That’s So Meta

Jul 11, 2011
Ed Bellis
Chief Technology Officer, Co-founder

It’s official and I’m pretty excited about it: I will be speaking at Metricon 6.0 in San Francisco on August 9th. In case you’re not familiar with Metricon, it’s a conference born from Andrew Jaquith’s book Security Metrics (which I HIGHLY recommend). It’s co-located with another good conference, USENIX. Having participated in a Metricon two years ago, I’m a huge fan of the format and content. It easily introduces more new ideas in information security than any other conference I have attended.

My talk is a work in progress on applying metadata to a vulnerability warehouse in order to glean business context. By adding a layer of metadata, an organization can create unique views into its defect data that help prioritize which vulnerabilities and misconfigurations are the most important to address. Without diving too much into the details of the presentation, imagine repurposing data from CMDBs, incident reports, system and application logs, network maps, organizational charts and so on. With this layer of metadata on top of a defect warehouse, these views will start to expose multi-vector attack paths, correlate internal and external assets, provide some initial ‘likelihood’ into exploitable exposures, etc.

The talk is part of a series I am doing on security intelligence, some of which has been blogged about here. Once the presentations are complete I will be posting them here, so stay tuned. If you happen to be in San Francisco on August 9th or are already coming to USENIX, try to make it to Metricon. There are always a lot of great ideas and I don’t think you’ll be disappointed. Hope to see you there!

Update: As promised, below are the slides from my Metricon 6 presentation. This is an updated version originally presented at OWASP Philadelphia.

The guys over at The Risk Hose podcast also have a great wrap-up of the conference.
