It has been just two weeks since RSA. What has changed in this time frame? Well, we had a Patch Tuesday, for one. Barely two days later Adobe Flash released an update including fixes for known critical vulnerabilities including one that was observed in targeted attacks.
According to Verizon’s 2014 breach report, in just two to four weeks 50% of vulnerabilities that will be exploited, have already been exploited. Verizon’s 2015 DBIR goes a step further and talks about ways to profile a vulnerability to start to identify those likely to be exploited in that first 30 days. They said a CVE being added to Metasploit is pretty much the single biggest indicator it has or will be exploited in the wild. Another interesting pattern was identified when they looked across the 67k CVEs and found the 792 that were exploited. When you get down to the 24 there were exploited in the first month a pattern emerges. The majority of the CVEs that were exploited were Access Vector – Network and Authentication – None. The CVEs exploited in the first 30 days were predominantly CVSS 9 or 10 and Confidentiality, Integrity, and Availability were all Complete.
So 1 out of every 100 CVEs will be exploited and 50% of those will be exploited in 30 days or less from the date of publication. If you saw my 2015: Top 5 Vulnerable Vendors in mid December you may recall the huge increase in the number of vulnerabilities identified last year. Based on those numbers the top 5 vendors last year counted for 2624 vulnerabilities identified and addressed in 2015. So 26 of those were exploited and one should have been in the 30 day Window. Adobe Flash accounted for more than 5 Zero Days alone last year.
Since RSA, LANDESK acquired AppSense! Among other things, AppSense provides Application Whitelisting and Privilege Management. According to Australian Signals Directorate, SANS, and many other security agencies outline certain preventative strategies that should be at the heart of any security strategy. Application Whitelisting (AppSense), Patching Applications (Shavlik), Patching the Operating System (Shavlik), Restricting Administrator Privileges based on user role (AppSense) can eliminate “At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to”.
I read a few different perspectives on RSA this year after the show was over. Having been there this year and experiencing it first hand, I found this blog post by Gartner’s Anton Chuvakin to be very close to the mark. It is a good read, but here are a couple of excerpts that I found interesting:
“A lot of the tools firmly target the “security 1%-ers”, NOT the mainstream.”
I saw a lot of this at the show as well. Having an IT background and working on a product line that focuses on the Operations side of the house I can attest to the fact that there is still a gap between Operations and Security. Much of the focus and many of the “cool” solutions cater to the security 1%-ers. Preventative measures are often overshadowed because they have been around for a long time and lack the glamour of the new security solutions, but they have a tried and true track record and can reduce risk to your environment significantly.
“Does this shit work and is it cost effective?!!”
This one actually cracked me up. Even more so because we are partnering with the team over at Bufferzone and I had a chance to listen to them position their offering. Israel Levy delivered it in one simple statement, “You have heard of Bromium. Well this is Bromium, but it works.” I laughed when I first heard him and his team using this delivery, but after talking with them more I can absolutely understand and agree with it. Bromium apparently has extremely high resource costs to run. 4GB RAM, i3 or better CPU, and Windows 7 or later. Bufferzone will run lighter and across a broader set of hardware.
So, looking out two weeks, we will have a webinar with the Bufferzone team talking about how Shavlik and Bufferzone together give you a stronger layered security approach.