WEBVTT 1 00:00:00.000 --> 00:00:05.719 All right, let's dive into this risk based vulnerability management 2 00:00:05.879 --> 00:00:09.000 RBV RBVM. Yeah, you know how it works, why it matters, 3 00:00:09.000 --> 00:00:09.599 why it matters? 4 00:00:09.679 --> 00:00:09.800 Right? 5 00:00:09.839 --> 00:00:12.519 Yeah, what you can actually like do with this knowledge. 6 00:00:12.519 --> 00:00:13.880 We've got excerpts. 7 00:00:13.439 --> 00:00:20.079 From our Modern vulnerability managern Vulnerability Management Predictive Cybersecurity. 8 00:00:19.239 --> 00:00:20.879 By Michael Reutman and Ed Bellis. 9 00:00:20.920 --> 00:00:26.199 Hey, yeah, Rutman and Bellis. They really get into the 10 00:00:26.719 --> 00:00:30.079 nitty gritty of how organizations are shifting from just like 11 00:00:30.160 --> 00:00:34.079 counting vulnerability understanding risk. Yeah, understanding the risks they pose 12 00:00:34.159 --> 00:00:36.840 crucial change. Yeah. Instead of just trying to patch every 13 00:00:36.840 --> 00:00:39.640 single software weakness, you're you're focusing on the ones that 14 00:00:39.640 --> 00:00:41.200 that could really hurt your organization. 15 00:00:41.399 --> 00:00:41.799 That's it. 16 00:00:42.079 --> 00:00:44.640 That makes a lot of sense. Okay, so let's set 17 00:00:44.640 --> 00:00:45.280 the stage here. 18 00:00:45.439 --> 00:00:47.479 Remember the Echo fax breach. 19 00:00:47.280 --> 00:00:50.679 Yeah, the Equofax breach back in twenty seventeen, millions of 20 00:00:50.679 --> 00:00:53.560 people had their credit. 21 00:00:53.240 --> 00:00:56.119 Reports compromise, a major wake up call, huge And the 22 00:00:56.159 --> 00:00:59.439 thing is they knew about the vulnerability, oh wow, but 23 00:00:59.479 --> 00:01:02.240 they didn't fit it in time. They were drowning in vulnerabilities. 24 00:01:02.320 --> 00:01:04.680 Makes sense, no effective way to prioritize. 25 00:01:04.719 --> 00:01:07.280 That's where RBVM comes in, right, it's about having a 26 00:01:07.359 --> 00:01:10.359 system to figure out which ones are the most critical 27 00:01:10.519 --> 00:01:13.239 to fix first. But before we get into the how, 28 00:01:13.359 --> 00:01:18.799 let's define some key terms here. What exactly is a 29 00:01:18.920 --> 00:01:22.719 vulnerability and how's that like different from a threat or 30 00:01:22.760 --> 00:01:23.239 a risk? 31 00:01:23.400 --> 00:01:27.200 Okay? Think of a vulnerability as a weakness in a system, 32 00:01:27.680 --> 00:01:30.959 like a loose brick in a wall. That loose brick 33 00:01:31.239 --> 00:01:34.719 is the vulnerability, got it the potential for someone to 34 00:01:34.799 --> 00:01:38.719 exploit it, That's the threat, okay. And the overall likelihood 35 00:01:39.040 --> 00:01:42.120 of someone pushing on that brick giving way damage and 36 00:01:42.120 --> 00:01:44.159 the damage that would cause that's the risk. 37 00:01:44.239 --> 00:01:46.920 Okay. So the vulnerability is the weakness itself, threat is 38 00:01:46.920 --> 00:01:50.000 the possibility of someone exploiting it, and risk is the 39 00:01:50.000 --> 00:01:52.280 combination of like, how likely that is and how bad 40 00:01:52.319 --> 00:01:53.400 the consequences would be. 41 00:01:53.560 --> 00:01:53.959 That's it. 42 00:01:54.560 --> 00:01:57.560 So with RBVM, we're not just fixing every loose brick. 43 00:01:57.840 --> 00:02:00.879 We're figuring out which ones need a media attention. And 44 00:02:00.959 --> 00:02:05.400 this concept of assessing and managing risk. 45 00:02:05.439 --> 00:02:06.599 Has been around for centuries. 46 00:02:06.599 --> 00:02:07.680 It has been around forever. 47 00:02:07.799 --> 00:02:10.400 The book talks about ancient Babylonian merchants. 48 00:02:10.479 --> 00:02:11.800 Wow, really, they. 49 00:02:11.800 --> 00:02:13.319 Used to take out bottomery loans. 50 00:02:13.879 --> 00:02:14.360 What's up? 51 00:02:14.439 --> 00:02:16.840 They'd bet on their ships making it back safely. 