measuring risk
play

Measuring Risk Ron Gula NSA Pen Tester Cloud Security Network IDS - PowerPoint PPT Presentation

Aug 29, 2022 •154 likes •458 views

Measuring Risk Ron Gula NSA Pen Tester Cloud Security Network IDS Who is Ron Gula??? Vuln Management Cyber Companies THREAT X VULNERABILITY = RISK THREAT X VULNERABILITY = RISK Out of date browser on server One

  1. Measuring Risk Ron Gula

  2. • NSA Pen Tester • Cloud Security • Network IDS Who is Ron Gula??? • Vuln Management • Cyber Companies

  4. THREAT X VULNERABILITY = RISK

  5. THREAT X VULNERABILITY = RISK

  6. • Out of date browser on server • One server with 10 vulns versus Ten servers with 1 vulns • “Low” and “Medium” vulns

  7. • Severity • Exploit • Asset • Malware • Age • Patch Rollups

  9. EVEN IF WE PATCHED 100% WE STILL HAVE ZERO DAYS

  10. • Patch Management • Vuln Scanners • System Hardening • Network Monitors • EDR & Forensics • Web Proxy • GRC & Compliance • SIEM & Logs • Authentication • Asset Management • IT Provisioning • NAC and Firewall • Procurement

  11. If you know the enemy and know yourself you need not fear the results of a hundred battles.

  12. If you know the enemy and know yourself you need not fear the results of a hundred battles. • Complex OSes • BYOD and Mobile • On-Prem Apps • Cloud Apps • All Users • User Access

  13. If you know the enemy and know yourself you need not fear the results of a hundred battles. • Complex OSes • Vulnerabilities • BYOD and Mobile • Activity Logging • On-Prem Apps • System Configurations • Cloud Apps • Network Monitoring • All Users • Change Detection • User Access • Privileged Access

  15. Can you build a list of all Access Control and Authentication enclaves Can you build a map of all ACLs and enclaves? and access control lists on them?

  16. Can you build a list of all users and their authorized apps?

  17. MONITORING AUDIT

  18. DATA DATA DATA & APPS & APPS & APPS DATA & APPS DATA & APPS DATA & APPS

  19. TELEMETRY Logs, Packets, Flows, Cloud APIs, Auth, Files, .etc LOOK FOR BADNESS NIDS, AV, BOTs, UBA, NBAD, APT, .etc AUDIT FOR GOODNESS Apps, Users, Transactions, Normal

  20. WHY CAN’T WE MODEL RISK? • Periodic & Imperfect Assessments • Imperfect Threat Model • Collection of Data • Lack of standards on “risk”

  21. RISK MEASURING ENABLES • Better Security Policy • Better Security Budgets • Fact based Security WHAT IS THE #1 THING?

  22. FRAMEWORKS • Vendor Neutral • Cross-Organizational • Prescriptive • Written by Pen Tests & I.R.

  27. CONCLUSIONS Conclusions

  28. CONCLUSIONS Conclusions

  29. CONCLUSIONS Conclusions

  30. Questions and Contact Information

Recommend

Asset Pricing Chapter IV. Measuring Risk and Risk Aversion June 20, 2006 Asset Pricing 4.1

Asset Pricing Chapter IV. Measuring Risk and Risk Aversion June 20, 2006 Asset Pricing 4.1

4.1 Measuring Risk Aversion 4.2 Interpreting the Measures of Risk Aversion 4.4 Risk Premium and Certainty Equivalence 4.5 Assessing an Investors Level of Relative Risk Aversion 4.6 The Concept of Stochastic Dominance 4.7 Mean Preserving

709 views • 23 slides
2012-03-20 Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS

2012-03-20 Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS

2012-03-20 Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking & Product Management Seminar March 20, 2012 Professor Joseph Ferreira, Jr. and Eric Minikel Measuring per-mile risk for pay-as-

