Predictive Vulnerability Scoring System

Presented at Black Hat USA 2019, Aug. 8, 2019, 12:10 p.m. (50 minutes)

Effective prioritization of vulnerabilities is essential to staying ahead of your attackers. While your threat intelligence might expose a wealth of information about attackers and attack paths, integrating it into decision-making is no easy task. Too often, we make the mistake of taking the data given to us for granted – and this has disastrous consequences.

We'll explain what we miss by trusting CVSS scores, and what should absolutely be taken into consideration to focus on the vulnerabilities posing the greatest risks to our organizations. We'll look at tens of thousands of vulnerabilities, CVSS scores, CVE, NVD, scraping mailing lists, collecting data feeds and ultimately end up with a few dozen data points that helped us understand the probability of a vulnerability being exploited.

Finally, we'll use all that data as well as billions of in-the-wild events collected over 5 years in order to create a machine learning model for predicting the probability of a vulnerability being exploited, a scoring system which outperforms CVSS on every metric: accuracy, efficiency and coverage.

Presenters:

• Jay Jacobs - Chief Data Scientist, Cyentia Institute
  Jay Jacobs is a security data scientist with a deep-seated passion for using data to improve cybersecurity decisions, practice, and products. He enjoys digging into data to find the insight and knowledge to tackle hard problems and do amazing things for his company, customers, and the community at large. Though he's taken on many projects, Jay is probably best known for his contributions to Verizon's annual Data Breach Investigations Report series and his book "Data-Driven Security: Analysis, Visualization and Dashboards." Jay is a founding member of the Society of Information Risk Analysts, and remains an active proponent of improving how we measure and manage risk.
• Michael Roytman - Chief Data Scientist, Kenna Security
  Michael Roytman is the Chief Data Scientist at Kenna Security, and has spoken at RSA, SOURCE, Bsides, Metricon and SIRAcon. His work focuses on cybersecurity data science and Bayesian algorithms, and he serves on the board of the Society of Information Risk Analysts. He is also a technical advisor in the humanitarian space, having worked with Doctors Without Borders, The World Health Organization, and the UN. He is the cofounder and executive chair of Dharma.ai, for which he landed on the 2017 Forbes 30 under 30 list. He currently serves on Forbes Technology Council. He holds an M.S. in Operations Research from Georgia Tech, and his home in Chicago houses an industrial-scale coffee roasting operation.

Links:

• https://www.blackhat.com/us-19/briefings/schedule/#predictive-vulnerability-scoring-system-16147

Similar Presentations:

• BSidesLV 2023 / Vulnerability Intelligence for All: Say Goodbye to Data Gatekeeping
• BSidesLV 2019 / Getting CVSS, NVD, and CVEs to Work for You: Standardizing and Scaling Your Vulnerability Risk Analysis
• Black Hat USA 2013 / How CVSS is DOSsing Your Patching Policy (and wasting your money)