52 00:02:17.039 --> 00:02:17.360 Okay. 53 00:02:17.400 --> 00:02:19.199 If the ship sank, the loan was void. 54 00:02:19.840 --> 00:02:20.360 Interesting. 55 00:02:20.560 --> 00:02:23.199 If it arrived, they paid back the loan with interest. 56 00:02:23.639 --> 00:02:27.199 Fascinating. So even back then people were thinking about risk. 57 00:02:27.520 --> 00:02:28.919 That's just in a different context. 58 00:02:28.960 --> 00:02:29.719 Different context. 59 00:02:29.840 --> 00:02:32.599 Yeah, it's it makes you realize that this isn't some 60 00:02:32.759 --> 00:02:35.439 new fangled idea, right, we're just applying it to the 61 00:02:35.479 --> 00:02:38.560 digital world now, that's it. Another great example. 62 00:02:38.280 --> 00:02:43.159 Abraham Wald, mathematician, World War Two. Okay, figuring out where 63 00:02:43.159 --> 00:02:45.000 to reinforce armour on planes. 64 00:02:45.840 --> 00:02:47.240 So you'd think they would just look at where the 65 00:02:47.280 --> 00:02:50.800 bullet holes were, right, you would think that seems logical, But. 66 00:02:50.759 --> 00:02:54.159 Wald realized the planes were turning with damage to certain 67 00:02:54.199 --> 00:02:57.639 areas were actually the lucky ones. The planes that didn't 68 00:02:57.639 --> 00:03:01.400 make it back likely shot down because of damage to 69 00:03:01.680 --> 00:03:03.800 the areas where they weren't seeing bullet holes. 70 00:03:03.879 --> 00:03:07.120 Oh, so the data was misleading exactly the truly critical spot. 71 00:03:07.199 --> 00:03:09.360 So the data they were looking at was telling like 72 00:03:09.400 --> 00:03:10.520 an incomplete story. 73 00:03:10.759 --> 00:03:11.360 Absolutely. 74 00:03:11.400 --> 00:03:13.520 That's a great example of how important it is to 75 00:03:15.000 --> 00:03:18.800 look beyond the obvious, right, use data to uncover those 76 00:03:18.879 --> 00:03:19.639 hidden risks. 77 00:03:19.800 --> 00:03:20.280 That's right. 78 00:03:20.840 --> 00:03:24.400 Okay, so we've established that risk management has you know, 79 00:03:24.479 --> 00:03:27.080 a long history, long history, and we've got our key 80 00:03:27.159 --> 00:03:30.080 terms kind of you know, sort of, But how do 81 00:03:30.159 --> 00:03:32.759 we actually measure and manage. 82 00:03:32.400 --> 00:03:34.439 Risk in the world of cybersecurity? 83 00:03:34.439 --> 00:03:38.439 In the world of cybersecurity, data data, data data RBVM 84 00:03:38.520 --> 00:03:39.360 needs a lot of it. 85 00:03:39.479 --> 00:03:45.120 Okay, we're talking vulnerability databases like the National Vulnerability Database MVD. 86 00:03:45.400 --> 00:03:49.199 Oh yeah, the MVD encyclopedia of known software weaknesses. 87 00:03:49.280 --> 00:03:52.960 I can imagine. That's a pretty hefty encyclopedia is constantly 88 00:03:52.960 --> 00:03:55.919 getting updated constantly. So that's one piece of the puzzle, 89 00:03:56.000 --> 00:03:58.800 knowing what vulnerabilities are out there, right, what else do 90 00:03:58.840 --> 00:03:59.120 we need? 91 00:03:59.199 --> 00:04:01.840 We need to know who the attackers are, their tactics, 92 00:04:02.120 --> 00:04:02.879 and what they're after. 93 00:04:03.560 --> 00:04:08.000 So threat intelligence, threat intelligence exactly like having intel on 94 00:04:08.039 --> 00:04:08.879 your adversaries. 95 00:04:09.159 --> 00:04:09.599 That's it. 96 00:04:09.840 --> 00:04:11.639 Okay, we're keeping tabs on the bad guys. 97 00:04:12.080 --> 00:04:14.759 And lastly, we need to know what we have to protect. 98 00:04:14.919 --> 00:04:19.720 Okay, so asset inventory, ACID inventory, what devices, software systems 99 00:04:19.759 --> 00:04:22.519 are in our organization? That right makes sense. If you 100 00:04:22.560 --> 00:04:24.879 don't know what you have, how can you protect it? 101 00:04:25.199 --> 00:04:25.680 It can't. 102 00:04:25.759 --> 00:04:29.040 It's like taking inventory before you install a security system in. 103 00:04:29.000 --> 00:04:30.560 Your home, precisely. 