
Loading summary
A
Foreign. This is Kathleen Campano and this is a Risky Business News sponsor interview with Aaron Atarzadech, Enterprise Security engineer at Nucleus Security. Welcome, Aaron.
B
Thank you so much for having me.
A
Aaron. Vulnerability management companies have always had an image problem in the eyes of customers. You go to a security conference or a trade show and people would often dismiss your craft on the premise that you work with a fixed amount of data points from a cve. Many times you hear people say that they can easily put together a script, scrape a CVE database, and then use that to pass their stuff. However, when we set up this interview, you sent me an email where you wrote that customers have way more data at their disposal than they think they have. Where does this discrepancy come from? What are you exactly referring to when you say there's more data in vulnerability management processes than people think?
B
Yeah, great question. So normally most vulnerability management teams, they're looking at just their scanners that scan the infrastructure. Right. We often forget that there's often endpoint agents that are being deployed on those systems. There is the infrastructure team that's managing the vms or the EKS clusters, the GKE clusters that is being deployed. So these are all different data sources that VM solutions can plug into to pull data that the scanner isn't pulling, as an example.
A
So from what I understand, there's a little bit of asset correlation and asset management, which is just as important to modern day vulnerability management as the good old vulnerability scanners.
B
Yeah.
A
When do you think this became the norm? With the first APT attacks, with the rise of ransomware, with the move to the cloud, when did people go from, I just can't apply every little patch. Let me start splitting assets in tiers and categories.
B
Yeah, I think this came about with the mass adoption of cloud environments. I think Covid played a big role into this, where people could no longer go in person, so they're no longer managing on prem assets. So a lot of people started deploying cloud environments and started the mass migration to the cloud. And you're no longer just supporting one vm, you're no longer just supporting one host, you are now supporting the eight assets that are surrounding that host, such as a vpc, a security group, the IAM roles tied to it, the volume that's tied to it. Right. So we go from just managing one source with maybe a load balancer in front of it, to now eight separate assets that are all surrounding a single vm. So it's an explosion of data now.
A
So as you say, it's an explosion of data as a vulnerability management platform. How do you collect all this metadata? Where do you collect it from? And then how do you deploy it to customers?
B
We are big proponents of plugging into everything. So we don't just look at the VM scanners themselves. We, we're looking at the underlying cloud environments like AWS and GCP and Azure OCI tying into the cloud environments itself, reaching out to it, asking if they have any EDR solutions that are being deployed on those hosts, reaching out to the infrastructure team that maybe has a CMDB that's also doing discovery scans within the environment, ingesting data from them. Also even the application team, they may have spreadsheets of who owns what application that's being deployed in what AWS account. Right. It's all different bits of metadata that's completely across the entire organization and no one has a good way of aggregating that data until now.
A
So there is some sort of customer input in the rollout of your platform. Right. Like you don't use any type of automated system that just automatically classifies and categorizes assets based on their importance. You also need the customer to chip in, right?
B
Not necessarily. So there is, that's the beauty of correlation is every different data source provides different metadata that one doesn't have. For example, you may pull from AWS production environment versus a staging environment or security group controls around what security group is publicly facing versus which one is not publicly facing. So we're pulling from the different data sources, the underlying metadata that can fill in the gaps that different data sources that are giving us data cannot fill in those gaps.
A
We think the way cloud infrastructure is usually set up encourages this simpler way of categorizing data. Because of the role based systems usually.
B
Having cloud platforms, I think everyone has a unique way of deploying their architecture. They have a unique way of deploying applications. No one customer is the same. It's. It's giving them a platform that is completely flexible to how they deploy their application, how they interact with the cloud, be able to morph and work with their current deployment.
A
Stack networks inside. Large companies also have this tendency to change all the time in both size and content. People add and take those systems, especially in the cloud. How do you deal with this? What would be the typical time between when you detect a new system and add it to your dashboard and like do you prompt clients about it to ask them what this is, where this belongs, how important this is?
