SlideShare a Scribd company logo

SecTor 2012 The Security Mendoza Line

Ed Bellis
Ed Bellis

A few years ago Alex Hutton coined the term Security Mendoza Line. It was in reference to Mario Mendoza the baseball player often used as a baseline for how well a player must hit in order to stay in the major leagues and not be demoted. Keeping up with the attacks automated within Metasploit can often serve as that baseline within information security. More recently, Josh Corman defined HD Moore's Law as "Casual Attacker power grows at the rate of Metasploit". In other words, that baseline is moving and we are not keeping up. In a hyped industry where much of the talk remains around Advanced Persistent Threats it's the baseline that we continue to miss as proven out in reports like Verizon's Data Breach Investigation Report. Looking at the most common breaches they are most likely to be targets of opportunity where the defenders have let the basics slip through the cracks. In this talk, we will cover why paying attention to HD Moore's Law is important and how to stay on top of this changing threat measurement. We'll offer real world examples on how an organization can identify where they stand against the Security Mendoza Line and how they can alert and defend against falling below the baseline. Content will cover not only identified threats through Metasploit modules but through the myriad of exploit sources available across the internet.

Technology
1 of 17
Hitting Above The Security Mendoza Line Ed Bellis, CEO Risk I/O
Nice To Meet You About Me CoFounder Risk I/O Former CISO Orbitz Contributing Author Beautiful Security CSO Magazine/Online Writer InfoSec Island Blogger About Risk I/O Data-Driven Vulnerability Management as a Service DataWeek 2012 Top Security Innovator 3 Startups to Watch - Information Week 16 Hot Startups - eWeek
About Mario Played for Pirates, Rangers & Mariners Played MLB for 9 Seasons Lifetime Batting Avg: .214, 4HR, 101 RBI Failed to bat .200 5 times
The Security Mendoza Line Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? Enter The Security Mendoza Line Alex Hutton came up with original concept of the Security Mendoza Line http://riskmanagementinsight.com/riskanalysis/?p=294
HD Moore’s Law Josh Corman expands the Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit”
A Difficult Task Nearly 2K MSF Exploits 2000 Exploit Development 1500 ExploitDB > 18K Exploits 1000 500 >10% Known Exploits 0 2010 MSF Modules 2012
Release Early Release Often
Point Click Pwn
A Data Driven Approach
Out Scripting the Kiddies Fighting Automation with Automation Netflix/ SimianArmy Github Avg: .200
Context Matters Attack Path data analysis Avg: .220
Context Matters Mitigating Controls Firewalls / ACLs IPS WAF MFA Other Avg: .240
Context Matters Honeypot, WAF & IDS data logs! logs! logs! Measuring Likelihood Avg: .260
Broader Context Targets of Opportunity? My(vuln posture X other threat activity) / (other vuln posture X other threat activity) Avg: .280
Beyond Info Sharing Model Sharing ALL Star! Avg: .300
A Quick Side Note CVE Trending Analysis Gunnar’s Debt Clock
Q&A follow us the blog http://blog.risk.io/ twitter @ebellis And one more thing.... @riskio We’re Hiring! https://www.risk.io/jobs

Recommended

BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza LineEd Bellis
 
Enhanced threat intelligene for s ps v3
Enhanced threat intelligene for s ps v3Enhanced threat intelligene for s ps v3
Enhanced threat intelligene for s ps v3Neil King
 
0926182320 Sophos[1]
0926182320 Sophos[1]0926182320 Sophos[1]
0926182320 Sophos[1]guest043f27
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty BasicsHackerOne
 
What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?Samvel Gevorgyan
 
Your Data Is Under Siege: Fortify Your Endpoints
Your Data Is Under Siege: Fortify Your EndpointsYour Data Is Under Siege: Fortify Your Endpoints
Your Data Is Under Siege: Fortify Your EndpointsInsight
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsHackerOne
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 

Recommended

BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza LineEd Bellis
 
Enhanced threat intelligene for s ps v3
Enhanced threat intelligene for s ps v3Enhanced threat intelligene for s ps v3
Enhanced threat intelligene for s ps v3Neil King
 