104 00:04:31.040 --> 00:04:35.680 But here's where it gets tricky MESSI all this data 105 00:04:35.720 --> 00:04:38.279 is coming from different places. It can be messy, it 106 00:04:38.360 --> 00:04:40.120 can we need a way to make sense of it all. 107 00:04:40.279 --> 00:04:42.720 We do turn it into actionable insights. 108 00:04:42.879 --> 00:04:44.399 Actionable insights, and. 109 00:04:44.319 --> 00:04:46.040 I bet that's where machine learning comes in. 110 00:04:46.160 --> 00:04:47.079 You got it. 111 00:04:47.079 --> 00:04:49.600 It's it's all the rage these days. 112 00:04:49.680 --> 00:04:50.040 It is. 113 00:04:50.199 --> 00:04:52.759 It's like having a superpowered analyst. 114 00:04:52.480 --> 00:04:54.279 Crunching through mountains of data. 115 00:04:54.360 --> 00:04:59.639 Yeah, to help us see the patterns, prioritize vulnerabilities. 116 00:04:59.000 --> 00:05:00.319 That need our attention first. 117 00:05:00.720 --> 00:05:04.279 Okay, I'm intrigued. So I've got the data and we're 118 00:05:04.439 --> 00:05:06.879 using machine learning to kind of, you know, make sense 119 00:05:06.920 --> 00:05:10.639 of it. Right, But how do we know if RBVM 120 00:05:10.759 --> 00:05:12.199 strategy is actually working? 121 00:05:12.720 --> 00:05:17.319 Metrics? Metrics Okay, coverage and efficiency Oka. Coverage means we're 122 00:05:17.360 --> 00:05:19.319 fixing the right vulnerability. 123 00:05:18.759 --> 00:05:21.680 So ones that actually pose a real threat. 124 00:05:21.480 --> 00:05:24.279 That's it. Efficiency is about how effectively we're doing. 125 00:05:24.079 --> 00:05:26.480 That, making sure we're not wasting resources. 126 00:05:26.040 --> 00:05:28.759 Chasing after minor issues. Right, It's like triage in an 127 00:05:28.800 --> 00:05:32.199 emergency room. Okay, you focus on the most critical cases first, 128 00:05:32.480 --> 00:05:36.240 makes sense. And speaking of critical vulnerability. 129 00:05:35.480 --> 00:05:37.720 Debt, oh yeah, that's a that's a good one. 130 00:05:37.800 --> 00:05:42.000 Every vulnerability we choose not to fix immediately adds to 131 00:05:42.040 --> 00:05:45.879 this debt, and just like financial debt, it can accrue 132 00:05:45.959 --> 00:05:46.800 interest over time. 133 00:05:47.800 --> 00:05:49.439 That sounds like a recipe for trouble. 134 00:05:49.720 --> 00:05:51.720 It can be down the line, it can be. 135 00:05:52.360 --> 00:05:56.000 So how do we balance tackling the urgent vulnerabilities with 136 00:05:56.399 --> 00:05:59.079 like managing this this growing. 137 00:05:58.759 --> 00:06:04.319 Debt prioritization, good understanding of the potential consequence consequences. Right, 138 00:06:04.399 --> 00:06:07.120 But let's get back to that machine learning magic. Okay, yeah, 139 00:06:07.160 --> 00:06:07.800 we were talking about. 140 00:06:07.879 --> 00:06:08.920 Yeah, I'm curious about that. 141 00:06:09.160 --> 00:06:12.720 How exactly does it help us prioritize? Yeah, well, different 142 00:06:12.720 --> 00:06:15.319 types of machine learning, okay, supervised learning. 143 00:06:15.399 --> 00:06:16.800 Supervised learning like. 144 00:06:17.160 --> 00:06:20.879 Showing a detective a bunch of examples of criminals and saying, 145 00:06:21.199 --> 00:06:23.399 go find more that look like this. 146 00:06:23.759 --> 00:06:24.240 Okay. 147 00:06:24.519 --> 00:06:28.959 We feed the algorithm information about past exploits, right, it 148 00:06:29.079 --> 00:06:32.879 learns to predict which new vulnerabilities are most likely to 149 00:06:32.920 --> 00:06:33.519 be targeted. 150 00:06:33.680 --> 00:06:39.319 So it's all about pattern recognition, spotting the red flags 151 00:06:39.360 --> 00:06:42.519 that say, hey, this vulnerability is ripe for exploitation. 