B
Yeah. So ever changing data, right. It's a constant problem that I think everyone deals with on a daily basis. You know, whether security group changes, whether a cluster is continuously redeployed. For us, we do real time syncing with the cloud. So it's a matter of setting up mapping rules or setting up automation rules within Nucleus that are continuously being triggered every single time a new event or new asset is brought into Nucleus to ensure that we don't display stale data. Right? If you start assigning vulnerabilities out to engineers for remediation within a cluster and you have 10,000 containers, and today you have 10,000 containers, but tomorrow it's dead and you have a whole brand new cluster, that's just useless work. So it's about keeping real time data within Nucleus, within any platform really, and ensuring that it's the most up to date data.
A
This trend of increased attacks, targeting edge devices, using them for initial access instead of phishing, and how this has triggered for many companies, more increased focus on securing edge devices and systems that can be used for initial access. I was wondering if this has triggered any kind of response from customers like, okay, we know these are under attack. Do we have any ways to keep them under a closer grip than the rest of our assets? Like in a class of their own, like a CISAK section or something?
B
This is a great question. So we look at things like end of life, we look at vulnerabilities that are exploitable on end of life assets that can't be patched, right? And when we think of risk in Nucleus and just even outside of Nucleus, right, It's not just the vulnerability context, it's the asset context, right? So I think of this as an upside down tree where the left branch of this tree is the context of the asset. So imagine you have the same vulnerability across two different assets. One is EOL and one is a fully supported asset. The one that's EOL is out of compliant. So the risk of this asset being exploited is higher even though the they have the same vulnerability on them. So when you start doing things like assigning due dates and prioritizing and boiling things up to the top, that vulnerability that is on an EOL asset will dynamically be adjusted and bumped up to the very top of the list versus something that is patchable that you can update the operating system or you can patch the host. This is a very common use case that we see on a daily basis. And by just looking at the vulnerability scanner and surfacing the vulnerabilities, you can't get that contextual data that the low level data of like is this host, you know, if it's just like an external scan, right? If you're just doing an external scan and you don't have like the build information from like a Windows build, right? You may not know it may be Windows 10, but what version of Windows 10? What build version of Windows 10, right? And being able to cross correlate from like let's say CrowdStrike that's embedded onto the host itself and from the external scan, you now have the build information from CrowdStrike correlated to the vulnerability that maybe NESSUS is giving you or what the Daskan is giving you. That's where the real power of correlation comes in. So. Very much so, yes.
A
Are there other kind of examples where correlation usually plays a big role in prioritizing patching, like besides edge networking devices, like let's say internal static systems inside a ad network, something like that?
B
That's a very common one. We see a lot of customers use DLP solutions like Rubrik, where Rubrik is scanning for things like credit card information, social securities and stuff like that. And being able to correlate not just your EDR solution, but DLP solution just like Rubrik and saying, hey, this host that has an exploitable vulnerability, has sensitive data on it, prioritize this higher than a host that doesn't have sensitive data on it, or something that is in staging, right? Like it's not just the EDR agents, it's not just the cmdbs. Think outside of the box. Other teams within the organization are scanning those same hosts and they have additional data that you can leverage to prioritize findings.
A
So how do you help larger teams prioritize assets in a coherent way? Is there any specific trick to avoid overlaps or assets getting lost?
B
Yeah, like asset linking is a big one. We see a lot of the times where customers want to be able to pinpoint and runtime. Hey, I may have a vulnerability that's being scaled out across an ASG, right? Thousands of VMs. And I'm not remediating at the AMI, I'm not remediating at the image I'm remediating in my repo. How do I correlate the runtime environment back to the REST environment? How do I correlate it back to which repository actually built this image that's being deployed in this cluster and through the power of plugging into the multiple different systems, whether it be plugging into your shift left scanner within your CI CD pipeline, that's giving you the image and the SHA of that image that's being Then in turn deployed through cloudformation script in aws, you're able to correlate from runtime all the way back down to rest to be able to pinpoint specifically where in fact that vulnerability surfaced. From now, these are just small examples of a scanner won't give you all that metadata. You have to think outside of the box of how to pull the metadata to correlate both vulnerabilities for prioritization and contextualization.
