Where Scanning the Internet Gets You

A while back, Brian Krebs talked to three researchers at U-M about their ZMap tool, an efficient and comprehensive way to scan the Internet. They’ve recently built a search engine called Censys that searches across their daily data collections from the ZMap scans. From Krebs' interview with the researchers (Zakir Durumeric, Eric Wustrow, and J. Alex Halderman):

“What we were able to find was by taking the data from these scans and actually doing vulnerability notifications to everybody, we were able to increase patching for the Heartbleed bug by 50 percent. So there was an interesting kind of surprise there, not what you learn from looking at the data, but in terms of what actions do you take from that analysis? And that’s something we’re incredibly interested in: Which is how can we spur progress within the community to improve security, whether that be through vulnerability notification, or helping with configurations.”

ZMap lets them collect this data more quickly than other network scanners, but the researchers aren’t just scanning the Internet because they feel like it. They’re taking action based on the scan results: notifying people when their machines are vulnerable to the Heartbleed bug.

Beyond notification, they can take other steps:

“So, that’s the other thing that’s really exciting about this data. Notification is one thing, but the other is we’ve been building models that are predictive of organizational behavior. So, if you can watch, for example, how an organization runs their Web server, how they respond to certificate revocation, or how fast they patch — that actually tells you something about the security posture of the organization, and you can start to build models of risk profiles of those organizations. It moves away from this sort of patch-and-break or patch-and-pray game we’ve been playing. So, that’s the other thing we’ve been starting to see, which is the potential for being more proactive about security.”

Internet scan data can help us better understand organizational security posture and develop different models of risk profiles in organizations. With those risk profiles, improving an organization’s security posture could be a matter of identifying the inefficient elements and focusing on them. Security posture is culture as much as machines. While SIEMs can identify risk factors in your machines, models of organizational security posture can identify the risk factors in your culture.