
CG - Towards Effective & Scalable Vulnerability Management

BSides Las Vegas · 20:55 · 176 views · Published 2023-10
About this talk
Common Ground, 10:30 Tuesday

While the security landscape is constantly changing, our approach toward vulnerability management hasn't changed much over the last couple of decades. The increasing reliance on third-party code, the growing number of vulnerabilities being discovered, and the increased visibility into our software stack since Log4Shell and the adoption of SBOM make a more effective and scalable vulnerability management paradigm a necessity. What would such a paradigm look like? Join me in this interactive discussion as we explore the challenges of vulnerability management and highlight potential solutions. We'll discuss current frameworks and standards that can help address this issue, such as CSAF and VEX, and demonstrate how, once adopted, they can be used to automate many aspects of vulnerability management that today are manual and extremely time-consuming. We'll explore how to use exploitability as a strong signal for prioritization, and how automation can play a crucial role in making vulnerability management more effective and scalable. By the end of this talk, you'll have a deeper understanding of vulnerability management and practical insights on how to improve your organization's security posture. Let's explore the future of vulnerability management together!

Yotam Perkal
Transcript (en)

All right, good morning everyone, welcome to BSides Las Vegas. This is Common Ground, and the title of today's talk is Towards Effective and Scalable Vulnerability Management, by Yotam Perkal. Before we get started I would like to make some announcements. First of all, we would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, Semgrep, BlueCat, Flex Track, Toyota, ConductorOne. It's their support, along with other sponsors and donors and our volunteers, that makes this event possible. Also, I would request everyone to switch your phones to silent mode because this is streamed online, and we'll have a Q&A towards the end of every talk, so you can use the mic; I'll be walking around with the mic. And with that, let's jump right into it. Please welcome our speaker. Yotam Perkal, over to you.

So hi everyone, very excited to be here. Before we start, just to get a sense of the crowd, I would love to get a show of hands: who here directly deals with vulnerability management as part of their day job? Okay, very good. And who maybe doesn't directly work with vulnerabilities but knows how their organization prioritizes vulnerabilities? Okay, a few more. And out of all those hands, how many of your organizations rely either solely on CVSS score or primarily on CVSS score to do vulnerability prioritization? Okay, so great. A few other questions: who here has heard of VEX, show of hands? Okay. CSAF? Okay. EPSS? Okay. So that's good. There are a lot of topics to cover, and this talk was originally supposed to be 45 minutes; it got trimmed to 20, so I apologize in advance if I rush some of the pieces. I have a lot of links at the end so you can dive further, and also I'm around the conference, so feel free to approach me with questions. I can talk about this topic for hours, but today I'll hold it to 20 minutes. So let's start.

So I'm Yotam. I currently lead vulnerability management at a startup called Rezilion. Prior to that I worked at PayPal doing threat intelligence, insider threat and vulnerability management research. I also take part in several OpenSSF working groups around open source security and CISA working groups around SBOM and VEX, and I'm one of the organizers of the PyCon conference.

Okay, so the reason you see an iceberg here isn't because we're going to talk about climate change or global warming. This kind of reflects where we're standing, where we're at with the software supply chain. Currently most code in your production environment isn't code that you wrote. We use third-party code, whether it's open source or commercial, and that's good: it allows us to move fast, it allows us to focus on our core business logic. But on the other hand it also comes with risk, and one of those risks is in the form of vulnerabilities, known vulnerabilities. As you can see here, the amount of vulnerabilities is constantly rising. This is up to August 2023, and you can already see that we're 2,000 vulnerabilities over where we were at in terms of the publish rate last year, and this isn't something that is going to change anytime soon.

Exploitation of known vulnerabilities is still one of the major attack vectors for initial access to organizations, and organizations simply don't seem to keep up and be able to remediate or patch all of these vulnerabilities. So what do we normally do about it? We turn to CVSS. And the thing with CVSS is that it's suboptimal; I would say it's not effective, it's not scalable, and it doesn't even reflect actual risk. I'll explain. It isn't scalable: I say that because around 57% of all of the vulnerabilities with a CVSS score in NVD are high and critical vulnerabilities. So even if you do prioritize and focus only on the highs and the crits, it's still 57% of NVD that we're talking about, hundreds of thousands of vulnerabilities. It's not scalable. It's also not effective. The reality is that only a fraction of vulnerabilities will ever be exploited, and only a fraction of those are actually exploitable in the context of specific environments. So when you focus your time on vulnerabilities that are not likely to be exploited or will never be exploited, you're wasting your valuable and limited resources on the wrong things. And attackers are already a step ahead, because they don't rely on CVSS scores in order to determine which vulnerabilities to exploit. So again, it's not an effective thing to do, and moreover it's not really a smart thing to do as well. So, pause here.

Yeah, so as I said, it's not that attackers only exploit high and critical vulnerabilities. This quote is actually from the folks who are in the CVSS working group, who invented the standard, and they strictly mention and say that it's only a measure of technical severity; it's not recommended to use the CVSS base score alone to determine remediation priority. But that is the current status quo, so clearly this isn't working. We have about 16% of vulnerabilities, according to research from the Cyentia Institute, that are left unattended for over a year after the initial publication. As I said, huge backlogs of vulnerabilities, and attackers exploit these vulnerabilities. This is from research we did analyzing the public attack surface for the CISA catalog, the Known Exploited Vulnerabilities catalog, and as you can see there are millions, literally millions, of publicly facing instances that are vulnerable to these actively exploited vulnerabilities with known patches. But that's the reality, and a lot of these are also not new vulnerabilities, as you can see. So how can we move forward, what's the road going forward? And also something I didn't mention: the average organization only has the capacity to deal with 10% of their vulnerability backlog in a given month, also from the Cyentia Institute. So we need focus, and what can give us focus? Context.

So this blob you see here will slightly get more focused, hopefully, as the talk progresses, and I'll try to describe a few aspects of this context. First of all, the initial, kind of base level of context is a software bill of materials, or an SBOM. This is not the topic of my talk; also, feel free to approach me later. It allows us to know exactly what we have in our environment without memorizing or guessing, which is great, because at least we know what we have. But even if we have the perfect SBOM, which most organizations unfortunately still don't have, and all of the different aspects that are still being worked on are in place, is the problem solved? I argue that no, unfortunately, because actually the opposite is true: because we know more, and when we know more we have more things to deal with, which is good, but again this isn't something that the current, the average organization has the capacity to handle. So it isn't a silver bullet, and we need more context.

So there are several layers. As I said, SBOM is kind of the base level of context, but you can add on top of that additional layers of context. For example, exploitability: you have things like the EPSS score, which I won't go into because again I'm short of time, but it's a machine learning model that lets you predict the likelihood of exploitation within the next 30 days. We have research on that; it's a very strong signal for prioritization. The CISA Known Exploited Vulnerabilities catalog, various threat intel feeds. The vulnerability itself also provides context: the attack vector, is it exploited via the network or only physically, are privileges required, do you need authentication to exploit it, etc. Environmental context: do you have mitigating controls in place, do you have reachability analysis, is this code even being loaded, even used? And of course business context: what's the asset criticality, is it exposed or internal, etc.

But again, this is nice, it's good, but it's not really actionable, because in order for it to be actionable we need automation, in order for it to scale. So this is the current state of how we go about handling "am I affected" today. We can run a vulnerability scan, but again, noisy (and this is also a shameless plug, I have a talk about that specific topic later today at six at Breaking Ground), not always reliable, and a lot of things to deal with. Independent investigation: time-consuming, not effective, as the vendor as well, not scalable. Security advisories: nice, but we won't always have those, and also not something that we can currently automate. And SBOM, as I mentioned, not everyone has it, and it's not alone, it's not the cure.

So this is where CSAF comes in. CSAF is the Common Security Advisory Framework, and basically you can think of it as a machine-readable security advisory. So you have, for example, in this case, Cisco issuing a security advisory. Currently it can be in HTML format, it can be in a text format, it can be in a PDF; you don't really know where it's at, and it's not something that you can automate consumption of. CSAF tries to solve that issue, and it's easily discoverable via several methods. In this case we see a security.txt; I'll try to highlight it a bit. So we have the security.txt file with the reference to where I can consume that CSAF from, and then the CSAF itself is the bottom link, which is basically a JSON file with the same security advisory that we saw before, only in a machine-readable format that allows for automation. So this is how it looks, and you see there are various layers and pieces of metadata that can go into such a CSAF, but the main thing to remember about this is that again, it's machine readable, it can be automated, and you can start to consume it. And Cisco is doing a great job of advocating for it; there was recently a summit, and I hope this will get more traction as time goes by. So that's one, and we can see the picture a bit more clearly now. But another important piece of the puzzle is VEX, the Vulnerability Exploitability eXchange. As Alan often says, sorry for the name, but that's the name and we'll live with it. So,

basically this is a way to communicate whether a piece of software is affected by a specific vulnerability. I'll read the quote: "to provide users additional information on whether a product is impacted by a specific vulnerability in an included component and, if affected, whether there are actions recommended to remediate." So that's the purpose: again, a machine-readable way for your vendor to say this product is not affected by vulnerability X. It also has the ability to say if something is affected; we'll discuss that shortly. And again, it aims to be machine readable. You can embed that as a profile in CSAF, which we mentioned before, so all of the pieces of the puzzle come together. It can be linked to an SBOM, it can be separate, and it allows us to handle this issue of false positives in a more scalable way. From a vendor perspective it saves money, because you don't have to have your phone centers crash whenever something major comes up. And I think the promising direction for it is also from the consumer side: so if I as a consumer have a product that can tell me whether something is impacted by a specific vulnerability, because it's not loaded, because the configuration is in place, and it can issue a VEX for me, then again I'll have this automated language that I can use to help reduce my attack surface.

So, sorry, I'm rushing; I want to get to the core part, which is in a few slides. Again, there are several statuses for VEX: you can say something is not affected, affected, fixed, or under investigation. Obviously this is dynamic, it can change over time, and because it's machine readable that's not really an issue. Okay, and there are several justifications; those are the current ones. I'll give an example just for context. Let's say vulnerable code not present. So if you remember Log4Shell (five minutes? Okay, five minutes, I'm good), so Log4Shell, one of the remediation advices that was provided was to remove the vulnerable class from the JAR, the JndiLookup class. So if you remove that class, you still have the vulnerable JAR in the vulnerable version; your scanner would say you're affected, but you're not really affected. So if you have this VEX, you can update this status and let your security tooling, your insider threat personnel, your whatever organization, and if you're a supplier then the folks that consume your software, know that you're not affected by that specific vulnerability. And there are several other justifications, so it's really a flexible format.

Okay, so now I'll try to put all of these pieces together. As you can see, we can already see the picture more clearly. So this is something that, again, I won't go too deep into: the Stakeholder-Specific Vulnerability Categorization, or SSVC. There are links at the end of the presentation, but you can think of it as a decision tree. You have a decision tree that allows you to decide what to do in various circumstances or situations regarding a specific vulnerability. I know you can't see well, so I'll try to give some context. There are three actions that you can take; I stuck with the CISA approach for this one, but this is very flexible, just for the sake of the example. Say Act is patch, remediate, attend to now. Attend is okay, I know I need to fix this, but I'll first deal with the Act and then get to this. And Track: currently it's not something that I'm actively doing something about, but I'm keeping track. And here you see, for example, three levels of context. Exploitability context: so you have EPSS, you have threat intel to tell you whether the vulnerability is actively exploited, this branch; the middle branch is highly likely to be exploited, or not likely on the right-hand side. And then you have another layer of decision, which is the asset context that we... sorry, the automatable, which is from the vulnerability. So if the vulnerability is exploitable via the network and also doesn't require privileges or authentication, then it's automatable, and then it's a higher risk from my perspective, and then I send it to a different branch of the tree. And then we have the asset context: how critical is this asset, low, medium or high, and then I make a decision. So if, for example, I have a vulnerability that is actively exploited and automatable and on a critical asset, obviously I need to act upon it. And again, the decision here isn't the focus; we can debate the decisions, it's not the purpose. But the thing is, you have this thing that you can communicate internally and to stakeholders and say this is how we do things now, according to these parameters, and you can tune that according to the capacity of the organization. So you know you can only deal with 10% of the vulnerabilities; make sure that that's the 10% that actually count, that matter most. And you can say, okay, I don't have asset criticality; that's not a problem, it's flexible, so I chopped off the last layer of the tree and I added, for example, I have a product, a vendor that can tell me whether something is loaded or not, do reachability analysis, so maybe that's my first decision that I want to take after I know what's the likelihood of exploitation. And maybe I have all these things that I can put together, and I get a lot more context, and then I can make more educated assumptions and prioritization to focus on what actually matters.

You can look at it as a funnel. So you have your vulnerability scanner output, and then you have what we talked about, the CSAF and VEX, that tells you what you should focus on, what's affected and what isn't, and then you have this decision tree with all this context that filters that out, and then you start from the bottom, you start working with what's most critical in terms of risk reduction to your organization and work your way up.

Okay, so the blob that you saw in this picture is from a movie called The Truman Show, which is about a man that lives his whole life in a scene of a movie, but he doesn't realize that. And the quote is, when they asked the director how does he not suspect, he said, "we accept the reality of the world with which we are presented." And so what I ask of you is: don't accept the reality of the world as you are presented, and be inquisitive, and know that there are these resources out there, and transform your vulnerability management program into a more modern, risk-based vulnerability management program. So that's it, no time for questions, I'm sorry. So in case I don't see you: good afternoon, good evening and good night, also from The Truman Show. Thank you all for listening.

Yes? What? Yes, sure, sure, sure. Yeah, I'll leave that up. There was also a great presentation from BSides Dublin, which isn't here, on YouTube, also about SSVC, which is a great resource for you guys. And again, I'm here at the registration desk in
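As an added example (not from the talk, and not the speaker's or any vendor's tooling), here is the funnel he describes in runnable Python: scanner findings are first filtered through VEX statements, then run through a simplified SSVC-style decision tree (exploitation, automatable, asset criticality) to yield act, attend or track. The VEX statements, the `Finding` fields, the vulnerability ids and the decision rules are constructed assumptions for illustration, not the OpenVEX or CSAF schema and not CISA's published tree.

```python
from dataclasses import dataclass

# Constructed VEX statements keyed by (vulnerability id, product id) -> (status, justification).
# Ids and package versions are made up for this example; CVE-0000-0001 stands in for Log4Shell.
VEX = {
    ("CVE-0000-0001", "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"):
        ("not_affected", "vulnerable_code_not_present"),  # JndiLookup class removed from the jar
    ("CVE-0000-0002", "pkg:example/app@1.0"): ("affected", None),
}

@dataclass
class Finding:
    vuln_id: str
    product: str
    exploitation: str        # "active" (KEV / threat intel), "likely" (high EPSS) or "none"
    attack_vector: str       # "network", "adjacent", "local" or "physical"
    privileges_required: bool
    auth_required: bool
    asset_criticality: str   # "low", "medium" or "high"

def vex_status(f: Finding) -> str:
    """VEX overrides the scanner; with no statement the finding stays under investigation."""
    return VEX.get((f.vuln_id, f.product), ("under_investigation", None))[0]

def automatable(f: Finding) -> bool:
    """Network-reachable with no privileges or authentication needed: can be exploited at scale."""
    return f.attack_vector == "network" and not f.privileges_required and not f.auth_required

def decide(f: Finding) -> str:
    """Simplified SSVC-style tree (constructed for illustration, not CISA's published table).
    Returns 'drop' (VEX says false positive / already fixed), 'act', 'attend' or 'track'."""
    if vex_status(f) in ("not_affected", "fixed"):
        return "drop"
    auto, critical = automatable(f), f.asset_criticality == "high"
    if f.exploitation == "active":
        return "act" if (auto or critical) else "attend"
    if f.exploitation == "likely":
        if auto and critical:
            return "act"
        return "attend" if (auto or f.asset_criticality != "low") else "track"
    return "attend" if (auto and critical) else "track"

def triage(findings):
    """The funnel: scanner output -> VEX filter -> decision tree, ordered act > attend > track."""
    order = {"act": 0, "attend": 1, "track": 2}
    kept = [(decide(f), f) for f in findings if decide(f) != "drop"]
    return sorted(kept, key=lambda pair: order[pair[0]])

if __name__ == "__main__":
    backlog = [  # constructed scanner output
        Finding("CVE-0000-0001", "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
                "active", "network", False, False, "high"),   # dropped by the VEX statement
        Finding("CVE-0000-0002", "pkg:example/app@1.0", "active", "network", False, False, "high"),
        Finding("CVE-0000-0003", "pkg:example/lib@2.0", "none", "local", True, True, "low"),
    ]
    for action, f in triage(backlog):
        print(f"{action:6} {f.vuln_id} on {f.product}")
```

Swapping the `VEX` dict for statements parsed from a vendor's CSAF/VEX feed, and the `exploitation` field for a KEV or EPSS lookup, turns this into the automated filter the talk argues for.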