Amateur Hour: Why APTs Are The Least Of Your Worries

•

2 likes•911 views

The document discusses why advanced persistent threats (APTs) should not be the main focus of security worries. It notes that statistics show many vulnerabilities that are exploited are older ones for which patches already exist. The document advocates focusing on remediating known vulnerabilities within 30-40 days when the risk of exploitation is highest, rather than within the typical 100-120 days companies take on average. It argues securing the basics of configuration management, patching, and continuous deployment should be automated to raise the bar for attackers and make it necessary for them to be both advanced and persistent.

Amateur Hour
Why APTs Are the Least of Your Worries

Ed Bellis
• Co-founder and CTO at Kenna Security, an
automated risk & vulnerability intelligence
platform
• Orbitz CISO for 6 years
• 20+ years Info Security experience
including Bank of America, CSC, E&Y
• Contributing Author Beautiful Security
• Frequent speaker at events such as…
About Me

Warning
This presentation contains large amounts of data
used for the purpose of proving an information
security theory. No marketers were harmed
during the making of this presentation.

“APT-1, Titan Rain,
GhostNet, Aurora,
Stuxnet, Red October,
and Duqu, Oh my!!”

Real but Likely??
• Spreadsheets that require a black belt in Excel
• COUNT ALL THE THINGS!

Your Threat Model Is Backwards
“While 2015 was no
chump when it came to
successfully exploited
CVEs, the tally of
really old CVEs which
still get exploited in
2015 suggests that the
oldies are still
goodies.”

Your Confidence Is Unwarranted
“…we need to see
more of targeted
remediation
efforts which more
often than not
focus on those
vulnerabilities
which attackers
are successful with
in the wild.”

“Low Hanging Fruit”
“if a vulnerability is
going to be
exploited, 30 days
is a good bet for
how much time you
have to remediate.“

The Tortoise
On Average it takes
companies 100 to
120 days to
remediate
vulnerabilities.

Versus The Hare
The probability that
a CVE that is
exploited in the
first year will be hit
X days after
publication. At
40-60 days, that
probability is over
90 percent.

Casual attacker
power grows
at the rate of
Metasploit.

But HD Moore’s Law is just the Tip of the Iceberg

Are These Attributes In Your Threat Model?

Secure Because Math
Existing Exploit + Patch Available + RCE
> Advanced Persistent Threat
P for Probability!
…or put another way… “Why Burn a Zero Day?”

Key Takeaways
1.Focus on the Basics
2.Automate your Defenses
A. Configuration Management
B. Patch Management
C. Compensating Controls
D. Continuous Deployment
Make it necessary to be both Advanced and Persistent.

The chase for security perfection is not uncommon. The idea of ‘shift left’ - locating defects from the beginning of SDLC and rectifying them early is a well-founded approach. But in a competitive business landscape, companies must balance the tradeoff between speed and quality to keep their business moving. Join our application security webinar and learn how to implement an agile DevSecOps to carry out the necessary security checks without compromising on time-to-market.

Amy DeMartine - 7 Habits of Rugged DevOps

SeniorStoryteller

The R.O.A.D to DevOps

SeniorStoryteller

Intelligence driven defense webinar

ThreatConnect

Learn to identify, manage, and block threats faster with intelligence. The ThreatConnect Platform was specifically designed to help you understand adversaries, automate workflows, and mitigate threats faster using threat intelligence. But we know security operations and threat intelligence are not one size fits all. That’s why we have options. You'll See: The products: Whether your security team is large or small, advanced or just getting started with threat intelligence, there is a ThreatConnect product that fits your specific needs. Innovative features in the platform: Collective Analytics Layer, which offers immediate insight into how widespread and relevant a threat is. Playbooks: automate nearly any security operation or task - sending alerts, enriching data, or assigning tasks to a teammate; all done with an easy drag-and-drop interface - no coding needed. How ThreatConnect will adapt with your organization as it grows and changes.

