the topology and the degree of uncertainty in links. It’s a great use of game theory to determine optimal strategies.  The main result is that:

IF 

(Some assets are prioritized higher than others, that is, utility from defending the network is non-homogenous)&&(the costs of defending or remediating an asset’s vulnerabilities are not too high)

THEN 

Network topology doesn’t affect the payoff to the defender.

Squirrel lifting big data

Making big data lighter.

Most real-world systems meet the first condition, and while “high costs” are a judgment call (there is some evidence in this blog post), they are minuscule in comparison to the costs of a data breach. The result is profound: it means that a map of network topology—or of “second order” spillover impacts from one compromised asset—does not need to be factored into a data model when choosing which assets to defend. All of a sudden, the data looks smaller. This does not imply that we should ignore the topology of networks, but it does mean that we need to think critically (test, test, test) about whether including all the data we have is the best approach.

The next question we need to answer is: does this result make sense? After a good discussion with @sintixerr and @MrMeritology on Twitter (started by this post), I’m convinced that it does. Here’s why network topology likely doesn’t matter when defining the defender’s optimal strategy.

  1. Attack Paths - In much of game theory, the best defense against an attacker, especially one about which there is little information, is dynamic. The reason? Attackers randomize their attack patterns and paths. As the number of attack paths grows, the value of a particular asset itself matters more than its effect on others. Simply put, if attackers are determined to reach an asset, they will eventually find a path to it.
  2. Attacker Types and Evolution - The importance of assets changes (see @sintixerr’s post above) as a result of evolving attacker strategies (and types of attackers). And since we can’t (yet) predict how this importance will change, we also can’t predict which links in a network will matter more than others. It’s important to note here that most enterprises are also threatened by more than one type of attacker, so any risk assessment will have conflicting estimates of risk. The aforementioned game theory paper makes this point by showing invariance to attacker type.

There’s too much uncertainty about if, who, where, or when one will be attacked. Credit to @MrMeritology for this Smithsonian article, which distinguishes the problem at hand: “A mystery cannot be answered; it can only be framed, by identifying the critical factors and applying some sense of how they have interacted in the past and might interact in the future.” The takeaway here is that Big Data is not always smart data. Big Data will let us solve every jigsaw puzzle and an N×N Rubik’s cube. Smart data will tell us which factors truly matter.

Before we launch into full-scale Hadoop implementations and start firing up R regressions on every variable we can get our hands on, it’s worth our time to take a step back and think about what’s available to us, what’s not, and what that means. My contention is that thinking about optimal strategies, which are robust to uncertainty, can alleviate the need to predict exploits, at least until the data gets big enough. More insights from the front lines coming soon.


Heads Up! (Display)

Posted on 22. Jan, 2013 by in Data Analysis, Feature Release, Metrics, Risk I/O, Vulnerability Management

Heads Up Display

Visualizing your vulnerability data with our new Heads Up Display.

I’m happy to share our latest enhancement to visualizing your vulnerability data. Today, we are launching a new Heads-Up Display (HUD): a “mini dashboard,” if you will, that allows you to visualize the current state of your vulnerabilities and defects.

Our new Heads-Up Display shows a live presentation of your vulnerabilities. It provides up-to-the-minute information on aspects of your vulnerability management program such as scoring, asset priorities, exploitability and impact calculations, with more metrics on the way. Each metric is interactive: rolling over a graph will show you the actual value of the attribute represented in that graph, while clicking a graph performs a live filter based on that attribute.

A simple use case for quickly finding vulnerabilities in your environment that have a very high likelihood of being exploited may be as follows:

  1. Navigate to the Vulnerabilities tab within your instance of Risk I/O, where you will find the Heads-Up Display.
  2. Start by filtering on vulnerabilities that don’t require local access by clicking the Network portion of the Access Vector chart. This filter brings our open vulnerabilities down from 63,060 to 50,970.
  3. Now drill down further by continuing to look at the simplest vulnerabilities to exploit: click the Low value for Access Complexity and None Required for the level of Authentication. This brings the list down to 16,462.
  4. From here, narrow the number of vulnerabilities to tackle by filtering on their impact subscores. This gives us issues that are not only likely to be exploited but also have a higher impact. Filter by choosing Complete impacts for Confidentiality, Integrity and Availability. This brings the open list down to 5,709.
  5. Next, take the current list and narrow it further by looking only at vulnerabilities that have a Known Exploit. Filtering on this value results in 1,111 open vulnerabilities.
  6. So far, we’ve been focusing on vulnerabilities that are easy to exploit, could have a higher impact on our environment, and have a publicly available exploit from sources like the Metasploit Framework, ExploitDB, etc. Let’s take this one step further and filter only on vulnerabilities within our DMZ that may be publicly facing. Since I have tagged these assets with DMZ within my instance of Risk I/O, I can simply select the tag ‘DMZ’ to filter on. This gives me a very short list of 16 open vulnerabilities to work with.

Heads-Up Display

The 16 most egregious vulnerabilities via HUD.

As mentioned, this is a simple use case to find the most egregious of vulnerabilities within our environment and I’m certain you will have and find many others. We think HUD will be one of the easiest ways to stay on top of your vulnerability management. We’ll be sprinkling more mini visualizations throughout Risk I/O in the future as we identify specific metrics that would be helpful to see in a more visual fashion. Give it a try and let us know what you think.
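The HUD filter chain above is a sequence of predicates over the CVSS v2 base metrics (Access Vector, Access Complexity, Authentication, and the three impact subscores), plus two attributes that come from the vulnerability record rather than the score (known public exploit, asset tag). The following is an added example, written for this page and not Risk I/O code, that applies the same six steps to scanner findings offline. It assumes each finding is a dict with a CVSS v2 base vector string (for example `AV:N/AC:L/Au:N/C:C/I:C/A:C`), a `known_exploit` flag, a list of `tags` and an optional `status`; these field names and the sample records are constructed for the example, and the running totals in the post (63,060 down to 16) are not reproduced, since the counts below come from the constructed sample.

```python
"""Added example: the Heads-Up Display filter chain as a plain function.

Not Risk I/O code. Record layout (cvss2, known_exploit, tags, status) and
all sample data are constructed assumptions for this example.
"""
from collections import Counter

REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_cvss2(vector):
    """Parse a CVSS v2 base vector ('AV:N/AC:L/Au:N/C:C/I:C/A:C') into a dict.

    Temporal/environmental metrics are kept if present but not required.
    Raises ValueError on a malformed vector or a missing base metric, so a
    bad scanner export fails loudly instead of silently passing every filter.
    """
    metrics = {}
    for part in vector.strip().split("/"):
        if ":" not in part:
            raise ValueError(f"bad metric {part!r} in vector {vector!r}")
        key, value = part.split(":", 1)
        metrics[key] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} is missing base metrics {missing}")
    return metrics


def open_vulns(vulns):
    """Only open findings count; a missing status is treated as open."""
    return [v for v in vulns if v.get("status", "open") == "open"]


def hud_chart(vulns, metric):
    """Distribution of one CVSS metric across open findings.

    This is what a HUD chart such as 'Access Vector' summarises before any
    filter is clicked. Returns a Counter, e.g. {'N': 6, 'L': 1}.
    """
    return Counter(parse_cvss2(v["cvss2"])[metric] for v in open_vulns(vulns))


# The six clicks from the post, in order. Each predicate sees the record (v)
# and its parsed CVSS metrics (m).
HUD_STEPS = [
    ("Access Vector = Network",        lambda v, m: m["AV"] == "N"),
    ("Access Complexity = Low",        lambda v, m: m["AC"] == "L"),
    ("Authentication = None Required", lambda v, m: m["Au"] == "N"),
    ("C/I/A impact = Complete",        lambda v, m: (m["C"], m["I"], m["A"]) == ("C", "C", "C")),
    ("Known Exploit",                  lambda v, m: bool(v.get("known_exploit", False))),
    ("tag DMZ",                        lambda v, m: "DMZ" in v.get("tags", [])),
]


def hud_filter(vulns):
    """Apply HUD_STEPS cumulatively.

    Returns (survivors, counts): counts[i] is the number of open findings
    left after step i, mirroring the running totals shown in the HUD.
    """
    remaining = [(v, parse_cvss2(v["cvss2"])) for v in open_vulns(vulns)]
    counts = []
    for _label, predicate in HUD_STEPS:
        remaining = [(v, m) for v, m in remaining if predicate(v, m)]
        counts.append(len(remaining))
    return [v for v, _ in remaining], counts


# Constructed sample, not real scan output. Each record fails exactly one
# step except V-1, which survives them all; V-8 is closed and never counted.
SAMPLE_VULNS = [
    {"id": "V-1", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "known_exploit": True,  "tags": ["DMZ", "web"]},
    {"id": "V-2", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "known_exploit": True,  "tags": ["internal"]},
    {"id": "V-3", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "known_exploit": False, "tags": ["DMZ"]},
    {"id": "V-4", "cvss2": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "known_exploit": True,  "tags": ["DMZ"]},
    {"id": "V-5", "cvss2": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "known_exploit": True,  "tags": ["DMZ"]},
    {"id": "V-6", "cvss2": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "known_exploit": True,  "tags": ["DMZ"]},
    {"id": "V-7", "cvss2": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "known_exploit": True,  "tags": ["DMZ"]},
    {"id": "V-8", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "known_exploit": True,  "tags": ["DMZ"], "status": "closed"},
]


if __name__ == "__main__":
    print("Access Vector chart:", dict(hud_chart(SAMPLE_VULNS, "AV")))
    survivors, counts = hud_filter(SAMPLE_VULNS)
    for (label, _), n in zip(HUD_STEPS, counts):
        print(f"{label:<32} {n:>4} open")
    print("remaining:", [v["id"] for v in survivors])
```

Two design points worth noting. The predicates are evaluated on the parsed vector, not by substring matching on the raw string, so `AV:N` is never confused with a temporal or environmental metric that happens to contain the same letters; and parsing fails on a malformed vector rather than treating it as “not Network,” because a silently dropped record is exactly the kind of vulnerability this triage is meant to surface.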


Mario Mendoza Goes to SecTor

Posted on 05. Oct, 2012 by in Data Analysis, Event

Mario Mendoza set what would become known as The Mendoza Line

I wanted to thank the folks at SecTor for having me out and allowing me to bring the Security Mendoza Line discussion north of the border. Like last year, I had a great time, and I’m always impressed with how well the conference is run. This was also the first year we did a sponsorship, and we brought along the new t-shirts to share. Watch for the ‘shirt-o-matic’ coming soon.

I was able to meet a ton of people and the kind folks at the Liquid Matrix Security Podcast allowed me to ramble on a bit as part of their ongoing coverage of the con. If you haven’t already, go subscribe to the podcast as they have already been piling up good content. Below is my deck from the talk. It was the first time I gave this talk and after a few follow ups afterwards, I will likely be making some modifications. I also have some additional data to add to it based on real world vulnerabilities and how they relate to the Mendoza line.

After the talk, I do have to agree with both Alex Hutton and Josh Corman that HD Moore’s law resonates more with our audience. Perhaps I could create a hockey analogy for the next time I’m up at SecTor…


Joining the Data Revolution

Posted on 22. Aug, 2012 by in Award, Big Data, Data Analysis, Event, Industry

Here at Risk I/O, we’re really big fans of data. Given the right data you can make insightful business decisions very quickly. This is one of the core values we build into every feature release.

DataWeek Logo

Risk I/O is excited to be the recipient of a DataWeek Award as a Top Innovator in the Security/e-Governance category.

With our data-driven approach to security, we’re excited to have been selected by the DataWeek Awards as a Top Innovator in the Security/e-Governance category. This is the first annual DataWeek event, which is used as a platform for data-centric companies to discuss how big data can be harnessed. Risk I/O is honored to be joining a long list of innovative companies in accepting a DataWeek Award.

Throughout the remainder of 2012, we’ll be releasing data-centric features that will aid our users in decision support. Within the security community, we have seen a real issue with managing the mountain of data produced by vulnerability assessments, penetration testing and static analysis. There are very specific use cases that we are building into our product which include prioritization, predictive analytics, and an aggregated vulnerability database. We want our users to understand what’s the most important vulnerability to fix first and how vulnerable their data is to a specific threat. We also want our users to be able to easily access all available information on a specific vulnerability right in our product. We’ll be informing our users when these features are available.

We’re excited to be part of the Data Revolution and to be recognized for our commitment to it. Now to get back to building out some data-centric features for our users, fast and furious!


Hitting Above the Security Mendoza Line

Posted on 14. Aug, 2012 by in Data Analysis, Feature Release, Penetration Testing, Vulnerability Management

Risk I/O can now be used to identify publicly available exploits for your existing vulnerabilities. Our development team has made it possible for Risk I/O to match entries from databases of quality-assured exploits, such as Metasploit and ExploitDB, to the vulnerabilities they apply to. This information, paired with vulnerability data from assessment tools, allows you to understand how your organization is vulnerable to attack.

Risk I/O's known exploit feature allows you to know how hackers could attack your organizational data.

You can now get information on publicly available exploits for a specific vulnerability.

In an earlier post, I wrote about the importance of focusing on data that allows you to “hit above the Security Mendoza Line,” that is, on the threats most likely to occur based on the evidence and on ease of exploit. Alex Hutton coined the Security Mendoza Line when talking about vulnerabilities exploitable with Metasploit modules, and Josh Corman expanded on it considerably with HD Moore’s Law. We built this feature to weed these vulnerabilities out of your environment and allow you to hit above the Mendoza Line.

We often talk about “enough security” and Josh frames it correctly by stating this is InfoSec table stakes. By combining data from these publicly available exploits and network accessibility, you can truly identify some low hanging fruit and protect yourself from the Point, Click & Pwn of the most casual and opportunistic attackers.

For the dataheads in the audience, a quick and early glance suggests that about 14% of active, open vulnerabilities have publicly available exploits through one of these tools or databases. I think there are more interesting views to be had, but this is clearly an indicator that we have a long way to go before we can protect ourselves from even the most casual adversaries.
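The matching described in this post is, at bottom, a join between scanner findings and exploit databases on the CVE identifier, followed by a ratio. The following is an added example for this page, not Risk I/O’s implementation, that performs that join offline and computes the share of open findings that have a public exploit, overall and for network-reachable (CVSS v2 `AV:N`) findings, which is the “point, click & pwn” population the post is concerned with. It assumes findings carry a list of CVE IDs (possibly empty, since some scanner findings are vendor-specific) and a CVSS v2 base vector, and that each exploit index entry carries a source name, a name and the CVEs it references. The exploit entries, module names and CVE numbers below are constructed placeholders (the `CVE-2099-…` IDs are deliberately not real CVEs), not Metasploit modules or ExploitDB records.

```python
"""Added example: join findings to public exploit databases by CVE and
compute the share that sit below the Security Mendoza Line.

Not Risk I/O code. Record layouts, exploit entries and CVE numbers are
constructed placeholders for this example.
"""
import re
from collections import defaultdict
from typing import Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def normalize_cve(raw: str) -> Optional[str]:
    """Canonicalise ' cve-2099-0002 ' to 'CVE-2099-0002'; None if not a CVE id.

    Scanner exports and exploit metadata disagree on case and whitespace
    often enough that joining on the raw string silently drops matches.
    """
    cve = raw.strip().upper()
    return cve if CVE_RE.match(cve) else None


def build_exploit_index(entries):
    """Map CVE -> set of 'source:name' exploit references.

    One exploit may reference several CVEs and one CVE may have several
    exploits, so the index is a many-to-many join table, not a dict of one.
    """
    index = defaultdict(set)
    for entry in entries:
        for raw in entry["cves"]:
            cve = normalize_cve(raw)
            if cve:  # entries with no parseable CVE simply cannot be joined
                index[cve].add(f'{entry["source"]}:{entry["name"]}')
    return index


def annotate(findings, index):
    """Return open findings with an added 'exploits' set (empty = no public exploit)."""
    annotated = []
    for finding in findings:
        if finding.get("status", "open") != "open":
            continue
        refs = set()
        for raw in finding.get("cves", []):
            cve = normalize_cve(raw)
            if cve:
                refs |= index.get(cve, set())
        annotated.append({**finding, "exploits": refs})
    return annotated


def mendoza_stats(annotated):
    """Share of open findings with a public exploit, overall and for AV:N findings."""
    def share(items):
        if not items:
            return 0.0
        return round(sum(1 for f in items if f["exploits"]) / len(items), 3)

    # Exact token match on the split vector avoids matching e.g. 'AV:N' inside
    # some other metric; AV:N = remotely reachable in CVSS v2.
    network = [f for f in annotated if "AV:N" in f["cvss2"].split("/")]
    return {
        "open": len(annotated),
        "with_exploit": share(annotated),
        "network_with_exploit": share(network),
    }


# Constructed exploit index entries: placeholder names and CVE numbers.
EXPLOITS = [
    {"source": "metasploit", "name": "example/placeholder_a", "cves": ["CVE-2099-0001", "cve-2099-0002"]},
    {"source": "exploitdb",  "name": "edb-placeholder-1",     "cves": ["CVE-2099-0001"]},
    {"source": "exploitdb",  "name": "edb-placeholder-2",     "cves": ["not-a-cve"]},
]

# Constructed findings: F-4 is a vendor-only finding with no CVE, F-5 is closed.
FINDINGS = [
    {"id": "F-1", "cves": ["CVE-2099-0001"],   "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "F-2", "cves": [" cve-2099-0002 "], "cvss2": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "F-3", "cves": ["CVE-2099-0003"],   "cvss2": "AV:N/AC:M/Au:N/C:P/I:P/A:P"},
    {"id": "F-4", "cves": [],                  "cvss2": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
    {"id": "F-5", "cves": ["CVE-2099-0001"],   "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "status": "closed"},
    {"id": "F-6", "cves": ["CVE-2099-0004"],   "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
]


if __name__ == "__main__":
    index = build_exploit_index(EXPLOITS)
    annotated = annotate(FINDINGS, index)
    for f in annotated:
        print(f["id"], sorted(f["exploits"]) or "-")
    print(mendoza_stats(annotated))
```

Two caveats a practitioner should keep in mind when building this for real: a finding with no CVE (vendor-specific checks, misconfigurations) can never match and so is undercounted, and the join only tells you that an exploit exists, not that it works against the specific version and configuration you have, which is why the post pairs it with network accessibility rather than treating it as proof of exploitability.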

If you are a current customer, you can access this new feature in the Vulnerabilities tab. Don’t have an account? Sign up for our free version!


Security Intelligence != SIEM

Posted on 05. Mar, 2012 by in Data Analysis, Event, Metrics, Security Management

I’ve just returned from RSA, BSides and Metricon and thought I would pen a few of my thoughts while they’re still fresh in my mind.

On Monday I had the privilege of participating in a panel on Data Driven Security at Metricon 6.5. Scott Crawford moderated and has a great blog series on data driven security. It was an interesting mix of backgrounds between myself, Mark Clancy, Chris Eng, Micha Govshteyn and Martin McKeay. Some of the participants were further along in their analysis of the data they were collecting, while some had a volume of data (Akamai) most of us could only dream of. While I don’t think anything too surprising emerged from the panel, the final question from Russell Thomas was the exception. Russell asked, and I’m paraphrasing, if we had one new open job req we could hire for right now, how many of us would hire someone dedicated to this topic. What surprised me most wasn’t the question but that roughly half the panel, including myself, answered yes.

We are very dedicated to data-driven security and have very specific use cases that we are building into our product. I went into Metricon worried that security intelligence would mostly mean talking about SIEM or the various ‘State of the Industry’ reports published by several security vendors. While I don’t have an issue with those solutions, and actually appreciate several of the published reports, utilizing big data in security can and should go well beyond them. One useful way we see to use this data as part of a decisioning system is through prioritization.

For example: if I have one million identified security risks, realistically I have little chance of remediating everything. How do I decide what’s most important? As a service provider that has visibility across many organizations, we can take into account a lot of different factors to help determine when someone becomes a ‘target of opportunity’ including postures across these issues as well as threat data across both public and private networks. This, of course, is one of MANY examples on how you can feed security and operational data into a system that helps make smarter security decisions.

While I was pleasantly surprised to not be talking about SIEM at Metricon, walking the show floor at RSA brought all my fears back and then some. Big Data was a huge topic at RSA but as mentioned by the guys at Securosis, there was a lot of repurposing of existing products like SIEM. As I mentioned to a coworker as we walked the floor, “it’s like Vegas minus the fun.”

RSA aside, there are plenty of examples out there of using large amounts of data in the real world to aid decisioning systems. One shining example is what Preston Wood and the team over at Zions Bancorporation are doing. They have taken security intelligence way beyond SIEM. Imagine taking these capabilities and setting them atop data that Akamai or other large service providers may house. Additionally, if you haven’t seen the post by Ben Sapiro yet, go check it out. While it’s not focused on big data in security, he talks a lot about analytics and at the end of the post lists a LOT of real world metrics anyone can start with to improve their program.


You Keep Using That Word

Posted on 07. Feb, 2012 by in Data Analysis, Metrics, Security Management

Secure. I don’t think it means what you think it means.

Back in my days as a CISO or even previous to that in various practitioner roles, there were two frequently asked questions by executives and management.

  1. Are we secure?
  2. How do we compare to $x?

Let’s start with the first question. Security is not binary. That is, it’s not a state of on or off. Security in its entirety should be viewed more like 256 shades of grey. It’s not a question of whether or not you are secure but rather how secure or insecure you may be. There are a lot of controls and decisions that go into that state, each of them pushing your state toward more secure or less. Each of those controls and decisions has a lot of trade-offs.

What I’m really getting at, is that it’s a bogus question. But you can’t really respond that way so you take it with a grain of context and politely answer.

Now on to the second question, one that I find more interesting and more meaningful. A common concern amongst management is how they line up with the competition. If your security falls behind that of your competition they worry they will be burned by this and look bad. On the other hand, if they are way ahead of the competition, why? Sure it gives some level of comfort but are they spending too much on security? Could those dollars be better spent elsewhere? Ahh trade-offs again.

There may be many reasons why you need or should be ahead of your competition in securing applications and infrastructure. Perhaps you’re working in an infosec lagging vertical where “keeping up with the competition” means you’re a target of opportunity on the Internet. Being a target of opportunity can come down to how you stand up against a particular vulnerability versus those of your neighbors on the Internet or Google’s search index. Regardless of reason, you’re going to need data to back you up.

Measuring what’s important to your organization, industry and management is the best way to answer these questions. Include not only metrics around these but also benchmarks to compare how you are doing versus your vertical, the broader industry and internally. Pick and choose your metrics carefully and make sure they pass the “so what” test. You can benchmark in an automated manner in some cases as well as loosely through industry organizations such as the ISACs and other areas where your industry gathers.


BayThreat: From Shaman to Scientist

Posted on 20. Dec, 2011 by in Data Analysis, Event, Industry, Security Management

I recently gave an updated talk on my data driven security use case at BayThreat 2 in Mountain View. First off, thanks to Marisa Fagan and all the organizers, this year was even better than last. Also, apologies for not being able to stay for the entire weekend, alas duty called.

I have been making my rounds at various security events around the country attempting to evangelize a new school approach to information security. This is an approach where we rely more on data and evidence and less on the fear, uncertainty and doubt of the past. This talk continues to evolve; stay tuned for the incorporation of hard data (yes, I’m practicing what I preach) in the next iteration.

There was also a preview of BayThreat on a recent RiskHose podcast. I spoke to Alex Hutton and will likely participate in one of these next month. Perhaps we can do a quick summary of that event while I’m there.

The presentation is embedded below for your viewing pleasure.


Are The Feds Going New School?

Posted on 01. Dec, 2011 by in Data Analysis, Industry, Security Management

Probably not…

As much as the headlines of a new bill in Washington grabbed my interest with a twinkle of hope, it turns out in some ways this may be a step away from a new wave of information sharing. It appears to promote information sharing regarding security breaches between the private sector and the government by blanketing companies with protections such as not publicly disclosing the information. While I’m all for information sharing, this seems to be more back-room sharing to the benefit of some but to the detriment of most.

One of the primary ways we can learn about information security breaches and their causes is through publicly available resources like DataLossDB. If the majority of us within the security community cannot access that information and learn from it, in the end this will only cause more breaches, not fewer. We as a community are starting to see the very early benefits of a New School way of thinking through reports like the Verizon DBIR and many others like it. By understanding what is causing real-world security incidents, we can prioritize our work and put the right controls in place to protect against them. We need to get away from what has traditionally been a practice in alchemy and black art and realize we can all learn from each other. The bad guys seem to be better at this than we are.

Vulnerability Explorer

A Screen Shot of Our Upcoming Vulnerability Explorer

Here at HoneyApps we drink the New School of Information Security kool-aid on a daily basis. By taking a quantitative approach to our security and operations we have not only been able to more effectively prioritize our work, but have learned where our product needs to evolve to support and enable these methods. With our upcoming open vulnerability explorer, we hope to combine many of the public vulnerability data sources into a single searchable and filtered view where we can also facilitate open discussions on remediation and controls that matter in protecting against these. We’ll continue to evolve our metrics and benchmarking to provide a view into how you as well as your peers are doing in very quantifiable terms. In the near future we will begin to combine this with the threat and breach activity that is available whether it’s public or via subscriptions we obtain.

There are a lot of very skilled people in functions outside of information security that continue to learn from each other and the data that is out there. Here’s to hoping the security community moves in that direction.