152 00:06:42.879 --> 00:06:46.319 Right. And then we have unsupervised learning. Unsupervised more like 153 00:06:46.360 --> 00:06:49.519 giving the detective a pile of evidence okay, saying see 154 00:06:49.560 --> 00:06:50.360 what you can find? 155 00:06:50.959 --> 00:06:55.519 Okay, So it's more exploratory, right, potentially uncovering connections that 156 00:06:55.560 --> 00:06:58.319 we that we might have missed otherwise. 157 00:06:58.360 --> 00:07:03.000 And there's specific algorithms can use algorithms okay, like logistic regression. 158 00:07:03.120 --> 00:07:08.680 Logistic regression neural network Logistic regression is great for answering yes, 159 00:07:08.720 --> 00:07:10.120 no questions like is. 160 00:07:10.079 --> 00:07:12.639 This vulnerability likely to be exploited? 161 00:07:12.839 --> 00:07:13.279 Exactly? 162 00:07:13.480 --> 00:07:18.959 Okay, So it's giving us a simple, straightforward prediction. What about. 163 00:07:20.079 --> 00:07:25.000 Neural networks more complex okay, able to make more nuanced 164 00:07:25.040 --> 00:07:29.279 predictions based on a wider range of factors. It it's 165 00:07:29.279 --> 00:07:31.800 like asking, on a scale of one to ten, okay, 166 00:07:32.120 --> 00:07:34.920 how likely is this vulnerability to be exploited? 167 00:07:34.959 --> 00:07:36.480 And what are the contributing factors? 168 00:07:36.560 --> 00:07:37.040 Exactly? 169 00:07:37.120 --> 00:07:40.920 Okay, So it's giving us a more detailed risk assessment. 170 00:07:41.040 --> 00:07:41.319 It is. 171 00:07:41.480 --> 00:07:44.199 This is all starting to make sense, but it still 172 00:07:44.199 --> 00:07:47.600 seems pretty technical. We've got all this data, these fancy 173 00:07:47.600 --> 00:07:50.600 algorithms we do, but who's actually doing the work of 174 00:07:50.720 --> 00:07:52.360 fixing these vulnerabilities. 175 00:07:52.439 --> 00:07:54.680 That's where we get into the human side of our 176 00:07:54.720 --> 00:07:57.079 BVM just as important as the technical side. 177 00:07:57.160 --> 00:07:57.480 Okay. 178 00:07:57.759 --> 00:08:01.120 Strong collaboration between security and IT, security and IT teams. 179 00:08:01.199 --> 00:08:03.079 Yeah, yeah, I can see how that could get tricky. 180 00:08:03.480 --> 00:08:07.360 Because security is focused on identifying the risks right, it 181 00:08:07.759 --> 00:08:08.439 is tasked with. 182 00:08:08.480 --> 00:08:09.759 Patching them exactly. 183 00:08:09.959 --> 00:08:14.399 It seems like there's potential for miscommunication and delays absolutely 184 00:08:14.399 --> 00:08:14.759 and things like. 185 00:08:14.879 --> 00:08:17.480 Additionally, there's been a silo mentality between these teams. 186 00:08:17.600 --> 00:08:18.279 Yeah, I've seen that. 187 00:08:18.759 --> 00:08:21.160 But for OURBVM to work effectively. 188 00:08:20.759 --> 00:08:22.120 They need to be on the same page. 189 00:08:22.240 --> 00:08:23.000 Security and it. 190 00:08:23.360 --> 00:08:26.800 Yeah, working together seamlessly, seamlessly, So how do we break 191 00:08:26.839 --> 00:08:27.759 down those silos? 192 00:08:27.879 --> 00:08:33.559 Clear communication is key, okay, regular meetings, share dashboards, integrated 193 00:08:33.559 --> 00:08:36.799 ticketing systems okay, anything that keeps everyone in the loop right, 194 00:08:36.960 --> 00:08:41.000 ensures smooth handoffs, handoffs. Yeah, we also need share goals 195 00:08:41.000 --> 00:08:41.559 and metrics. 196 00:08:41.559 --> 00:08:43.080 Shared goals and metrics, okay. 197 00:08:43.159 --> 00:08:46.360 Both teams should be working towards the same KPIs. 198 00:08:46.240 --> 00:08:48.399 Like reducing vulnerability DEBT. 199 00:08:48.320 --> 00:08:52.279 Reducing vulnerability debt okay, Improving remediation velocity. 200 00:08:52.639 --> 00:08:53.799 Mediation velocity. 201 00:08:53.840 --> 00:08:58.720 It's a measure of how quickly an organization can fix vulnerabilities. 