C (4:49)

Someone was asking the other day about, can you talk more about new threats and daily breaches? Right. And you know, to your point, Steve, I don't think that there's always the new zero day that folks are chasing that sometimes it's older vulnerabilities. Right. But we do see that there is an increase in the number of vulnerabilities year over year. There was a 38% increase from 23 to 24, and that number keeps rising. So. So given this surge, what are some of the biggest internal challenges organizations face when they're dealing with vulnerabilities?

B (5:29)

You know, I have a new answer to this. I think after spending really close to a decade in this space. And I will say that vulnerability management, ctem, you know, threat exposure management, these are things that are the same or it share some space at least depending on who you speak to and what you see is this market moving to this CTEM continuity, continuous threats and exposure management. This concept, and it's in relation to what you asked, the biggest challenges organizations are finding is what do I focus on? And it's a great concept, it's a great framework. It's just that it's a framework, right? We're aligning to this. This takes into account the fact that CISOs are really struggling to figure out day to day, what do I focus on in vuln management? To focus on the most important thing in my organization. That is the key, most difficult thing, you know. So I've taken a more of an approach with my clients to take a step back. You know, the biggest internal challenge, you ask, actually the biggest internal challenge is panic. And it's caused by large numbers, frankly, if we really break it down, because you have teams that are in the auditing capacity and those that are responsible for risk management. And it's really hard for somebody to back away from a statement saying we need to fix all external critical vulnerabilities within 24 hours. Great concept, great idea, right? But we know if we shift over to even just our partners and our, our friends within the managed detection and response space, they handle millions of events a day. And they don't tell themselves they have to run every single one to ground within the spare time. What they do is they have big funnel and they take in all these events and they crunch them down and they get value out of taking a million events and turning them into five. Right? That's valuable in their world, in the vuln management space, I think we got off on the wrong foot because we used to have enough vulnerabilities, we could tackle them in a week or two. Now we're getting to the point where we have so many vulnerabilities, it's become just as large as the detection response. So the biggest internal challenges are the. I would say it's created an adversarial scenario between risk and it. And I see it a lot because risk rightly doesn't want to see the critical vulnerabilities exposed. But the reality of the scanners producing 100, 200,000, I've seen 10 million. I've seen it. So it's good for everybody to hear that on the call, all your listeners need to hear. You're probably sitting there thinking, I have more vulnerabilities than you think. No, probably not. Believe it or not, everybody and everybody I've worked with has this problem. I think we need to talk about that, socialize that, and then get ourselves back to a mindset like we do in managed detection response of, okay, we know all of this. What should we tackle first? Right. That's the key.

D (8:15)

And Steve, you emphasize that sometimes, you know, the market is moving to threat exposure management, but oftentimes organizations don't know where to start on vulnerability management. And sometimes, you know, small to medium sized businesses don't have the limited resources to respond to such vulnerabilities, which can often lead to vulnerability debt. Steve, can you clarify what this term means and can you also explain what are the most effective strategies for organizations to move past it?

B (8:46)

Absolutely. It's a great point too, to bring up vulnerability debt. And I apologize to anybody that heard that term and got a pit in their stomach because those of us who do deal with it, right, we're very familiar with this term. For those who don't, it's a phenomenon. You imagine you're starting a job. A lot of times it happens as a ciso, even in a small organization, a credit union or a small, maybe even a local car dealership. And you start the job the honeymoon period and then you get hit with the first scan results. And there are 200,000 or 250,000 vulnerabilities and half of them are critical. That's that debt. Right. Somebody was here before, you're here now, somebody will maybe be here next. And you're looking at this large amount of debt vulnerability backlog and you're saying, where do I start? A lot of times the board also is very keen on driving down the number of vulnerabilities. The amount of vulnerabilities can get very large. So that is a space where we really bring in some wisdom. Right. It's not. The technology that exists in the market is very good nowadays. There are many good CTEM capabilities and technologies. We don't even need to, you know, it's an easily searched field. Right. A lot of folks are getting in on this and it's needed because there's a gap between when you get the results from the vulnerability scanners and the technologies. And when you go to figure out, like I said before, what do I work on this week, what do we start on and then how do I take that process, make sanity within an insane system, right. Too many vulnerabilities and then show an auditor that is working the way they want it to. And a lot of that, believe it or not, the huge backlog can be an opportunity. You can flip that on its head and you can start looking at it as intel. That's how we, you know, I've spent some time in the threat intel space. In the threat intel space we look at data as power, we look at data as enabling.

A (10:38)

Right.

B (10:38)

And empowering and allows us to get to the base of something. In this space we look at data as maybe sometimes it's malicious to us. Here's a great, real quick anecdote client who is getting ready to turn on agent based or authenticated scanning, which means the scanner is going to have the ability to more completely ascertain the vulnerability status of the system because it's going to be able to log in. Imagine one world where we look at that as more data. And that's good, right? More data is always good in the intel world that's going to give us more information about where the vulnerabilities are and what to focus on. But if we're in an SLA service level agreement driven environment, which all of us are, all of us are. So if we're in that environment, then if I move over to every critical and high has to be fixed within 24 hours or 15 days or 30, 30 by the way is the average 30 days. Then I have just added maybe half a million more vulnerabilities depending on the size or even half doubled them, tripled them a lot of times. Authenticated scanning. Can 10x your vulnerability count? So it really, really has to do with how the organization looks at it and how we approach it from the perspective of threat management.

C (11:52)

It's so interesting because I'm listening to you and I'm thinking, well geez, you can get that, you know, down to even five vulnerabilities. But really the only one that matters is the one that's being exploited. Right. And you don't know what that is.

