amateur hour: why apts are the least of your worries
TRANSCRIPT
About Me
Ed Bellis
• Co-founder and CTO at Kenna Security, an automated risk & vulnerability intelligence platform
• Orbitz CISO for 6 years
• 20+ years Info Security experience including Bank of America, CSC, E&Y
• Contributing Author, Beautiful Security
• Frequent speaker at events such as…
Warning: This presentation contains large amounts of data used for the purpose of proving an information security theory. No marketers were harmed during the making of this presentation.
Your Threat Model Is Backwards
“While 2015 was no chump when it came to successfully exploited CVEs, the tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies.”
Your Confidence Is Unwarranted
“…we need to see more of targeted remediation efforts which more often than not focus on those vulnerabilities which attackers are successful with in the wild.”
“Low Hanging Fruit”
“If a vulnerability is going to be exploited, 30 days is a good bet for how much time you have to remediate.”
Versus The Hare
The probability that a CVE that is exploited in the first year will be hit X days after publication. At 40-60 days, that probability is over 90 percent.
Secure Because Math
Existing Exploit + Patch Available + RCE > Advanced Persistent Threat
P for Probability!
…or put another way… “Why Burn a Zero Day?”
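The “Secure Because Math” ordering above, turned into a small prioritization routine as an added example (not code from the talk or from Kenna Security): a constructed vulnerability backlog is ranked so that bugs with a public exploit, an available patch and remote code execution sort ahead of a hypothetical zero-day with no exploit in the wild, and each record is checked against the 30-day remediation window the talk cites. The weights and the CVE-EXAMPLE identifiers are assumptions made for this example.

```python
from dataclasses import dataclass

REMEDIATION_WINDOW_DAYS = 30  # the talk's "30 days is a good bet"


@dataclass
class Vuln:
    cve: str                    # placeholder id, constructed for this example
    exploit_public: bool        # a working exploit exists in the wild
    patch_available: bool       # vendor fix is available to deploy
    rce: bool                   # remote code execution
    days_since_publication: int


def priority(v: Vuln) -> int:
    """Higher score = remediate sooner. Weights are an assumption of this example,
    chosen so 'existing exploit + patch + RCE' outranks any single factor."""
    score = 0
    if v.exploit_public:
        score += 50   # attackers are already succeeding with it
    if v.rce:
        score += 30
    if v.patch_available:
        score += 15   # actionable: there is something to deploy
    if v.exploit_public and v.days_since_publication >= REMEDIATION_WINDOW_DAYS:
        score += 5    # past the window: probability of being hit is high
    return score


def days_remaining(v: Vuln) -> int:
    """Days left in the 30-day window (0 once it has elapsed)."""
    return max(0, REMEDIATION_WINDOW_DAYS - v.days_since_publication)


def rank(backlog: list[Vuln]) -> list[str]:
    """CVE ids ordered from most to least urgent."""
    return [v.cve for v in sorted(backlog, key=priority, reverse=True)]


# Constructed sample backlog: an old, widely exploited bug; a fresh bug with no
# public exploit (the "APT zero-day" case); and two middling entries.
SAMPLE_BACKLOG = [
    Vuln("CVE-EXAMPLE-0001", True, True, True, 400),
    Vuln("CVE-EXAMPLE-0002", False, False, True, 0),
    Vuln("CVE-EXAMPLE-0003", True, True, False, 10),
    Vuln("CVE-EXAMPLE-0004", False, True, False, 200),
]

if __name__ == "__main__":
    for cve in rank(SAMPLE_BACKLOG):
        print(cve)
```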
Key Takeaways
1. Focus on the Basics
2. Automate your Defenses
   A. Configuration Management
   B. Patch Management
   C. Compensating Controls
   D. Continuous Deployment
Make it necessary to be both Advanced and Persistent.