0926182320 Sophos[1]
0926182320 Sophos[1]0926182320 Sophos[1]
0926182320 Sophos[1]guest043f27
 
Bug Bounty Basics
Bug Bounty BasicsBug Bounty Basics
Bug Bounty BasicsHackerOne
 
What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?What is the Cybersecurity plan for tomorrow?
What is the Cybersecurity plan for tomorrow?Samvel Gevorgyan
 
Your Data Is Under Siege: Fortify Your Endpoints
Your Data Is Under Siege: Fortify Your EndpointsYour Data Is Under Siege: Fortify Your Endpoints
Your Data Is Under Siege: Fortify Your EndpointsInsight
 
Meet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsMeet the hackers powering the world's best bug bounty programs
Meet the hackers powering the world's best bug bounty programsHackerOne
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Top 5 cases of Data Breach caused by Human Error
Top 5 cases of Data Breach caused by Human ErrorTop 5 cases of Data Breach caused by Human Error
Top 5 cases of Data Breach caused by Human ErrorCyware
 
Can you predict who will win the US election?
Can you predict who will win the US election?Can you predict who will win the US election?
Can you predict who will win the US election?Samvel Gevorgyan
 
Flashpoint ransomware april2016
Flashpoint ransomware april2016Flashpoint ransomware april2016
Flashpoint ransomware april2016Andrey Apuhtin
 
Ransomware - Friend or Foe
Ransomware - Friend or FoeRansomware - Friend or Foe
Ransomware - Friend or FoeSrinivas Thimmaiah
 
Ransomware attacks reveton
Ransomware attacks revetonRansomware attacks reveton
Ransomware attacks revetonMumbere Joab
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
Anatomy of a cyber-attack
Anatomy of a cyber-attackAnatomy of a cyber-attack
Anatomy of a cyber-attackIcomm Technologies
 
Avoiding Bad URL's In the Mobile Web
Avoiding Bad URL's In the Mobile WebAvoiding Bad URL's In the Mobile Web
Avoiding Bad URL's In the Mobile WebAlliance Data card services - Know More Sell More
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info SecurityEd Bellis
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeEd Bellis
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea LeavesEd Bellis
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksEd Bellis
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So MetaEd Bellis
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
Security as Code
Security as CodeSecurity as Code
Security as CodeEd Bellis
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer SymposiumEd Bellis
 
Fix What Matters
Fix What MattersFix What Matters
Fix What MattersEd Bellis
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 

More Related Content

What's hot

Top 5 cases of Data Breach caused by Human Error
Top 5 cases of Data Breach caused by Human ErrorTop 5 cases of Data Breach caused by Human Error
Top 5 cases of Data Breach caused by Human ErrorCyware
 
Can you predict who will win the US election?
Can you predict who will win the US election?Can you predict who will win the US election?
Can you predict who will win the US election?Samvel Gevorgyan
 
Flashpoint ransomware april2016
Flashpoint ransomware april2016Flashpoint ransomware april2016
Flashpoint ransomware april2016Andrey Apuhtin
 
Ransomware attacks reveton
Ransomware attacks revetonRansomware attacks reveton
Ransomware attacks revetonMumbere Joab
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 

What's hot (8)

Top 5 cases of Data Breach caused by Human Error
Top 5 cases of Data Breach caused by Human ErrorTop 5 cases of Data Breach caused by Human Error
Top 5 cases of Data Breach caused by Human Error
 
Can you predict who will win the US election?
Can you predict who will win the US election?Can you predict who will win the US election?
Can you predict who will win the US election?
 
