Real-time Vulnerability Alerting

amol sarwate / 08.27.19

Here at CloudPassage, we’ve been researching how public data can be used for real-time vulnerability alerting using principles from the United States Tsunami Warning Center. I am excited to announce that we will be presenting and demonstrating initial results from this research at the OWASP Global AppSec 2019 conference in Washington DC. Please join our session on vulnerability alerting and threat intelligence on September 13 at 4:30 pm.

In this session, I will demonstrate how a real-time vulnerability alerting system can be built in the AWS cloud using public data. With more than 2000 unique vulnerabilities disclosed every month, CSOs and security practitioners face the near-impossible task of cutting through the noise and prioritizing the most critical issues for remediation. Doing this daily is excruciating, and doing it only weekly is too slow. So wouldn't it be nice if there were an automated system that alerted you to the most severe, high-profile vulnerabilities in real time and produced insights you can act on immediately?

Vulnerabilities Are Like Tsunamis

Vulnerabilities and security attacks are like tsunamis caused by earthquakes: they hit without warning, cause significant damage, and leave us scrambling. Although no one can predict earthquakes, the two tsunami warning centers operated by NOAA in the United States produce reliable warnings in the nick of time. Based on the same core concepts and principles, we have built an open-source Vulnerability Warning Center proof of concept that provides real-time alerting about high-magnitude vulnerabilities before they reach your organization's shore.

Using Public Data for Real-time Vulnerability Alerting

Rather than collecting data from honeypots and sensors, I took a different approach and harnessed public data about attacks, exploits, data leaks, and vulnerabilities from blogs, Twitter, and numerous other sources to create simple alerts and graphs that deliver actionable insights in real time. In this initial phase the system has shown remarkable results, which I will demonstrate in our session. In the live demo, I will ask the audience to pick a day, week, or month, and I will then show the system's ability to identify the most pressing security vulnerabilities during that time frame.

An Example of Real-time Vulnerability Alerting

The XY scatter graph below covers July 15 to August 15, during which the system collected about 40,000 data points on more than 4,000 unique vulnerabilities and computed a vulnerability intelligence quotient score for each. The X-axis is the day of the month on which the data was collected, and the Y-axis is the vulnerability intelligence quotient score. The data is regenerated every few hours to refresh the graph and identify, in real time, the most dangerous threats and vulnerabilities.
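As an added illustration of the mention-collection and scoring idea described above (this is not the CloudPassage system's code, and the post does not disclose how its vulnerability intelligence quotient is computed), here is a toy pipeline in Python. It pulls CVE identifiers out of constructed sample text from several public-source types, keeps only mentions inside a chosen date window (a day, a week, a month), scores each vulnerability with an assumed source-weighted, time-decayed formula, and reports only those above a threshold that were seen in more than one source. The source weights, the half-life, the threshold, the sample records and the placeholder CVE-0000-* identifiers are all assumptions made for the example.

```python
"""Toy mention-scoring pipeline for ranking vulnerabilities from public text.

Added example. The scoring formula below is an assumption for illustration,
not the score used by the system described in the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CVE identifier pattern: CVE-<year>-<4 or more digits>, case-insensitive.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)

# Hypothetical per-source weights: an exploit release or vendor advisory
# should move the needle more than a single tweet.
SOURCE_WEIGHTS = {"advisory": 3.0, "exploit-db": 4.0, "blog": 2.0, "twitter": 1.0}

# Constructed sample input (timestamp, source type, text). The CVE ids use
# year 0000 so they are obviously placeholders, not real vulnerabilities.
SAMPLE_MENTIONS = [
    ("2019-08-10T08:00:00", "twitter",    "Anyone seen CVE-0000-0001 in the wild?"),
    ("2019-08-12T14:30:00", "blog",       "Deep dive on CVE-0000-0001 RCE"),
    ("2019-08-13T09:15:00", "exploit-db", "Exploit for cve-0000-0001 published"),
    ("2019-08-14T18:00:00", "advisory",   "Vendor patch for CVE-0000-0001 and CVE-0000-0002"),
    ("2019-08-14T20:00:00", "twitter",    "CVE-0000-0001 mass scanning observed"),
    ("2019-08-02T10:00:00", "twitter",    "CVE-0000-0003 looks minor"),
    ("2019-08-03T11:00:00", "twitter",    "CVE-0000-0003 again"),
    ("2019-07-05T11:00:00", "blog",       "Old writeup on CVE-0000-0004"),  # outside the window
    ("2019-08-11T12:00:00", "twitter",    "No identifier in this tweet"),
]


def extract_cves(text):
    """Return the unique, upper-cased CVE ids mentioned in a piece of text."""
    return sorted({m.upper() for m in CVE_RE.findall(text)})


def window_stats(mentions, start, end, half_life_days=3.0):
    """Aggregate mentions dated within [start, end] (ISO date strings) per CVE.

    Assumed formula: each mention contributes source_weight * 0.5 ** (age / half_life),
    with age measured in days back from the end of the window, so recent,
    high-value sources dominate. Returns {cve: {"score", "mentions", "sources"}}.
    """
    start_dt = datetime.fromisoformat(start)
    end_dt = datetime.fromisoformat(end) + timedelta(hours=23, minutes=59, seconds=59)
    stats = defaultdict(lambda: {"score": 0.0, "mentions": 0, "sources": set()})
    for ts, source, text in mentions:
        when = datetime.fromisoformat(ts)
        if not (start_dt <= when <= end_dt):
            continue  # outside the requested day/week/month
        age_days = (end_dt - when).total_seconds() / 86400.0
        decay = 0.5 ** (age_days / half_life_days)
        weight = SOURCE_WEIGHTS.get(source, 1.0)  # unknown source types count as a tweet
        for cve in extract_cves(text):
            entry = stats[cve]
            entry["score"] += weight * decay
            entry["mentions"] += 1
            entry["sources"].add(source)
    return dict(stats)


def rank(stats, threshold=5.0):
    """Return [(cve, score)] high to low, keeping only entries above the threshold
    that were seen in at least two distinct source types (resists single-source noise)."""
    rows = [(cve, round(s["score"], 2)) for cve, s in stats.items()
            if s["score"] >= threshold and len(s["sources"]) >= 2]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def alerts_for_window(mentions=SAMPLE_MENTIONS, start="2019-08-01", end="2019-08-15"):
    """Convenience wrapper: the alert list for one date window."""
    return rank(window_stats(mentions, start, end))


if __name__ == "__main__":
    for cve, score in alerts_for_window():
        print(f"ALERT {cve} score={score}")
```

With the sample data, only CVE-0000-0001 is reported: it was mentioned by four different source types in the last week of the window, whereas CVE-0000-0002 appears once, CVE-0000-0003 is old and single-source, and CVE-0000-0004 falls outside the window entirely. Narrowing the window to a single day changes the result, which is the point of letting the audience pick the time frame.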

Real-Time Vulnerability Alerting

In the session, I will also examine the design and implementation details of our real-time vulnerability alerting system to show how it cuts through the noise and ranks the most relevant real-time vulnerability information. I believe that we have just scratched the surface. In the future, I plan to apply machine learning and data analytics to data from different regions, languages, and sources, which will increase coverage and accuracy and even highlight the industries being targeted by a threat.

We hope to see you at OWASP Global AppSec 2019 in Washington DC so we can share with you a system based on public data that can accurately—and in real time—curate, identify, and prioritize high-priority vulnerabilities and provide you actionable insights to protect your organization’s assets.

Meanwhile, check out CloudPassage Halo that provides comprehensive security visibility and compliance for your public cloud infrastructure.