A few years ago Alex Hutton coined the term Security Mendoza Line. It was in reference to Mario Mendoza the baseball player often used as a baseline for how well a player must hit in order to stay in the major leagues and not be demoted. Keeping up with the attacks automated within Metasploit can often serve as that baseline within information security.
More recently, Josh Corman defined HD Moore's Law as "Casual Attacker power grows at the rate of Metasploit". In other words, that baseline is moving and we are not keeping up. In a hyped industry where much of the talk remains around Advanced Persistent Threats it's the baseline that we continue to miss as proven out in reports like Verizon's Data Breach Investigation Report. Looking at the most common breaches they are most likely to be targets of opportunity where the defenders have let the basics slip through the cracks.
In this talk, we will cover why paying attention to HD Moore's Law is important and how to stay on top of this changing threat measurement. We'll offer real world examples on how an organization can identify where they stand against the Security Mendoza Line and how they can alert and defend against falling below the baseline. Content will cover not only identified threats through Metasploit modules but through the myriad of exploit sources available across the internet.
2. Nice To Meet You
About Me
CoFounder Risk I/O
Former CISO Orbitz
Contributing Author
Beautiful Security
CSO Magazine/Online Writer
InfoSec Island Blogger
About Risk I/O
Data-Driven Vulnerability Management as a Service
DataWeek 2012 Top Security Innovator
3 Startups to Watch - Information Week
16 Hot Startups - eWeek
3. About Mario
Played for Pirates,
Rangers & Mariners
Played MLB for 9 Seasons
Lifetime Batting Avg: .214,
4HR, 101 RBI
Failed to bat .200 5 times
4. The Security Mendoza Line
Wouldn’t it be nice if we had something that
helped us divide who we considered
“Amateur” and who we considered
“Professional”?
Enter The Security
Mendoza Line Alex Hutton came up with original concept of
the Security Mendoza Line
http://riskmanagementinsight.com/riskanalysis/?p=294
5. HD Moore’s Law
Josh Corman expands
the Security Mendoza Line
“Compute power grows at the rate
of doubling about every 2 years”
“Casual attacker power grows at
the rate of Metasploit”
6. A Difficult Task
Nearly 2K MSF Exploits 2000
Exploit Development
1500
ExploitDB > 18K Exploits 1000
500
>10% Known Exploits 0
2010
MSF Modules
2012
16. A Quick Side Note
CVE Trending Analysis
Gunnar’s Debt Clock
17. Q&A
follow us
the blog
http://blog.risk.io/
twitter
@ebellis And one more thing....
@riskio We’re Hiring! https://www.risk.io/jobs
Notas del editor
From Shaman to Scientist - A Use Case in Data Driven Security\n
\n
Talk about WEIS. Security is an opaque attribute within the software market. It is not easily apparent to the buyer how much security they are getting when they purchase software. This is similar to quality within the automotive industry. There are no good ways to determine what you are getting. This is a problem for the buyer and we need to figure out how to make security more transparent to the software purchaser. \n
Developers are rarely incented by software security. Speed to market, functionality and other code quality factors are often prioritized over secure code. Revenues and customer acquisition is rarely driven by security. This creates a lack of incentives around software security.\n
Metasploit has become table stakes. \n
Security is a negative externality. This is creates very big issues in the broader security of systems and the internet. A commonly used example in security of a negative externality are botnets. As an avg user on the internet I have very little incentive to secure my machine from being part of a botnet. Other than some bandwidth or system resource consumption, it doesn’t do me much harm. But those suffering a DDOS attack via a botnet are suffering the consequence from the avg user not protecting their machine. In other words, those with the power to protect are not incented to do so.\n
Security is a negative externality. This is creates very big issues in the broader security of systems and the internet. A commonly used example in security of a negative externality are botnets. As an avg user on the internet I have very little incentive to secure my machine from being part of a botnet. Other than some bandwidth or system resource consumption, it doesn’t do me much harm. But those suffering a DDOS attack via a botnet are suffering the consequence from the avg user not protecting their machine. In other words, those with the power to protect are not incented to do so.\n
Security is a negative externality. This is creates very big issues in the broader security of systems and the internet. A commonly used example in security of a negative externality are botnets. As an avg user on the internet I have very little incentive to secure my machine from being part of a botnet. Other than some bandwidth or system resource consumption, it doesn’t do me much harm. But those suffering a DDOS attack via a botnet are suffering the consequence from the avg user not protecting their machine. In other words, those with the power to protect are not incented to do so.\n
We need to take a more data driven approach to security. Relying on metrics and yes and in some cases real live outcomes and evidence. There are a lot of complaints in our field about a lack of information, and while I don’t disagree often times we are not even using the information that we have! I’m going to walk through a few use cases. These are all baby steps to get to where we eventually need to be but we gotta start somewhere. Using less secrecy & religion and more openness and information sharing. In order to take the first steps, we have to get our own house in order.\n
A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