202 00:08:58.879 --> 00:09:02.080 Got it once they're identical, let's are identified, okay. 203 00:09:01.840 --> 00:09:05.399 And then there's remediation capacity. Remediation capacity, Wow, how many 204 00:09:05.480 --> 00:09:06.720 vulnerabilities a team can. 205 00:09:06.559 --> 00:09:09.279 Handle within a certain time, within a given time Okay, 206 00:09:09.320 --> 00:09:11.399 So speed and efficiency, speed inefficiency. 207 00:09:11.440 --> 00:09:16.480 Got it. But let's be realistic. Okay, not every organization 208 00:09:16.960 --> 00:09:20.919 has a massive security team with unlimited resources, right, what 209 00:09:21.080 --> 00:09:25.720 about smaller companies? Smaller companies, Yeah, with limited budgets. 210 00:09:25.759 --> 00:09:28.360 That's where the concept of self service security comes in. 211 00:09:28.480 --> 00:09:30.200 Sell service security. 212 00:09:29.840 --> 00:09:35.320 Imagine empowering IT teams okay, to identify and fix vulnerabilities 213 00:09:35.320 --> 00:09:38.200 on their own, on their own, with waiting for instructions 214 00:09:38.240 --> 00:09:38.960 from security. 215 00:09:39.080 --> 00:09:40.759 So giving them the tools and. 216 00:09:40.720 --> 00:09:43.080 The knowledge to manage their own risk. 217 00:09:42.919 --> 00:09:44.360 That sounds pretty revolutionary. 218 00:09:44.440 --> 00:09:47.039 It is, It's becoming more and more common. The book 219 00:09:47.080 --> 00:09:49.519 talks about a shipping company that used their CMDB. 220 00:09:49.799 --> 00:09:51.600 Hold on, remind me what a CMDB is. 221 00:09:51.600 --> 00:09:53.840 Again, Configuration management database. 222 00:09:53.960 --> 00:09:55.039 Oh yeah, okay. 223 00:09:55.240 --> 00:09:58.600 Think of it like a detailed inventory all the hardware 224 00:09:58.639 --> 00:09:59.960 and software in your organism. 225 00:10:00.519 --> 00:10:01.279 Okay, got it. 226 00:10:01.360 --> 00:10:04.559 So the shipping company use their CMDB to. 227 00:10:04.519 --> 00:10:06.919 Give their IT teams a way to manage their own 228 00:10:06.960 --> 00:10:08.600 vulnerabilities exactly. 229 00:10:08.879 --> 00:10:11.960 They could see which assets they were responsible for, okay, 230 00:10:12.000 --> 00:10:15.759 the associated risks, the deadlines for remediation, got it. It 231 00:10:15.840 --> 00:10:17.279 freed up the security. 232 00:10:16.879 --> 00:10:19.080 Team to focus on more strategic things. 233 00:10:18.879 --> 00:10:22.720 To focus on more strategic initiatives, okay, while it became 234 00:10:22.759 --> 00:10:24.600 more proactive, no active. 235 00:10:24.240 --> 00:10:27.279 And efficient and efficient win win for every reason. 236 00:10:27.519 --> 00:10:27.759 Win. 237 00:10:28.080 --> 00:10:31.039 But even with the best tools and systems in place, 238 00:10:31.720 --> 00:10:34.360 I imagine it can still be tough to keep up 239 00:10:34.399 --> 00:10:38.320 with the ever changing threat landscape it is, So how 240 00:10:38.360 --> 00:10:42.320 do we make sure our RBVM program stays like effective 241 00:10:42.360 --> 00:10:42.919 over time. 242 00:10:43.120 --> 00:10:48.360 That's where automation comes in. Organizations mature in their RBVM journey, 243 00:10:48.399 --> 00:10:52.440 they often look to automate tasks what like vulnerability scanning, 244 00:10:52.639 --> 00:10:54.960 risk scoring, even remediation. 245 00:10:55.320 --> 00:10:58.480 So we're taking the manual workout of the equation, taking 246 00:10:58.559 --> 00:11:03.120 the manual workout, making things smoother, more efficient. But automation 247 00:11:03.200 --> 00:11:05.840 can only take us so far. Right, true, we also 248 00:11:06.000 --> 00:11:10.080 need those well defined processes, well defined processes that are 249 00:11:10.159 --> 00:11:11.120 consistently followed. 250 00:11:11.240 --> 00:11:17.240 Consistently follow This includes regular reviews, our data sources, risk models, 251 00:11:17.320 --> 00:11:18.759 and remediation strategies. 252 00:11:18.840 --> 00:11:23.039 So it's about building a sustainable system sustainable systems then 253 00:11:23.039 --> 00:11:24.000 that can adapt. 