A
Where is asset linking usually useful in AppSec environments. Right. Usually where you have CI CD pipelines. Right.
B
AppSec is a popular one. A lot of the times think of a development cycle right after you build an image and you want to move that image to a staging environment to do testing on it. You may go through multiple environments, whether it be staging QA and ultimately or QA staging and then ultimately moving it to production. Right. A lot of the times customers leverage things like the cloud accounts to separate the different environments and being able to map the Cloud account IDs to risk pillars in a platform to say these cloud accounts are the highest priority cloud accounts versus, you know, staging, maybe second priority and then lowest priority is qa because that's within my zero trust environment. You know, no one can access those hosts unless you're on zero trust. Right. So the correlation of sure, I'm scanning externally with a vulnerability scanner, but then correlating that to potentially AWS or GCP to give you the cloud account information to then in turn prioritize the vulnerabilities that are surfacing from the external scanner higher or lower based off of where it's actually being detected on. That's just a clear example of asset correlation that is very useful for a lot of our customers.
A
Okay, I think that's a great way to end it. Aaron, thank you very much for your time today.
B
Of course, really appreciate it. Thank you for having me.
Risky Bulletin Episode Summary: "Sponsored: Nucleus Security on Asset Correlation and Asset Linking"
Release Date: February 23, 2025
Host: Kathleen Campano (A)
Guest: Aaron Atarzadech, Enterprise Security Engineer at Nucleus Security (B)
In this episode of Risky Bulletin, hosted by Kathleen Campano, the spotlight is on Asset Correlation and Asset Linking within the realm of vulnerability management. The discussion is enriched by insights from Aaron Atarzadech, an Enterprise Security Engineer at Nucleus Security. Aaron brings a wealth of knowledge on how modern vulnerability management transcends traditional methods, emphasizing the significance of comprehensive data utilization.
[00:00] A: "This is a Risky Business News sponsor interview with Aaron Atarzadech, Enterprise Security engineer at Nucleus Security. Welcome, Aaron."
[00:14] B: "Thank you so much for having me."
Kathleen initiates the conversation by addressing the skepticism vulnerability management companies often face. She highlights the common perception that vulnerability management is limited to fixed data points derived from CVEs (Common Vulnerabilities and Exposures), with some believing that simple scripts can suffice.
[00:16] A: "Vulnerability management companies have always had an image problem in the eyes of customers... customers have way more data at their disposal than they think they have."
Aaron counters this by explaining that many vulnerability management teams rely solely on scanners, neglecting other critical data sources.
[00:55] B: "Most vulnerability management teams... are looking at just their scanners that scan the infrastructure... there's often endpoint agents... infrastructure teams managing VMs or EKS clusters."
The shift to cloud environments has exponentially increased the volume and variety of data that needs to be managed. Aaron attributes this transformation to the mass adoption of cloud services and the impact of the COVID-19 pandemic, which accelerated remote operations and cloud migrations.
[01:51] B: "Mass adoption of cloud environments... Covid played a big role... supporting not just one VM, but multiple assets surrounding each host... an explosion of data now."
He elaborates on the complexity introduced by cloud infrastructures, where a single virtual machine (VM) is interconnected with various components like VPCs, security groups, IAM roles, and storage volumes.
Kathleen probes into how Nucleus Security manages to harness such vast amounts of metadata. Aaron emphasizes the importance of integrating multiple data sources to achieve a holistic view of the organization's assets.
[02:34] B: "We are big proponents of plugging into everything... underlying cloud environments like AWS, GCP, and Azure... EDR solutions, CMDBs, application teams' spreadsheets... aggregating data that was previously siloed."