A lot of different attributes could go into determining the “why”. Is a particular team less responsive to patching and updates? Is it the technology stack that is more prone to vulnerability or misconfiguration? Are there other environmental reasons? By determining root cause you may more accurately predict the next issue as well as risk rank new projects or applications prior to deployment. By combining vulnerability, misconfig, defect and issue data with operational data such as log and events, threat feeds, and breach data (need more of this), we could also take our predictive analytics to security breaches not just issues.\n\n
Insert Alex Hutton formula\n4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....\n4:15:46 PM Ed Bellis: haha its a new risk language\n4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?\n4:16:16 PM Alex Hutton: not yet\n4:16:21 PM Alex Hutton: some but not a ton\n4:16:24 PM Ed Bellis: also any insight on whether VERIS taking off?\n4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense\n4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled\n4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data\n4:17:31 PM Ed Bellis:\n4:17:51 PM Ed Bellis: i'd love to tap into that\n4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis\n4:19:50 PM Alex Hutton: In a sense, you hold not only the orgs perimeter, but a broad sample of perimeters\n4:20:04 PM Alex Hutton: and their\n4:20:12 PM Alex Hutton: vuln posture\n4:20:38 PM Alex Hutton: So\n4:21:07 PM Ed Bellis: right we want to move into a position where our data becomes the primary asset to help make better security decisions\n4:21:16 PM Ed Bellis: *not a verb*\n4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data\n4:22:24 PM Ed Bellis: meaning am i safer than my neighbor?\n4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting\n4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.\n4:23:23 PM Ed Bellis: i see\n4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln. to specific threat activity.  So far, you're lucky\n4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?\n4:24:31 PM Ed Bellis: where do we get the rate of threat activity?\n4:24:42 PM Ed Bellis: breach db's?\n4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.\n4:25:06 PM Alex Hutton: nope.  that's part of your exit strategy\n4:25:19 PM Ed Bellis: bought by verizon ?\n4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data\n4:25:58 PM Alex Hutton: you as "Yet another managed service" well, that's a scenario I believe in, yes.\n4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think\n4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)\n
Insert Alex Hutton formula\n4:14:40 PM Alex Hutton: once the data hits catwalk we decision and the threat is funneled off....\n4:15:46 PM Ed Bellis: haha its a new risk language\n4:16:05 PM Ed Bellis: you guys pull a lot of public sources of data?\n4:16:16 PM Alex Hutton: not yet\n4:16:21 PM Alex Hutton: some but not a ton\n4:16:24 PM Ed Bellis: also any insight on whether VERIS taking off?\n4:16:41 PM Alex Hutton: there's a broader vision (you can fit) that would make a lot of sense\n4:17:02 PM Alex Hutton: but that would take cooperation from various sources which is going to be hard, and why VERIS is a bit stalled\n4:17:17 PM Alex Hutton: there are lots of folks using VERIS, but not sharing data\n4:17:31 PM Ed Bellis:\n4:17:51 PM Ed Bellis: i'd love to tap into that\n4:19:34 PM Alex Hutton: well, the better vision is for you to feed data along with threat (and incident data) into decision making on a daily or even hourly basis\n4:19:50 PM Alex Hutton: In a sense, you hold not only the orgs perimeter, but a broad sample of perimeters\n4:20:04 PM Alex Hutton: and their\n4:20:12 PM Alex Hutton: vuln posture\n4:20:38 PM Alex Hutton: So\n4:21:07 PM Ed Bellis: right we want to move into a position where our data becomes the primary asset to help make better security decisions\n4:21:16 PM Ed Bellis: *not a verb*\n4:21:49 PM Alex Hutton: My(vuln posture * other threat activity) / (other vuln posture * other threat activity) = a much better metric than just vuln data\n4:22:24 PM Ed Bellis: meaning am i safer than my neighbor?\n4:22:25 PM Alex Hutton: in fact, a very interesting likelihood data point to do some degree of probabilistic analysis on that I don't have the time to really explore yet, but is very, very interesting\n4:23:10 PM Alex Hutton: that may be a byproduct, more about establishing a rate at which I can expect my luck to run out.\n4:23:23 PM Ed Bellis: i see\n4:23:35 PM Alex Hutton: so you're the CSO of Orbitz, you know you have a vuln. to specific threat activity.  So far, you're lucky\n4:24:02 PM Alex Hutton: but what about establishing rate of threat activity vs. how pervasive that same vuln is around other orgs?\n4:24:31 PM Ed Bellis: where do we get the rate of threat activity?\n4:24:42 PM Ed Bellis: breach db's?\n4:24:51 PM Alex Hutton: High Threat Activity + Low pervasiveness in the aggregate population = Luck running out.\n4:25:06 PM Alex Hutton: nope.  that's part of your exit strategy\n4:25:19 PM Ed Bellis: bought by verizon ?\n4:25:33 PM Alex Hutton: Some MSSP who is running or aggregating WAF data, Firewall/IDS/IPS data\n4:25:58 PM Alex Hutton: you as "Yet another managed service" well, that's a scenario I believe in, yes.\n4:26:20 PM Alex Hutton: But you as "Next generation in managed services by data aggregation" is going to be very, very compelling, I think\n4:26:46 PM Alex Hutton: what you have to understand (and I think you do) is how to leverage your data into "decision" (the verb)\n
A study by Thomas Zimmerman of MS and Stephan Neuhaus mines the CVE database looking at all sorts of trends. It’s a good paper. There’s a table near the end that clearly shows the increase in vulnerabilities through the application layer with a decrease of many of the more traditional network vulnerabilities over time. Yet we continue to prioritize our spending and resources on the attacks of 5+ years ago.\n