Many threat intelligence teams are small and must make limited resources work in the most efficient way possible. The data these teams rely on may be quite high volume and potentially low signal to noise ratio. The tools used to collect and exploit this data have finite resources and must be leveraged at the highest utilization possible. Additionally, these tools must be applied to the most valuable data first. This talk presents a process that your team can implement to make your threat and malware hunting more efficient. The core of this process uses YARA rules to process files from an arbitrary source in volume. From that core, it covers methods of prioritizing the output of the rules based on the team’s priority and the confidence in the quality of the rules. Using this process, files are submitted to sandboxes for automated analysis. The output of each of these systems is then parsed for certain qualities that would increase or decrease the value of the information to the team. Attendees will take away not only a solid process that they can implement in their own organizations, but also a list of gotchas and problems that they should avoid. Robert Simmons is Director of Research Innovation at ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert has spoken on malware analysis at many of the top security conferences including DEFCON, HOPE, and DerbyCon among others. Robert, also known as Utkonos, has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine and has been known to swear profusely and constantly in Russian.

Ops Happen: Improve Security Without Getting in the Way

SeniorStoryteller

451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...

Adrian Sanabria

Enterprise security teams are facing numerous challenges because of evolving threat vectors bypassing existing technology, deluge of alerts, and lack of skilled resources to stop advanced threats. Even if enterprises have a budget to bring in outside incident response and forensics teams to stop the bleeding, by then, damages and loss have already occurred. Security teams must change the shape of their security program to stop threats at the earliest and all stages of the attacker lifecycle. Join 451 Research Senior Analyst, Adrian Sanabria, and Director of Products at Endgame, Mike Nichols, talk about how earliest prevention and instant detection can change the shape and outcome of enterprise security program. This talk will outline strategies for: • Prioritizing the alerts and events that really matter • Identifying parts of the investigation workflow that can be automated • Building a detection methodology that creates confidence and continuously improves defenses

Threat Hunting 102: Beyond the Basics

Cybereason

Building a Threat Hunting Practice in the Cloud

ProtectWise

See Clearly and Respond Quickly from the Network to the Endpoint

ProtectWise

ProtectWise and Demisto enable security analysts to move quickly from detection to response and resolution. ProtectWise leverages advanced analysis techniques and unlimited retention of full-fidelity network traffic to provide highly reliable detection of known and unknown threats in real-time and retrospectively. Demisto provides automation playbooks that convert these detections into action for the point products in your security infrastructure.

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

Tom Stiehm

DevSecOps Days Istanbul 2020 Security Chaos Engineering

Aaron Rinehart

Outpost24 webinar - The economics of penetration testing in the new threat la...

Outpost24

Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...

Adrian Sanabria

There are over 100 endpoint security products that claim to stop malware and other attacks against Windows. Nearly every major security incident or breach that has made media headlines had two things in common: Windows running one of these 100 products. This workshop won't spend any time bashing vendors, however. In fact, many of these products can be valuable assets when part of a more comprehensive endpoint protection strategy. Part one of this workshop will address the anatomy of malware and why it succeeds so often. The second part will dive down into practical defensive strategies, including passive prevention, detection, response, and remediation. - Passive prevention is effectively free and ideal - Prevention will always fail a percentage of the time, so detection is essential - Response, if practiced and efficient, has a chance of stopping attacks before they reach their goal - Remediation, because someone has to clean up this mess... Every successful security strategy includes planning to handle failure quickly and effectively. The remainder of the workshop will be hands-on. Part three will review the native defensive capabilities in Windows and the pros/cons associated with using them. For the finale, brave and trusting attendees will be invited to run neutered malware on the virtual Windows systems provided for this workshop to test out our newfound defensive skills. If not, there's no shame in watching your neighbor infect themselves with ransomware as you take notes.

Cloud, DevOps and the New Security Practitioner

Adrian Sanabria

First presented at Cloud Security World in Boston on June 15th, 2016. Once upon a time, walls were erected between the Linux/UNIX crowd, Windows admins and the mainframers. Each architecture had its place and its experts, and they rarely mixed. This time around, we didn’t just get a new domain, we got a new way of doing IT and running businesses. Cloud has created new opportunities and DevOps has capitalized on them. The result of this combination is so unrecognizable that it isn’t uncommon to see IT organizations split down the middle by the new and old approaches. As DevOps continues to gain in popularity, the same split is occurring in the security workforce. Will the traditional security practitioner be in danger of becoming obsolete?