254 00:11:23.799 --> 00:11:25.720 As the threat landscape of all the exactly. 255 00:11:25.759 --> 00:11:27.200 And that brings us to another. 256 00:11:26.960 --> 00:11:30.799 Important point business context. Business context, it's not enough to 257 00:11:30.919 --> 00:11:34.480 just look at vulnerabilities in isolation. We need to understand 258 00:11:34.519 --> 00:11:37.559 how they might impact the business as a whole. 259 00:11:37.759 --> 00:11:41.799 So asking questions like, if this vulnerability is exploited, what 260 00:11:42.000 --> 00:11:45.200 systems would be affected, what data would be at risk? 261 00:11:45.240 --> 00:11:47.639 How would it impact our operations exactly? 262 00:11:47.639 --> 00:11:51.240 Our customers, our customers precisely, So connecting the dots between 263 00:11:51.240 --> 00:11:52.879 technical vulnerability. 264 00:11:52.360 --> 00:11:56.639 Between technical vulnerabilities and business impact and business impact, and 265 00:11:57.120 --> 00:12:02.000 this allows us to make more informed decisions, more formed 266 00:12:02.039 --> 00:12:05.679 decisions about prioritization and resource allocation. It sounds like we're 267 00:12:05.679 --> 00:12:07.320 breaking down those silos. 268 00:12:06.879 --> 00:12:09.639 Again, breaking down silos. 269 00:12:09.159 --> 00:12:14.000 Bringing security IT and the business side together together to 270 00:12:14.039 --> 00:12:15.799 make smarter decisions. 271 00:12:15.879 --> 00:12:16.919 Are decisions now. 272 00:12:16.919 --> 00:12:22.399 The authors they they dive deep into some specific remediation metrics, 273 00:12:22.559 --> 00:12:25.559 remediation metrics that go beyond just looking at you know, 274 00:12:25.919 --> 00:12:27.399 those CVSS. 275 00:12:26.840 --> 00:12:28.159 Scores CBSS scores. 276 00:12:28.200 --> 00:12:29.879 So what are some of the things we should be 277 00:12:29.919 --> 00:12:33.080 measuring besides those CVSS scores. 278 00:12:33.120 --> 00:12:37.279 We've already talked about remediation velocity and capacity, okay, but 279 00:12:37.360 --> 00:12:40.759 we should also consider time to remediation. 280 00:12:40.399 --> 00:12:42.000 Time to remediation okay. 281 00:12:41.720 --> 00:12:45.960 Which measures how long it takes to fix a vulnerability. 282 00:12:45.399 --> 00:12:47.360 From the moment it's discovered. 283 00:12:46.879 --> 00:12:50.080 From the moment it's discovered okay. And then there's meantime. 284 00:12:49.639 --> 00:12:52.320 To remediation meantime to remediation okay. 285 00:12:52.159 --> 00:12:54.960 Gives us an average across all vulnerabilities. 286 00:12:55.000 --> 00:12:55.360 Got it. 287 00:12:55.480 --> 00:12:59.720 Tracking these metrics helps us identify bottlenecks, bottlenecks okay, areas 288 00:12:59.720 --> 00:13:01.559 for improvement in our processes. 289 00:13:02.039 --> 00:13:07.960 So we're really trying to like optimize the entire remediation. 290 00:13:07.559 --> 00:13:09.639 Workflow, the entire workflow. 291 00:13:09.320 --> 00:13:12.360 Right, and as we mentioned earlier, that often involves automating 292 00:13:12.480 --> 00:13:13.120 certain tasks. 293 00:13:13.120 --> 00:13:14.679 With automating tasks, but we. 294 00:13:14.600 --> 00:13:19.159 Can also look at things like streamlining communication between. 295 00:13:18.840 --> 00:13:20.960 Teams, streamlining communication. 296 00:13:20.559 --> 00:13:26.480 Improving the accuracy of our vulnerability assessments, vulnerability providing better training, 297 00:13:26.559 --> 00:13:30.279 better training and resources to our IT staff. 298 00:13:29.879 --> 00:13:30.840 To the IT staff. 299 00:13:30.919 --> 00:13:34.279 So it's a it's a holistic approach, holistic approach addressing 300 00:13:34.320 --> 00:13:36.759 both the technical and the human. 301 00:13:36.480 --> 00:13:40.399 Aspects, both the technical and the human vulnerability managed vulnerability management. 302 00:13:40.399 --> 00:13:43.279 And that's why it's so important to have clear roles 303 00:13:43.279 --> 00:13:45.440 and responsibilities. 