SlideShare a Scribd company logo
An Economic Approach to InfoSec
Nice To Meet You
About Me
 CoFounder HoneyApps
 Former CISO Orbitz
 Contributing Author
 Beautiful Security
 CSO Magazine/Online Writer
 InfoSec Island Blogger

About Risk I/O
  Data-Driven Vulnerability Management as a Service
  16 Hot Startups - eWeek
  3 Startups to Watch - Information Week
Security is a Lemons Market
Lacks Incentives
Negative Externalities
An Industry Built on FUD
A Data Driven
Approach
Example Use Case 1


   DLP    CMDB


  Vuln
           SIEM
  Mgmt
Example Use Case 2
      HD Moore’s Law - Josh Corman

      aka Security Mendoza Line

       “Compute power grows at the rate
        of doubling about every 2 years”

        “Casual attacker power grows at
            the rate of Metasploit”
Example Use Case 3
Predicting Vulnerability (or even breach)


   Trending

   Key Attributes

   Outcomes
Example Use Case 4




CVSS &
The Base
                        credit:
Rate Fallacy            Jeff Lowder
Example Use Case 5

CVE Trending Analysis

                        Gunnar’s Debt Clock
Example Use Case 6
         Targets of Opportunity?


My(vuln posture X other
 threat activity) / (other
   vuln posture X other
          threat activity)
(we need more of this)
talking about our mistakes
Q&A
follow us
 the blog
   http://blog.risk.io/
 twitter
   @ebellis               And one more thing....
   @risk_io               We’re Hiring! https://www.risk.io/jobs

More Related Content

Similar to An Economic Approach to Info Security

Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer SymposiumEd Bellis
 
BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza Line
Ed Bellis
 
Info sec 12 v1 2
Info sec 12 v1 2Info sec 12 v1 2
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
Matthew Pascucci
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution  i3SIntegrated Security, Safety and Surveillance Solution  i3S
Integrated Security, Safety and Surveillance Solution i3S
Edgevalue
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version   ...Four mistakes to avoid when hiring your next security chief (print version   ...
Four mistakes to avoid when hiring your next security chief (print version ...
Niren Thanky
 
Bcc risk advisory irisscon 2013 - vulnerability management by the numbers a...
Bcc risk advisory   irisscon 2013 - vulnerability management by the numbers a...Bcc risk advisory   irisscon 2013 - vulnerability management by the numbers a...
Bcc risk advisory irisscon 2013 - vulnerability management by the numbers a...Eoin Keary
 
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
Dealing with the threat of spoof and phishing mail attacks   part 6#9 | Eyal ...Dealing with the threat of spoof and phishing mail attacks   part 6#9 | Eyal ...
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
Eyal Doron
 
Cyber Security, Why It's important To You
Cyber Security, Why It's important To YouCyber Security, Why It's important To You
Cyber Security, Why It's important To YouRonald E. Laub Jr
 
Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014
Michael Roytman
 
Security and User Experience (by Glenn A. Gustitus at #NUX5)
Security and User Experience (by Glenn A. Gustitus at #NUX5)Security and User Experience (by Glenn A. Gustitus at #NUX5)
Security and User Experience (by Glenn A. Gustitus at #NUX5)
Northern User Experience
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
North Texas Chapter of the ISSA
 
Info leakage 200510
Info leakage 200510Info leakage 200510
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Jay Kesan
 
Data Security for Nonprofits
Data Security for NonprofitsData Security for Nonprofits
Data Security for Nonprofits
NPowerCR
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
Michael Roytman
 
How To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and TrainingHow To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and Training
London School of Cyber Security
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
Devendra kashyap
 
KharkivJS 2018 Information Security Practice
KharkivJS 2018 Information Security PracticeKharkivJS 2018 Information Security Practice
KharkivJS 2018 Information Security Practice
Viktor Turskyi
 

Similar to An Economic Approach to Info Security (20)

Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer Symposium
 
BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza Line
 
Info sec 12 v1 2
Info sec 12 v1 2Info sec 12 v1 2
Info sec 12 v1 2
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution  i3SIntegrated Security, Safety and Surveillance Solution  i3S
Integrated Security, Safety and Surveillance Solution i3S
 
Four mistakes to avoid when hiring your next security chief (print version ...
Four mistakes to avoid when hiring your next security chief (print version   ...Four mistakes to avoid when hiring your next security chief (print version   ...
Four mistakes to avoid when hiring your next security chief (print version ...
 
Bcc risk advisory irisscon 2013 - vulnerability management by the numbers a...
Bcc risk advisory   irisscon 2013 - vulnerability management by the numbers a...Bcc risk advisory   irisscon 2013 - vulnerability management by the numbers a...
Bcc risk advisory irisscon 2013 - vulnerability management by the numbers a...
 
Get Prepared
Get PreparedGet Prepared
Get Prepared
 
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
Dealing with the threat of spoof and phishing mail attacks   part 6#9 | Eyal ...Dealing with the threat of spoof and phishing mail attacks   part 6#9 | Eyal ...
Dealing with the threat of spoof and phishing mail attacks part 6#9 | Eyal ...
 
Cyber Security, Why It's important To You
Cyber Security, Why It's important To YouCyber Security, Why It's important To You
Cyber Security, Why It's important To You
 
Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014Fix What Matters: BSidesDetroit 2014
Fix What Matters: BSidesDetroit 2014
 
Security and User Experience (by Glenn A. Gustitus at #NUX5)
Security and User Experience (by Glenn A. Gustitus at #NUX5)Security and User Experience (by Glenn A. Gustitus at #NUX5)
Security and User Experience (by Glenn A. Gustitus at #NUX5)
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
 
Info leakage 200510
Info leakage 200510Info leakage 200510
Info leakage 200510
 
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
Challenges in the Business and Law of Cybersecurity, CLEAR Cyber Conference, ...
 
