Scratching the Surface of Risk

Presented at BSidesLV 2019, Aug. 7, 2019, 6 p.m. (55 minutes)

With myriad threats facing organizations, eliminating all avenues for attack is impossible. Accepting this reality means organizations need to focus resources where they are most likely to be impactful. But this begs many questions: What types of hosts are most likely to have vulnerabilities? Are those same hosts critical parts of the business? What about cloud infrastructure that isn't fully controlled? Are hosts on foreign soil in compliance with local laws?

We could tap into prevailing FUD and personal opinions to answer these questions, but haven't we all had enough of that? We'd prefer to know what the data says. In this talk we introduce the concept of risk surface and explore its shape by tapping into a fascinating data set spanning millions of internet-facing hosts from tens of thousands of firms and major hosting providers around the world. We find that for most organizations risk is global with more than half locating infrastructure in multiple countries. Not only are hosts spread far and wide, but vulnerabilities are too: more than half of organizations have high or critical vulnerabilities on external infrastructure. Armed with this new perspective, we can make recommendations to organizations on where their resources are best deployed.

Presenters:

• Wade Baker
  Wade Baker is co-founder of the Cyentia Institute. In addition to his role with the Cyentia Institute, Wade is a professor in Virginia Tech's College of Business, teaching in the MBA and Master of IT programs. He's also proud to serve on the Advisory Boards of the RSA Conference and FAIR Institute. Wade loves learning from cybersecurity data and sharing those lessons to help others learn as well - whether that's in the classroom, boardroom, or anywhere in between. Prior to founding Cyentia, Wade was the VP of Strategy and Analytics at ThreatConnect and before that had the great fortune of leading Verizon's Data Breach Investigations Report team for a number of years.
• Benjamin Edwards
  Benjamin Edwards joined the Cyentia Institute as a Senior Data Scientist at the beginning of 2019. He was formerly with IBM Research, where he worked in applying advanced machine learning techniques to solve real world security problems and shaped the next generation of analytical security models. Before that he received his Ph.D. from the University of New Mexico with a research focus that blended the fields of security, data science, and complex systems. His work has lead to a better understanding of global attack trends, the effects of security interventions, and even nation state cybersecurity policy.

Similar Presentations:

• DEF CON 30 (2022) / Hundreds of incidents, what can we share?
• DeepSec 2015 „DeepSec No. 9“ / Have We Penetrated Yet??