
Okay, good afternoon everyone. This is part of the Ground Truth track for BSides Las Vegas. Before we start, we're going to thank our sponsors: our Inner Circle sponsor Critical Stack and our Stellar sponsors Amazon, Cylance, Microsoft, as well as volunteers and donors. This talk is by Ben and Wade and it's called "Scratching the Surface of Risk." Other announcements: please silence your phones right now, and we'll pass around the mic at the end so everyone can hear you. Help me in welcoming them, please.

All right, thank you guys. I'm Wade, Ben here. Hopefully we'll get the slides going. Okay, kind of a double meaning on the title here: "surface" meaning we are just going to not go extremely deep into risk, but we're also, you'll see in a minute, scratching the surface of the Internet a little bit to see what we can find out, and we're going to share some of those findings with you.

So I want to give a little background. We are both at the Cyentia Institute, a research firm; you can access other research that we have published from our website. We have a really cool job. I think, maybe, I don't know, I'm pretty biased, I think it's one of the better jobs in security. But what we do is: a company will give us an interesting data set, right, and they want to publish something, and they have a marketing goal in publishing this, right, they want to do something to grow thought leadership or increase their visibility in the marketplace, etc. But from our perspective we get really interesting data and we get to scratch on it and see what's there and publish something. So we're going to be talking about two of these things today, down here in the lower left: some work that we did with RiskRecon, two reports published this year.

And so this track is called Ground Truth, and there's, I don't know if this metaphor is going to work, but I'll try it and you guys can call BS if you want, but there is a real sense here in which we're looking for ground truth and what is sometimes kind of lofty, aspirational marketing. So, case in point: RiskRecon has, as a marketing message, a definition for what they have termed the "risk surface." Okay, and this is their definition: "Risk surface refers to anywhere an organization's ability to operate, reputation, assets, legal obligations, or regulatory compliance is at risk." Don't ask me to memorize it, I'm just quoting to you from what their messaging says. So again, the model goes: they provide a data set and our job is to find something interesting about this. They want us to, hey, let's write a report on interesting aspects of the risk surface using this definition. So we get a data set and our job is like, okay, well, what can we learn about the risk surface, what features of that surface are in this data set, and what can we report on that people are going to find interesting, right?

So just a quick description of the data set. So, by the way, I'm Ben, we didn't really introduce ourselves. Who did? You were sleeping, okay. So Dr. Baker and I make up the research division at Cyentia, and we're really the powerhouse. I mean, I'm mostly the brains, he's the looks, that's why we're here. Yeah, exactly, the brains, that's why I said the brains of the operation. So we take these data sets and we analyze them, and oftentimes what we get is just large dumps of data from the customer and they say "here." And so, for example, for what we're going to talk about today, this is the dump of data that we all got: 18,000 firms. This is a safe full of data. We're looking at five million different hosts, and "hosts" here has a little bit of a squishy definition; it means IP addresses or domains that resolve. And so we have those across 200-some, most of the world, and looking at 40 million security findings. And I'm going to use the word "findings" instead of vulnerabilities because this can also be threat intel information. So we have a lot of different stuff here, and so the question is, how do we go from this and analyze it, and we have to do that at the right level.

So I don't know how many of you are aware of the infinite coastline paradox. This is the idea that the coastline of Britain, in all its detail, is actually an infinite length, because if you take a one-meter stick and you go around the coastline you're going to get something that's a multiple of a meter; if you go down to the centimeter you can kind of put that around rocks and you get higher and higher resolution. And I think a lot of times what we do in security is we start to focus on the rock, and we're looking at risk at that kind of vulnerability level, like do I have my Snort rule, are these CVEs patched, and so on. Now the other end of the spectrum, we don't want to get too high up, we don't want to get to 30,000 feet; again, it's just kind of this box, right? So we want to get the right level of granularity for how we're going to look at risk and look at our data. So we want kind of this end picture where we get Scotland, we get the Orkneys; we don't necessarily need to know every detail of that coastline, and we want the same thing for risk. So what we did
is we operationalized this into five different kinds of things that we can actually measure. We're going to talk about all five and we're going to learn a little bit about each of those, and then we're going to draw some insights and ask some questions that might actually be interesting. So first of all, just how many internet-facing hosts does an organization have? What's out there, what can you hit from the outside? Where is the infrastructure, and I'm not saying geographically, but this is the provider. Then the next, of course, is geography, so this goes into that compliance and regulation, like what laws do you have to abide by in your location. Value, this is a tough one, and a really hard thing to define. And then last, findings. So we're going to break these down into these five categories, and these all seem like simple things for an organization that we can measure. But I want to start a little bit by talking about... I'll talk about this, you've been talking long enough.

So let's take one organization. What you're looking at here is a not incredibly pretty picture of, I don't know, what was it, thirty-five hundred-ish or something like that; it's an organization with about thirty-five hundred hosts. And this is, if you just threw them all in the same lump, what your quote "risk surface" would look like, right? You know nothing else. Obviously not incredibly intuitive, right, you're not going to learn much about managing risk at that layer, but you can begin to break it up. This has it broken up by external providers, so every cluster is a hosting provider that has some of your assets in their environment, right. Okay, maybe that's a little bit more intuitive, we have some more features, etc. We can add another layer. It's kind of hard to tell what changed here, but some of the dots got bigger, and this is essentially a measure of asset criticality or value. As Ben said, it's a little bit squishy, because RiskRecon is doing some things like: what is this host doing, are they receiving information or is it just a static host, does it look like they're handling sensitive information or have critical functions, etc. But the basic gist is: the higher-level the functionality, the more critical the functions, the higher the value. So it's at least a feature we want to study and see if there's something interesting. And we can also begin breaking this up by geography, so it starts to get more and more complex, because in a certain region now all of a sudden we've got three or four or five different providers in that region, and over here we might have the same provider but they're in different countries, might be subject to different law. And we go back to that definition of risk surface, which is, you know, you can have the same hosting provider in different countries and those data centers are subject to two different regulations, right. All of this is supposed to be informing risk. And then here are our findings; red are determined to be most severe and blue I believe is the least. So you look at this, and you've gone from this sort of blob circle of 3,500 hosts to where, I know nothing is labeled here because we don't want to get into that level of detail right now, but you could conceivably find, well okay, which hosting provider in which region has my multiple exposures and my high-value assets, and see what's going on with that hosting provider and ask them to get their act together, or pull my hosts out of there and put them somewhere else, etc., right. You can start making some decisions about this because we've got a better view of the risk surface.

And so why this view is important: so when we were looking at that previous organization, that's like one of two. So if we think about these two similar organizations, in a lot of metrics they have about the same, about 1,300 hosts, they're both basically, I think they're both retailers, they have roughly [inaudible]. And so what I understand is, given like a failure within the organization, so a data breach at the internal level, or with your cloud provider somebody loses some credentials, [inaudible]. So even though these are similar, for the orange organization we can lose 80%, you could lose 90 percent, from just kind of one failure; it's really centralized. Whereas, and notice we're on a log scale, 1, 10, 100, this blue organization, we lose maybe, you know, [inaudible], because it was more diverse. For this kind of one type of failure we might hypothesize it's going to be more resilient, in services and how they interact with different threats. So we can take that, and we're going to make a five-dimensional risk surface, so it's going to
have those things in it: the hosts, providers, geography, value, and findings. I remembered all of them, good. I mean, on the horizontal axis here it's just the percentage of those 18,000 organizations, and the vertical axis is the percentage of hosts they have, and notice, you know, the more organizations that are in the sample, the more hosts they're going to account for, based on industry. But I mean there's some obvious things, like information technology, we'd expect them to be above the line, right, they're going to account for more; things like healthcare, less. And then we also can just look at that number of hosts as a distribution: most of the organizations have this many internet-facing hosts. I'm going to use the point across the line [inaudible]. Number of employees on the horizontal and annual revenue on the vertical, and we notice of course there's going to be a strong correlation here. Strong what? And we see [inaudible]. It's a really interesting thing, so for example we have, let's say here, like twenty thousand employees, ten million dollars, and they have less than ten hosts, right, despite the tons of revenue and employees. And we can kind of pick out some of these interesting variations.

So we can talk about external providers. So what we did is mapped individual hosts to the infrastructure and a list of providers. We're going to talk about cloud providers later. Akamai is doing some content delivery network stuff, that's next, and then, interesting, this company [inaudible] much about, but they largely run hosting [inaudible]. So the corporation services company, they run hosting, email, [inaudible], right, that's not their core competency, they're going to outsource that. And so we can also look at how many, say, cloud providers does an organization have, right. And so I'm going to explain these charts because we're going to talk about them a lot. It's going to be the blue dot; so if you care about the average, just look at the blue dot; to know a little bit about the variation, that's what the gray bar is in these interval charts. So interesting thing, information, these are the guys who have a lot of hosts out in the cloud, so here at a company you're probably not doing all your own hosting, you're going to somebody else, but of course there are some companies, I assume the ones who are actually providers, that are going to host their own stuff, right. So we got a lot of variation in information, and something like finance way down here, they keep things close and there's not a
lot of variation. I find it interesting there's more variation within an industry than across industries. Yeah, absolutely. So, yeah, we're going from what, 14% here to 20%, but for information we're all the way up to nearly 70. Yeah. Also, ask questions, I'm happy to answer, we should make this interactive, it's late in the day, I know some of you have been drinking. Yeah, why is that 2% bigger than the other one? 2.2. Okay.

So again, another dimension we were interested in: the number of countries in which organizations work. Now this is kind of weird, because you have the regions here on the left and then host countries per organization. So reading this correctly, it is: organizations in Western Europe on average host assets in about 7.4 other countries, right, and on the other end of the spectrum, in Central Asia, a much lower number, around two other countries. Again, gray bars, lots of variation among that. But this is kind of weird, again, I don't know what this informs you about risk, but it could be, you know, Western Europe, they want free trade, you've got a lot of things that make it easy to do business, so you're going to tend to do business in more countries, right, whereas that's not necessarily the case all over. And if you are opening offices and other things like that... Okay, North America is less, and it may be because there's a lot of hosting providers in North America, so you don't necessarily have to go out of band to host your assets. So lots of things tied into this, but it's sort of an interesting view of other places. Again, if it's seven versus two, you're potentially impacted by lots of different other regulations. Yes sir?

[Question inaudible.] Correct, so the answer is yes, but only to as good a resolution as geolocation services provide anyway. So services like MaxMind, which I think, I think RiskRecon uses several different services, but this IP, or this IP address that a domain resolves to, is located in this country. So like MaxMind claims that they can get you to the city block, I don't know if that's true, but that's where the actual location comes from.

So you're saying we get something, they like fall back to another... I mean, it's largely not in the sample anyway. Yeah, that's a good point. Remember what the time frame was; this is dynamic, and in fact future work will be looking at how these things change. There could be hosts that we never saw before, and then they come up at another time and disappear, and things we'll never see, right. You start the scan, there's nothing there, and it comes up after your scanner leaves. And yeah, all of this is only internet-facing hosts, so nothing internal. We would characterize an organization based on what they have online at any given time, and that's going to be maybe not static, but within a distribution over time.
Yeah.

Yep, and certainly that kind of dive is worthy of research, but we're trying to get that, maybe not 30,000-foot picture, but top-of-the-hill; we're just scratching the surface, right.

We're also going to have a Q&A at the end, so maybe... see a question back there? Yeah, sorry, his hand was up for a while, I felt bad. Cool. So, less a question than a comment: MaxMind, they're using ASNs as kind of how they do geolocation, that is the primary key, and you can get an IP assigned out of any AS and run it anywhere in the world, so usually there is some correlation, but it is not one-to-one, and especially if companies are using VPNs, that really can distort your picture. So this is certainly, like, a good, I would say, top-of-the-hill look; if there are data points from here that are interesting to individual companies, then they're going to need to look a little bit deeper. Yep, yep.

Go here. Yeah, it's my favorite chart. So because you're in the Ground Truth track I'm going to assume you're interested in novel and weird visualizations. So this is a visualization I made; this is called a Klee. If you'd like to know more I have a blog post, go to the Cyentia website, you can read more about how to read these. But these work for a certain type of three-dimensional data, and what you have is three float numbers that you're going to try to visualize. So rather than a scatter plot where we'd have two, we're going to have three, but those three numbers have to sum to one, okay. So this allows us to kind of see the relative proportions in one chart in two dimensions. Basically, down here in the lower left is one dimension. What we're going to look at is value: so in an organization, what percentage of hosts are low, medium, high value? Those are my three dimensions, and notice they all add up to one; we're going to be exclusive with those values. So down here on the lower left, these are the organizations that are only low value, and then over here on the right only high value, and up here at the top only medium value. And so the density here, the color, is like how many out of all organizations land in that kind of hex grid cell. It's the same way you read a scatter plot, where you kind of go across, you go here, and then that point where those two lines intersect, that's the data. We're going to do the same thing. So if we have an organization that is 50% low, we're going to go down at a 60-degree angle; 33% high, we're going to go up at a 60-degree angle from here, and then across in medium, and we're going to get to this point. This is 33% high, 50% low, and 17% medium. So the point is not necessarily for you to pick out these individual points; it's that most organizations are low and medium with a little bit of high, but they tend to be down here; there are some organizations that are exclusively medium value, high value, or low value. And so this is kind of an interesting way to break up three things. We can look at it the more traditional way and do the breakdown across different industries and just examine the total for that industry; it's the breakdown of all hosts. So public administration, they have a crazy amount of internet-facing hosts that we would consider high value. Hospitality, that's an interesting one for me, because we think, you know, having critical infrastructure on the websites, reservations, things like that, high value that's publicly facing.
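The three-proportion chart described above can be reproduced with a few lines of code. The following is an added example, not code from the speakers or from Cyentia: it assumes the standard ternary mapping with the all-low corner at the lower left, all-high at the lower right and all-medium at the top, and uses a square grid (rather than the talk's hex grid) as a stand-in for the density cells. The host labels it bins are constructed for the example.

```python
import math
from collections import Counter

# Height of an equilateral triangle with unit sides: the all-medium corner sits here.
SQRT3_2 = math.sqrt(3) / 2


def ternary_xy(low, medium, high, tol=1e-6):
    """Map value shares (low, medium, high) that sum to 1 onto 2-D plot coordinates.

    Corners (assumed layout, matching the talk's description):
      all low    -> (0, 0)      lower left
      all high   -> (1, 0)      lower right
      all medium -> (0.5, sqrt(3)/2)  top
    Moving along the 'high' axis goes straight right; moving along the
    'medium' axis goes up at a 60-degree angle, which is what the
    "down/up at a 60-degree angle" reading in the talk amounts to.
    """
    total = low + medium + high
    if abs(total - 1.0) > tol:
        raise ValueError(f"shares must sum to 1, got {total}")
    if min(low, medium, high) < 0:
        raise ValueError("shares must be non-negative")
    x = high + medium / 2
    y = medium * SQRT3_2
    return (x, y)


def value_shares(host_values):
    """Turn one organization's per-host value labels into (low, medium, high) shares."""
    n = len(host_values)
    if n == 0:
        raise ValueError("organization has no hosts")
    counts = Counter(host_values)
    unknown = set(counts) - {"low", "medium", "high"}
    if unknown:
        raise ValueError(f"unexpected value labels: {sorted(unknown)}")
    return tuple(counts[k] / n for k in ("low", "medium", "high"))


def density(orgs, cells=10):
    """Count organizations per grid cell of the triangle.

    `orgs` is an iterable of per-organization host value label lists.
    A square grid over the triangle's bounding box stands in for the hex grid
    used in the talk; the colour of a cell in the real chart is this count.
    """
    grid = Counter()
    for host_values in orgs:
        x, y = ternary_xy(*value_shares(host_values))
        # Normalise y by the triangle height so both axes bin over [0, 1].
        cx = min(int(x * cells), cells - 1)
        cy = min(int(y / SQRT3_2 * cells), cells - 1)
        grid[(cx, cy)] += 1
    return grid


if __name__ == "__main__":
    # Constructed organizations: two all-low, one all-medium, one mixed.
    sample_orgs = [
        ["low"] * 40,
        ["low"] * 12,
        ["medium"] * 7,
        ["low"] * 3 + ["medium"] * 1 + ["high"] * 2,
    ]
    for org in sample_orgs:
        print(value_shares(org), "->", ternary_xy(*value_shares(org)))
    print(density(sample_orgs))
```

The worked point from the talk, 50% low / 17% medium / 33% high, lands at roughly x = 0.415, y = 0.147: right of the low corner by the high share plus half the medium share, and up by the medium share scaled to the triangle's height.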
So, you know, NAICS, and there's some weirdness in how they do that. Yeah, so there's like brokerages and other kinds of things in the real estate sector that, you know... Yep, yep.

So we've talked about three things: hosting, value, and location. What we might want to do is look at how this breaks down across those three things, and then we can kind of further break those down based on domestic versus foreign. So for low-value hosts, [inaudible], there's kind of an equal split; for high-value, it's kind of more of an even split [inaudible], so you want to know where the host is. Yep.

Security findings: so this is probably, arguably, the most interesting aspect of all of this, maybe the most risk-relevant aspect of this. And this is, again, not a whole lot of information in this one, but the median percentage of hosts that have a high or critical, I forget, is this high or critical? High or critical. We kind of ignore low, I think because it wasn't as interesting. So about 1% of hosts have a high or critical finding. And what would you do with that information? I don't know, but you can slice it up in different ways. A research question is: is that higher or lower in larger and smaller organizations? If you look at this, at the bottom of the chart, generally a higher percentage of hosts have high or critical findings in smaller organizations than in larger organizations. Now, you could read that several ways. You could say, well, of course, because smaller organizations have all kinds of security issues and they can't get their stuff together, and you can weave a story around that. But you could also just say, hey, the law of large numbers is at play here, and larger organizations have a lot more hosts and therefore a smaller proportion of hosts have high or critical findings. Yes? Yeah, if we could just leave all the questions towards the end, because the live stream can't hear unless we actually put it through the mic. Okay, well, they should have bought a ticket and been here, just kidding guys, just kidding, we're glad you're listening, and thank you. So I'll take the question. The question was asked about how do we know it's a high or critical finding. We don't. Again, this data set is provided to us and some of these things are pre-labeled. We would work with [inaudible], we try to understand, well, how did you get this, and RiskRecon's answer is there's some automatic ratings, there's some lookups to what CVSS scores they amount to, and things like that. So I am not telling you that this is true on all of these, that everybody in this room would agree, oh yeah, that one's higher than that one, that one's critical, that one's high, right. But again, we're looking really big picture here overall; we're trying to weed out the noise that isn't really an issue versus the stuff that, hey, you might actually care about these findings, right. That is the point of this, and I think it's pretty good at that level for that goal. So, interesting little stat: 56% of firms have a high or critical security finding on an internet-facing host. Over half.

This is kind of a neat view. Oh, I can't go on that side. So on the top, if you almost want to visually put a line here, these are firms with hosts on premises and firms with hosts in external providers. So as we did this we kept going back to this notion of, hey, I wonder if the rate of security findings is higher on on-prem assets versus hosted on third-party networks, right, because a lot of us worry about that, right: do I want to keep my valuable assets really close to my chest so I can protect them better, or does somebody else do a better job at that? And that question, as you'll see, is kind of "it depends." But let's just look over here: firms with severe findings and high-value assets with hosts on premises, about 8% of firms have high or critical findings on on-prem assets; 25% of firms have high or critical findings on assets in external providers. So you could read that, you know, the rate of high or critical findings is three times in external hosting providers than on-prem, among organizations, sorry, and not number of hosts, the proportion of firms that have those, right.

So I think you want to do... Yes, a little sequence. So we've talked about [inaudible], and I'm going to put... small are not critical. What I'm going to do with these charts: host countries per organization, revenue, right. So we're going to look at kind of revenue as the size of the company, as a proxy for the size of the company. So the question now becomes, like, can we get a better, more unified view? Control charts, and the idea is to isolate the bar, and stick with me, arrange it in kind of a star shape, and we'll take these middle points, make this array, all right. And so the idea here is not to actually be able to extract that variation; it's not to be able to dive deep and get that kind of sand-level look at risk, but we can boil these like five charts down and look at how this evolves as revenue evolves. So if we have really small organizations, again, not a lot of presence, and not a lot of [inaudible] but a lot of high-value hosts out there, and then what you notice is, as we increase, their hosts, their providers, their geography kind of starts to expand, more and more findings, especially in this middle range, they're kind of out here on the edge, and then those findings, as you get larger and larger organizations, you start to hide your high-value assets and your findings kind of shrink, you get better at that. And so this is the idea of how risk evolves as the company's revenue evolves. All right, everybody likes it.

So we did the same thing; there's some interesting things here. Education, I would say, we could even say this is a huge risk surface; anybody who has ever worked at a university I think would agree with this, right. Things like finance: low findings, kind of not a huge spread on the other dimensions; they kind of run a tight ship, we expect that from banks and financial services organizations. Anything else you like in this? One of the things we were interested in, and again I don't think this is perfect, it's just trying to see generalities, and we've already shown you that the variation among industries is super huge. So is there any difference in shape in some of these things, to be honest with you? But one of the things I'm interested in in the future is, like, does the shape matter? Is there some reason that healthcare and hospitality are similar-ish, right, or is that maybe just random noise? But maybe it's similar types of assets, similar business model, similar approaches to managing IT, that might result in different shapes here. All right, so that was all very exploratory. Again, here's this definition: what kind of dimensions can you measure, let's do some visualizations, see what comes out. This is more of a traditional... we had a research question. We want to know: is the cloud safer or not than on-prem, right? A lot of people want to know this question, you hear it a lot, and how can we use this data set to offer up evidence for one of these positions or the other?
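Three of the measurements discussed so far can be written down as small functions over a per-host table: the five-dimension risk surface of one organization (including the single-provider concentration that made the orange organization lose 80 to 90 percent of its hosts from one failure), the firm-level share of organizations with a severe finding on on-prem versus externally hosted assets (the 8% versus 25% comparison), and the per-organization "is on-prem or external hosting safer?" question that was just posed. The code below is an added example, not the speakers' or RiskRecon's analysis code; the `Host` record, the `"on-prem"` provider label, and the sample hosts are all constructed for the example, and the real data set's row layout is not known from the talk.

```python
from collections import Counter
from dataclasses import dataclass

VALUES = ("low", "medium", "high")


@dataclass(frozen=True)
class Host:
    """One internet-facing host, in the shape the talk's dimensions suggest (constructed)."""
    org: str
    provider: str   # "on-prem" or the name of an external hosting/cloud provider
    country: str    # country the host geolocates to
    value: str      # "low" | "medium" | "high"
    severe: bool    # at least one high or critical finding


def risk_surface(hosts):
    """Summarize one organization along the five dimensions from the talk."""
    n = len(hosts)
    if n == 0:
        raise ValueError("organization has no hosts")
    by_provider = Counter(h.provider for h in hosts)
    return {
        "hosts": n,
        "providers": sorted(by_provider),
        "countries": sorted({h.country for h in hosts}),
        "value_mix": {v: sum(h.value == v for h in hosts) / n for v in VALUES},
        "severe_rate": sum(h.severe for h in hosts) / n,
        # Concentration: share of hosts lost if the single largest provider fails.
        "max_provider_share": max(by_provider.values()) / n,
    }


def severe_rate(hosts):
    """Fraction of hosts with a severe finding; None when there are no hosts."""
    return sum(h.severe for h in hosts) / len(hosts) if hosts else None


def safer_side(hosts):
    """Per-organization comparison of severe-finding rates on-prem vs external.

    Returns "on-prem", "external", "tie", or None when the organization has
    hosts on only one side and the comparison is undefined.
    """
    onprem = [h for h in hosts if h.provider == "on-prem"]
    external = [h for h in hosts if h.provider != "on-prem"]
    r_on, r_ex = severe_rate(onprem), severe_rate(external)
    if r_on is None or r_ex is None:
        return None
    if r_on == r_ex:
        return "tie"
    return "on-prem" if r_on < r_ex else "external"


def firm_level_rates(hosts):
    """Share of all firms with at least one severe finding on on-prem hosts,
    and on externally hosted hosts (firm-level, like the talk's 8% vs 25%)."""
    orgs = {h.org for h in hosts}
    on = {h.org for h in hosts if h.severe and h.provider == "on-prem"}
    ex = {h.org for h in hosts if h.severe and h.provider != "on-prem"}
    return len(on) / len(orgs), len(ex) / len(orgs)


def group_by_org(hosts):
    groups = {}
    for h in hosts:
        groups.setdefault(h.org, []).append(h)
    return groups


def make_hosts(org, provider, country, value, severe_count, total):
    """Build `total` constructed hosts, the first `severe_count` with a severe finding."""
    return [Host(org, provider, country, value, i < severe_count) for i in range(total)]


# Constructed sample, not RiskRecon data: "orange" is concentrated at one
# provider, "blue" is spread across providers and countries, "green" is mostly on-prem.
SAMPLE = (
    make_hosts("orange", "on-prem", "US", "high", 0, 1)
    + make_hosts("orange", "hoster-a", "US", "medium", 2, 9)
    + make_hosts("blue", "on-prem", "US", "high", 1, 3)
    + make_hosts("blue", "hoster-a", "US", "medium", 0, 3)
    + make_hosts("blue", "hoster-b", "DE", "low", 0, 2)
    + make_hosts("blue", "cloud-c", "IE", "low", 0, 2)
    + make_hosts("green", "on-prem", "US", "medium", 0, 4)
    + make_hosts("green", "cloud-c", "IE", "low", 1, 2)
)

if __name__ == "__main__":
    for org, hosts in group_by_org(SAMPLE).items():
        print(org, risk_surface(hosts), "safer:", safer_side(hosts))
    print("firm-level (on-prem, external):", firm_level_rates(SAMPLE))
```

In the sample, "orange" would lose 90% of its hosts if its one hosting provider failed while "blue" would lose 30%, which is the log-scale comparison the talk draws between the two retailers; and, as in the talk, the firm-level external rate is higher than the on-prem rate even though individual organizations split on which side is safer for them.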
So first of all, let's back up a second and just marvel at the amount of consolidation in the cloud space. So, by the way, this is the percentage... yeah, we probably should have done this as a percentage of cloud-hosted hosts, but anyway, the point is, by the time you get out of the top 10 cloud providers the percentage of hosts is really small, right, and this is the top 20 and this is almost everything. Yeah, right, the list is a whole lot longer, but the numbers are astonishingly small. If you look at that by industry, we just take the top cloud providers from the beginning there, which have a large majority of the hosts, and we look at, well okay, information sector, manufacturing sector, which cloud providers do they use? Amazon eats over half of them no matter what the industry is, and we'll show you in a minute that's not a bad thing, that's actually a good thing. Certain industries stick out, like why does the manufacturing sector have sort of an appeal for Rackspace more so than others? And things pop out like that that you kind of want to trace. And professional services, Microsoft. You have anything else you want to call out on that one? No, I just, you know, look at counting firms, and yeah, you're a good point, you're running, using Office 365, etc. So you could stare at this; it's kind of weird and interesting. Amazon doesn't win everywhere, however. So across the top here you have different regions, and these are the top clouds out of that list we just showed you in each region, and there's some fluctuation. Amazon is top in a lot of different places, not everywhere, and then you get beyond that, you have a lot of hopping around.

So overall, firms are twice as likely to have severe exposures on cloud assets. Okay, we just think about that chart we showed you a while ago where we did all external-facing hosts and internal, and it was like 3x; this is just in cloud. So you could say, well, when we look at cloud-based hosts, there's less discrepancy with on-prem than with all externally hosted assets. But let's look at this a different way. You don't take this one? Sure. So, but that's not true for everybody. Yeah, we boil this down to a number, but that's not going to be true for all organizations. Here each point is an organization; the horizontal axis is the number of on-premises hosts with high or critical findings, and the vertical axis the percentage of cloud hosts with high or critical findings. So if you're green, on-prem is safer, and if you're blue, the cloud is safer, and the pattern is about 60/40. So for about 60 percent of organizations they do better on-prem, and forty percent do better in the cloud. And so we might ask, why? Why is there this difference? So one thing we wanted to look at is maybe a more complex view than those radar charts. I don't even know what to call this; we called them surface plots, they told us, by the end of it. But what we do is kind of look at these three attributes, and I think actually we have four here, and understand what's going on. So the size is proportional to how many hosts fall in that category. So, like, the most are internally hosted medium value; lowest is the high, that's the small square. And then it's colored by the number of high or critical findings. So the general thing you'll notice is that there's a higher percentage of hosts with high or critical findings that are high-value, and that's not to say like people are bad at protecting their high-value assets; they do critical tasks, they're going to have problems. Low-value assets, we pointed this out before, are more likely to be hosted in the cloud; for high-value assets the square is different. So we can kind of do that same breakout across industries and kind of get a different view than that radar chart. So there are some things here; so for example, hospitality really loves the cloud, right, they don't like to host internally, and most of the problems happen on cloud hosts and things, whereas education down here, everything bad is happening... all of it is happening internally, which again is sort of interesting. Well, that general trend goes across, where you have higher value or more critical findings on high-value assets across the board, but this gives us another way to look at that variation across industry.

So we'd like the question: are you safer on-prem or in the cloud, and we can ask, is that separation an industry-based thing? And so what we did, we built some logistic regression models to just identify, like, is this host going to have a high or critical finding, and we can build them separately across industry. So education is the only one that benefits from being in the cloud. So this is on-prem, top, cloud, bottom, right, and it's actually, you know, it's still overall higher than everybody else, but they're probably safer, and it's because those clouds may have tools for those hosts that are not being used internally. So there's a [inaudible] where there's actually goodness: administration, energy, real estate, yeah, but on balance there's no difference here. And then for everybody else, you're better on-prem, at least for these sets of organizations, right, and those are
statistically significant slopes we can cut this different ways more money different problems so we can look across revenue and again these lines are there were lots of models that we built to try to piece of pull apart these differences so if we look at the likelihood that you're going to be have a higher critical finding in a cloud that's this blue line and then on Prem is the green line so we notice like early on where we might not have a ton of data you're better off on Prem okay so if you're a small organization you're you're less likely to have those findings on Prem in the middle the area you should be in the
cloud and then towards the end again kind of seagate these larger organizations get better at handling things internally yeah we thought this one was sort of interesting do you want you want I'll do it all right thanks for giving me a chance man no I just like to talk sound of my own voice well on the bottom here you have those the the number of cloud providers that an organization has hosts with and then the percentage of those hosts with higher critical findings and and what this is showing if you have the rate of severe findings is highest when you have one cloud provider and it drops the more cloud providers you get it till about
you know, eight, and then it kind of levels out. And look at the number of dots out here; I wouldn't trust, like, that it rockets back up again or anything like that. Just look at the behavior here. Wade is saying he doesn't trust my modeling, right. The behavior here is kind of interesting, because you think, oh, I decrease findings just by having more cloud providers? Hmm, what's going on there? My hypothesis, which I can't really prove right now, is that we've got kind of a maturity thing going here. Like, these organizations, they just were experimenting, and they, you know, spun up a host, did some stuff, forgot about it for a while; they're not, quote, serious about the cloud, whereas maybe these are more mature, they probably have a cloud security program, and so you get less hosts. I don't know, maybe that's not the case, but that's my hypothesis of what's going on, because it doesn't make sense to me that just by having a bunch of cloud providers you drop your findings, right? Spread the risk. And also potentially you get better at this idea of, like, I'm going to put some of my infrastructure in the cloud, I've managed this on AWS, hey, Azure isn't that different, you know, IBM Cloud isn't that different, and I kind of understand the benefits of the cloud and I'm willing to use those tools to secure it as you get more and more. And, you know, if I'm willing to spread out to a bunch of different clouds I may be picking them based on, like, what they're good at too, so, you know, I might be going to somebody for specific types of databases, some people for other types of hosts.

Yeah, all right, we're almost done here. Another thing we wanted to ask is, okay, that was cloud overall; is there a difference among clouds? Actually, let's just go to this one. Yeah, this is number of findings per host in different clouds. Okay, if you count the number of severe or higher critical findings on your hosts. So we redacted some names
here to protect the not so innocent. But the interesting thing here is, you know, the green internal bar actually has a much higher rate of findings than the top clouds, right, down at the bottom there with the lowest rate. Not always the case, of course. This one is another interesting view: if you look at this and say percent of hosts with higher critical findings, instead of number of findings per host, which was the last one, you get something like this, whereas for internal hosts it's a severe finding rate of 1.6. Amazon does better than that, Microsoft does better than that, and if you remember, those are the top two in terms of sheer volume of hosts that are hosted. So this is actually a good thing, that the cloud providers that host the largest proportion of hosts actually have the cleanest security record. I view that as good. I'm glad they're not way up there at the 14.4%, which we'll leave unnamed, which is, you know, a cloud provider with a much higher rate of findings. So woven into this, of course, you could argue, oh well, Amazon and Microsoft were probably business use cases and those organizations know how to secure them, and maybe the rate is so much higher on some of those at the top because they're, you know, more casual or not as critical assets or something like that, or maybe they're just not secure environments, or maybe Amazon offers better tools to secure your hosts. There's lots of different stuff going on here that we don't know the answer to; that's for the future. But just the difference in volume here of the high-end severe finding rate I think is very interesting among the cloud providers. Let's just skip that one.

All right, questions. We have time? I mean, we have time, yeah, cool. You want to sum up? So I originally titled this slide, like, "so [ __ ] what?" A lot of questions, we do a lot of description; you
might be like, what am I supposed to do? So one thing I want to talk about is, we talked about that a little bit at the beginning: I want you to, like, see the whole country. So try to look at your organization holistically, and don't get too focused on individual things, like what vendor I have installed and what CVEs I'm patching. We think this is a good approach, and we're doing it on kind of a, I don't want to say global, but, you know, eighteen-thousand-firm scale, but everybody can do it within their own organization. You should ask questions and answer those questions with data. So really try to dig into operationalizing and measuring things that you care about when you ask those questions, like what's better, on cloud or on-prem, and try to answer it with analysis and data. Last, I would say also data is not destiny, so everything in here, if you're in a university and I ragged on you too hard, I'm sorry, but [unclear]; you have to do those things. So anyway, doing this with RiskRecon and with this large-scale analysis, if you have questions just raise your hand, I'll come over.
I've got two questions. The first is, for vulnerabilities, what was the distribution of number of hosts with a given number of vulnerabilities? So, you know, one percent of hosts had 99 percent of vulnerabilities, two percent had that kind of thing. Was that long-tailed when you averaged out across the organizations, or was it some other kind of distribution?

At one point, and yes, I mean, a lot of the answer is yes, it was long-tailed, right? Like, I'm sure there were hosts that had thousands of findings, and I mean, the average is like four, right, but, you know, average is probably bad when you have that long tail. So yeah. Okay, and the second one. One caveat with that other question is, actually, for higher critical findings it's largely, it's not that heavy-tailed, so most hosts have a few higher critical, but it's when we have those kind of low or medium findings that [unclear].

So from the stream: are you passionate about horses or antivirus? I know exactly who that came from, and it came from a jacket related to a horse, you know. Bad pivot. So I think my take-home thing to think about from the conference this week is, traditionally we've always focused on hosts and vulnerabilities on hosts and persistence and all this stuff, and it's all host-to-host. It's like, okay, what about serverless? Like, what if all your [ __ ] is Lambda, and
how does that even show up in this data right now? Are you...? It doesn't, right. And, you know, when you spin up a function, like, I don't even know how to talk about that. I guess, you know, the promise of serverless too is it's less vulnerable to attack because it only runs when it has to and it does a very, very small thing. I don't know, I mean, that's like an interesting question for us too.

So I'll give you, like, this year I learned Lambda, I write some Python stuff, and I had some surprises along the way, and basically what they do for Lambda is they spin up a container, they call your function, yep, but that container persists as long as it's getting function calls. Yeah. And there's no memory separation. I feel like if you define a global in Python, yeah, the next call has the same data in the global. Sure. So that's a totally different, you know, attack surface, right, because now you might leak PII from one Lambda call to another Lambda call. Yeah, sure, if you can get it to respond, if you, like, don't clean your input and get it to recite, right. But if these guys are just looking at hosts, looking at IPs, it's not going to be one organization.

No, I mean, that's, as people move to different types of infrastructure, this type of analysis will have to change. I certainly don't think that we're going to stop having static websites and email services and DNS and, like, you know, web apps and database backends and all the stuff that this touches anytime soon, but as that evolves, certainly this type of analysis will have to evolve. Yeah.

To give some credit to this data, even if you are running a Lambda or an [unclear] or an Azure Functions type of thing, what this data is focused on are things that are internet accessible, and to do that there has to be some IP address or hostname that can be reached from the outside. So you may have a whole serverless function, but that eventually needs to be exposed to an API, domain name, etc., to the outside. So while this is not going to capture the true complexity that's going on behind the scenes, this has a decent chance of grabbing at least the existence of those functions. There's undoubtedly so much more work to be done on serverless
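The warm-container behaviour described in the exchange above, shown as an added example that is not part of the talk or of RiskRecon's data. `warm_container` is a constructed stand-in for the Lambda runtime (one Python process whose module globals stay alive across calls; no AWS SDK involved), the two handler names are hypothetical, and the sample events are constructed:

```python
"""Simulation of the AWS Lambda warm-container behaviour described above.

No AWS involved: `warm_container` is a constructed stand-in for the
runtime, which keeps one Python process (and its module globals) alive
and calls the handler once per event for as long as requests arrive.
"""
from typing import Any, Callable, Dict, List

Event = Dict[str, Any]
Response = Dict[str, Any]

# Module-level state. On Lambda this survives between invocations for as
# long as the execution environment is reused, so it is shared by every
# caller that lands on the same warm container.
_request_log: List[str] = []


def leaky_handler(event: Event, context: Any = None) -> Response:
    """Anti-pattern: per-request data (here an email address) is appended
    to a module-level list. A later caller that reaches the debug branch
    gets every earlier caller's data back, i.e. PII leaks across calls."""
    _request_log.append(event["email"])
    if event.get("debug"):
        # "Helpful" debug output that dumps everything the container has seen
        return {"status": "debug", "seen": list(_request_log)}
    return {"status": "ok", "seen": [event["email"]]}


def safe_handler(event: Event, context: Any = None) -> Response:
    """Hardened form: everything request-specific lives in locals and is
    rebuilt on every call, so nothing carries over between invocations."""
    seen = [event["email"]]
    if event.get("debug"):
        return {"status": "debug", "seen": seen}
    return {"status": "ok", "seen": seen}


def warm_container(handler: Callable[[Event, Any], Response],
                   events: List[Event]) -> List[Response]:
    """Constructed runtime stand-in: the same loaded module serves every event."""
    return [handler(event, None) for event in events]


# Constructed sample traffic: two unrelated callers, the second of which
# hits the debug branch.
SAMPLE_EVENTS: List[Event] = [
    {"email": "alice@example.com"},
    {"email": "bob@example.com", "debug": True},
]


def demo() -> Dict[str, List[Response]]:
    """Cold start (fresh globals), then two warm invocations of each handler."""
    _request_log.clear()
    return {
        "leaky": warm_container(leaky_handler, SAMPLE_EVENTS),
        "safe": warm_container(safe_handler, SAMPLE_EVENTS),
    }


if __name__ == "__main__":
    for name, responses in demo().items():
        print(name, responses[1]["seen"])
```

With the leaky handler, Bob's debug response carries Alice's address from the earlier invocation on the same container; the safe handler returns only Bob's own. The same review applies to any mutable module-scope object in a handler module (caches, connection wrappers, buffers): keep it free of per-request data, or treat whatever it holds as visible to every subsequent caller.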
architecture. So, dude, everybody helping me out, with my coworker saving me, answering my questions for me. One area that I would have loved to have seen more information on, regarding especially the vulnerabilities, is whether or not they took a look at things like APIs within applications, or are we just looking at layer six and down? Do we have a look at layer seven? That would be very informative here.

So this is why, you know, I think we probably [said] vulnerability a little bit, but what we really should have been saying is finding, right? So they have categorized a wide variety of things they look at that could spell trouble for an organization, and across the stack. Yeah, and we mentioned the reports that are published here; I don't think we show anything about the type of findings, right, because we, like, started and we're like, there is so much here, we've got to do... so now, to do this coming up, we've got to do this descriptive stuff first and then we'll kind of try to pull out, you know, who's got what. Yeah.

Any other questions? We've got one more in the back, and then I will answer that. Hi, thanks again for the talk. From a business / management perspective, what should you be looking at to decide on-prem versus cloud?

The best advice that I think we can give now is goals and capabilities. I mean, because what I would like to do is say, oh, we studied all of these different characteristics about these different organizations, and here are the characteristics that make you more susceptible to cloud issues or on-prem. We couldn't do that; we don't have that data right now. I hope to get there someday. So now I have more of a generic recommendation, and that is aligned with, you know, we see some evidence, I think, that hints that your capability to move into cloud environments has a lot to do with whether or not you're going to be successful there, and so an honest evaluation of that is probably recommendation number one, at least from my perspective. You know, don't have the attitude of, oh, just put it up there because cloud is more secure, or I'm going to leave it on-prem and it's magically more secure than if I had gone to the cloud. I mean, I don't think that's true, and I think that sort of 60/40 split is indicative of: you're not guaranteed either way; it has a lot to do with capability in different circumstances than what we're looking at in the data at this point. Any other questions?

I heard a question about what Cyentia is. Scientia is the Latin word for science or knowledge, and we cyber-ized it by putting "Cy" in front of it, because that's what cool cybersecurity companies do. All right, help me in thanking our speakers, please. Thank you, guys.