Data Security for Nonprofits
Data Security for NonprofitsData Security for Nonprofits
Data Security for Nonprofits
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
 
How To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and TrainingHow To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and Training
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 
KharkivJS 2018 Information Security Practice
KharkivJS 2018 Information Security PracticeKharkivJS 2018 Information Security Practice
KharkivJS 2018 Information Security Practice
 

Recently uploaded

Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 

Recently uploaded (20)

Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 

An Economic Approach to Info Security

Editor's Notes

  1. From Shaman to Scientist - A Use Case in Data Driven Security\n
  2. \n
  3. Talk about WEIS. Security is an opaque attribute within the software market. It is not easily apparent to the buyer how much security they are getting when they purchase software. This is similar to quality within the automotive industry. There are no good ways to determine what you are getting. This is a problem for the buyer and we need to figure out how to make security more transparent to the software purchaser. \n
  4. Developers are rarely incented by software security. Speed to market, functionality and other code quality factors are often prioritized over secure code. Revenues and customer acquisition is rarely driven by security. This creates a lack of incentives around software security.\n
  5. Security is a negative externality. This is creates very big issues in the broader security of systems and the internet. A commonly used example in security of a negative externality are botnets. As an avg user on the internet I have very little incentive to secure my machine from being part of a botnet. Other than some bandwidth or system resource consumption, it doesn’t do me much harm. But those suffering a DDOS attack via a botnet are suffering the consequence from the avg user not protecting their machine. In other words, those with the power to protect are not incented to do so.\n
  6. proving the negative is hard. why not just sell on emotion? talk about secrecy of controls - no sharing of data except bad guys - follow best practices lest you be hacked. Use the data proves negligence example. Lawyers suck at risk mgmt.\n
  7. We need to take a more data driven approach to security. Relying on metrics and yes and in some cases real live outcomes and evidence. There are a lot of complaints in our field about a lack of information, and while I don’t disagree often times we are not even using the information that we have! I’m going to walk through a few use cases. These are all baby steps to get to where we eventually need to be but we gotta start somewhere. Using less secrecy & religion and more openness and information sharing. In order to take the first steps, we have to get our own house in order.\n
  8. simple example of using what we have. sprinkle in some metadata!\n
  9. Metasploit has become table stakes. \n
  10. A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
  11. making more meaningful priority decisions - credit: Jeff Lowder CVSS ignores information about the base rates of vulnerability exploitation.\nI have an older version of Apache that if I were to upgrade to the current version would eliminate 14 vulnerabilities. I also have an older version of Tomcat that if I were to upgrade to the current version would eliminate 9 vulnerabilities. If CVSS included a base rate on these reference classes, this would help me prioritize my remediation resources more appropriately.\n
  12. A study by Thomas Zimmerman of MS and Stephan Neuhaus mines the CVE database looking at all sorts of trends. It’s a good paper. There’s a table near the end that clearly shows the increase in vulnerabilities through the application layer with a decrease of many of the more traditional network vulnerabilities over time. Yet we continue to prioritize our spending and resources on the attacks of 5+ years ago.\n
  13. Insert Alex Hutton formula\n4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....\n4:15:46 PM Ed Bellis: haha its a new risk language\n4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?\n4:16:16 PM Alex Hutton: not yet\n4:16:21 PM Alex Hutton: some but not a ton\n4:16:24 PM Ed Bellis: also any insight on whether VERIS taking off?\n4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense\n4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled\n4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data\n4:17:31 PM Ed Bellis:\n4:17:51 PM Ed Bellis: i'd love to tap into that\n4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis\n4:19:50 PM Alex Hutton: In a sense, you hold not only the orgs perimeter, but a broad sample of perimeters\n4:20:04 PM Alex Hutton: and their\n4:20:12 PM Alex Hutton: vuln posture\n4:20:38 PM Alex Hutton: So\n4:21:07 PM Ed Bellis: right we want to move into a position where our data becomes the primary asset to help make better security decisions\n4:21:16 PM Ed Bellis: *not a verb*\n4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data\n4:22:24 PM Ed Bellis: meaning am i safer than my neighbor?\n4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting\n4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.\n4:23:23 PM Ed Bellis: i see\n4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln. to specific threat activity.  So far, you're lucky\n4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?\n4:24:31 PM Ed Bellis: where do we get the rate of threat activity?\n4:24:42 PM Ed Bellis: breach db's?\n4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.\n4:25:06 PM Alex Hutton: nope.  that's part of your exit strategy\n4:25:19 PM Ed Bellis: bought by verizon ?\n4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data\n4:25:58 PM Alex Hutton: you as "Yet another managed service" well, that's a scenario I believe in, yes.\n4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think\n4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)\n
  14. talk about infosec vs fraud\n
  15. This is a great TED talk about the medical industry. Talking about how we have created a system where we believe there are doctors who make mistakes and ones who dont. It’s a fallacy driven by ideology & lawyers. Our industry is very much like this. We NEED to talk about our mistakes. Talk about founding a startup and the founders who share their failure stories and WHY. Talk about fraud mgmt and how they do the same. Security NEEDS to. We need to share more about our failures and what lead to those outcomes. This can raise the bar of the entire industry and it’s completely silly to think their are orgs out there not making security mistakes. security is NOT binary, there are many shades of gray, The most common question “are we secure?”.\n
  16. \n