Dan Guido’s SOURCE Boston presentation is called Exploit Intelligence.

He suggests that the over-emphasis on vulnerabilities and a failure to assess threats will result in poor risk management. With so many vulnerabilities, it is best to prioritize based on threats — focus on the most likely exploits. Or you could say spend your defensive resources on making the known attacks less likely to work. That might mean using controls other than just patching.

This is an old song but still a good one. PCI DSS has tried to push the same message for a couple years now. But Dan has put some nice data together to illustrate his point and he seems very adamant about change. I particularly liked the part when he said

This analysis process and data should be picked up by the security industry and used effectively. AV companies have been doing you a disservice by not doing this in the past. They should start now.

They should have started a long time ago. But we also should be careful what we demand from vendors.

If we leave service definitions fairly open to interpretation and then force AV vendors to offer attacker capability evaluation (e.g. threat analysis or “kill chain models” if you must call it that) it will probably show up as a new $30/year premium subscription upgrade option with not much else changed.

Oh, wait, he included a “data should be…used effectively” clause. That always works.