2. About Me
Ed Bellis
• Co-founder and CTO at Kenna Security, an automated risk & vulnerability intelligence platform
• Orbitz CISO for 6 years
• 20+ years Info Security experience including Bank of America, CSC, E&Y
• Contributing Author, Beautiful Security
• Frequent speaker at events such as…
3. Warning
This presentation contains large amounts of data used for the purpose of proving an information security theory. No marketers were harmed during the making of this presentation.
10. Your Threat Model Is Backwards
“While 2015 was no chump when it came to successfully exploited CVEs, the tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies.”
11. Your Confidence Is Unwarranted
“…we need to see more of targeted remediation efforts which more often than not focus on those vulnerabilities which attackers are successful with in the wild.”
15. Versus The Hare
The probability that a CVE which is exploited within its first year will have been hit by X days after publication. At 40-60 days, that probability is already over 90 percent.
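The curve on this slide is an empirical distribution of time-to-first-exploit, conditioned on the CVE being exploited at all in its first year. The following is an added example, not code from the deck or from Kenna; it computes that curve from a constructed list of day counts (real values would come from an exploitation feed) and reports how much of the year-1 exploited population a given patch window would have caught.

```python
"""Empirical time-to-exploit curve, as described on the 'Versus The Hare' slide.

Added example, not part of the original presentation. The sample below is
constructed: each value is the number of days between a CVE's publication
and its first observed in-the-wild exploitation, restricted to CVEs that
were exploited within their first year (so every value is in [0, 365]).
"""
from bisect import bisect_right

# Constructed sample of days from publication to first observed exploit.
DAYS_TO_FIRST_EXPLOIT = [
    0, 0, 1, 2, 3, 4, 6, 8, 10, 13, 16, 20, 25, 30, 36, 42, 48, 55, 90, 200,
]


def exploit_cdf(samples):
    """Sort once so repeated lookups are O(log n)."""
    if not samples:
        raise ValueError("no samples")
    if any(d < 0 or d > 365 for d in samples):
        raise ValueError("samples must be restricted to the first year (0-365 days)")
    return sorted(samples)


def prob_exploited_within(days, sorted_samples):
    """P(first exploit occurs within `days` of publication | exploited in year 1)."""
    return bisect_right(sorted_samples, days) / len(sorted_samples)


def days_to_reach(probability, sorted_samples):
    """Smallest day count at which the empirical probability reaches `probability`."""
    n = len(sorted_samples)
    for i, day in enumerate(sorted_samples, start=1):
        if i / n >= probability:
            return day
    return sorted_samples[-1]


def patch_window_report(sorted_samples, windows=(7, 30, 60, 90)):
    """Share of year-1 exploited CVEs already hit by the end of each patch window."""
    return {w: round(prob_exploited_within(w, sorted_samples), 2) for w in windows}


if __name__ == "__main__":
    cdf = exploit_cdf(DAYS_TO_FIRST_EXPLOIT)
    for window, p in patch_window_report(cdf).items():
        print(f"patch window {window:>3} days: {p:.0%} of year-1 exploited CVEs already hit")
    print("90% of year-1 exploits observed by day", days_to_reach(0.9, cdf))
```

Read the output as an SLA check: a 30-day patch window still leaves most of the exploited population exposed, while the 90th percentile of the constructed sample falls inside the 40-60 day band the slide quotes.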
20. Secure Because Math
Existing Exploit + Patch Available + RCE > Advanced Persistent Threat
P for Probability!
…or put another way… “Why Burn a Zero Day?”
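The inequality on this slide is a prioritisation rule: evidence of real-world exploitation, remote code execution and an available fix should outrank raw severity. The following is an added example, not the deck's or Kenna's scoring model; the weights and the four vulnerability records are constructed, and the ids are placeholders rather than real CVEs. It ranks the same inventory two ways so the difference between a CVSS-only queue and an evidence-driven queue is visible.

```python
"""Evidence-driven prioritisation versus CVSS-only ordering.

Added example, not part of the original presentation. Weights, records and
ids below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vuln_id: str           # placeholder id, not a real CVE
    cvss: float            # base severity, 0-10
    exploit_in_wild: bool  # exploitation observed by an intelligence feed
    rce: bool              # remote code execution
    patch_available: bool  # a vendor fix exists, so remediation is cheap


# Constructed weights: in-the-wild exploitation dominates, RCE next, and an
# available patch moves an item up because it can actually be closed today.
WEIGHTS = {"exploit_in_wild": 4.0, "rce": 2.0, "patch_available": 1.0}


def priority_score(v: Vuln) -> float:
    """Sum of evidence weights; CVSS only breaks ties inside an evidence class."""
    score = 0.0
    if v.exploit_in_wild:
        score += WEIGHTS["exploit_in_wild"]
    if v.rce:
        score += WEIGHTS["rce"]
    if v.patch_available:
        score += WEIGHTS["patch_available"]
    return score + v.cvss / 10.0


def rank_by_evidence(vulns):
    return sorted(vulns, key=priority_score, reverse=True)


def rank_by_cvss(vulns):
    return sorted(vulns, key=lambda v: v.cvss, reverse=True)


def ids(ranked):
    return [v.vuln_id for v in ranked]


# Constructed inventory.
INVENTORY = [
    Vuln("VULN-A", 9.8, exploit_in_wild=False, rce=True, patch_available=False),
    Vuln("VULN-B", 7.5, exploit_in_wild=True, rce=True, patch_available=True),
    Vuln("VULN-C", 10.0, exploit_in_wild=False, rce=False, patch_available=True),
    Vuln("VULN-D", 6.1, exploit_in_wild=True, rce=False, patch_available=True),
]

if __name__ == "__main__":
    print("CVSS-only queue:   ", ids(rank_by_cvss(INVENTORY)))
    print("evidence queue:    ", ids(rank_by_evidence(INVENTORY)))
    for v in rank_by_evidence(INVENTORY):
        print(f"  {v.vuln_id}: score={priority_score(v):.2f} cvss={v.cvss}")
```

A CVSS-only queue starts with the 10.0 item that nobody is exploiting and has no RCE; the evidence queue starts with the 7.5 item that is exploited in the wild, gives code execution and already has a patch, which is the slide's point.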
21. Key Takeaways
1. Focus on the Basics
2. Automate your Defenses
   A. Configuration Management
   B. Patch Management
   C. Compensating Controls
   D. Continuous Deployment
Make it necessary to be both Advanced and Persistent.