Flashpoint ransomware april2016
Flashpoint ransomware april2016Flashpoint ransomware april2016
Flashpoint ransomware april2016
 
Ransomware - Friend or Foe
Ransomware - Friend or FoeRansomware - Friend or Foe
Ransomware - Friend or Foe
 
Ransomware attacks reveton
Ransomware attacks revetonRansomware attacks reveton
Ransomware attacks reveton
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System Security
 
Anatomy of a cyber-attack
Anatomy of a cyber-attackAnatomy of a cyber-attack
Anatomy of a cyber-attack
 
Avoiding Bad URL's In the Mobile Web
Avoiding Bad URL's In the Mobile WebAvoiding Bad URL's In the Mobile Web
Avoiding Bad URL's In the Mobile Web
 

Viewers also liked

Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info SecurityEd Bellis
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeEd Bellis
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea LeavesEd Bellis
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksEd Bellis
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So MetaEd Bellis
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
Security as Code
Security as CodeSecurity as Code
Security as CodeEd Bellis
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 

Viewers also liked (9)

Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your Worries
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info Security
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent Life
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea Leaves
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So Meta
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011
 
Security as Code
Security as CodeSecurity as Code
Security as Code
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 

Similar to SecTor 2012 The Security Mendoza Line

Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer SymposiumEd Bellis
 
Fix What Matters
Fix What MattersFix What Matters
Fix What MattersEd Bellis
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008Anton Chuvakin
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Eoin Keary
 
Current Emerging Threats
Current Emerging ThreatsCurrent Emerging Threats
Current Emerging Threatsdnomura
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking OracleErmando
 
ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security Bill Gibbs
 
SMBs: The Threat Ahead
SMBs: The Threat AheadSMBs: The Threat Ahead
SMBs: The Threat Aheadmartin_lee1969
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategyJason Clark
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonUlf Mattsson
 
Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems
Addressing the Top 3 Real-world Security Challenges for Your IBM i SystemsAddressing the Top 3 Real-world Security Challenges for Your IBM i Systems
Addressing the Top 3 Real-world Security Challenges for Your IBM i SystemsPrecisely
 
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Amazon Web Services
 
Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018joshquarrie
 
Security Intelligence Report
Security Intelligence ReportSecurity Intelligence Report
Security Intelligence ReportMicrosoftTR
 
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...JoAnna Cheshire
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessessSensePost
 

Similar to SecTor 2012 The Security Mendoza Line (20)

Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer Symposium
 
Fix What Matters
Fix What MattersFix What Matters
Fix What Matters
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008
 
Hacking_SharePoint_FINAL
Hacking_SharePoint_FINALHacking_SharePoint_FINAL
Hacking_SharePoint_FINAL
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...
 
Current Emerging Threats
Current Emerging ThreatsCurrent Emerging Threats
Current Emerging Threats
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking Oracle
 
ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security ERAU webinar november 2016 cyber security
ERAU webinar november 2016 cyber security
 
SMBs: The Threat Ahead
SMBs: The Threat AheadSMBs: The Threat Ahead
SMBs: The Threat Ahead
 
"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy"Thinking diffrent" about your information security strategy
"Thinking diffrent" about your information security strategy
 
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf MattssonISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
ISACA NA CACS 2012 Orlando session 414 Ulf Mattsson
 
Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems
Addressing the Top 3 Real-world Security Challenges for Your IBM i SystemsAddressing the Top 3 Real-world Security Challenges for Your IBM i Systems
Addressing the Top 3 Real-world Security Challenges for Your IBM i Systems
 
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019 Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
Guarding the guardian’s guard: IBM Trusteer - SEP326 - AWS re:Inforce 2019
 
Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018Cyber Security: A Common Problem 2018
Cyber Security: A Common Problem 2018
 
Security Intelligence Report
Security Intelligence ReportSecurity Intelligence Report
Security Intelligence Report
 
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
The Role of Threat Intelligence and Layered Securiy for Intrusion Prevention ...
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
 

Recently uploaded

In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsExpeed Software
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...Product School
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...Product School
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityScyllaDB
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...CzechDreamin
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoTAnalytics
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekCzechDreamin
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
 

Recently uploaded (20)