Open Source Defense for Edge 2017

Adrian Sanabria

Even though large breaches have hit headline news in years past, some companies are still on the fence about investing in cybersecurity. As a security practitioner (or jack of all trades) how can you be expected to cover your assets with zero budget? Thankfully, there are plenty of open-source tools out there that will allow you to secure your organization. Come join me as I discuss how you can track your network assets, perform vulnerability assessments, prevent attacks with intrusion prevention systems, and even deploy HIDS. We will also jump into finding sensitive data and PII in your network, as well as incident response tools and automation. All it costs is your time (and maybe a VM or two). You really can drastically improve the security posture of your network with little to no budget, and you’ll have fun doing it! OK, maybe it won’t be fun, but at least you’ll learn something, right?

One login enemy at the gates

Eoin Keary

GDS-Austin - DevSecOps & Security Chaos Engineering

Aaron Rinehart

DevSecOps & Security Chaos Engineering - "Knowing the Unknown" - "Resilience is the story of the outage that didn’t happen". - John Allspaw Our systems are becoming more and more distributed, ephemeral, and immutable in how they function in today’s ever-evolving landscape of contemporary engineering practices. Not only are we becoming more complex but the rate of velocity in which our systems are now interacting, and evolving is making the work more challenging for us humans. In this shifted paradigm, it is becoming problematic to comprehend the operational state, health and safety of our systems. In this session Aaron will uncover what Chaos Engineering is, why we need it, and how it can be used as a tool for building more performant, safe and secure systems. We will uncover the importance of using Chaos Engineering in developing a learning culture through system experimentation. Lastly, we will walk through how to get started using Chaos Engineering as well as dive into how it can be applied to cyber security and other important engineering domains.

New Barriers of Transformation

DevOps Indonesia

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting

CrowdStrike

Falcon OverWatch Experts Hunt 24/7 To Stop Incidents Before They Become Breaches Is your IT security team suffering from alert fatigue? For many organizations, chasing down every security alert can tax an already overburdened IT department, often resulting in a breach that might have been avoided. Adding to this challenge is an increase in sophisticated threats that strike so fast and frequently, traditional methods of investigation and response can’t offer adequate protection. A new webcast from CrowdStrike, “Proactive Threat Hunting: Game-Changing Endpoint Protection Above and Beyond Alerting,” discusses why so many organizations are vulnerable to unseen threats and alert fatigue, and why having an approach that is both reactive and proactive is key. You’ll also learn about Falcon OverWatch™, CrowdStrike’s proactive threat hunting service that investigates and responds to threats immediately, dramatically increasing your ability to react before a damaging breach occurs. Download the webcast slides to learn: --How constantly reacting to alerts prevents you from getting ahead of the potentially damaging threats designed to bypass standard endpoint security --Why an approach that includes proactive threat hunting, sometimes called Managed Detection and Response, is key to increasing protection against new and advanced threats --How CrowdStrike Falcon OverWatch can provide 24/7 managed threat hunting, augmenting your security efforts with a team of cyber intrusion detection analysts and investigators who proactively identify and prioritize incidents before they become damaging breaches

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

bugcrowd

How TransUnion Moved to a Risk-Based Approach for Vulnerability Management

Kenna

TransUnion CISO Jasper Ossentjuk believes that with the increased pace of automated and targeted attacks, InfoSec teams can only work smarter—not harder. Find out how Jasper and his team leverage Kenna to automate key components of vulnerability management while they moved to a risk-based view that dramatically saved time, enhanced team efficacy, and equipped Jasper with high-level reporting that enabled him to share his team's results with his executive peers.

Security as Code: DOES15

Ed Bellis

What's hot

DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...

DevSecCon

Why is Security Management So Hard?

inaz2

Advanced Threat Hunting - Botconf 2017

Kevin Finley

Ops Happen: Improve Security Without Getting in the Way

SeniorStoryteller

451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...

Adrian Sanabria

Threat Hunting 102: Beyond the Basics

Cybereason

Building a Threat Hunting Practice in the Cloud

ProtectWise

See Clearly and Respond Quickly from the Network to the Endpoint

ProtectWise

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

Tom Stiehm

DevSecOps Days Istanbul 2020 Security Chaos Engineering

Aaron Rinehart

Outpost24 webinar - The economics of penetration testing in the new threat la...

Outpost24

Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...

