BSidesAugusta 2024

Are Vulnerability Scanners Dead? Transcending CVEs for Vulnerability Management
2024-10-05, Track 2

In the 1800s, lamplighters were employed to light gas streetlights that had replaced the previous generation of candles and oil lamps. However, with the advent of incandescent lighting and the automation provided by electricity, lamplighters became largely obsolete.

For decades, we’ve relied on vulnerability scanners to assess our assets and generate reports containing IP addresses and their associated CVEs. CVEs add value but only represent a subset of your risk exposure. They completely miss critical variables such as the presence and state of endpoint IT management and security controls, making them largely obsolete when relied upon in a vacuum.

This reliance on CVE data leads to a distorted view of an asset's risk level, making it difficult to prioritize remediation efforts accurately. This also negatively impacts overall organizational risk, while the sheer volume of CVE data wastes time, money, and resources.

Does it matter how many CVEs you detect if the device has no controls to remediate them? A modern approach to vulnerability management must transcend the realm of CVEs and encompass exposures related to environmental vulnerabilities. These include gaps like missing endpoint controls, outdated or non-communicative controls, and misconfigurations.

In many cases, CVE data can be pulled directly from the IT management and security controls you already have installed on your endpoints. This negates or greatly reduces the value derived from a traditional vulnerability scanner, which, by its nature, can also be risky to run and onerous to operationalize as part of an integrated vulnerability management strategy. Regardless of where the operating system and application CVEs are derived from, they must be correlated with environmental vulnerabilities.

After correlating CVEs and environmental variables, your vulnerability management strategy can be taken to the next level. Risk prioritization can include identity data and business context enrichment by linking assets with regulatory mandates, critical systems, supply chains, geographic regions, business units, etc.

With this level of accuracy in risk prioritization, automated ticketing and response integration capabilities can be efficiently and effectively leveraged with the understanding of which risks may be mitigated or are already being mitigated by existing IT management and security controls. Finally, your vulnerability management strategy can be more formally operationalized with real-time remediation validation to ensure that what was stated as being fixed was actually fixed and stays fixed, as well as metrics to measure the effectiveness of your remediation efforts.
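The correlation, prioritization and remediation-validation steps described above, as an added example that is not part of the talk or the speaker's own tooling. It ranks constructed sample assets by combining their CVSS exposure with the presence and freshness of endpoint controls and a business-context multiplier, then checks a ticket's "fixed" claim against later snapshots so that a finding counts as closed only if it stays closed. The control names, CVE placeholders, thresholds and weights are all assumptions chosen for illustration.

```python
"""Correlate per-asset CVE findings with endpoint control state and business
context, rank assets by the combined exposure, then validate that later
snapshots really closed what a ticket claimed was fixed.

All assets, CVE ids and control names below are constructed sample data;
the weights are illustrative assumptions, not a published scoring method."""
from dataclasses import dataclass, field

STALE_HOURS = 72            # assumption: an agent silent this long is non-communicative
GAP_PENALTY = 5.0           # assumption: flat exposure added per missing/stale control
CRITICAL_MULTIPLIER = 2.0   # assumption: weight for regulated or business-critical assets
REQUIRED_CONTROLS = ("edr", "patch_management")


@dataclass
class Asset:
    """One snapshot of an endpoint: CVEs, control state and business context."""
    name: str
    cves: dict[str, float] = field(default_factory=dict)     # cve id -> CVSS base score
    controls: dict[str, dict] = field(default_factory=dict)  # name -> {"present", "last_seen_hours"}
    critical: bool = False            # regulated / critical system / key supply chain
    business_unit: str = "unknown"


def environmental_gaps(asset: Asset) -> list[str]:
    """Environmental vulnerabilities: required controls that are missing outright
    or installed but no longer reporting."""
    gaps = []
    for name in REQUIRED_CONTROLS:
        state = asset.controls.get(name)
        if not state or not state.get("present"):
            gaps.append(f"missing:{name}")
        elif state.get("last_seen_hours", 0) > STALE_HOURS:
            gaps.append(f"stale:{name}")
    return gaps


def risk_score(asset: Asset) -> float:
    """CVE exposure scaled by control gaps (a CVE on a host with no working
    patch channel or EDR is worth more), then by business context."""
    gaps = environmental_gaps(asset)
    exposure = sum(asset.cves.values()) * (1.0 + 0.5 * len(gaps)) + GAP_PENALTY * len(gaps)
    if asset.critical:
        exposure *= CRITICAL_MULTIPLIER
    return round(exposure, 1)


def prioritize(assets: list[Asset]) -> list[tuple[str, float, list[str]]]:
    """Rank assets for ticketing: highest correlated exposure first."""
    ranked = [(a.name, risk_score(a), environmental_gaps(a)) for a in assets]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


def validate_remediation(claimed_fixed: set[str], later: list[Asset]) -> dict:
    """Check a ticket's 'fixed' claim against later snapshots of the same asset.
    A finding (CVE id or gap label) counts as fixed only if it is absent from
    every later snapshot; absent and then present again is a regression."""
    result = {"fixed": set(), "still_open": set(), "regressed": set()}
    for finding in claimed_fixed:
        seen = [finding in snap.cves or finding in environmental_gaps(snap) for snap in later]
        if seen[0]:
            result["still_open"].add(finding)
        elif any(seen):
            result["regressed"].add(finding)
        else:
            result["fixed"].add(finding)
    total = len(claimed_fixed)
    result["closure_rate"] = round(len(result["fixed"]) / total, 2) if total else 1.0
    return result


# Constructed inventory snapshot (placeholder CVE ids, not real identifiers).
INVENTORY = [
    Asset("web-01", {"CVE-EXAMPLE-1": 9.8, "CVE-EXAMPLE-2": 7.5},
          {"edr": {"present": True, "last_seen_hours": 2},
           "patch_management": {"present": True, "last_seen_hours": 5}},
          critical=True, business_unit="ecommerce"),
    Asset("db-02", {"CVE-EXAMPLE-4": 8.1},
          {"edr": {"present": True, "last_seen_hours": 1},
           "patch_management": {"present": True, "last_seen_hours": 1}},
          critical=True, business_unit="finance"),
    Asset("hr-laptop-07", {"CVE-EXAMPLE-3": 5.3},
          {"edr": {"present": True, "last_seen_hours": 200}},   # stale EDR, no patch agent
          business_unit="hr"),
    Asset("kiosk-03", {}, {}, business_unit="facilities"),       # no CVEs, no controls at all
]

# Two later snapshots of hr-laptop-07 after a ticket claimed everything was fixed.
HR_LAPTOP_LATER = [
    Asset("hr-laptop-07", {}, {"edr": {"present": True, "last_seen_hours": 100},
                              "patch_management": {"present": True, "last_seen_hours": 1}}),
    Asset("hr-laptop-07", {"CVE-EXAMPLE-3": 5.3},
          {"edr": {"present": True, "last_seen_hours": 1},
           "patch_management": {"present": True, "last_seen_hours": 1}}),
]

if __name__ == "__main__":
    for name, score, gaps in prioritize(INVENTORY):
        print(f"{name:14} score={score:5.1f} gaps={gaps}")
    claim = {"CVE-EXAMPLE-3", "missing:patch_management", "stale:edr"}
    print(validate_remediation(claim, HR_LAPTOP_LATER))
```

With these inputs the laptop carrying a single medium CVE but a stale EDR agent and no patch channel ranks above a critical database server with a high CVE and healthy controls, which is the point of correlating the two data sets. The validation step then reports the patch agent as fixed, the EDR heartbeat as still open in the first snapshot, and the CVE as a regression because it reappeared later; the closure rate is the metric a program would track over time.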

Attending this presentation will allow audience members to answer these questions.
• Do I still need a vulnerability scanner for effective vulnerability management?
• What needs to be correlated with my CVEs for accurate risk prioritization?
• How can I improve my alerting and response capabilities to include remediation validation?
• What metrics can I derive to measure effectiveness and improve my vulnerability management strategy?

With two IPOs & eight acquisitions, Brian has helped build some of the most successful security companies in the world. He has over 25 years in the security industry as a security company entrepreneur, board advisor, investor, and author. After getting his start with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions, including Riptech, ArcSight, Imperva, McAfee, Solera Networks, Cylance, JASK, Verodin, and Mandiant.

Brian has worked in over 50 countries across six continents. He authored the book Enemy at the Water Cooler and co-authored Physical & Logical Security Convergence with former NSA Deputy Director William Crowell. He was featured in the cyberwar documentary 5 Eyes alongside General Michael Hayden, former NSA and CIA Director. Brian writes for Forbes and regularly presents at conferences like Black Hat, RSA, OWASP, and BSides.