304 00:13:44.600 --> 00:13:47.080 Clear roles and responsibilities. 305 00:13:46.279 --> 00:13:52.360 Regular community, regular communication between teams, and shared metrics. 306 00:13:51.919 --> 00:13:53.840 And goals, shared metrics and goals. 307 00:13:53.919 --> 00:13:57.320 When everyone is on the same page, on the same page, yeah, 308 00:13:57.360 --> 00:14:00.320 and working together effectively, I can see how that makes 309 00:14:00.720 --> 00:14:01.600 a huge. 310 00:14:01.320 --> 00:14:02.679 Difference, huge difference. 311 00:14:03.000 --> 00:14:07.279 Now, the authors paint this fascinating picture of the future 312 00:14:07.799 --> 00:14:09.559 of the future of vulnerability and management. 313 00:14:09.559 --> 00:14:12.919 The future of vulnerability management, They talk about the potential 314 00:14:13.080 --> 00:14:15.960 for predicting vulnerability exploitation. 315 00:14:15.679 --> 00:14:18.799 With the same accuracy, with the same accuracy as weber 316 00:14:18.840 --> 00:14:22.240 forecasting weather forecasting. Yes, that's a that's a pretty mind 317 00:14:22.279 --> 00:14:26.440 blowing concept. It is imagine being able to anticipate which 318 00:14:26.559 --> 00:14:28.240 vulnerabilities are most likely to be. 319 00:14:28.200 --> 00:14:34.879 Exploited when allowing you to proactively allocate resources, mitigate risks 320 00:14:35.120 --> 00:14:37.279 before they can even be exploited or where they can 321 00:14:37.320 --> 00:14:37.879 be exploited. 322 00:14:37.919 --> 00:14:40.120 That would be a game changer. It would be a 323 00:14:40.120 --> 00:14:41.799 game changer for security teams. 324 00:14:41.840 --> 00:14:42.679 The security teams. 325 00:14:42.720 --> 00:14:45.480 And while we're not quite there yet, not quite there yet, 326 00:14:45.720 --> 00:14:49.759 the progress being made is remarkable in this areas is 327 00:14:49.919 --> 00:14:53.240 pretty remarkable. It is so what can our listeners do. 328 00:14:54.399 --> 00:14:58.240 To start applying these principles, to start applying these principles. 329 00:14:57.840 --> 00:15:00.679 And their own organization in their own organist stations. I 330 00:15:00.679 --> 00:15:04.360 would say the first step assess your current vulnerability management program. 331 00:15:04.480 --> 00:15:05.360 Assess your program. 332 00:15:05.519 --> 00:15:08.679 Are we just reacting to vulnerabilities as they pop up 333 00:15:08.759 --> 00:15:13.360 as they pop up, or are we taking a more proactive. 334 00:15:12.879 --> 00:15:17.120 And strategic approach proactive and strategic. Right then start thinking 335 00:15:17.159 --> 00:15:21.639 about how you can incorporate data and analytics. 336 00:15:20.919 --> 00:15:23.960 Into your decision making and your decision making, so things 337 00:15:24.120 --> 00:15:26.639 like like vulnerability. 338 00:15:26.039 --> 00:15:28.480 Databases, vulnerability databases. 339 00:15:27.919 --> 00:15:33.039 Ret intelligence, threat intelligence, asset inventory, asset inventory. And don't 340 00:15:33.080 --> 00:15:39.840 underestimate the importance of collaboration. Collaboration's key breaking down those silos. 341 00:15:39.879 --> 00:15:41.399 Breaking down silos. 342 00:15:41.000 --> 00:15:45.480 Between security IT and the business side to business side 343 00:15:45.799 --> 00:15:47.679 RBVM is it's a team effort. 344 00:15:47.960 --> 00:15:48.519 Team effort. 345 00:15:48.559 --> 00:15:52.000 It requires a shared understand shared understanding of the of 346 00:15:52.080 --> 00:15:56.200 the risks and a commitment to working together can together 347 00:15:56.279 --> 00:15:57.720 to mitigate them. 348 00:15:57.840 --> 00:15:59.600 Mitigate those risks, and don't be. 349 00:15:59.559 --> 00:16:02.279 Afraid to experiment with new tools and technologies. 350 00:16:02.440 --> 00:16:03.799 Do tools to technologies. 351 00:16:04.120 --> 00:16:06.279 There are so many innovative solutions. 