SlideShare une entreprise Scribd logo

BSides SF Security Mendoza Line

Ed Bellis
Ed Bellis

Hitting Above The Security Mendoza Line. Presentation by Ed Bellis at BSides San Francisco.

Technologie
1  sur  18
Télécharger pour lire hors ligne
Hitting Above The Security Mendoza Line Ed Bellis, CEO Risk I/O
Nice To Meet You About Me CoFounder Risk I/O Former CISO Orbitz Contributing Author Beautiful Security CSO Magazine/Online Writer InfoSec Island Blogger About Risk I/O Data-Driven Vulnerability Intelligence Platform DataWeek 2012 Top Security Innovator 3 Startups to Watch - Information Week 16 Hot Startups - eWeek
About Mario Played for Pirates, Rangers & Mariners Played MLB for 9 Seasons Lifetime Batting Avg: .214, 4HR, 101 RBI Failed to bat .200 5 times
The Security Mendoza Line Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? Enter The Security Mendoza Line Alex Hutton came up with original concept of the Security Mendoza Line http://riskmanagementinsight.com/riskanalysis/?p=294
HD Moore’s Law Josh Corman expands the Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit” http://blog.cognitivedissidents.com/ 2011/11/01/intro-to-hdmoores-law/
A Difficult Task Nearly 2K MSF Exploits 2000 Exploit Development in first 9 months! 1500 ExploitDB > 18K Exploits 1000 500 17.8% Known Exploits 0 2010 MSF Modules 2012
Release Early Release Often
Point Click Pwn
A Data Driven Approach
Out Scripting the Kiddies Fighting Automation with Automation Netflix/ SimianArmy
Context Matters Attack Path data analysis
Context Matters Wait just a minute... Computing Optimal Security Strategies for Interdependent Assets http://vorobeychik.com/2012/ssgames.pdf Game Theory: Smart Data>Big Data http://blog.risk.io/2013/02/playing-around-with-game-theory/
Context Matters Mitigating Controls Firewalls / ACLs IPS WAF MFA Other
Context Matters Honeypot, WAF & IDS data logs! logs! logs! Measuring Likelihood
Broader Context Targets of Opportunity? My(vuln posture X other threat activity) / (other vuln posture X other threat activity)
Beyond Info Sharing Model Sharing
A Quick Side Note CVE Trending Analysis Gunnar’s Debt Clock
Q&A follow us the blog http://blog.risk.io/ twitter @ebellis And one more thing.... @riskio We’re Hiring! https://www.risk.io/jobs

Recommandé

SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineEd Bellis
 
How much security is enough?
How much security is enough?How much security is enough?
How much security is enough?Sherry Jones
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attackКомсс Файквэе
 
Security4all Desktop Security
Security4all Desktop SecuritySecurity4all Desktop Security
Security4all Desktop SecurityBen W.
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
W.A.R. Words Are Risk
W.A.R. Words Are RiskW.A.R. Words Are Risk
W.A.R. Words Are RiskEC-Council
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Threat and Mitigation
Threat and MitigationThreat and Mitigation
Threat and MitigationNoel Waterman
 

Recommandé

SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineEd Bellis
 
How much security is enough?
How much security is enough?How much security is enough?
How much security is enough?Sherry Jones
 
Ey giss-under-cyber-attack
Ey giss-under-cyber-attackEy giss-under-cyber-attack
Ey giss-under-cyber-attackКомсс Файквэе
 
Security4all Desktop Security
Security4all Desktop SecuritySecurity4all Desktop Security
Security4all Desktop SecurityBen W.
 
Mobile threat report_q3_2013
Mobile threat report_q3_2013Mobile threat report_q3_2013
Mobile threat report_q3_2013Комсс Файквэе
 
W.A.R. Words Are Risk
W.A.R. Words Are RiskW.A.R. Words Are Risk
W.A.R. Words Are RiskEC-Council
 
What is Ransomware?
What is Ransomware?What is Ransomware?
What is Ransomware?Datto
 
Threat and Mitigation
Threat and MitigationThreat and Mitigation
Threat and MitigationNoel Waterman
 
Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer SymposiumEd Bellis
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Eoin Keary
 
Hacking_SharePoint_FINAL
Hacking_SharePoint_FINALHacking_SharePoint_FINAL
Hacking_SharePoint_FINALIan Naumenko, CISSP, CRISC
 
