
Amateur Hour: Why APTs Are The Least Of Your Worries


InfoSec World 2016

Published in: Technology
  1. Amateur Hour: Why APTs Are the Least of Your Worries
  2. About Me: Ed Bellis • Co-founder and CTO at Kenna Security, an automated risk & vulnerability intelligence platform • Orbitz CISO for 6 years • 20+ years Info Security experience including Bank of America, CSC, E&Y • Contributing Author, Beautiful Security • Frequent speaker at events such as…
  3. Warning: This presentation contains large amounts of data used for the purpose of proving an information security theory. No marketers were harmed during the making of this presentation.
  4. “APT-1, Titan Rain, GhostNet, Aurora, Stuxnet, Red October, and Duqu, Oh my!!”
  5. Real but Likely?? • Spreadsheets that require a black belt in Excel • COUNT ALL THE THINGS!
  6. Likely or Very Likely? 74%
  7. Don’t Worry, We Got This: 67%
  8. “What is real? How do you define real?”
  9. 2016 DBIR: A Sneak Preview
  10. Your Threat Model Is Backwards: “While 2015 was no chump when it came to successfully exploited CVEs, the tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies.”
  11. Your Confidence Is Unwarranted: “…we need to see more of targeted remediation efforts which more often than not focus on those vulnerabilities which attackers are successful with in the wild.”
  12. The Great Defensive Gap
  13. “Low Hanging Fruit”: “if a vulnerability is going to be exploited, 30 days is a good bet for how much time you have to remediate.”
  14. The Tortoise: On average it takes companies 100 to 120 days to remediate vulnerabilities.
  15. Versus The Hare: The probability that a CVE that is exploited in the first year will be hit X days after publication. At 40-60 days, that probability is over 90 percent.
  16. Casual attacker power grows at the rate of Metasploit.
  17. But HD Moore’s Law is just the Tip of the Iceberg
  18. Are These Attributes In Your Threat Model?
  19. What About These?
  20. Secure Because Math: Existing Exploit + Patch Available + RCE > Advanced Persistent Threat (P for Probability!) …or put another way… “Why Burn a Zero Day?”
  21. Key Takeaways: 1. Focus on the Basics. 2. Automate your Defenses: A. Configuration Management, B. Patch Management, C. Compensating Controls, D. Continuous Deployment. Make it necessary to be both Advanced and Persistent.
  22. Q&A
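The prioritization argument of slides 13-15 and 20 (public exploit plus available patch plus RCE outranks the hypothetical APT, and anything older than the 30-day window is overdue) rendered as a small triage routine. This is an added example, not code from the talk or from Kenna Security; the weights, field names and the placeholder CVE ids in the constructed backlog are assumptions.

```python
"""Rank a vulnerability backlog by the attributes the talk says drive real-world
exploitation, rather than by how novel or "advanced" the threat sounds."""
from __future__ import annotations
from dataclasses import dataclass

REMEDIATION_WINDOW_DAYS = 30  # "30 days is a good bet" (slide 13)


@dataclass
class Vuln:
    cve: str
    days_public: int       # days since the CVE was published
    exploit_public: bool   # e.g. a Metasploit module exists (slide 16)
    patch_available: bool
    rce: bool


def priority(v: Vuln) -> int:
    """Score a record. Weights are an assumption chosen so that
    exploit + patch + RCE always outranks a fresh flaw nobody is exploiting."""
    score = 0
    if v.exploit_public:
        score += 4   # casual attacker power grows at the rate of Metasploit
    if v.patch_available:
        score += 2   # a fix exists, so the remaining gap is purely remediation
    if v.rce:
        score += 2
    if v.days_public > REMEDIATION_WINDOW_DAYS:
        score += 1   # past the window: "the oldies are still goodies"
    return score


def triage(backlog: list[Vuln]) -> list[str]:
    """CVE ids ordered from most to least urgent (stable for equal scores)."""
    return [v.cve for v in sorted(backlog, key=priority, reverse=True)]


def overdue(backlog: list[Vuln]) -> list[str]:
    """CVEs past the 30-day window that already have both an exploit and a patch:
    the 'low hanging fruit' the defender should have closed first."""
    return [v.cve for v in backlog
            if v.days_public > REMEDIATION_WINDOW_DAYS
            and v.exploit_public and v.patch_available]


# Constructed sample backlog; the CVE ids are placeholders, not real identifiers.
SAMPLE_BACKLOG = [
    Vuln("CVE-0000-0001", days_public=400, exploit_public=True, patch_available=True, rce=True),
    Vuln("CVE-0000-0002", days_public=3, exploit_public=False, patch_available=False, rce=True),
    Vuln("CVE-0000-0003", days_public=90, exploit_public=True, patch_available=True, rce=False),
    Vuln("CVE-0000-0004", days_public=10, exploit_public=False, patch_available=True, rce=False),
]

if __name__ == "__main__":
    print("triage order:", triage(SAMPLE_BACKLOG))
    print("overdue:", overdue(SAMPLE_BACKLOG))
```

Note that the three-day-old RCE with no public exploit (the "zero-day-like" record) lands below the year-old flaw with a Metasploit module, which is exactly the ordering slide 20 argues for.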