352 00:16:05.799 --> 00:16:10.000 Out there, innovative solutions that can help you automate tasks, 353 00:16:10.279 --> 00:16:14.000 automate tasks, gain insights, gain insights. 354 00:16:13.600 --> 00:16:20.679 Improve your overall security posture. Security posture it's about embracing continuous. 355 00:16:20.120 --> 00:16:22.879 Improvement, continuous improvements, and always. 356 00:16:22.559 --> 00:16:26.519 Looking for ways to do things better. To do things better, 357 00:16:26.600 --> 00:16:30.240 and remember security is a journey. Security is a journey, 358 00:16:30.360 --> 00:16:31.080 not a destination. 359 00:16:31.279 --> 00:16:32.039 Not a destination. 360 00:16:32.159 --> 00:16:34.320 It feels like we've only just scratched the surface here, 361 00:16:34.399 --> 00:16:35.039 we have. 362 00:16:35.120 --> 00:16:38.919 But hopefully you've gained a better understanding of how RBVM 363 00:16:39.000 --> 00:16:42.360 works and why it's so important. Definitely, it's a crucial change, 364 00:16:42.799 --> 00:16:43.240 you know. 365 00:16:43.519 --> 00:16:45.080 From reactive to proactive. 366 00:16:45.399 --> 00:16:47.120 Yeah, that's the key takeaway here. 367 00:16:47.240 --> 00:16:50.720 Embracing data, automation and collaboration. 368 00:16:50.320 --> 00:16:52.759 Absolutely, leveraging technology to gain. 369 00:16:52.600 --> 00:16:54.200 Insights, empowering those teams. 370 00:16:54.279 --> 00:16:57.080 Yeah, fostering communication across the organization. 371 00:16:57.320 --> 00:16:59.840 And it seems like the field is rapidly evolving. 372 00:17:00.159 --> 00:17:00.480 It is. 373 00:17:00.720 --> 00:17:03.240 All these new technologies and approaches are emerging. 374 00:17:03.519 --> 00:17:06.279 Yeah, we're seeing a convergence with you know, data science 375 00:17:06.319 --> 00:17:09.240 and AI leading to some really innovative solutions. 376 00:17:09.880 --> 00:17:14.480 The book mentioned predicting vulnerability exploitation with the accuracy of 377 00:17:14.559 --> 00:17:17.960 like weather forecasting. That's right, that's that's a pretty mind 378 00:17:18.000 --> 00:17:18.880 blowing concept. 379 00:17:19.079 --> 00:17:20.599 Mind bling Imagine being. 380 00:17:20.440 --> 00:17:24.480 Able to anticipate which vulnerabilities are most likely to be 381 00:17:24.519 --> 00:17:28.039 exploited and when that's it, you know, so you can 382 00:17:28.079 --> 00:17:30.880 proactively allocate those resources. 383 00:17:30.279 --> 00:17:32.839 And mitigate risks before they can even be exploited. 384 00:17:32.960 --> 00:17:35.039 That would be a game changer, it would. 385 00:17:34.799 --> 00:17:37.200 It would, And while we're not quite there yet. 386 00:17:37.000 --> 00:17:39.440 Not quite there yet, but the progress is remarkable. 387 00:17:39.480 --> 00:17:40.359 It is remarkable. 388 00:17:40.480 --> 00:17:43.880 So what can our listeners do to like, start applying 389 00:17:43.920 --> 00:17:45.839 these principles in their own organizations. 390 00:17:46.119 --> 00:17:49.960 Assess your current vulnerability management program, take a look at it. Yeah, 391 00:17:50.000 --> 00:17:52.559 are we just reacting or are we taking a more 392 00:17:52.599 --> 00:17:56.359 proactive and strategic approach? Right? Start thinking about how you 393 00:17:56.359 --> 00:18:00.759 can incorporate that data and analytics into your decision making. 394 00:18:00.759 --> 00:18:03.359 Things like vulnerability databases. 395 00:18:02.880 --> 00:18:04.799 Bred intelligence, asset inventory. 396 00:18:05.000 --> 00:18:06.799 Don't underestimate that collaboration. 397 00:18:07.000 --> 00:18:08.000 Collaboration is key. 398 00:18:08.079 --> 00:18:10.079 Break down those silos. 399 00:18:09.480 --> 00:18:13.640 Between security IT and the business side RBVM. 400 00:18:13.839 --> 00:18:17.240 It's a team effort, absolutely shared understanding of the risks, 401 00:18:17.480 --> 00:18:19.920