Fix What Matters
Fix What MattersFix What Matters
Fix What MattersEd Bellis
 
SMBs: The Threat Ahead
SMBs: The Threat AheadSMBs: The Threat Ahead
SMBs: The Threat Aheadmartin_lee1969
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security PresentationDecember ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security Presentationwhmillerjr
 
Current Emerging Threats
Current Emerging ThreatsCurrent Emerging Threats
Current Emerging Threatsdnomura
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Top 5 Famous Cyberattacks Of The World | SOCVault
Top 5 Famous Cyberattacks Of The World | SOCVaultTop 5 Famous Cyberattacks Of The World | SOCVault
Top 5 Famous Cyberattacks Of The World | SOCVaultSOCVault
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionEoin Keary
 
Splunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security SessionSplunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security SessionSplunk
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008Anton Chuvakin
 
IBM Cyber Threat Analysis
IBM Cyber Threat AnalysisIBM Cyber Threat Analysis
IBM Cyber Threat AnalysisIBM Government
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetWatcher
 
Hacking 10 2010
Hacking 10 2010Hacking 10 2010
Hacking 10 2010Felipe Prado
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to InfrastructureJorge Orchilles
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 
Security Intelligence Report
Security Intelligence ReportSecurity Intelligence Report
Security Intelligence ReportMicrosoftTR
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking OracleErmando
 
Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That MatterEd Bellis
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 

Contenu connexe

Similaire à BSides SF Security Mendoza Line

Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer SymposiumEd Bellis
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Eoin Keary
 
Fix What Matters
Fix What MattersFix What Matters
Fix What MattersEd Bellis
 
SMBs: The Threat Ahead
SMBs: The Threat AheadSMBs: The Threat Ahead
SMBs: The Threat Aheadmartin_lee1969
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security PresentationDecember ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security Presentationwhmillerjr
 
Current Emerging Threats
Current Emerging ThreatsCurrent Emerging Threats
Current Emerging Threatsdnomura
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Top 5 Famous Cyberattacks Of The World | SOCVault
Top 5 Famous Cyberattacks Of The World | SOCVaultTop 5 Famous Cyberattacks Of The World | SOCVault
Top 5 Famous Cyberattacks Of The World | SOCVaultSOCVault
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionEoin Keary
 
Splunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security SessionSplunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security SessionSplunk
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008Anton Chuvakin
 
IBM Cyber Threat Analysis
IBM Cyber Threat AnalysisIBM Cyber Threat Analysis
IBM Cyber Threat AnalysisIBM Government
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetWatcher
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to InfrastructureJorge Orchilles
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 
Security Intelligence Report
Security Intelligence ReportSecurity Intelligence Report
Security Intelligence ReportMicrosoftTR
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking OracleErmando
 

Similaire à BSides SF Security Mendoza Line (20)

Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer Symposium
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...
 
Hacking_SharePoint_FINAL
Hacking_SharePoint_FINALHacking_SharePoint_FINAL
Hacking_SharePoint_FINAL
 
Fix What Matters
Fix What MattersFix What Matters
Fix What Matters
 
SMBs: The Threat Ahead
SMBs: The Threat AheadSMBs: The Threat Ahead
SMBs: The Threat Ahead
 
December ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security PresentationDecember ISSA Meeting Executive Security Presentation
December ISSA Meeting Executive Security Presentation
 
Current Emerging Threats
Current Emerging ThreatsCurrent Emerging Threats
Current Emerging Threats
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Top 5 Famous Cyberattacks Of The World | SOCVault
Top 5 Famous Cyberattacks Of The World | SOCVaultTop 5 Famous Cyberattacks Of The World | SOCVault
Top 5 Famous Cyberattacks Of The World | SOCVault
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud version
 
Splunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security SessionSplunk Discovery Day Hamburg - Security Session
Splunk Discovery Day Hamburg - Security Session
 
1st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 20081st Russian CSO Summit Trends 2008
1st Russian CSO Summit Trends 2008
 
IBM Cyber Threat Analysis
IBM Cyber Threat AnalysisIBM Cyber Threat Analysis
IBM Cyber Threat Analysis
 
Netwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech TalkNetwatcher Credit Union Tech Talk
Netwatcher Credit Union Tech Talk
 