This comprehensive approach ensures that vulnerability management is not confined to isolated scanners but encompasses a wide array of organizational data points.
As organizations continually evolve, so do their assets. Kathleen raises concerns about the dynamic nature of cloud infrastructures and the challenge of maintaining up-to-date dashboards.
[05:20] B: "We do real-time syncing with the cloud... setting up mapping rules or automation rules... continuously triggered with every new event or asset."
Aaron underscores the necessity of real-time data synchronization to prevent redundant efforts in vulnerability remediation, especially in environments with rapidly changing assets like container clusters.
One of the pivotal topics discussed is the prioritization of vulnerabilities based on the context of the assets they reside in. Aaron explains how Nucleus Security differentiates risks not just by the vulnerabilities themselves but also by the asset characteristics.
[06:47] B: "It's not just the vulnerability context, it's the asset context... an EOL asset with a vulnerability is higher risk than a fully supported asset with the same vulnerability."
By correlating data from various sources, Nucleus Security dynamically adjusts the prioritization of vulnerabilities, ensuring that those posing the greatest risk receive immediate attention.
Aaron provides concrete examples to illustrate the power of asset correlation:
End-of-Life (EOL) Assets: Vulnerabilities on EOL assets are given higher priority because these assets cannot be patched, increasing their exploitability.
[07:15] B: "A vulnerability on an EOL asset will dynamically be adjusted and bumped up to the very top of the list."
Sensitive Data Handling: Integrating data from Data Loss Prevention (DLP) solutions like Rubrik allows prioritization of vulnerabilities on hosts storing sensitive information (e.g., credit card data, social security numbers).
[08:44] B: "Correlating DLP solutions... prioritize vulnerabilities on hosts with sensitive data higher than those without."
These scenarios demonstrate how multi-faceted data integration leads to more informed and effective vulnerability management.
The discussion transitions to Asset Linking, a strategy crucial for maintaining coherence in large teams and complex infrastructures. Asset linking involves tracing vulnerabilities from their runtime environment back to their source in the development pipeline.
[09:38] B: "Correlate runtime environments back to REST environments... pinpoint where a vulnerability surfaced from runtime back to the repository."
In application security (AppSec), this is particularly beneficial. Aaron describes how correlating cloud account information with vulnerability data enables prioritization based on the environment's criticality.
[10:56] B: "Mapping Cloud account IDs to risk pillars... prioritize vulnerabilities based on their detection environment, such as production versus staging."
This linkage ensures that remediation efforts are both targeted and efficient, addressing the most critical vulnerabilities first.
Kathleen wraps up the interview by acknowledging the depth and practicality of Aaron's insights into asset correlation and linking. Aaron expresses gratitude for the opportunity to discuss Nucleus Security's innovative approaches.
[12:11] A: "Aaron, thank you very much for your time today."
[12:15] B: "Of course, really appreciate it. Thank you for having me."
Comprehensive Data Integration: Effective vulnerability management requires aggregating data from various sources beyond standard scanners, including endpoint agents, cloud environments, CMDBs, and application teams.
Real-time Synchronization: Continuously updating asset information is crucial to avoid redundant remediation efforts and ensure data accuracy.
Contextual Prioritization: Vulnerabilities should be prioritized not only based on their severity but also considering the context of the asset, such as its lifecycle status and the sensitivity of the data it handles.
Asset Linking in AppSec: Tracing vulnerabilities back to their source in the development pipeline enhances the efficiency and effectiveness of remediation strategies.
Adaptive Security Posture: As cloud infrastructures evolve, security solutions must adapt by integrating flexible and dynamic data correlation mechanisms to maintain robust security postures.
This episode underscores the necessity of advanced data correlation and asset linking techniques in modern vulnerability management, highlighting how Nucleus Security is at the forefront of these innovations.