368 views • 15 slides
Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking

Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking

Measuring per-mile risk for pay-as-you- drive automobile insurance Eric Minikel CAS Ratemaking & Product Management Seminar March 20, 2012 Professor Joseph Ferreira, Jr. and Eric Minikel Measuring per-mile risk for pay-as- you-drive

591 views • 43 slides
Measuring Time from Identification of a New Risk to Regulatory Action: Focus on Signaling Tools

Measuring Time from Identification of a New Risk to Regulatory Action: Focus on Signaling Tools

Measuring Time from Identification of a New Risk to Regulatory Action: Focus on Signaling Tools and Processes 06 December 2016 Amie Goulbourne, MPH, MT(ASCP) Safety & Benefit Risk Management (SABR) Biogen, Inc. Disclaimer: The information

119 views • 9 slides
Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head

Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head

Risk minimisation activities measuring effectiveness Dr Jane Cook Branch Head Pharmacovigilance and Special Access Branch 11 November 2015 Risk Minimisation Programme You have identified the risks to be mitigated. You have

219 views • 17 slides
Regulatory initiatives for measuring the impact of risk minimisation measures EMA Workshop, 5-6

Regulatory initiatives for measuring the impact of risk minimisation measures EMA Workshop, 5-6

Regulatory initiatives for measuring the impact of risk minimisation measures EMA Workshop, 5-6 December 2016 Dolores Montero Division of Pharmacoepidemiology and Pharmacovigilance Department of Human Medicines Evaluation on the

824 views • 16 slides
Measuring Climate Risk from the Bottom-Up Fossil companies that remain fossil are unattractive

Measuring Climate Risk from the Bottom-Up Fossil companies that remain fossil are unattractive

Measuring Climate Risk from the Bottom-Up Fossil companies that remain fossil are unattractive for investors Henrik Jeppesen, CFA, CAIA Head of Investor Outreach North America Carbon Tracker Initiative June 13, 2018

489 views • 14 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
Measuring Year-to-Year Improvement in Risk-Adjusted Outcome Measures: Filling a Methods Gap

Measuring Year-to-Year Improvement in Risk-Adjusted Outcome Measures: Filling a Methods Gap

Measuring Year-to-Year Improvement in Risk-Adjusted Outcome Measures: Filling a Methods Gap Academy Health ARM June 27, 2016 1 Funding and Disclosures This work was funded by a contract with the Centers for Medicare & Medicaid

745 views • 27 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

806 views • 42 slides
Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets

Technische Universitt Mnchen Measuring Systemic Risk and Assessing Systemic Importance in Global and Regional Financial Markets Using the Expected Systemic Shortfall (ESS) Indicator Lahmann / Kaserer (2011) 11 th Annual Bank Research

207 views • 20 slides
Give me $ 1M Give me $ 1M -$ 3M -$ 10M Quantifying Risk QCon SF 2019 Markus De Shon

Give me $ 1M Give me $ 1M -$ 3M -$ 10M Quantifying Risk QCon SF 2019 Markus De Shon

Give me $ 1M Give me $ 1M -$ 3M -$ 10M Quantifying Risk QCon SF 2019 Markus De Shon (mdeshon@netflix.com) How to Measure anything in Cybersecurity Risk Douglas W. Hubbard & Richard Siersen Measuring and Managing Information Risk

792 views • 41 slides
Measuring Risk QUAN TITATIVE RIS K MAN AGEMEN T IN P YTH ON Jamsheed Shorish CEO, Shorish

Measuring Risk QUAN TITATIVE RIS K MAN AGEMEN T IN P YTH ON Jamsheed Shorish CEO, Shorish

Measuring Risk QUAN TITATIVE RIS K MAN AGEMEN T IN P YTH ON Jamsheed Shorish CEO, Shorish Research The Loss Distribution Forex Example : Loss distribution : Random realizations of r => Portfolio value in U.S. dollars is USD 100 distribution

