2024-04-20 –, Track 1
Pretty much every enterprise has a vulnerability management program. Management loves these things because they give them numbers and graphs and concrete things they can talk about. Of course, most of them are garbage, but why? It seems so simple to scan the environment, prioritize what's broken, and go fix it. Anyone who has ever had to do vuln management knows that 1) this isn't remotely how it works and 2) trying to do it this way is a Sisyphean task that will suck the life out of pretty much anyone. So can this be done correctly? Is there a way to get actual security value out of this painful slog without reinventing the entire space? The answer is a surprising yes, and I'm going to help you understand not only why it's so painful today but also how you can reduce the toil and increase the value. More to the point, I'll show you how to safely ignore 80% of your vulnerability data.
In this talk I will start with the Precepts: the (non-obvious) things you must understand to make any sort of vulnerability management effort work. From there I will move to the Process. The Process is a high level methodology for addressing the mass chaos that is vulnerability data at scale. I will then finish up with the Point. Not only will I cover the high level "what it all means" view of vuln management but I also give specific metrics and performance indicators you can use to understand your risk and drive change in your organization.
My official title is Security and Platform Engineer at Recon InfoSec, where I try to keep all of the lights blinking in the right order. I have a few certifications to my name, which indicates that I can test pretty well. What gives me some perspective on topics like operationalization, cloud architecture, and realistic security measures is that over a 26-year history in IT and security I've split my time almost exactly between working as a developer and as an infrastructure person. This gives me a lot of context for understanding not only software, hardware, and cloud architecture, but also the people who build it, defend it, and break it. I've done a bit of work with the fine folks from SecKC, and you might see me hanging around online as BenFromKC.