bsides sf security mendoza line
DESCRIPTION
Hitting Above The Security Mendoza Line. Presentation by Ed Bellis at BSides San Francisco.
TRANSCRIPT
Hitting Above The Security Mendoza Line
Ed Bellis, CEO Risk I/O
Nice To Meet You
About Me
CoFounder Risk I/O
Former CISO Orbitz
Contributing Author Beautiful Security
CSO Magazine/Online Writer
InfoSec Island Blogger
About Risk I/O
Data-Driven Vulnerability Intelligence Platform
DataWeek 2012 Top Security Innovator
3 Startups to Watch - Information Week
16 Hot Startups - eWeek
About Mario
Played for Pirates, Rangers & Mariners
Played MLB for 9 Seasons
Lifetime Batting Avg: .214, 4HR, 101 RBI
Failed to bat .200 5 times
The Security Mendoza Line
Alex Hutton came up with the original concept of the Security Mendoza Line
http://riskmanagementinsight.com/riskanalysis/?p=294
Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”?
Enter The Security Mendoza Line
Josh Corman expands the Security Mendoza Line
HD Moore’s Law
“Compute power grows at the rate of doubling about every 2 years”
“Casual attacker power grows at the rate of Metasploit”
http://blog.cognitivedissidents.com/2011/11/01/intro-to-hdmoores-law/
A Difficult Task
ExploitDB > 18K Exploits
[Chart: Exploit Development, MSF Modules, 2010 to 2012]
Nearly 2K MSF Exploits in first 9 months!
17.8% Known Exploits
Release Early Release Often
Point Click Pwn
A Data Driven Approach
Out Scripting the Kiddies
Fighting Automation with Automation
Netflix/SimianArmy
Context Matters
Attack Path data analysis
Context Matters
Wait just a minute...
http://vorobeychik.com/2012/ssgames.pdf
Computing Optimal Security Strategies for Interdependent Assets
Game Theory: Smart Data > Big Data
http://blog.risk.io/2013/02/playing-around-with-game-theory/
Context Matters
Mitigating Controls
Firewalls / ACLs
IPS
WAF
MFA
Other
Context Matters
Honeypot, WAF & IDS data
logs! logs! logs!
Measuring Likelihood
My (vuln posture X other threat activity) / (other vuln posture X other threat activity)
Broader Context
Targets of Opportunity?
Beyond Info Sharing
Model Sharing
CVE Trending Analysis
A Quick Side Note
Gunnar’s Debt Clock
Q & A
follow us
http://blog.risk.io/
http://www.honeyapps.com/signup
@riskio
@ebellis
the blog
And one more thing....
We’re Hiring! https://www.risk.io/jobs