This talk is a different take on vulnerability statistics. Instead of examining vulnerability definitions from NVD, OSVDB, etc., we look at live vulnerabilities on real networks, millions of them. Instead of examining a single tool, this talk represents the aggregation of data from 20 of the leading security tools on the market and a thorough review of the data they generate.
First, we examine the overlapping data generated by those tools. Next, we compare and contrast it with the output of multiple breach reports and databases, and extract trends that may be important in helping us reduce the number of breaches in the future. The corpus for this research is over 30,000,000 vulnerabilities analyzed over the past 12 months, generated across some of the largest corporations in the world.
We'll use this data to discuss how people are remediating vulnerabilities, how effective their efforts are, and how they could do a little bit better.
Michael is responsible for building out Risk I/O's predictive analytics functionality. He formerly worked in fraud detection in the finance industry, and holds an MS in Operations Research from Georgia Tech. In his spare time he tinkers on everything from bikes to speakers to cars, and works on his pet project: outfitting food trucks with GPS.
Ed is the co-founder of Risk I/O, a vulnerability intelligence Software-as-a-Service that centralizes, correlates and automates the entire stack of security vulnerabilities and the remediation workflow. Ed has over 20 years of experience in information security and technology. He is a frequent speaker at information security events across North America and Europe. Additionally, Ed is a contributing author to the O'Reilly book Beautiful Security and a blogger on CSO Online.