
SecTor 2012 The Security Mendoza Line



A few years ago Alex Hutton coined the term Security Mendoza Line. It refers to Mario Mendoza, the baseball player often used as a baseline for how well a player must hit in order to stay in the major leagues and not be demoted. Keeping up with the attacks automated within Metasploit can often serve as that baseline within information security.

More recently, Josh Corman defined HD Moore's Law as "Casual Attacker power grows at the rate of Metasploit". In other words, that baseline is moving and we are not keeping up. In a hyped industry where much of the talk remains around Advanced Persistent Threats, it's the baseline that we continue to miss, as borne out in reports like Verizon's Data Breach Investigation Report. The most common breaches are most likely to be targets of opportunity where the defenders have let the basics slip through the cracks.

In this talk, we will cover why paying attention to HD Moore's Law is important and how to stay on top of this changing threat measurement. We'll offer real-world examples of how an organization can identify where it stands against the Security Mendoza Line and how it can alert and defend against falling below the baseline. Content will cover threats identified not only through Metasploit modules but also through the myriad exploit sources available across the internet.

Published in: Technology

SecTor 2012 The Security Mendoza Line

  1. Hitting Above The Security Mendoza Line. Ed Bellis, CEO Risk I/O
  2. Nice To Meet You. About Me: CoFounder Risk I/O; Former CISO Orbitz; Contributing Author Beautiful Security; CSO Magazine/Online Writer; InfoSec Island Blogger. About Risk I/O: Data-Driven Vulnerability Management as a Service; DataWeek 2012 Top Security Innovator; 3 Startups to Watch - Information Week; 16 Hot Startups - eWeek
  3. About Mario: Played for Pirates, Rangers & Mariners; Played MLB for 9 Seasons; Lifetime Batting Avg: .214, 4 HR, 101 RBI; Failed to bat .200 5 times
  4. The Security Mendoza Line: Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? Enter The Security Mendoza Line. Alex Hutton came up with the original concept of the Security Mendoza Line
  5. HD Moore’s Law: Josh Corman expands the Security Mendoza Line. “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit”
  6. A Difficult Task: Nearly 2K MSF Exploits; ExploitDB > 18K Exploits; >10% Known Exploits. [Chart: Exploit Development, MSF Modules, 2010 to 2012]
  7. Release Early Release Often
  8. Point Click Pwn
  9. A Data Driven Approach
  10. Out Scripting the Kiddies: Fighting Automation with Automation; Netflix/SimianArmy Github. Avg: .200
  11. Context Matters: Attack Path data analysis. Avg: .220
  12. Context Matters: Mitigating Controls: Firewalls / ACLs, IPS, WAF, MFA, Other. Avg: .240
  13. Context Matters: Honeypot, WAF & IDS data; logs! logs! logs!; Measuring Likelihood. Avg: .260
  14. Broader Context: Targets of Opportunity? My (vuln posture X other threat activity) / (other vuln posture X other threat activity). Avg: .280
  15. Beyond Info Sharing: Model Sharing. ALL Star! Avg: .300
  16. A Quick Side Note: CVE Trending Analysis; Gunnar’s Debt Clock
  17. Q&A. Follow us: the blog; twitter @ebellis, @riskio. And one more thing.... We’re Hiring!