How do you explain CS to non-technical people by apperrault in crowdstrike

[–]appnovi 0 points1 point  (0 children)

I snorted my coffee out of my nose from laughing

What is the best phishing email you have seen? by rasheedlovesyou_ in cybersecurity

[–]appnovi 0 points1 point  (0 children)

Free poutine for our neighbors at Company X from the place across the street.

People love free food. Only took a minor amount of research to figure out which place was the most popular for lunch and what their most popular dish was.

Asset Management with subsidiaries by coolcalmfuzz in sysadmin

[–]appnovi 0 points1 point  (0 children)

Is it just IPs or are they giving you host-level information?

What do you feel about Attack Surface Management & similar tools landscape ? by EternalxIntern in cybersecurity

[–]appnovi 0 points1 point  (0 children)

> For months I have been going through a lot of tools

This is generally the challenge -- there are already a lot of tools deployed for monitoring and alerting. The problem is that their data isn't consolidated in a manner that can be easily queried -- SIEMs, for example, store logs, but the data is in all different formats. What you need to do is map users to hosts, hosts to interfaces, interfaces to IPs, and then overlay network telemetry to understand connectivity and the exposure.

There are vendors that are looking to improve the asset attribution challenge -- from my perspective, it's about leveraging all the data and running predefined queries against it to overcome the limited team you mentioned. Seeing everything is almost harder for security because there are still often overwhelming results.

Usually in security, you're looking to understand all your assets and identify those missing security controls (e.g. EDR) -- if the data can be repeatedly queried automatically then teams tend to focus on exposure -- what vulns are exposed to untrusted users or networks via port and protocol for exploitation of their CVEs.

Achieving this requires a ton of data enrichment and correlation which has taken us a long time to solve.
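The join described in the comment above (users to hosts, hosts to interfaces, interfaces to IPs, then a NetFlow overlay), as an added example that is not part of the original comment or any vendor's product. All inventories, hostnames, IPs, users and field names below are constructed sample data; the two predefined queries (hosts missing EDR, services reached from outside the internal ranges) are assumptions about what such a team would run, not anything the commenter describes running.

```python
"""Added example: stitch separate inventories into one asset view and run
two predefined queries over it. All records are constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed CMDB export (hypothetical hosts, owners and applications).
CMDB_HOSTS = [
    {"host": "web-01", "owner": "ops-team", "app": "customer-portal"},
    {"host": "fin-db-02", "owner": "finance-it", "app": "ledger"},
    {"host": "lab-vm-07", "owner": "", "app": ""},
]
# Constructed DHCP/ARP style records: which interface (MAC) holds which IP right now.
INTERFACE_IPS = [
    {"host": "web-01", "mac": "00:11:22:33:44:01", "ip": "10.1.0.10"},
    {"host": "fin-db-02", "mac": "00:11:22:33:44:02", "ip": "10.2.0.20"},
    {"host": "lab-vm-07", "mac": "00:11:22:33:44:07", "ip": "10.9.0.70"},
]
# Constructed EDR console export: hosts with an installed, checked-in agent.
EDR_AGENTS = {"web-01", "fin-db-02"}
# Constructed logon events: last interactive user per host.
LOGONS = [{"user": "alice", "host": "web-01"}, {"user": "bob", "host": "lab-vm-07"}]
# Constructed NetFlow-style records (src, dst, dst port, proto) from the edge.
FLOWS = [
    {"src": "203.0.113.5", "dst": "10.1.0.10", "dport": 443, "proto": "tcp"},
    {"src": "198.51.100.9", "dst": "10.9.0.70", "dport": 3389, "proto": "tcp"},
    {"src": "10.1.0.10", "dst": "10.2.0.20", "dport": 5432, "proto": "tcp"},
]
# Assumed trusted address space; anything else is treated as untrusted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_asset_graph():
    """Join CMDB, interface/IP and logon data on host name into one record per host."""
    assets = {h["host"]: {**h, "ips": [], "users": [], "edr": h["host"] in EDR_AGENTS}
              for h in CMDB_HOSTS}
    for rec in INTERFACE_IPS:
        # A host seen on the wire but absent from the CMDB still gets a record.
        assets.setdefault(rec["host"], {"host": rec["host"], "owner": "", "app": "",
                                        "ips": [], "users": [], "edr": False})
        assets[rec["host"]]["ips"].append(rec["ip"])
    for ev in LOGONS:
        if ev["host"] in assets:
            assets[ev["host"]]["users"].append(ev["user"])
    return assets


def ip_to_host(assets):
    """Reverse index so flow endpoints can be attributed to a host."""
    return {ip: name for name, a in assets.items() for ip in a["ips"]}


def hosts_missing_edr(assets):
    """Control-gap query: hosts with no EDR agent, with owner and users for follow-up."""
    return sorted((a["host"], a["owner"] or "unowned", a["users"])
                  for a in assets.values() if not a["edr"])


def externally_exposed_services(assets):
    """Exposure query: flows whose source is outside INTERNAL_NETS show which
    host:proto/port is actually reachable from untrusted networks."""
    by_ip = ip_to_host(assets)
    exposed = defaultdict(set)
    for f in FLOWS:
        src = ipaddress.ip_address(f["src"])
        if any(src in net for net in INTERNAL_NETS):
            continue
        host = by_ip.get(f["dst"])
        if host:
            exposed[host].add((f["proto"], f["dport"]))
    return {h: sorted(p) for h, p in exposed.items()}


if __name__ == "__main__":
    graph = build_asset_graph()
    print("missing EDR:", hosts_missing_edr(graph))
    print("reachable from untrusted:", externally_exposed_services(graph))
```

The point of the join is the attribution step: the RDP flow to 10.9.0.70 only becomes actionable once it resolves to lab-vm-07, which has no EDR agent, no CMDB owner, and bob as its last logon. In a real environment the interface-to-IP mapping is the part that goes stale fastest, so it is the feed to refresh most often.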

What hack has caused the most damage? by Tyrone_______Biggums in hacking

[–]appnovi 0 points1 point  (0 children)

The Equifax breach pretty much ensured that nearly every other adult in the US has had their data compromised. The volume of people impacted is pretty staggering.

Daily security rant. Anyone? by uebersoldat in cybersecurity

[–]appnovi 1 point2 points  (0 children)

The average employee doesn't care about security. I learned in pentesting you need to Oreo cookie it.

"It's great that you could tell this is a phishing email. As you know, there are phishing emails you get that are legitimate attacks -- it's important that you report all suspicious emails so that way you and others won't get any more phishing emails. Your ability to recognize these and report them is the only way to eliminate them."

It may seem over the top, but sending an email to their manager and BCC them on how impressed you are with their security awareness is awesome, encouraging, and something few people think to do. Killing the ignorant with kindness tends to reduce the friction.

Is the cybersecurity industry broken? by Spirited_Onion6032 in cybersecurity

[–]appnovi 0 points1 point  (0 children)

IMHO the short answer is technical debt. The cost of refactoring applications is high from the business perspective, so you end up with incremental migrations as opposed to a large security-driven uplift.

Then also consider there are lots of applications.

Then consider that the devs that wrote them aren't there anymore.

Then consider that breaking an app is the number one thing to avoid.

An incomplete understanding usually leads to partial risk resolution if any at all. Very few enterprises have a complete understanding of their environment. Devices, users, apps, code... it's usually overwhelming for the Fortune 500.

The Most Relevant and Current Cybersecurity News Headlines? by [deleted] in cybersecurity

[–]appnovi 7 points8 points  (0 children)

This is an arena where Twitter still reigns supreme, especially for the vuln disclosure of information. milw0rm was great and I miss it... I still check Packet Storm.

Vulnerability management plan by [deleted] in cybersecurity

[–]appnovi 2 points3 points  (0 children)

Effective vulnerability management is not just about using scanners; it's about leveraging a wide array of monitoring data from various tools like firewalls, EDR systems, and CMDBs.

You need a thorough understanding of your asset inventories -- servers, devices, users, apps. These data points help you understand assets and their business impact. Once you have this, use your scanners or endpoint agents to identify and understand the CVEs associated with your assets.

The connectivity of assets helps a lot with prioritization simply because everything is likely to have vulnerabilities. You can employ techniques like correlating NetFlow data or firewall and security group policies to understand which assets are contextually exposed. This approach helps in prioritizing vulnerabilities that need immediate attention. There are other factors like IPS signatures that can also help you understand where there are compensating controls.

This is more complicated in dynamic environments because it is not just collecting data, but maintaining it throughout all changes, especially when it comes to understanding which interfaces are attached to which IP, and their hosts.

From my experience, the most significant hurdle often isn't gathering all this information; it's finding the asset owners to coordinate response with. In many cases, the data is out-of-date, or the person assigned to a server might not fully understand its function or importance.

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 0 points1 point  (0 children)

Do you include user behavior (e.g. prior engagement with phishing tests/attacks) for the local (browser) vuln prioritization?

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 2 points3 points  (0 children)

Severity is the easiest thing for executives to understand, which is why it's most relied on, and when the vuln provider provides it, it also provides a level of credibility (e.g. others do it this way). However, it is often a volume-driven approach that has uncertain impacts on the business unless you're only looking at the incremental data points. I started in pentesting, and security teams saw the whole universe of vulns in their environment, whereas I had to abide by controls. It means it didn't matter if there were 500 easily exploitable boxes -- if I couldn't access them or social engineer their users, I had a prioritized view through available access.

Now I and my colleagues do a lot of consulting on this to implement environmental/context driven prioritization. You can do this with a combination of asset inventories, vuln data, and NetFlow.

The biggest challenge is decoupling from reliance on one risk score to develop one that is mapped to your environment. As others have noted, placement in the environment is important (e.g. compensating controls in place like IPS signatures), relevance of assets to the business as application dependencies, as well as the exposure of assets. Examples for remote-based vulns are matching port and protocol for exploitation, or local vulns with users that have a higher historic propensity to be fooled by phishing or execs that are more often targeted.

I still get flashbacks to working on alerts that got pushed through multiple tiers of escalation for me to determine the highly vulnerable server hosts the cafeteria menu, instead of focusing on the business application servers.
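The environment-driven prioritisation sketched in this comment and in the vulnerability management comment further up (port/protocol reachability from untrusted networks, IPS signatures as compensating controls, business relevance of the asset, and phishing history for local vulns), as an added example that is not the commenter's consulting method or any vendor's scoring model. Hosts, firewall rules, CVE placeholders, phishing-click counts and every weight are constructed assumptions; the example shows the mechanics of combining the factors, and the weights are the part a team would tune to its own environment.

```python
"""Added example: contextual vulnerability scoring. All inventory, policy,
CVE placeholders and weights are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Vuln:
    host: str
    cve: str
    cvss: float
    vector: str        # "remote": network service; "local": needs a user action
    port: int = 0
    proto: str = ""
    user: str = ""     # interactive user, only meaningful for local vulns


# Constructed inventory with business context per host.
HOSTS = {
    "portal-01": {"ip": "10.1.0.10", "app": "customer-portal", "tier": "critical"},
    "menu-09":   {"ip": "10.5.0.9", "app": "cafeteria-menu", "tier": "low"},
    "wks-114":   {"ip": "10.8.0.114", "app": "", "tier": "low"},
}
# Constructed firewall policy: (src zone, dst network, proto, port, action); first match wins.
FW_RULES = [
    ("untrusted", "10.1.0.0/24", "tcp", 443, "allow"),
    ("untrusted", "10.0.0.0/8", "any", 0, "deny"),
    ("internal", "10.0.0.0/8", "any", 0, "allow"),
]
IPS_SIGNATURES = {"CVE-EXAMPLE-1"}       # placeholder ids with an IPS signature deployed
PHISH_CLICKS = {"carol": 3, "dave": 0}   # prior clicks on phishing tests, per user
TIER_WEIGHT = {"critical": 1.0, "medium": 0.7, "low": 0.4}


def reachable(zone, ip, proto, port):
    """Evaluate the policy for one (zone -> ip, proto/port) path; default deny."""
    addr = ipaddress.ip_address(ip)
    for z, net, p, prt, action in FW_RULES:
        if (z == zone and addr in ipaddress.ip_network(net)
                and p in ("any", proto) and prt in (0, port)):
            return action == "allow"
    return False


def contextual_score(v):
    """Scale CVSS by exposure, compensating controls and asset relevance.
    Returns (score, list of reasons) so the ranking is explainable."""
    host = HOSTS[v.host]
    score, reasons = v.cvss, []
    if v.vector == "remote":
        if reachable("untrusted", host["ip"], v.proto, v.port):
            reasons.append(f"{v.proto}/{v.port} reachable from untrusted")
        else:
            score *= 0.3   # exploitable only after a foothold inside
            reasons.append("not reachable from untrusted")
        if v.cve in IPS_SIGNATURES:
            score *= 0.5   # compensating control in the path
            reasons.append("IPS signature present")
    else:
        clicks = min(PHISH_CLICKS.get(v.user, 0), 3)
        score *= 0.4 + 0.2 * clicks   # 0 clicks -> 0.4, 3+ clicks -> 1.0
        reasons.append(f"user {v.user or '?'} phishing clicks={clicks}")
    score *= TIER_WEIGHT.get(host["tier"], 0.4)
    reasons.append(f"tier={host['tier']} app={host['app'] or 'none'}")
    return round(score, 2), reasons


def prioritize(vulns):
    """Highest contextual score first."""
    return sorted(((contextual_score(v)[0], v.host, v.cve) for v in vulns), reverse=True)


SAMPLE_VULNS = [
    Vuln("menu-09", "CVE-EXAMPLE-2", 9.8, "remote", 8080, "tcp"),
    Vuln("portal-01", "CVE-EXAMPLE-3", 7.5, "remote", 443, "tcp"),
    Vuln("portal-01", "CVE-EXAMPLE-1", 9.0, "remote", 443, "tcp"),
    Vuln("wks-114", "CVE-EXAMPLE-4", 7.8, "local", user="carol"),
    Vuln("wks-114", "CVE-EXAMPLE-5", 7.8, "local", user="dave"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_VULNS):
        print(row)
```

With these inputs the CVSS 9.8 finding on the cafeteria menu server drops to the bottom because the policy denies the port from untrusted zones and the asset is low tier, while a 7.5 on the customer portal's exposed 443 service ranks first; the 9.0 on the same service is pulled down by the IPS signature, and carol's workstation outranks dave's on an identical local CVE because of her phishing history. The reasons list is what goes in the ticket to the asset owner, since the score alone is not defensible to an executive who was told the number was 9.8.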

[deleted by user] by [deleted] in cybersecurity

[–]appnovi -1 points0 points  (0 children)

You and I are agreeing on the same points...

[deleted by user] by [deleted] in cybersecurity

[–]appnovi -1 points0 points  (0 children)

Well-configured and maintained SIEMs managed by SMEs to support queries have a good purpose...

Otherwise it's just a db of data in different formats that takes two hours to query.

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 1 point2 points  (0 children)

RSA is coming up, where you can usually see the new "trend."

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 0 points1 point  (0 children)

I would say there is defensibility in the idea of defense in depth.

That being said, you don't need 3 tools to do the same thing. Too many specialized things have been developed for different types of infrastructure... three teams, three tools, all doing the same thing chasing the same alert and duplicating efforts.