Adrian Sanabria

Cloud, DevOps and the New Security Practitioner

Adrian Sanabria

Open Source Defense for Edge 2017

Adrian Sanabria

One login enemy at the gates

Eoin Keary

GDS-Austin - DevSecOps & Security Chaos Engineering

Aaron Rinehart

New Barriers of Transformation

DevOps Indonesia

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting

CrowdStrike

Mobile Application Security Threats through the Eyes of the Attacker

bugcrowd

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

bugcrowd

What's hot (20)

DevSecCon Singapore 2018 - Measuring and maximizing vuln discovery efforts by...

Why is Security Management So Hard?

Advanced Threat Hunting - Botconf 2017

Ops Happen: Improve Security Without Getting in the Way

451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...

Threat Hunting 102: Beyond the Basics

Building a Threat Hunting Practice in the Cloud

See Clearly and Respond Quickly from the Network to the Endpoint

Shifting Security Left - The Innovation of DevSecOps - ValleyTechCon

DevSecOps Days Istanbul 2020 Security Chaos Engineering

Outpost24 webinar - The economics of penetration testing in the new threat la...

Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...

Cloud, DevOps and the New Security Practitioner

Open Source Defense for Edge 2017

One login enemy at the gates

GDS-Austin - DevSecOps & Security Chaos Engineering

New Barriers of Transformation

Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting

Mobile Application Security Threats through the Eyes of the Attacker

[Webinar] Building a Product Security Incident Response Team: Learnings from ...

Viewers also liked

How TransUnion Moved to a Risk-Based Approach for Vulnerability Management

Kenna

Security as Code: DOES15

Ed Bellis

Kony Mobile Management

Dipesh Mukerji

Kony plaform shortDipesh Mukerji

Ss8 The Ready Guide 2 0guest21f2fb

Autonomous driving end-to-end security architecture

Andrei Kholodnyi

Presentation describes what security challenges automotive industry encounter with towards autonomous driving. What security threats appear and why. Who are the threat agents and what are their objectives. It presents end-to-end data path security threats based on the recent automated driving hardware architectures and propose defense-in-depth to solve approach on ECU and intra-ECU level to mitigate those threats

Viewers also liked (6)

How TransUnion Moved to a Risk-Based Approach for Vulnerability Management

Security as Code: DOES15

Kony Mobile Management

Kony plaform short

Ss8 The Ready Guide 2 0

Autonomous driving end-to-end security architecture

Similar to Amateur Hour: Why APTs Are The Least Of Your Worries

Fix What Matters

Ed Bellis

Outpost24 webinar: Security Analytics: what's in a risk score

Outpost24

React Faster and Better: New Approaches for Advanced Incident Response

SilvioPappalardo

It’s impossible to prevent everything (we see examples of this in the press every week), so you must be prepared to respond. The sad fact is that you will be breached. Maybe not today or tomorrow, but it will happen. So response is more important than any specific control. But it’s horrifying how unsophisticated most organizations are about response. This is compounded by the reality of an evolving attack space, which means even if you do incident response well today, it won’t be good enough for tomorrow.

4 b. thomas whipp presentationCFG

Clear and present danger: Cyber Threats and Trends 2017

Morakinyo Animasaun

Sect f41SelectedPresentations

R af dWilliam L. McGill

Risk Analysis for Dummies

William L. McGill

Slides to the online event "Creating an effective cybersecurity strategy" by ...

Berezha Security Group

Slides to the online event "Creating an effective cybersecurity strategy" by Berezha Security Group, where we debunked myths about cybersecurity and recommended some easy-to-use practical steps to build an effective cybersecurity strategy for your small business. Meeting plan: 1. Widespread misconceptions about the cybersecurity of small and medium-sized businesses. 2. 10 steps to combat cyber threats. How to protect business effectively within a limited budget? About the speakers -Vlad Styran, CISSP CISA, Co-founder & CEO, BSG Vlad is an internationally known cybersecurity expert with over 15+ years of experience in Penetration Testing, Social Engineering, and Security Awareness. He is a BSG Co-founder & CEO and responsible for business and cybersecurity strategies. He could help businesses with consulting services in software security, cybersecurity awareness, strategy, and investment. Also, he acts as a speaker, blogger, podcaster in his volunteer activities. - Andriy Varusha, CISSP, Co-founder & CSO, BSG Andriy is an experienced top manager in IT-audit, consulting, and IT project management by leading outsourcing teams in Ukraine, Poland, and the USA. He also is keen on building customer relationships within the US, UK, and Western Europe geographies. At BSG, he leads the BSG advisory practice and consults development teams in all aspects of cybersecurity. About BSG Berezha Security Group (BSG) is a Ukrainian consulting company focused on application security and penetration testing. Our job is to help companies in all aspects of cybersecurity. We complete more than 50 Penetration Testing and Application Security projects yearly to know the business security vulnerabilities across the verticals. We help our customers address their future security challenges: prevent data breaches and achieve compliance. Our contacts: hello@bsg.tech ; https://bsg.tech

