Key Attribute Risk Management and Analysis (KARMA)

SOURCE Boston 2016

Presented by: Daniel Miessler
Date: Thursday May 19, 2016
Time: 14:10 - 14:50
Location: Washington
Track: Security & Metrics

KARMA is a system for rating a system's ability to avoid negative outcomes based on rating a limited number of key attributes. The system is based on SME knowledge of the particular system being rated, and its goal is to find the attributes that most predict negative outcomes in the real world. Analogs exist already in industries like:

In these fields it's possible to learn a relatively small number of things about a system / person / situation and then make informed decisions about how likely that system is to have an undesirable outcome, e.g., premature death, insurance payout, or loan default.

The goal of the KARMA system is to do the same with information security as it pertains to other types of system. These include security program components such as vulnerability management, insider threat, etc., as well as system components such as applications, operating systems, etc. This talk will give an overview of how KARMA can be used in an environment to provide a more accurate view of real-world risk, i.e., knowing your actual attacker-based risk instead of your compliance with arbitrary standards.

Daniel Miessler

Daniel Miessler is a Director of Client Advisory Services with IOActive, based out of San Francisco, California. Daniel has 17 years of experience in information security with a focus on web, mobile, and IoT, and is the project leader for the OWASP IoT projects. In his spare time, he enjoys reading, writing, programming, and table tennis.
