BSides SF Security Mendoza Line

Hitting Above The Security Mendoza Line. Presentation by Ed Bellis at BSides San Francisco.

Published in: Technology
  1. Hitting Above The Security Mendoza Line. Ed Bellis, CEO Risk I/O
  2. Nice To Meet You. About Me: Co-Founder Risk I/O; Former CISO Orbitz; Contributing Author, Beautiful Security; CSO Magazine/Online Writer; InfoSec Island Blogger. About Risk I/O: Data-Driven Vulnerability Intelligence Platform; DataWeek 2012 Top Security Innovator; 3 Startups to Watch (Information Week); 16 Hot Startups (eWeek)
  3. About Mario. Played for Pirates, Rangers & Mariners; played MLB for 9 seasons; lifetime batting avg .214, 4 HR, 101 RBI; failed to bat .200 5 times
  4. The Security Mendoza Line. Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? Enter The Security Mendoza Line. Alex Hutton came up with the original concept of the Security Mendoza Line: http://riskmanagementinsight.com/riskanalysis/?p=294
  5. HD Moore’s Law. Josh Corman expands the Security Mendoza Line: “Compute power grows at the rate of doubling about every 2 years”; “Casual attacker power grows at the rate of Metasploit”. http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
  6. A Difficult Task. Nearly 2K MSF Exploits; Exploit Development in first 9 months!; ExploitDB > 18K Exploits; 17.8% Known Exploits. [Chart: MSF Modules, 2010 to 2012; y-axis 0 to 2000]
  7. Release Early, Release Often
  8. Point, Click, Pwn
  9. A Data Driven Approach
  10. Out Scripting the Kiddies. Fighting Automation with Automation: Netflix/SimianArmy
  11. Context Matters. Attack Path data analysis
  12. Context Matters. Wait just a minute... Computing Optimal Security Strategies for Interdependent Assets: http://vorobeychik.com/2012/ssgames.pdf. Game Theory: Smart Data > Big Data: http://blog.risk.io/2013/02/playing-around-with-game-theory/
  13. Context Matters. Mitigating Controls: Firewalls / ACLs; IPS; WAF; MFA; Other
  14. Context Matters. Honeypot, WAF & IDS data; logs! logs! logs!; Measuring Likelihood
  15. Broader Context. Targets of Opportunity? My (vuln posture X other threat activity) / (other vuln posture X other threat activity)
  16. Beyond Info Sharing: Model Sharing
  17. A Quick Side Note. CVE Trending Analysis; Gunnar’s Debt Clock
  18. Q&A. Follow us: the blog http://blog.risk.io/; twitter @ebellis. And one more thing.... @riskio We’re Hiring! https://www.risk.io/jobs