Relating Risk to Vulnerability

Resolver Inc.

Risk management is a strategic security activity and is a cornerstone of security governance. The management of risk not only requires that we effectively measure it but also understand what effect vulnerability has on the level of risk. Both risk and vulnerability constantly change and not only in response to threats but also business initiatives. Does your organization have a mature risk and vulnerability identification, measurement and management process? The discussion will identify how risk responds to changes in vulnerability and how we might maximize our risk management activities to enhance the resilience of the organization and its assets. Presentation by: Philip Banks, P. Eng., CPP, Director, The Banks Group

Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...

HackerOne

Hackerone Chief Bounty Officer, Adam Bacchus, a fire breathing, mohawk wearing stud presented his "Bug Bounty Reports - How Do They Work?" at Nullcon 2017 in Goa, India for the Bounty Craft tracks. In this presentation you will learn: - How to know and research your audience - What are the atomic materials of a good bug report? - Good, Bad, and Ugly examples of bug reports (taxi driver anyone?) - What are some helpful resources - And more!! All these juicy details will help you level-up your reporting game and get you MORE bounties, invitation to BETTER programs, and INSANE exposure and love from fellow hackers.

Focusing on the Threats to the Detriment of the Vulnerabilities

Roger Johnston

Управление рисками: как перестать верить в иллюзии

Positive Hack Days

Поставщики GRC-решений подают формальное соответствие как обязательный этап на пути к оценке рисков. Докладчик расскажет о недостатках таких решений, о том, что на самом деле требуется вместо них и как разумно применять существующие недорогие и перспективные решения для управления уязвимостями.

The Rise of Ransomware As a Service

Veriato

How criminals extort businesses using RansomWare services from the DarkWeb. One of the biggest trends in technology over the last decade has been the growth of subscription-based service models or "SaaS". Instead of installing software directly in corporate environments, companies providing customers with the ability to effectively rent access to services they need without dealing with development and maintenance. Given the high demand for RansomWare in this day and age, creative cyber-criminal entrepreneurs followed this industry trend and created RansomWare As A Service (RaaS) to ease the burden of cyber attackers having to develop their own attacks. Join Nick Cavalancia from Techvangelism and Cyber Security Expert, Dr. Christine Izuakor as we discuss: How does RansomWare as a Service (RaaS) work? Examples of RansomWare As A Service (RaaS) provider If RaaS impacts you, what can you do? RansomWare detection & protection tools

Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts

Hexis Cyber Solutions

Your agents are fatigued and overwhelmed from fighting rogue attacks, and tailing covert ghost alerts. Meanwhile, the backdoor to your organization has been blown wide-open and cyber attackers are stealing the crown jewels. You need help. From this mission: • Uncover how to mitigate ghost alerts and empower your agents to focus on more important security priorities • Leverage your current security investments-- instead of replacing them • Learn how automation reduces the need for manual investigation and response

The 5 Stages of Secrets Management Grief, And How to Prevail

Bryan Sterling

Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...

Steve Werby

20 years ago information security was a low corporate priority that was the realm of technical geeks. Factors such as the rapidly-evolving threat environment and increased corporate impact have elevated it to a multidisciplinary risk management discipline...which sometimes has a seat at the table. This talk explores what we're doing wrong, why it's ineffective (or worse), and better ways of thinking and doing. You will learn to question the status quo, rethink existing paradigms, and leverage better approaches from information security and other disciplines. Think different! Act different!