B (12:06)

Yes, that's a great point. It's almost like being a roofer. And you, you asked me to come over and say where is the water going to get in?

C (12:16)

Right.

B (12:17)

I can tell you.

C (12:18)

Tricky.

B (12:19)

And then so are threat actors and they, they are like water when they're really good and they can be very good. So you know, when we're standing on the roof, or hopefully we're not standing on a roof, but like we're, if we have the drone, right And I could show you the cracks.

A (12:34)

Yeah.

B (12:35)

I could show you where water might come in, but that's where I stop. Right at the end of the day, if there's a tiny little hair fracture and yet it goes straight into the house, that's where it's going to come in. And it's very difficult to predict that. So the best thing you can do is take a continuous. There's that word again. Continuous approach in this way, where it's sort of like basement waterproofing. If you have a basement or roof, everybody has a roof. Right. So it's that sort of. You don't care about it until something goes wrong, you know?

C (13:05)

Right.

B (13:05)

Then you really do care about it. And I think we all need to start. Obviously, some of us are already doing this, and I. And we're making good progress, but it's almost a hygiene thing. We need to get to where we think about vulnerability management every day or exposure management every day. And it's a. It's. It's almost like our development life cycle. It continues along parallel to our improvements to our products and our. Our business.

C (13:30)

I love that analogy because it just makes sense. Right? It gives you a visual that you can sort of relate to as a homeowner and a human being. And it makes total sense. And I'm thinking about, okay, we have the drone. We see all the potential places that that water could make its way into my home and create a problem. I have limited resources, Steve, and I can't possibly afford to feel fix all of those cracks. So for organizations that may not have a strong vulnerability management program or they have limited resources, what are some actionable steps that they can take today to start, who's involved, what tools, what teams should be brought into the equation?

B (14:17)

And I'll take the last one first because, you know, got me thinking that this is. This is something. Frankly, I found I've gotten a lot of value from bringing vulnerability management and CTAM teams into cybersecurity or cyber fusion centers. If you think about it, one of the first things. If you get threat intel on a vulnerability that's making the rounds, what's the very first question that the threat intel person will ask? And it is.

C (14:42)

I'm so glad you're answering it because I thought you wanted me to answer it. I was sweating over here, Steve.

B (14:47)

I can stop you, I promise. No, but when I say it, you'll know. When I say it, you'll be like, oh, yeah, of course. The question they always ask is, do we have this? Do we have this. Oh, there's this big, very scary thing happening with this technology. Do we have that technology immediately? Right, that's vulnerability management's gonna be able to tell you that. CTAM's gonna be able to tell you that. Right. Because they're gonna be in the asset management database, they're gonna be into the ticketing system, system record. They're gonna be able to see. Yeah, we do have that. Or no, actually we have this other version that doesn't apply to that very fast. Right. The other thing that they can tell you very quickly is where somebody could have gotten in. Vulnerability management professional data, they know where the, I guess the skeletons are buried, if you will skeleton the closet. That's the metaphor. Shouldn't even use that probably. But they know where the secrets are and the secrets to the organization and where somebody could have gotten in. So during an incident or during a threat hunt, they will have interesting things to tell you about parts of the environment that you would never think to look. So I would say that small orgs that don't have this. Maybe now we're talking in this example I was talking about maybe three or four different people. What if you have one person like you said, and you're small and you don't really have a lot to focus on this understandable. A lot of people don't think of it the same way you think about software development. It really fits because just like software developers, we have an infinite backlog. You're not going to be able to fix them all. It's a marathon. Even though I use the word sprint, it really is a marathon. Not a sprint, it's a marathon made up of a bunch of sprints just like software development. So what I've seen help like think of it this way. We're used to getting software changes in via the normal software development life cycle. Developers are used to pulling tasks out of a system and working on those for a sprint. We can do the same thing for vulnerability management. We can rank and stack them according all the vulnerabilities according to Threat intel and then we can come up with that list to say this week or this two week period. We are also, in addition to the work we're doing, doing in the software development Sprint, we're going to fix some of these vulnerabilities. I think that anybody can start. The good thing about vulnerability management is it's a bit of a jobs opportunity and I know that's very near and dear to all of our hearts right now. What I mean by that is it doesn't take a lot to get started. If you have an interest in vulnerability research and how something is exploited, there are tools like Metasploitable 3. If you look that up, that's a Rapid 7 open source project. It has a very exploitable Windows system and Linux system on there. We utilize that here in Akron to work with the local STEM school. And essentially it makes it very easy to start researching vulnerabilities. You could read about one, you could replicate it in your own little lab. I think these kinds of things. When you think about how training is at such a premium and everybody says when we every time RSA does a survey, it's always we want more training. Right. And this is a great opportunity to start baking that into your job and starting to get into some of the crunchy parts of it. You can have a junior analyst learning vulnerability management and becoming potentially a pen tester someday or something like this. Right. I think it's a gap. I think it's a missing piece in our space that you can utilize to get into it. And anybody at any level of capability or technology can start on this world because there's so much information out there.

C (18:22)

I love that. So Metasploitable 3, a rack of seven open source tools. That's fantastic. I'm gonna take your advice and go check it out. I might have to call you on the side to figure out what to do next, but please do.

B (18:37)

It's a little crunchy and they've done a great job, but it's a little on the crunchy side. We'd be glad to give you the cheat sheet on that. Yeah, absolutely.

C (18:44)

Fantastic. Fantastic. Steve, thank you so much for being here today. I also have learned about continuous threats and exposure management, ctam, a acronym to add to our vernacular. So thank you so much, listeners. Thank you for tuning in. Please keep the conversation going in our RSAC membership platform by visiting onersac.commembership and be sure to check onersac.com for new content posted year round. Until next time.