507 views • 50 slides
MEASURING PRIVACY RISK IN ONLINE SOCIAL NETWORKS Justin Becker, Hao Chen UC Davis May 2009 1

MEASURING PRIVACY RISK IN ONLINE SOCIAL NETWORKS Justin Becker, Hao Chen UC Davis May 2009 1

MEASURING PRIVACY RISK IN ONLINE SOCIAL NETWORKS Justin Becker, Hao Chen UC Davis May 2009 1 Motivating example College admission Kaplan surveyed 320 admissions offices in 2008 1 in 10 admissions officers viewed applicants online

440 views • 28 slides
Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk

FREE Lifelong Learning Event for Fasset Members Risk Management Workshop 1 Risk management workshop Why do we Risk Risk and need risk assessment control matrix management process Governance Risk appetite Agenda for and risk Risk

1.28k views • 105 slides
ITU on Measuring Speech Quality Measuring Perceived Quality Typically done by using standards

ITU on Measuring Speech Quality Measuring Perceived Quality Typically done by using standards

Outline Measuring Perceived Quality of Introduction Speech and Video in Multimedia Measuring Perceived Quality Conferencing Applications What is Multimedia Quality? UCL Approach to Measuring Quality Anna Watson and M. Angela

328 views • 4 slides
Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Assessment Reduce the workers and Biosafety is an inexact science, and

Risk Analysis Biosafety Risk assessment, Risk Risk analysis encom passes Management & risk risk assessm ent, risk communication m anagem ent, and risk com m unication. Ephy Khaemba International Livestock Research Institute

506 views • 11 slides
Describing is good: measuring is better. A new means of measuring the effectiveness of networks

Describing is good: measuring is better. A new means of measuring the effectiveness of networks

Describing is good: measuring is better. A new means of measuring the effectiveness of networks and simultaneously strengthening their function 9 th September 2015 Claire Grealy (Urbis) Gail Winkworth & Michael White Known dimensions of

422 views • 16 slides
Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org

14 September, 2020 African Internet Summit Measuring the Internet Project Introduction Mat Ford / David Belson measuring@isoc.org Presentation title Client name Measuring the Internet Why? The Internet Societys efforts focus on

336 views • 9 slides
Measuring the KSK Roll Geof f Hust on APN I C L abs KSK Roll Measurement Objective What

Measuring the KSK Roll Geof f Hust on APN I C L abs KSK Roll Measurement Objective What

Measuring the KSK Roll Geof f Hust on APN I C L abs KSK Roll Measurement Objective What number of users are at risk of being impacted by the KSK Roll? What we would like the DNS to be DNS Server C l ient DNS Resolver What we suspect is

557 views • 22 slides
Measuring the Measuring the Benefits of Income- B Based Repayment d R t for Graduate and

Measuring the Measuring the Benefits of Income- B Based Repayment d R t for Graduate and

Measuring the Measuring the Benefits of Income- B Based Repayment d R t for Graduate and for Graduate and Professional St d Students t Jason Delisle, Alex Holt, & Kristin Blagg gg New America Foundation Rationale for

864 views • 17 slides
Measuring Environmental & Social Value Introduction Agenda Introductions What is

Measuring Environmental & Social Value Introduction Agenda Introductions What is

Measuring Environmental & Social Value Introduction Agenda Introductions What is value? Why measuring broader value is important Measuring Environmental Value Coffee Break Measuring Social Value Questions

440 views • 30 slides
Measuring What Matters Quality, Impact and Measuring Social Value Philip Angier, Angier Griffin

Measuring What Matters Quality, Impact and Measuring Social Value Philip Angier, Angier Griffin

Measuring What Matters Quality, Impact and Measuring Social Value Philip Angier, Angier Griffin Measuring what matters Introductions: Name Organisation Where youre from first part of postcode Size approx annual

583 views • 27 slides

More recommend