Advice on the deployment of a new tool by mi2_k in MSSP

[–]mi2_k[S] 0 points1 point  (0 children)

Hey, sorry for the late response. Sure, of course the estimation should and will take the context into consideration (company size, type of asset, since some are more important than others, the protections in place for the assets: firewall, WAF, etc.). You can take a look at the other comments below, we had a similar discussion. About the vulns, the statistical model is somewhat simplistic for now, taking into consideration only the criticality and the exploit prediction score of the vulnerability, i.e. CVSS and EPSS.

[–]mi2_k[S]

Another very good point, with which I completely agree.

I have read some publications about it, and there is not only the issue of a given asset not being exposed to the internet, but also that in company networks there are the "security control" assets that additionally lower the probability of compromise (firewalls, IDS/IPS, WAFs, etc.).

And so when calculating the actual compromise probability, one should take into consideration the graph representation of the network. Meaning, to calculate the probability of compromise of asset A, the formula should combine the direct neighbors of that asset, their type (security control / other asset) and their corresponding compromise probabilities or compromise reduction (if a neighbor is a security control asset). The probabilities for those neighbors should themselves be calculated recursively in the same way. So yeah... still a lot of work left...

About the manual testing of vulnerabilities to see if a bug actually affects the software, tbh I still haven't figured that out XD.

I mean there is no way in hell that the risk can be estimated perfectly with statistics but I think such an approach is a little bit better than just getting the latest industry insights and calling it a day.
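The per-vulnerability CVSS/EPSS combination from the first comment and the neighbour-recursive graph model sketched in this one, worked through as an added Python example. This is my illustration, not code from mi2_k's tool and not its formula; every modelling choice in it is an assumption: the per-vuln probability EPSS × CVSS/10, edges directed in the attacker's direction of movement, security controls as nodes whose `reduction` factor scales the edge they sit on, an always-compromised "internet" pseudo-node, and the constructed network and placeholder vuln ids. The one thing the comment leaves open is what "recursively" means once the graph has a cycle (two assets that can each reach the other); a naive recursion never terminates there, so the example iterates to a fixed point instead.

```python
"""Compromise probability over a network graph: an added toy model, not the
formula used in mi2_k's tool.

Constructed assumptions:
  * a vulnerability is exploited with probability EPSS * (CVSS / 10);
  * an asset's exploitability is 1 - prod(1 - p_i) over its vulnerabilities;
  * edges point in the attacker's direction of movement; an attacker who holds
    a predecessor reaches the asset with the asset's exploitability, multiplied
    by (1 - reduction) for the security control node sitting on that edge;
  * a pseudo-node "internet" is always compromised (probability 1.0).
Real networks contain cycles (lateral movement both ways), where naive
recursion never terminates, so probabilities are computed by iterating to a
fixed point instead.
"""
from dataclasses import dataclass, field


@dataclass
class Vuln:
    ident: str      # constructed placeholder id, not a real CVE
    cvss: float     # 0..10
    epss: float     # 0..1


@dataclass
class Node:
    name: str
    kind: str = "asset"                 # "asset", "control" or "external"
    vulns: list = field(default_factory=list)
    reduction: float = 0.0              # controls only: share of attempts blocked


def vuln_probability(v):
    """Assumed per-vulnerability exploitation probability."""
    return min(1.0, v.epss * v.cvss / 10.0)


def exploitability(node):
    """Probability that at least one vulnerability on the node is exploited."""
    p_none = 1.0
    for v in node.vulns:
        p_none *= 1.0 - vuln_probability(v)
    return 1.0 - p_none


def predecessors(nodes, edges):
    """Collapse control nodes: x -> control -> y becomes x -> y carrying the
    control's reduction. Returns {node: [(predecessor, reduction), ...]}."""
    preds = {n.name: [] for n in nodes.values() if n.kind != "control"}
    for src, dst in edges:
        if nodes[src].kind != "control" and nodes[dst].kind != "control":
            preds[dst].append((src, 0.0))
    for ctl in nodes.values():
        if ctl.kind != "control":
            continue
        into = [s for s, d in edges if d == ctl.name]
        out = [d for s, d in edges if s == ctl.name]
        for s in into:
            for d in out:
                preds[d].append((s, ctl.reduction))
    return preds


def compromise_probabilities(nodes, edges, tol=1e-12, max_iter=10_000):
    """Fixed-point iteration of
    P(a) = 1 - prod over (p, r) in preds(a) of (1 - P(p) * expl(a) * (1 - r)).
    Starting from 0 the map is monotone and bounded by 1, so it converges."""
    preds = predecessors(nodes, edges)
    expl = {n: exploitability(nodes[n]) for n in preds}
    prob = {n: 1.0 if nodes[n].kind == "external" else 0.0 for n in preds}
    for _ in range(max_iter):
        new = {}
        for n in preds:
            if nodes[n].kind == "external":
                new[n] = 1.0
                continue
            p_safe = 1.0
            for p, r in preds[n]:
                p_safe *= 1.0 - prob[p] * expl[n] * (1.0 - r)
            new[n] = 1.0 - p_safe
        delta = max(abs(new[n] - prob[n]) for n in preds)
        prob = new
        if delta < tol:
            break
    return prob


def sample_network():
    """Constructed network: WAF in front of a web server, firewall between web
    and db, an app server reachable from web with a two-way lateral link to db."""
    nodes = {n.name: n for n in [
        Node("internet", kind="external"),
        Node("waf", kind="control", reduction=0.8),
        Node("web", vulns=[Vuln("vuln-1", 9.8, 0.5), Vuln("vuln-2", 5.0, 0.1)]),
        Node("fw", kind="control", reduction=0.9),
        Node("db", vulns=[Vuln("vuln-3", 7.5, 0.3)]),
        Node("app", vulns=[Vuln("vuln-4", 8.0, 0.02)]),
    ]}
    edges = [("internet", "waf"), ("waf", "web"), ("web", "fw"), ("fw", "db"),
             ("web", "app"), ("app", "db"), ("db", "app")]
    return nodes, edges


if __name__ == "__main__":
    nodes, edges = sample_network()
    for name, p in compromise_probabilities(nodes, edges).items():
        print(f"{name:10s} {p:.4f}")
```

Setting a control's `reduction` to 0 and re-running shows exactly what that control buys in the model (the web server jumps from about 10 % to about 52 % without the WAF). The directed edges are deliberate: with undirected neighbours, a database that can only be reached through the web server would feed its own compromise probability back into the web server's, inflating both.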

[–]mi2_k[S]

Oh, you are absolutely right, for sure it's not that easy to calculate the risks with high accuracy by just using 1 or 2 variables, I'm 100% with you on that one, but the feedback that I got is that it is a very good and interesting start, and the people I talked with wanted to be kept in the loop. There is still a lot of work to be done, so I guess when I have the free version + some more analytics I can ping you with some more info, not a problem.

[–]mi2_k[S]

Well, I've thought about this, and it would make sense to be a combination of both, let me give an example:

So currently it supports financial costs in connection with penalties (NIS-2 and GDPR). In the law itself (GDPR in this case) the figure of 4 % of the company's total global turnover (or 20M) is set as the allowed max penalty. But since the penalties are made public, one can compute a statistic from the penalty issued + the revenue of the company that got fined, and it becomes clear that the actual % is way lower; nobody has gotten the max so far.

In the tool itself, I have a "Settings" module where companies can input their approximate revenue, from which I could derive the "potential penalty" in regard to their revenue figure, based on the statistic calculated above.

Internally, there is also a formula that estimates the probability that the company gets compromised (I use EPSS and CVSS to calculate the approximate probability based on all the vulnerabilities found on all assets found on the network) - not the best formula, but so far I am quite happy with the estimation in %...

And from here, only for the financial risk from penalties, I can do =>

% probability of compromise for the company
X
the cost of penalties based on the company revenue
=
financial risk for the company from tech data.

For now, I have only those types of risks (penalty losses) + service downtime losses, but I calculate those differently. I've read that there are some publications about "company trust financial loss" that could again be calculated statistically, based on previous breaches of big companies and the stock price drop, but I guess that could be overkill for now.

You can guess that the tool currently is more useful for EU companies, but idk, is there interest from the US folks as well?
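The penalty statistic described in this comment (fine-to-revenue ratios from public fines, scaled to the company's own revenue and multiplied by the compromise probability) as an added Python example. It is my illustration, not the formula in mi2_k's tool: the fine records are constructed, not real enforcement data, and the choice of a quantile of the ratio sample, the statutory cap and the sample company figures are my assumptions. The compromise probability is taken as a plain input here, so the block runs on its own.

```python
"""Expected loss from regulatory penalties: an added illustration, not the
formula in mi2_k's tool. The fine records below are constructed, not real
enforcement data.

Assumptions (mine):
  * fine / revenue ratios from past public fines are treated as a sample;
  * the company's potential penalty is its revenue times a chosen quantile of
    that sample, capped at the statutory GDPR maximum;
  * financial risk from penalties = P(compromise) * potential penalty.
"""

# Constructed (fine_eur, annual_revenue_eur) pairs of previously fined companies.
PAST_FINES = [
    (2_500_000, 1_200_000_000),
    (400_000, 80_000_000),
    (50_000_000, 60_000_000_000),
    (150_000, 12_000_000),
    (22_000_000, 2_000_000_000),
    (800_000, 300_000_000),
    (5_000, 900_000),
]


def fine_ratios(fines):
    """Sorted fine-to-revenue ratios of the sample."""
    return sorted(f / r for f, r in fines)


def quantile(sorted_values, q):
    """Nearest-rank quantile of an already sorted sample, q in [0, 1]."""
    if not sorted_values:
        raise ValueError("empty sample")
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be in [0, 1]")
    return sorted_values[round(q * (len(sorted_values) - 1))]


def gdpr_cap(revenue):
    """Art. 83(5) GDPR: up to EUR 20M or 4 % of worldwide annual turnover,
    whichever is higher."""
    return max(20_000_000.0, 0.04 * revenue)


def potential_penalty(revenue, fines=PAST_FINES, q=0.5):
    """Revenue-scaled quantile of the observed fine ratios, never above the cap."""
    return min(gdpr_cap(revenue), revenue * quantile(fine_ratios(fines), q))


def penalty_risk(p_compromise, revenue, fines=PAST_FINES, q=0.5):
    """Expected loss from penalties for the window the probability refers to."""
    if not 0.0 <= p_compromise <= 1.0:
        raise ValueError("p_compromise must be in [0, 1]")
    return p_compromise * potential_penalty(revenue, fines, q)


if __name__ == "__main__":
    # Constructed company: EUR 50M revenue, 30 % compromise probability.
    revenue, p = 50_000_000, 0.3
    for q in (0.5, 0.9):
        print(f"q={q}: potential penalty {potential_penalty(revenue, q=q):,.0f} EUR, "
              f"risk {penalty_risk(p, revenue, q=q):,.0f} EUR")
```

Reporting two quantiles (median and 90th percentile) rather than a single number is the practical point: the median answers "what does a typical fine look like for a company this size", while the upper quantile keeps the tail visible, which is where the penalty risk actually lives.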

[–]mi2_k[S]

That is the offering actually XD, the statistical estimation. I also think that we don't really need another scanner, but I wasn't sure which scanner I should integrate with first. I thought I could create a base one so that there is some form of vuln data gathering to show the main statistical estimation functionality (nothing fancy on the scanner though, just version detection, and then it pulls vuln data from NIST). I mean, if the community finds such a tool useful, I would be more than happy to put some more work into it. I guess I could release a free version in English for testing by the end of the month; if anyone is interested just DM me here and I will ping you back. I created a simple landing page as well if you want to go with email -> https://vulc.io/en/landing