
Dr. CVE Love, or how I learned to stop worrying and love vuln management - Ben Webb

BSides KC22:0790 views · Published 2024-05
About this talk
Pretty much every enterprise has a vulnerability management program. Management loves these things because they give them numbers and graphs and concrete things they can talk about. Of course, most of them are garbage, but why? It seems so simple to scan the environment, prioritize what's broken, and go fix it. Anyone who has ever had to do vuln management knows that 1) this isn't remotely how it works and 2) that trying to do it this way is a Sisyphean task that will suck the life out of pretty much anyone. So can this be done correctly? Is there a way to get actual security value out of this painful slog without reinventing the entire space? The answer is a surprising yes, and I'm going to help you understand not only why it's so painful today but also how you can reduce the toil and increase the value. More to the point I'll show you how to safely ignore 80% of your vulnerability data. In this talk I will start with the Precepts: the (non-obvious) things you must understand to make any sort of vulnerability management effort work. From there I will move to the Process. The Process is a high level methodology for addressing the mass chaos that is vulnerability data at scale. I will then finish up with the Point. Not only will I cover the high level "what it all means" view of vuln management but I also give specific metrics and performance indicators you can use to understand your risk and drive change in your organization.
Transcript

I appreciate it, thank you so much for being here. This is "Dr. CVE Love, or how I learned to stop worrying and love vulnerability management." The very first question, which I get asked every time I give this talk: why "Dr. CVE"? It's actually a reference to a satire made back in the 50s about nuclear war and the world, and it seemed like an appropriate metaphor, because this is in many ways a war that you cannot possibly win, and it is full of really well-meaning people who want to do the right thing but make awful decisions. So why talk about this? Well, I've spent most of my career either as the victim or the owner of a vulnerability management program, both sides of it. I've been on the infrastructure side, trying to go fix stuff people are telling me is wrong, and I've also been on the security side of "here, you should go fix stuff, it's wrong," and I've seen it done wrong lots of times, and so now I want to help people do it right.

A little bit about me: my name is Ben Webb, you'll find me online as Ben from KC. I've been in technology and security roles for coming up on 30 years now, which is kind of ridiculous. Right now I'm the manager of engineering and technology at Recon InfoSec, where we do managed security operations; if that's something you're interested in, or if you just want to know what those words mean, hit me up later, because I'm not talking about it for this talk. As Aaron said, I grew up in this area, have been here for a long time, but reached escape velocity last fall. You can find me on the SecKC Discord, which you should totally check out, as Ben from KC, posting the random stuff that we post and occasionally giving good advice.

So, the three things that we're going to talk about; this is always how I organize discussing vulnerability management. We start with precepts. Precepts are things you have to understand before any of this makes sense; if you walk in not understanding how the world works or what matters, none of it's going to make sense to you, and you're going to make these terrible self-defeating decisions that we see all the time. The next thing will be the process: it's a fairly straightforward way of going through and getting actual value, not just compliance, out of a vulnerability management program. And then the last thing I'm going to cover is the point: what you're actually trying to get to, what your goals should be, and even some ways to measure them. Spoiler alert, though: the real point of this is to figure out the best thing you can do right this minute to improve your environment, because in 10 minutes it's different, tomorrow it's different, next week it's different. Figure out what's the activity that will make the most impact right away that can actually help you out.

So let's get started; we'll start with the precepts. The very first thing you have to understand about vulnerability management: you probably sat down and got some sort of scan out of Tenable or Rapid7 or whatever. This data is terrible. It is absolute crap, it is full of just junk, it doesn't make sense, doesn't apply, is worthless. So start by just understanding that you're not going to have good data. You are going to have directional data, data that is vaguely correct, that can tell you some important things or some worthwhile things if you look at it the right way, but if you try to look at it row by row by row, it is junk and it is unhelpful.

The next thing, and it kind of goes with the first, is that the idea of prioritization is just a myth. Every organization I've been in at some point says, "you know what we should do? We should just get a list of the CVEs out of the scan, and then we're going to go around to the people that own those CVEs and tell them to fix them, and it's going to be great." All right, so people are laughing, so they have some idea that it doesn't work, because what happens? You take this list of CVEs with an imagined owner and you say, "hello, owner, system admin or whoever, look at these CVEs, you should fix them," and the first thing they say is "what's a CVE? What are these numbers? What are you even asking me to do?" And by the time you've gotten that far in the conversation, a Chromium zero-day has come out and your entire prioritization is busted anyway. So it cannot work that way; you have to look for better things. You can't just say "well, we're going to prioritize it and fix it all."

The next thing to understand is that the CVSS scoring system is not a risk method. The media loves this; they hop on a new thing: "it's a 9.8 CVSS!" Nobody cares, it doesn't matter. Lots of 9.8 CVSS CVEs come out that are never exploited. It's not about risk, it's about severity, and besides that, it doesn't really apply to your environment. A 10.0 CVSS score sitting inside of a firewall that only three people can get through probably doesn't make a difference. So you can't just look at the scores and say "well, this is it, this is what we do: we start at the top and work down." No.

The next thing, back to our nuclear war metaphor: there is no winning. Maybe you can survive, but you're never going to stop and say "all right, I have won vulnerability management, we're good." It is a process, and you will continue and continue and continue; it is a rolling wheel. It is not a one-time "we can get this project done and now vulnerability is solved."

Next thing, and I debate every time I talk about this whether to include this card: the vulnerability condition of your environment is not a metric of your success, of your team's success, of your admins' success. It is a metric of how bad the world sucks. Software is hard; it isn't a simple thing, and it's not your fault and it's not your team's fault. It was never the intern that didn't patch something; that's not what we're talking about here, and sitting down and saying "well, these people suck at their job and so we have vulnerabilities" is not the spirit of this. Software is hard to do; if it was easy, elementary school kids would do it and none of us would have jobs. So don't take it personally, don't let your team or the people you work with take it personally. It's just not that.

The next thing is that vulnerability management cannot replace organizational discipline. If you don't have a patching program in your organization already, vulnerability management will not help you. All it will do is say "you need a patching program, go find them." It is not the driver behind that. If you're not doing secure configurations for your systems, if you're not doing a secure baseline and then maintaining that, vulnerability management cannot help you. All it can do is say "you should go secure your systems and have a secure baseline"; it's not going to help you actually do any of that. And the last thing, and this might be the most important, kind of back to the first one: you can ignore almost all of the vulnerability data. Most of it is stuff that makes absolutely no difference to you and should never be looked at by anyone, let alone you, your management, any of your peers, anybody else, and we'll get to why that is and how we do that here in just a minute.

So let's talk about the process. The very first thing you do is you gather your data. Duh, you've got to start from somewhere. Easiest thing to do: every vulnerability you've got in your environment, regardless of score, regardless of technology, whatever, put them in a big pile. And this is the second part, and the second thing you need is actually very important: for every technology you have, go get the patching process and the schedule. What is the cadence? When do you patch your Windows systems? Figure it out; you've probably got a thousand, 5,000 Windows desktops somewhere, maybe a couple thousand servers. When do you patch Linux? How often is that? Is it quarterly, is it monthly, is it weekly, do you just run apt-get update every day? Find those things out, because it matters; it's going to matter a lot to this process, and it should.

So once you have that, the very first thing you want to do is rescore that data. Again, CVSS is terrible for this. I always hesitate a little bit to do it, but this is actually a place where a commercial product fits pretty well; there's lots of rescoring services out there, companies like Recorded Future and Kenna Security and things like that will do this. The community is trying to do a better job, but it's not really there yet. If you have a threat intelligence program, this is a chance for them to fit in, because a lot of those types of services can do it. But what you're trying to do here is wash out some junk. So, offensive security people love to get a CVE; they're like "yeah, I'm awesome, look at my list of CVEs on my resume," which makes sense, it's a good bone for them, it's great to have out there, but it leads to them leaning into getting more CVEs and finding more things. The truth of it is 90-plus percent of them never get exploited, because nobody cares. You want to wash all that junk out. If you have TLS 1.0 in your environment, for every endpoint you have, if they can downgrade to TLS 1.0, you've probably got three CVEs right there. Nobody cares, doesn't matter, can't be exploited, presents no risk, worthless data. You want to be able to score all that stuff down into oblivion.

Now once you've done that, rescore it again: how risky is this actually in your environment? For instance, a cross-site scripting vulnerability sitting on an internet-facing web application is a huge deal; you don't want to leave that. A cross-site scripting vulnerability sitting on a web application that runs a storage array, that's behind a firewall that only four people in the whole company can reach and requires a static IP address, is probably not such a big deal and should be scored down, and has to be scored down, because there's a good chance you're never going to fix that stupid thing anyway. So it's important to get these things environmentally aware. Again, this is where your threat intelligence program, if you have something like that, can really help you out, because they can help you work with what's actually applicable to you.

Once you've done that, now you smush the data (technical term). Really, there's a lot of things you can learn from this data; you can bend it and twist it and pull all sorts of interesting gee-whiz kind of numbers out of it. I used to have like 35 different views of this pile of data, but ultimately what you really want to know is: what's your fix activity? Is it a patch? Probably about 90% of the time it is. Or is there some other kind of thing, is there a configuration change you've got to make? You want to know when it was first detected: how old is this thing, how long has it been sitting there? And we'll get to why that's important in a minute. And then, and this is super important, and this is why you went and got your patch cadences: when's it going to get fixed in your normal day-to-day operation? When will it be fixed? So it came out today, it came out on Patch Tuesday: is it going to get fixed at the end of the week? Is it going to get fixed at the end of the month? Is it going to get fixed at the end of the quarter? What's your team already doing? That's important to know, because that's how we make this work.

And this is tool-agnostic. You can do it with Python and SQLite, you can do it with Power BI, you can do it with Tableau or whatever data processing thing you want to use. It's probably a bit much for Excel if you've got an environment, let's just say, with a couple thousand workstations and a couple thousand servers; Patch Tuesday hits, you might have half a million vulnerabilities show up, so you've got to have something that can handle that data.

Then, filters. Filtering this data down is the most important thing you can do, because, why? It's crap. Most of it is not going to be relevant to you, and you need to find the things that are. Half a million vulnerabilities; sorting through them, you're not going to find the 15 or the 20 that you actually need to worry about. So all that stuff that's going to be fixed in the next week or two, that's within the patch cycle for the technology: get rid of it. It doesn't matter. It does not matter that half a million vulnerabilities just showed up in your environment if you're patching them in a week. Nobody needs to know, nobody needs to report on it, it's not a big deal, it's just life. This goes up and down every month for everybody all the time, and it makes no difference to anything; as long as you're patching, you're good, and having all that stuff in there and trying to report on it and trying to metric it is going to keep you from finding things that matter. And then get rid of the stuff that you are never going to fix anyhow; there's lots of that. If your standards say "you know what, we're going to have these ports open from everything," don't report on those vulnerabilities. You know, if you're not enforcing TLS 1.2, all the CVEs associated with TLS 1.0 and 1.1, it doesn't matter, it's not going to help, they're never going to go away till you change your standards, so don't fuss over it. Those aren't vulnerabilities in your environment; you've accepted that risk. Move on.

Now you're down to a workable bit of data, and you can figure out what's the most important thing that you can be doing right now to improve your environment. Because now that you're down to workable data, you can figure out what are the most vulnerable systems you have, what are the ones that are showing a bunch of CVEs still, because you already weeded out everything that you were going to patch, everything that's within cycle. These are things where patching is not working. Go find out why patching didn't work: is SCCM busted, is Satellite not working, did you have a collection get missed in SCCM this month? Now you can see that; you can look at the data and say "okay, here's a bunch of systems that have a bunch of stuff on them still." Patching has happened, or we've taken everything out that patching could fix; what's going on there? Now you've got something you can actually chase down. And then look for things that have a really broad distribution. This happens a lot; lots of times, if you don't read every Microsoft release and you don't realize that there's some follow-on registry key that has to be set or something like that, you might have applied a patch, maybe it's not totally implemented, maybe you've got something that's just not going well. You've got to figure out why; maybe your Acrobat updates didn't work. Figure out the things that are affecting a large number of systems. When I say large, I throw out there 5%; it depends on the size of your environment, but 5% seems to be pretty good. If you've got 100 systems and five of them are all showing the same vulnerability, it's probably worth looking at why. If you've got a thousand and five of them, well, yeah, those are probably real numbers, but you know, it's an issue. Figure out what works for your environment.

And then, because management loves reporting, you have to actually report on those things, right? So what are things you actually can report? Because if you don't tell management something, they're just assuming that you're not doing anything. So start with the overall trend. And when I say trend, I mean trend; this is not specific numbers, this is not "we remediated 200 this month and 300 next month and 150 last month." Work with rolling averages: this month is higher or lower than our three-month rolling average, than our six-month rolling average, so you have some idea, but don't get too specific with it, because again, you're not measuring what your team's doing, you're measuring how bad the world sucks. Also, there's probably things you're not patching. You know, vendors are terrible, and some of them are like "oh, we can't support our software unless it's Windows 2012." Figure out what those things are, how much risk they present; your scanner is going to tell you that, or at least some level of it, and just have a metric for that. Have an idea: how ugly is this really? When our finance team will let us update the PeopleSoft servers, how ugly is that going to be? That's a good thing to know and something worth reporting.

And then back to your operational discipline: how many things fit into this? How many technologies do you have that don't have a patching process yet? You probably got Windows, you probably got Linux; what about your routers, what about that Juniper stack you got sitting back in the corner that nobody wants to touch? How many things are falling outside of this right now? That's an important thing to keep an eye on, because it speaks to the overall health of your environment; if you can move that forward, you're improving your environment in great strides, because most of this is just about having a good operational discipline plan and then monitoring it. And then, what are the gaps? How much crap is in your scanner that you can't identify? This is not a zero number; nobody's perfectly clean, like "oh yeah, we've got every endpoint down, we know them all, and they're all in there, it's perfect." But how much is there? Do you have 25% of your infrastructure that shows up as IP addresses that you're not sure what they are? Do you have 10%? Do you have 5%? It's a good metric to understand how well you're monitoring your overall environment. Make sense?

So this is a fairly short talk, and I cut it down a bit, but this can be a really valuable process to an organization. It can't be the driver for your entire organization's patching and configuration, but it can provide a lot of value in monitoring those things at any given point. The whole reason you're doing this is to understand what's the best thing we can do today, because if you can figure that out, if you can say "well, here's the systems that didn't patch last month," or "here's the systems where GPO didn't push down," or "here's the systems where somebody went out and made some changes that they shouldn't have," that's really valuable activity that helps your environment. Whereas if you're sitting there going "well, we remediated 450,000 vulnerabilities this month because we patched Windows, and that's better than the 470 or 420,000 vulnerabilities we patched last month," that's not helpful, because out of all that you missed whatever; you didn't see those systems that didn't patch, you didn't see those systems that didn't get GPO. So get all that out and find the thing that's the most important you can be doing right now.

The last thing, and I'll say this again, and I'll probably say it to someone else later: this is not a measurement of your performance, your team's performance, your peers' performance. The world sucks; this is a way to get through it and make things better while you're at it. It is not a way to tell people they're not doing a good job. I've just seen this, especially from management, when they want to come in like "oh, well, this team's not doing very good because their numbers are down." Well, that team manages the technology that's awful; they have bad vendors; it is what it is. So don't take it that way. Find that thing that you need to work on, tell yourself "yeah, I did a great job, I killed it today; sure, there's X number of vulnerabilities, but we really pushed things forward and we're doing good work," and smile and go home and have a drink, because you're going to come back tomorrow and Chrome's going to happen again and you're going to be right back to where you were, and you're like, "ah." So keep your head up, because it's good work and it's important work, but it doesn't ever finish itself up.

So thank you, thank you very much for coming out for this. I know it's not the hackiest of hacking talks, but I really appreciate you being here. I appreciate people attending cons like this, because they're a lot of fun, and if people don't come to them, they don't happen. Big thanks to BSides KC; this is always a great event, I really enjoy it. And I've got to plug a little bit: thanks to Recon InfoSec for letting me do this kind of thing. If you like this topic or defensive security type topics, join us for Thursday Defense; it's every Thursday, it's a conversation, not a presentation, it's a bunch of really bright security minds hanging out on a Zoom call and talking, and it's a lot of fun. And also, if you like defensive security topics and you're into that sort of thing, we are hiring a senior SOC analyst, so if you're interested in something like that, hit me up later. And I obviously have to thank SecKC; they're an absolutely wonderful organization. I will tell you, like I said, I made escape velocity last fall, and it is the one thing out of Kansas City, family and stuff like that aside, that I miss. It's a great organization, it's a privilege to make it out; they're fantastic, and you'll learn something and meet amazing people every time. So thank you very much, I really appreciate it. Have a great rest of your day.
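The process the talk walks through (gather the pile, rescore for exploitability, rescore for the environment, attach each technology's patch cadence, filter out in-cycle and accepted-risk noise, then pull out the hosts where patching is not working, the broadly distributed findings, the technologies with no patch process, and a rolling-average trend) as an added worked example in Python. This is editor-added code, not code from the talk, the speaker or Recon InfoSec. Every host name, CVE identifier (the CVE-0000-000x values are placeholders), cadence, "known exploited" entry, exposure weight and monthly count is constructed sample data, and the rescoring factors are assumptions chosen to illustrate the idea, not any vendor's method.

```python
"""Toy vulnerability-data pipeline: gather -> rescore -> filter -> find today's one thing.

All records, cadences, intel and monthly counts here are constructed sample data,
not output from a real scanner or threat-intel feed. (Editor-added example.)
"""
from collections import Counter
from datetime import date, timedelta

TODAY = date(2024, 5, 20)          # constructed "today"
INVENTORY_SIZE = 100                # constructed: hosts the scanner knows about

# Constructed patch cadences (days between patch windows); None = no process yet.
PATCH_CADENCE_DAYS = {"windows": 30, "linux": 7, "juniper": None}

# Constructed stand-in for a rescoring / threat-intel feed: CVEs seen exploited.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Constructed accepted-risk rule: findings mentioning these are never going to be fixed.
ACCEPTED_RISK = ("TLS 1.0", "TLS 1.1")

# Assumed reachability weights used to turn severity into environmental risk.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}


def finding(host, tech, cve, cvss, title, exposure, first_seen, fix="patch"):
    """One scanner row: where it is, what it is, how severe, and what fixes it."""
    return dict(host=host, tech=tech, cve=cve, cvss=cvss, title=title,
                exposure=exposure, first_seen=first_seen, fix=fix)


PATCH_TUESDAY = date(2024, 5, 14)
FINDINGS = [
    # Fresh Patch Tuesday noise: the Windows cycle will take care of these.
    *[finding(h, "windows", "CVE-0000-0001", 9.8, "RCE in component", "internal", PATCH_TUESDAY)
      for h in ("ws01", "ws02", "ws03", "srv01")],
    # Two cycles old and still on five hosts: something in patching is broken.
    *[finding(h, "windows", "CVE-0000-0002", 7.5, "Needs follow-on registry key", "internal", date(2024, 3, 12))
      for h in ("ws01", "ws02", "ws03", "srv01", "srv02")],
    finding("srv02", "windows", "CVE-0000-0003", 8.1, "Auth bypass", "internet", date(2024, 2, 13)),
    finding("srv02", "windows", "CVE-0000-0004", 6.5, "Info disclosure", "internal", date(2024, 2, 13)),
    finding("lin01", "linux", "CVE-0000-0005", 9.0, "Kernel LPE", "internal", date(2024, 5, 18)),
    finding("lin02", "linux", None, 5.3, "TLS 1.0 and 1.1 enabled", "internal", date(2023, 11, 1), fix="config"),
    finding("rtr01", "juniper", "CVE-0000-0006", 7.2, "Router DoS", "isolated", date(2024, 1, 10)),
    finding("srv01", "windows", "CVE-0000-0007", 6.1, "XSS in storage array admin UI", "isolated", date(2024, 1, 10), fix="config"),
]


def rescore(f):
    """Wash out never-exploited CVEs, then weight what is left by reachability."""
    exploit_factor = 1.0 if f["cve"] in KNOWN_EXPLOITED else 0.1
    return round(f["cvss"] * exploit_factor * EXPOSURE_WEIGHT[f["exposure"]], 2)


def next_fix_date(f):
    """When normal operations will fix this, or None if no patch process covers it."""
    if f["fix"] != "patch":
        return None
    cadence = PATCH_CADENCE_DAYS.get(f["tech"])
    return None if cadence is None else f["first_seen"] + timedelta(days=cadence)


def is_accepted_risk(f):
    return any(s in f["title"] for s in ACCEPTED_RISK)


def workable(findings, today=TODAY):
    """Drop accepted-risk findings and anything still inside its patch cycle."""
    keep = []
    for f in findings:
        if is_accepted_risk(f):
            continue                        # never going to be fixed; not a metric
        due = next_fix_date(f)
        if due is not None and due >= today:
            continue                        # in cycle: patching will handle it
        keep.append(f)                      # overdue, unmanaged, or a config change
    return keep


def most_vulnerable_hosts(findings):
    """Hosts still carrying the most findings after their patch window has passed."""
    return Counter(f["host"] for f in findings).most_common()


def broad_distribution(findings, inventory=INVENTORY_SIZE, threshold=0.05):
    """CVEs present on at least `threshold` of the inventory (the talk's 5% rule)."""
    hosts_by_cve = {}
    for f in findings:
        if f["cve"]:
            hosts_by_cve.setdefault(f["cve"], set()).add(f["host"])
    return sorted(c for c, hs in hosts_by_cve.items() if len(hs) / inventory >= threshold)


def technologies_without_patch_process(findings):
    """Operational-discipline gap: technologies with findings but no cadence at all."""
    return sorted({f["tech"] for f in findings if PATCH_CADENCE_DAYS.get(f["tech"]) is None})


def trend(monthly_counts, window=3):
    """Report this month against the rolling average of the previous `window` months."""
    *history, current = monthly_counts
    recent = history[-window:]
    baseline = sum(recent) / len(recent)
    return "higher" if current > baseline else "lower" if current < baseline else "flat"


if __name__ == "__main__":
    todo = workable(FINDINGS)
    print(f"{len(FINDINGS)} findings scanned, {len(todo)} worth looking at today")
    print("hosts where patching is not working:", most_vulnerable_hosts(todo)[:3])
    print("broadly distributed:", broad_distribution(todo))
    print("no patch process:", technologies_without_patch_process(todo))
    print("this month vs 3-month average:", trend([500_000, 470_000, 420_000, 450_000]))
```

Run as a script: of the 15 constructed findings only 9 survive the filters, and the report surfaces srv02 (three overdue findings), CVE-0000-0002 (five hosts, the registry-key case), and the Juniper stack with no cadence, while the four 9.8-scored Patch Tuesday rows and the TLS 1.0 finding never appear. The cadence table is the part worth getting right in a real environment; the rescoring factors are deliberately crude placeholders for whatever intel or rescoring service you actually use.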