In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 

SecTor 2012 The Security Mendoza Line

  • 1. Hitting Above The Security Mendoza Line Ed Bellis, CEO Risk I/O
  • 2. Nice To Meet You About Me CoFounder Risk I/O Former CISO Orbitz Contributing Author Beautiful Security CSO Magazine/Online Writer InfoSec Island Blogger About Risk I/O Data-Driven Vulnerability Management as a Service DataWeek 2012 Top Security Innovator 3 Startups to Watch - Information Week 16 Hot Startups - eWeek
  • 3. About Mario Played for Pirates, Rangers & Mariners Played MLB for 9 Seasons Lifetime Batting Avg: .214, 4HR, 101 RBI Failed to bat .200 5 times
  • 4. The Security Mendoza Line Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? Enter The Security Mendoza Line Alex Hutton came up with original concept of the Security Mendoza Line http://riskmanagementinsight.com/riskanalysis/?p=294
  • 5. HD Moore’s Law Josh Corman expands the Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit”
  • 6. A Difficult Task Nearly 2K MSF Exploits 2000 Exploit Development 1500 ExploitDB > 18K Exploits 1000 500 >10% Known Exploits 0 2010 MSF Modules 2012
  • 8. Point Click Pwn
  • 10. Out Scripting the Kiddies Fighting Automation with Automation Netflix/ SimianArmy Github Avg: .200
  • 12. Context Matters Mitigating Controls Firewalls / ACLs IPS WAF MFA Other Avg: .240
  • 13. Context Matters Honeypot, WAF & IDS data logs! logs! logs! Measuring Likelihood Avg: .260
  • 14. Broader Context Targets of Opportunity? My(vuln posture X other threat activity) / (other vuln posture X other threat activity) Avg: .280
  • 15. Beyond Info Sharing Model Sharing ALL Star! Avg: .300
  • 16. A Quick Side Note CVE Trending Analysis Gunnar’s Debt Clock
  • 17. Q&A follow us the blog http://blog.risk.io/ twitter @ebellis And one more thing.... @riskio We’re Hiring! https://www.risk.io/jobs