Hacking 10 2010
Hacking 10 2010Hacking 10 2010
Hacking 10 2010
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to Infrastructure
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 
Security Intelligence Report
Security Intelligence ReportSecurity Intelligence Report
Security Intelligence Report
 
Thy myth of hacking Oracle
Thy myth of hacking OracleThy myth of hacking Oracle
Thy myth of hacking Oracle
 

Plus de Ed Bellis

Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That MatterEd Bellis
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15Ed Bellis
 
Security as Code
Security as CodeSecurity as Code
Security as CodeEd Bellis
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksEd Bellis
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea LeavesEd Bellis
 
BSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsBSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsEd Bellis
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info SecurityEd Bellis
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeEd Bellis
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So MetaEd Bellis
 

Plus de Ed Bellis (11)

Risk Management Metrics That Matter
Risk Management Metrics That MatterRisk Management Metrics That Matter
Risk Management Metrics That Matter
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your Worries
 
Security as Code: DOES15
Security as Code: DOES15Security as Code: DOES15
Security as Code: DOES15
 
Security as Code
Security as CodeSecurity as Code
Security as Code
 
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
 
Reading the Security Tea Leaves
Reading the Security Tea LeavesReading the Security Tea Leaves
Reading the Security Tea Leaves
 
BSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit TrendsBSidesLV Vulnerability & Exploit Trends
BSidesLV Vulnerability & Exploit Trends
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info Security
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011
 
SecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent LifeSecTor - The Search For Intelligent Life
SecTor - The Search For Intelligent Life
 
Metricon 6 That's So Meta
Metricon 6 That's So MetaMetricon 6 That's So Meta
Metricon 6 That's So Meta
 

Dernier

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Dernier (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

BSides SF Security Mendoza Line

  • 1. Hitting Above The Security Mendoza Line Ed Bellis, CEO Risk I/O
  • 2. Nice To Meet You About Me CoFounder Risk I/O Former CISO Orbitz Contributing Author Beautiful Security CSO Magazine/Online Writer InfoSec Island Blogger About Risk I/O Data-Driven Vulnerability Intelligence Platform DataWeek 2012 Top Security Innovator 3 Startups to Watch - Information Week 16 Hot Startups - eWeek
  • 3. About Mario Played for Pirates, Rangers & Mariners Played MLB for 9 Seasons Lifetime Batting Avg: .214, 4HR, 101 RBI Failed to bat .200 5 times
  • 4. The Security Mendoza Line Wouldn’t it be nice if we had something that helped us divide who we considered “Amateur” and who we considered “Professional”? Enter The Security Mendoza Line Alex Hutton came up with original concept of the Security Mendoza Line http://riskmanagementinsight.com/riskanalysis/?p=294
  • 5. HD Moore’s Law Josh Corman expands the Security Mendoza Line “Compute power grows at the rate of doubling about every 2 years” “Casual attacker power grows at the rate of Metasploit” http://blog.cognitivedissidents.com/ 2011/11/01/intro-to-hdmoores-law/
  • 6. A Difficult Task Nearly 2K MSF Exploits 2000 Exploit Development in first 9 months! 1500 ExploitDB > 18K Exploits 1000 500 17.8% Known Exploits 0 2010 MSF Modules 2012
  • 8. Point Click Pwn
  • 10. Out Scripting the Kiddies Fighting Automation with Automation Netflix/ SimianArmy
  • 12. Context Matters Wait just a minute... Computing Optimal Security Strategies for Interdependent Assets http://vorobeychik.com/2012/ssgames.pdf Game Theory: Smart Data>Big Data http://blog.risk.io/2013/02/playing-around-with-game-theory/
  • 13. Context Matters Mitigating Controls Firewalls / ACLs IPS WAF MFA Other
  • 14. Context Matters Honeypot, WAF & IDS data logs! logs! logs! Measuring Likelihood
  • 15. Broader Context Targets of Opportunity? My(vuln posture X other threat activity) / (other vuln posture X other threat activity)
  • 16. Beyond Info Sharing Model Sharing
  • 17. A Quick Side Note CVE Trending Analysis Gunnar’s Debt Clock
  • 18. Q&A follow us the blog http://blog.risk.io/ twitter @ebellis And one more thing.... @riskio We’re Hiring! https://www.risk.io/jobs