Building a Security culture at Skyscanner 2016Stu Hirst

Cloud Security - Idealware

Idealware

Vendors are lured by visions of long-term residual subscription income, while customers dream of IT services and software without significant upfront costs. Sounds like techno Shangri-La, but what of security? Pessimists warn us away from the Cloud on the grounds that we should maintain control over the security of our property. Those bullish on the Cloud argue often delusionaly that your data is safer in the Cloud than on your own hard drives. Make no mistake: the Internet is the lion's den, and the Cloud sits squarely in it. This session will discuss the security realities of traditional IT software and infrastructure, and contrast them with those of Cloud-based resources.

Black ops 2012Dan Kaminsky

Similar to Amateur Hour: Why APTs Are The Least Of Your Worries (20)

Fix What Matters

Outpost24 webinar: Security Analytics: what's in a risk score

React Faster and Better: New Approaches for Advanced Incident Response

4 b. thomas whipp presentation

Clear and present danger: Cyber Threats and Trends 2017

Sect f41

R af d

Risk Analysis for Dummies

Slides to the online event "Creating an effective cybersecurity strategy" by ...

Relating Risk to Vulnerability

Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...

Focusing on the Threats to the Detriment of the Vulnerabilities

Управление рисками: как перестать верить в иллюзии

The Rise of Ransomware As a Service

Hexis Cybersecurity Mission Possible: Taming Rogue Ghost Alerts

The 5 Stages of Secrets Management Grief, And How to Prevail

Bad Advice, Unintended Consequences, and Broken Paradigms: Think & Act Di...

Building a Security culture at Skyscanner 2016

Cloud Security - Idealware

Black ops 2012

More from Ed Bellis

BSidesSF 2014 Fix What Matters:Why CVSS Sucks

Ed Bellis

Reading the Security Tea Leaves

Ed Bellis

BSidesLV Vulnerability & Exploit Trends

Ed Bellis

Palmer SymposiumEd Bellis

BSides SF Security Mendoza Line

Ed Bellis

SecTor 2012 The Security Mendoza Line

Ed Bellis

A few years ago Alex Hutton coined the term Security Mendoza Line. It was in reference to Mario Mendoza the baseball player often used as a baseline for how well a player must hit in order to stay in the major leagues and not be demoted. Keeping up with the attacks automated within Metasploit can often serve as that baseline within information security. More recently, Josh Corman defined HD Moore's Law as "Casual Attacker power grows at the rate of Metasploit". In other words, that baseline is moving and we are not keeping up. In a hyped industry where much of the talk remains around Advanced Persistent Threats it's the baseline that we continue to miss as proven out in reports like Verizon's Data Breach Investigation Report. Looking at the most common breaches they are most likely to be targets of opportunity where the defenders have let the basics slip through the cracks. In this talk, we will cover why paying attention to HD Moore's Law is important and how to stay on top of this changing threat measurement. We'll offer real world examples on how an organization can identify where they stand against the Security Mendoza Line and how they can alert and defend against falling below the baseline. Content will cover not only identified threats through Metasploit modules but through the myriad of exploit sources available across the internet.

An Economic Approach to Info Security

Ed Bellis

Bay threat2011Ed Bellis

SecTor - The Search For Intelligent Life

Ed Bellis

For years businesses have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information security field we still tend to look at our information in silos. Dedicated engineers solely focused on web application security, network security, compliance and so on, all while bemoaning a lack of support and information. What if Information Security teams operated with the same insight as the product, marketing and business intelligence groups within their organization? Imagine if you had a data warehouse covering all of your applications, infrastructure, logs, vulnerability assessments, incidents, financial information, and meta data. What could you do with this readily available information? By gathering and using both internal and public data, information security teams can utilize decision support systems allowing them to prioritize remediation efforts and react faster to issues. When looking through disparate data sources with a security lens, a security team can mine information that may expose threats through multiple vectors or paths. In this talk, Ed will cover some of the many sources of security data publicly available and how to apply them to add context to your security data and tools to help make more intelligent decisions. Ed also points out a number of ways to repurpose information and tools your company is already using in order to glean a clearer view into your information security program and the threats that may effect it.

