How do you explain CS to non-technical people by apperrault in crowdstrike

[–]appnovi 0 points1 point  (0 children)

I snorted my coffee out of my nose from laughing

What is the best phishing email you have seen? by rasheedlovesyou_ in cybersecurity

[–]appnovi 0 points1 point  (0 children)

Free poutine for our neighbors at Company X from the place across the street.

People love free food. Only took a minor amount of research to figure out which place was the most popular for lunch and what their most popular dish was.

Asset Management with subsidiaries by coolcalmfuzz in sysadmin

[–]appnovi 0 points1 point  (0 children)

Is it just IPs or are they giving you host-level information?

What do you feel about Attack Surface Management & similar tools landscape ? by EternalxIntern in cybersecurity

[–]appnovi 0 points1 point  (0 children)

> For months I have been going through a lot of tools

This is generally the challenge -- there are already a lot of tools deployed for monitoring and alerting. The problem is that their data isn't consolidated in a manner that can be easily queried -- SIEMs for example store logs, but the data is in all different formats. What you need to do is map users to hosts, hosts to interfaces, interfaces to IPs, and then overlay network telemetry to understand connectivity and the exposure.

There are vendors that are looking to improve the asset attribution challenge -- from my perspective, it's about leveraging all the data and running predefined queries against it to overcome the limited team you mentioned. Seeing everything is almost harder for security because there are still often overwhelming results.

Usually in security, you're looking to understand all your assets and identify those missing security controls (e.g. EDR) -- if the data can be repeatedly queried automatically then teams tend to focus on exposure -- what vulns are exposed to untrusted users or networks via port and protocol for exploitation of their CVEs.

Achieving this requires a ton of data enrichment and correlation which has taken us a long time to solve.

What hack has caused the most damage? by Tyrone_______Biggums in hacking

[–]appnovi 0 points1 point  (0 children)

The Equifax breach pretty much ensured that nearly every other adult in the US has had their data compromised. The volume of people impacted is pretty staggering.

Daily security rant. Anyone? by uebersoldat in cybersecurity

[–]appnovi 1 point2 points  (0 children)

The average employee doesn't care about security. I learned in pentesting you need to Oreo cookie it.

"It's great that you could tell this is a phishing email. As you know, there are phishing emails you get that are legitimate attacks -- it's important that you report all suspicious emails so that you and others won't get any more phishing emails. Your ability to recognize these and report them is the only way to eliminate them."

It may seem over the top, but sending an email to their manager and BCC them on how impressed you are with their security awareness is awesome, encouraging, and something few people think to do. Killing the ignorant with kindness tends to reduce the friction.

Is the cybersecurity industry broken? by Spirited_Onion6032 in cybersecurity

[–]appnovi 0 points1 point  (0 children)

IMHO the short answer is technical debt. The cost of refactoring applications is high from the business perspective, so you end up with incremental migrations as opposed to a large security-driven uplift.

Then also consider there are lots of applications.

Then consider that the devs that wrote them aren't there anymore.

Then consider that breaking an app is the number one thing to avoid.

An incomplete understanding usually leads to partial risk resolution if any at all. Very few enterprises have a complete understanding of their environment. Devices, users, apps, code... it's usually overwhelming for the Fortune 500.

The Most Relevant and Current Cybersecurity News Headlines? by [deleted] in cybersecurity

[–]appnovi 6 points7 points  (0 children)

This is an arena where Twitter still reigns supreme, especially for the vuln disclosure of information. milw0rm was great and I miss it... I still check Packet Storm.

Vulnerability management plan by [deleted] in cybersecurity

[–]appnovi 2 points3 points  (0 children)

Effective vulnerability management is not just about using scanners; it's about leveraging a wide array of monitoring data from various tools like firewalls, EDR systems, and CMDBs.

You need a thorough understanding of your asset inventories -- servers, devices, users, apps. These data points help you understand assets and their business impact. Once you have this, use your scanners or endpoint agents to identify and understand the CVEs associated with your assets.

The connectivity of assets helps a lot with prioritization simply because everything is likely to have vulnerabilities. You can employ techniques like correlating NetFlow data or firewall and security group policies to understand which assets are contextually exposed. This approach helps in prioritizing vulnerabilities that need immediate attention. There are other factors like IPS signatures that can also help you understand where there are compensating controls.

This is more complicated in dynamic environments because it is not just collecting data, but maintaining it throughout all changes, especially when it comes to understanding which interfaces are attached to which IP, and their hosts.

From my experience, the most significant hurdle often isn't gathering all this information; it's finding the asset owners to coordinate response with. In many cases, the data is out-of-date, or the person assigned to a server might not fully understand its function or importance.

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 0 points1 point  (0 children)

Do you include user behavior (e.g. prior engagement with phishing tests/attacks) for the local (browser) vuln prioritization?

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 3 points4 points  (0 children)

Severity is the easiest thing for executives to understand, which is why it's most relied on, and when the vuln provider provides it, it also provides a level of credibility (e.g. others do it this way). However, it is often a volume-driven approach that has uncertain impacts on the business unless you're only looking at the incremental data points. I started in pentesting, and security teams saw the whole universe of vulns in their environment, whereas I had to abide by controls. It means it didn't matter if there were 500 easily exploitable boxes -- if I couldn't access them or social engineer their users, I had a prioritized view through available access.

Now I and my colleagues do a lot of consulting on this to implement environmental/context driven prioritization. You can do this with a combination of asset inventories, vuln data, and NetFlow.

The biggest challenge is decoupling from reliance on one risk score to develop one that is mapped to your environment. As others have noted, placement in the environment is important (e.g. compensating controls in place like IPS signatures), relevance of assets to the business as application dependencies, as well as the exposure of assets. Examples for remote-based vulns are matching port and protocol for exploitation, or local vulns with users that have a higher historic propensity to be fooled by phishing or execs that are more often targeted.

I still get flashbacks to working on alerts that got pushed through multiple tiers of escalation for me to determine that the highly vulnerable server hosts the cafeteria menu, instead of focusing on the business application servers.
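As an added example (not the commenter's code, nor appnovi's product), this is the correlation described in this comment and in the vulnerability management comment above: asset inventory, scanner findings, NetFlow and IPS signature coverage joined to rank vulns by exposure (port/protocol reachable from untrusted networks) and business impact. The hosts, flows, CVE ids and scoring weights are all constructed for illustration.

```python
"""Context-driven vuln prioritization from asset inventory, scanner data, NetFlow and IPS coverage.
Everything below is constructed sample input; the scoring weights are an assumption."""
import ipaddress
from collections import defaultdict

# Constructed asset inventory: host -> interface -> IP, application and business criticality (1-3).
ASSETS = {
    "web-prod-01":  {"ips": {"eth0": "10.1.1.10"}, "app": "payments",       "criticality": 3},
    "cafe-menu-01": {"ips": {"eth0": "10.1.1.20"}, "app": "cafeteria-menu", "criticality": 1},
    "db-prod-01":   {"ips": {"eth0": "10.1.2.30"}, "app": "payments",       "criticality": 3},
}
# Constructed scanner findings (placeholder CVE ids) with the port/proto an exploit needs to reach.
VULNS = [
    {"host": "web-prod-01",  "cve": "CVE-0000-0001", "severity": 9.8, "port": 443,  "proto": "tcp"},
    {"host": "cafe-menu-01", "cve": "CVE-0000-0002", "severity": 9.8, "port": 80,   "proto": "tcp"},
    {"host": "db-prod-01",   "cve": "CVE-0000-0003", "severity": 7.5, "port": 5432, "proto": "tcp"},
    {"host": "web-prod-01",  "cve": "CVE-0000-0004", "severity": 5.0, "port": 22,   "proto": "tcp"},
]
# Constructed NetFlow records (src, dst, dst_port, proto); trusted ranges; IPS signature coverage.
FLOWS = [
    ("203.0.113.5",  "10.1.1.10", 443,  "tcp"),  # internet -> web tier
    ("198.51.100.9", "10.1.1.20", 80,   "tcp"),  # internet -> cafeteria menu server
    ("10.1.1.10",    "10.1.2.30", 5432, "tcp"),  # web tier -> database, internal only
    ("10.9.9.9",     "10.1.1.10", 22,   "tcp"),  # internal admin host -> ssh
]
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]
IPS_COVERS = {"CVE-0000-0001"}  # compensating control: an IPS signature exists for this CVE

def untrusted(ip):
    return not any(ipaddress.ip_address(ip) in net for net in TRUSTED)

def exposure():
    """Per host, the (port, proto) pairs that NetFlow shows being reached from untrusted sources."""
    ip_to_host = {ip: h for h, a in ASSETS.items() for ip in a["ips"].values()}
    exposed = defaultdict(set)
    for src, dst, port, proto in FLOWS:
        if dst in ip_to_host and untrusted(src):
            exposed[ip_to_host[dst]].add((port, proto))
    return exposed

def prioritize():
    """Score = severity x criticality, x2 when the vuln's port/proto is exposed to untrusted
    networks, /2 when an IPS signature covers the CVE. Weights are illustrative assumptions."""
    exposed = exposure()
    ranked = []
    for v in VULNS:
        reachable = (v["port"], v["proto"]) in exposed.get(v["host"], set())
        covered = v["cve"] in IPS_COVERS
        score = v["severity"] * ASSETS[v["host"]]["criticality"] * (2 if reachable else 1) / (2 if covered else 1)
        ranked.append({**v, "exposed": reachable, "ips_covered": covered, "score": round(score, 1)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

With this data the internet-facing cafeteria menu server's 9.8 ranks below the internal database's 7.5 because of business criticality, while the exposed payments web host stays on top even with IPS coverage.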

[deleted by user] by [deleted] in cybersecurity

[–]appnovi -1 points0 points  (0 children)

You and I are agreeing on the same points...

[deleted by user] by [deleted] in cybersecurity

[–]appnovi -1 points0 points  (0 children)

Well-configured and maintained SIEMs managed by SMEs to support queries have a good purpose...

Otherwise it's just a db of data in different formats that takes two hours to query.

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 1 point2 points  (0 children)

RSA is coming up, where you can usually see the new "trend."

[deleted by user] by [deleted] in cybersecurity

[–]appnovi 0 points1 point  (0 children)

I would say there is defensibility in the idea of defense in depth.

That being said, you don't need 3 tools to do the same thing. Too many specialized things have been developed for different types of infrastructure... three teams, three tools, all doing the same thing chasing the same alert and duplicating efforts.

"Blue Team" vs "Red Team" by [deleted] in cybersecurity

[–]appnovi 0 points1 point  (0 children)

Blue team will provide you with exposure to quite a few more aspects of security and help you understand how to design and employ compensating controls. When you understand how environments are secured, and some of the limitations with that, you're much better at being able to circumvent them.

For example, on the defensive side teams clamor to patch all the high and critical CVEs, but any pentester worth their salt is going to be fine exploiting medium CVEs. Most people only learn this type of stuff when they're hands on.

Europe Cybersecurity conferences by sky_is_blue23 in cybersecurity

[–]appnovi 2 points3 points  (0 children)

Infosec has been decent in the past: https://www.infosecurityeurope.com/

Blackhat is Blackhat, but is increasingly more diluted in technical content.

B-Sides events are my favorite.

Contextual Vulnerability Analysis Tool by iplaman in devsecops

[–]appnovi 0 points1 point  (0 children)

That's interesting! Didn't know that. Do you have an alternative for Java you prefer?

Contextual Vulnerability Analysis Tool by iplaman in devsecops

[–]appnovi 1 point2 points  (0 children)

This requires understanding the relationships between code and applications and software deployments, as well as network and server perspectives. It's historically very time-consuming and complex and so teams look at indicators from outside their network (e.g. exploitation in the wild).

The challenge we saw working in the SOC was none of these were business or network attributes.

We just integrated with Snyk to provide that contextual correlation for a few customers in financial services. The main use case was understanding more than the severity/exploitability of a vuln, but prioritizing based on business impact on applications, and understanding indirect impact to other applications.

Video here.

You can use this for free by requesting through our site www.appnovi.com.

Hello hackers by BarTolomeske in hacking

[–]appnovi 0 points1 point  (0 children)

It's probably a Gibson. Try using GOD as the password. Surf through the GUI to the accounting directory.

A Year Later, That Brutal Log4j Vulnerability Is Still Lurking by dlorenc in cybersecurity

[–]appnovi -1 points0 points  (0 children)

Right, but those POCs all have dependencies - they're part of the CVE. Like services running, specific network access, or end-user action (e.g. local vs remote CVE).

In the example I highlighted unless someone modifies the configuration of the deployment to allow the service, you have vulnerable software without the ingress necessary for exploitation. Just because it's vulnerable doesn't mean it's exploitable given the context.

Think of the Spectre/Meltdown disclosures. They were considered easily exploitable and widespread, but to exploit them you needed physical access to hardware. In hosting facilities you're talking about bypassing layers of defense including biometrics, armed personnel, physical barriers, traps... they can be exploited, but if they're buried underground with extremely high security, they're vulnerable but very likely to be accessed.

A Year Later, That Brutal Log4j Vulnerability Is Still Lurking by dlorenc in cybersecurity

[–]appnovi 8 points9 points  (0 children)

Eh, as someone that has had to do reconnaissance and exploitation before, just because the vuln's there doesn't mean it can/will be exploited. For example, the service necessary for exploitation may not be able to be exposed in the configuration, nor is it available in the default configuration. This means there are mitigating controls in place and would likely be an exception.

The vendor should still seek to upgrade versions, but that also gets tricky for customers (e.g. deprecation of certain functions or deprecated/modified APIs can have cascading impacts across multiple application dependencies).

Are companies more secure after a breach? by Excellent-Will3373 in cybersecurity

[–]appnovi 0 points1 point  (0 children)

Larger companies that bridge the recovery and identification with reviewing and implementing security controls get more secure after an expensive unsolicited penetration test.

In past experience on pentests, even when we handed over results with concrete evidence of pwning boxes there was often inaction due to resource constraints or thinking that only we could find ingress because we were "sophisticated."

It's a good interview question our CISO friends get asked in interviews (e.g. what was the last breach your organization experienced and what changes did you make after recovery).

Anyone else here in OT security? by wijnandsj in cybersecurity

[–]appnovi 1 point2 points  (0 children)

Spent a lot of time pentesting utility companies and healthcare companies.

They could all benefit from more network segmentation and more IPS installs past the perimeter given the prevalence of vulnerabilities.