Editor's Notes

  1. From Shaman to Scientist - A Use Case in Data Driven Security\n
  2. \n
  3. Talk about WEIS. Security is an opaque attribute within the software market. It is not easily apparent to the buyer how much security they are getting when they purchase software. This is similar to quality within the automotive industry. There are no good ways to determine what you are getting. This is a problem for the buyer and we need to figure out how to make security more transparent to the software purchaser. \n
  4. Developers are rarely incented by software security. Speed to market, functionality and other code quality factors are often prioritized over secure code. Revenues and customer acquisition is rarely driven by security. This creates a lack of incentives around software security.\n
  5. Metasploit has become table stakes. \n
  6. Security is a negative externality. This is creates very big issues in the broader security of systems and the internet. A commonly used example in security of a negative externality are botnets. As an avg user on the internet I have very little incentive to secure my machine from being part of a botnet. Other than some bandwidth or system resource consumption, it doesn’t do me much harm. But those suffering a DDOS attack via a botnet are suffering the consequence from the avg user not protecting their machine. In other words, those with the power to protect are not incented to do so.\n
  7. Security is a negative externality. This is creates very big issues in the broader security of systems and the internet. A commonly used example in security of a negative externality are botnets. As an avg user on the internet I have very little incentive to secure my machine from being part of a botnet. Other than some bandwidth or system resource consumption, it doesn’t do me much harm. But those suffering a DDOS attack via a botnet are suffering the consequence from the avg user not protecting their machine. In other words, those with the power to protect are not incented to do so.\n
  8. Security is a negative externality. This is creates very big issues in the broader security of systems and the internet. A commonly used example in security of a negative externality are botnets. As an avg user on the internet I have very little incentive to secure my machine from being part of a botnet. Other than some bandwidth or system resource consumption, it doesn’t do me much harm. But those suffering a DDOS attack via a botnet are suffering the consequence from the avg user not protecting their machine. In other words, those with the power to protect are not incented to do so.\n
  9. We need to take a more data driven approach to security. Relying on metrics and yes and in some cases real live outcomes and evidence. There are a lot of complaints in our field about a lack of information, and while I don’t disagree often times we are not even using the information that we have! I’m going to walk through a few use cases. These are all baby steps to get to where we eventually need to be but we gotta start somewhere. Using less secrecy & religion and more openness and information sharing. In order to take the first steps, we have to get our own house in order.\n
  10. A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
  11. A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
  12. A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
  13. A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
  14. Insert Alex Hutton formula\n4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....\n4:15:46 PM Ed Bellis: haha its a new risk language\n4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?\n4:16:16 PM Alex Hutton: not yet\n4:16:21 PM Alex Hutton: some but not a ton\n4:16:24 PM Ed Bellis: also any insight on whether VERIS taking off?\n4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense\n4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled\n4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data\n4:17:31 PM Ed Bellis:\n4:17:51 PM Ed Bellis: i'd love to tap into that\n4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis\n4:19:50 PM Alex Hutton: In a sense, you hold not only the orgs perimeter, but a broad sample of perimeters\n4:20:04 PM Alex Hutton: and their\n4:20:12 PM Alex Hutton: vuln posture\n4:20:38 PM Alex Hutton: So\n4:21:07 PM Ed Bellis: right we want to move into a position where our data becomes the primary asset to help make better security decisions\n4:21:16 PM Ed Bellis: *not a verb*\n4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data\n4:22:24 PM Ed Bellis: meaning am i safer than my neighbor?\n4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting\n4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.\n4:23:23 PM Ed Bellis: i see\n4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln. to specific threat activity.  So far, you're lucky\n4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?\n4:24:31 PM Ed Bellis: where do we get the rate of threat activity?\n4:24:42 PM Ed Bellis: breach db's?\n4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.\n4:25:06 PM Alex Hutton: nope.  that's part of your exit strategy\n4:25:19 PM Ed Bellis: bought by verizon ?\n4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data\n4:25:58 PM Alex Hutton: you as "Yet another managed service" well, that's a scenario I believe in, yes.\n4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think\n4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)\n
  15. Insert Alex Hutton formula\n4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....\n4:15:46 PM Ed Bellis: haha its a new risk language\n4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?\n4:16:16 PM Alex Hutton: not yet\n4:16:21 PM Alex Hutton: some but not a ton\n4:16:24 PM Ed Bellis: also any insight on whether VERIS taking off?\n4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense\n4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled\n4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data\n4:17:31 PM Ed Bellis:\n4:17:51 PM Ed Bellis: i'd love to tap into that\n4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis\n4:19:50 PM Alex Hutton: In a sense, you hold not only the orgs perimeter, but a broad sample of perimeters\n4:20:04 PM Alex Hutton: and their\n4:20:12 PM Alex Hutton: vuln posture\n4:20:38 PM Alex Hutton: So\n4:21:07 PM Ed Bellis: right we want to move into a position where our data becomes the primary asset to help make better security decisions\n4:21:16 PM Ed Bellis: *not a verb*\n4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data\n4:22:24 PM Ed Bellis: meaning am i safer than my neighbor?\n4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting\n4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.\n4:23:23 PM Ed Bellis: i see\n4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln. to specific threat activity.  So far, you're lucky\n4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?\n4:24:31 PM Ed Bellis: where do we get the rate of threat activity?\n4:24:42 PM Ed Bellis: breach db's?\n4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.\n4:25:06 PM Alex Hutton: nope.  that's part of your exit strategy\n4:25:19 PM Ed Bellis: bought by verizon ?\n4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data\n4:25:58 PM Alex Hutton: you as "Yet another managed service" well, that's a scenario I believe in, yes.\n4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think\n4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)\n
  16. A study by Thomas Zimmerman of MS and Stephan Neuhaus mines the CVE database looking at all sorts of trends. It’s a good paper. There’s a table near the end that clearly shows the increase in vulnerabilities through the application layer with a decrease of many of the more traditional network vulnerabilities over time. Yet we continue to prioritize our spending and resources on the attacks of 5+ years ago.\n
  17. \n