Metricon 6 That's So Meta

Ed Bellis

That's So Meta: Gleaning Business Context In The Vulnerability Warehouse Ed Bellis, HoneyApps For years businesses have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. Imagine if you had a data warehouse covering all of your applications, infrastructure, logs, vulnerability assessments, incidents, financial information, and metadata. What could you do with this readily available information? In this talk, Ed will cover some of the many sources of security data publicly available and how to apply them to add context to your security data and tools to help make more intelligent decisions. Ed also points out a number of ways to repurpose information and tools your company is already using in order to glean a clearer view into your security program and the threats that may affect it.

More from Ed Bellis (10)

BSidesSF 2014 Fix What Matters:Why CVSS Sucks

Reading the Security Tea Leaves

BSidesLV Vulnerability & Exploit Trends

Palmer Symposium

BSides SF Security Mendoza Line

SecTor 2012 The Security Mendoza Line

An Economic Approach to Info Security

Bay threat2011

SecTor - The Search For Intelligent Life

Metricon 6 That's So Meta

Recently uploaded

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

The Future of Platform Engineering

Jemma Hussein Allen

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

PHP Frameworks: I want to break free (IPC Berlin 2024)

Ralf Eggert

In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development. This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.

Recently uploaded (20)

A tale of scale & speed: How the US Navy is enabling software delivery from l...

Uni Systems Copilot event_05062024_C.Vlachos.pdf

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

GridMate - End to end testing is a critical piece to ensure quality and avoid...

The Future of Platform Engineering

Monitoring Java Application Security with JDK Tools and JFR Events

Elevating Tactical DDD Patterns Through Object Calisthenics

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Epistemic Interaction - tuning interfaces to provide information for AI support

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

By Design, not by Accident - Agile Venture Bolzano 2024

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

20240607 QFM018 Elixir Reading List May 2024

Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...

PHP Frameworks: I want to break free (IPC Berlin 2024)

Amateur Hour: Why APTs Are The Least Of Your Worries

1. Amateur Hour Why APTs Are the Least of Your Worries

2. Ed Bellis • Co-founder and CTO at Kenna Security, an automated risk & vulnerability intelligence platform • Orbitz CISO for 6 years • 20+ years Info Security experience including Bank of America, CSC, E&Y • Contributing Author Beautiful Security • Frequent speaker at events such as… About Me

3. Warning This presentation contains large amounts of data used for the purpose of proving an information security theory. No marketers were harmed during the making of this presentation.

4. “APT-1, Titan Rain, GhostNet, Aurora, Stuxnet, Red October, and Duqu, Oh my!!”

5. Real but Likely?? • Spreadsheets that require a black belt in Excel • COUNT ALL THE THINGS!

6. Likely or Very Likely? 74%

7. Don’t Worry, We Got This 67%

8. “What is real? How do you define real?”

9. 2016 DBIR A Sneak Preview

10. Your Threat Model Is Backwards “While 2015 was no chump when it came to successfully exploited CVEs, the tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies.”

11. Your Confidence Is Unwarranted “…we need to see more of targeted remediation efforts which more often than not focus on those vulnerabilities which attackers are successful with in the wild.”

12. The Great Defensive Gap

13. “Low Hanging Fruit” “if a vulnerability is going to be exploited, 30 days is a good bet for how much time you have to remediate.“

14. The Tortoise On Average it takes companies 100 to 120 days to remediate vulnerabilities.

15. Versus The Hare The probability that a CVE that is exploited in the first year will be hit X days after publication. At 40-60 days, that probability is over 90 percent.

16. Casual attacker power grows at the rate of Metasploit.

17. But HD Moore’s Law is just the Tip of the Iceberg

18. Are These Attributes In Your Threat Model?

19. What About These?

20. Secure Because Math Existing Exploit + Patch Available + RCE > Advanced Persistent Threat P for Probability! …or put another way… “Why Burn a Zero Day?”

21. Key Takeaways 1.Focus on the Basics 2.Automate your Defenses A. Configuration Management B. Patch Management C. Compensating Controls D. Continuous Deployment Make it necessary to be both Advanced and Persistent.

22. Q&A

Amateur Hour: Why APTs Are The Least Of Your Worries

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (6)

Similar to Amateur Hour: Why APTs Are The Least Of Your Worries

Similar to Amateur Hour: Why APTs Are The Least Of Your Worries (20)

More from Ed Bellis

More from Ed Bellis (10)

Recently uploaded

Recently uploaded (20)

Amateur Hour: Why APTs Are The Least Of Your Worries