
Okay, hello everybody. Sorry so much for the technical issues; they are not supposed to happen, but we have to live with it. So thanks everybody for being here. We're going to continue talking about vulnerabilities; in this case we're going to focus a little bit more on vulnerability management, and we'll discuss a few of the topics. I think we're going to get a lot of context from what we had on the previous talk, so thanks a lot, Chris, for that. Definitely, I look forward to talking with you.

First of all, a little bit about me. I've been living in Ireland for the last seven years. I'm originally from Argentina; I won't make any references to the World Cup. That being said, currently I'm at CrowdStrike. I work in Spotlight, which is our vulnerability management module, and what I work on with the team is basically making sure that we detect the vulnerabilities that we can, everything related to that, and a bunch of other stuff. Normally I relate to breaking things and solving certain problems.

What I'm going to talk about today is basically going to be vulnerability management. What is vulnerability management? It's something simple, you know: you have something that is outdated and you need to fix it. Simple as that. We do that all the time: we patch our machines, we patch our watches, we patch our doorbells,
we patch our servers, we patch basically everything that we can get our hands on, or everything that might get updated, and because of that we might get a risk. But the idea behind this is to understand a little bit from the context. I had the opportunity to work on the back end of some vulnerability management products, on some of our challenges of detecting the vulnerabilities, and on some of the things that we have seen customers and people deal with across time.

So we're going to concentrate on three major challenges here. The first one is going to be detection: what vulnerabilities you have, how many of them there are, and actually how real that is, from the snapshot that you get from your companies. The second one is accuracy: how do you triage them and how do you react? What do you prefer: do you prefer a false positive alert or do you prefer a false negative alert? What's the benefit of a false positive on a tool that helps you to manage your vulnerabilities? You do the work, you assess, you don't have a risk. You know, if you go for a false negative, everything is okay and then a machine gets popped. So, in a nutshell, false negatives are less work for most of the teams but the higher risk, whereas false positives might be more work but actually can translate into a little bit more security. When you work on the other side, you want to balance both: you need to make sure that you detect what matters and that whatever you detect is as accurate as you can.

But the final point on this, and one of the questions that I believe has the most throughput for the teams and the most output, is: what do you do with the information you have, for which ones can you react, and what are the avenues that you can take? Many of us, when we work with a vulnerability management tool or something that would help us to assess that, we want to get the guidance. Why? Well, maybe because we're the ones assessing, we're the ones prioritizing, but we're not the ones patching. How many of you had an issue when you either got tasked to patch something that you don't know how to, or how many of you get issues when somebody pushes back, because you say "hey, you just need to apply this KB" and they come back and say "the detection is not going away, what is happening?" So the details about the guidance that you can give on a tool are as important as they can get.

But what's the situation that we normally get with vulnerability management, and how do we assess this risk? In a nutshell, we get the information after it actually happens. I especially picked this picture; I'm pretty sure it's well known around here.
But the idea is this: most of the time, when you see the events coming out is when you realize that you might have a problem, and sometimes that might even be too late to react. Think about all the things you have in your environments; think about how we need to deal with the volume of challenges that we have to face. But first of all, how many of you turn on a tool to get more reports that you can action, where everything is critical? We'll discuss that a little bit later. But most of the time you're not even aware of what to do, like how many actions do you need to take to make that alert go away?

This is a little bit about where the complexity is coming from. Vulnerability management is not complex, but when you start throwing at it all the different variables, all the different nuances, from what you need to patch, how you need to patch it, whether it is actually present, whether it is real or not, it starts to become a little bit more like an art rather than a science. Although we try to look at this with data, and we try to react with that, we also need to make it fit within the schedules that we have within a company, and there's a lot of things around that.

But I wanted to start with the idea: how do you normally become aware that there is a new vulnerability? What's the most common case? If I had to bet on that, it would be when the vendor releases an advisory. That's what happens most of the time: there is a new advisory, you see that there's a new vulnerability or a bunch of vulnerabilities, you try to triage them, you try to work through them, and you try to understand what you need to do in order to fix them. But from the moment that that vendor advisory or that knowledge comes out, to the moment that you have a detection on a tool that you can react to, you have a delta of time that
you need to react within. Besides that, you have the time it takes you or your teams to get to the remediation. When you work on a team that actually helps a company, where basically what you do is help somebody to detect the things that they have, you get notified most of the time at the same time as everybody else. You need to rush through a detection, you need to ship that detection, and then you need to make sure that whoever is relying on you can become aware of that as soon as possible. So many of us have had to deal with scans, scan windows, how long it takes to run a scan, what different information you have depending on the part of the vulnerability management process you're in, and sometimes even your maturity.

So all this time, from the moment that the bug or the vulnerability was introduced through the product, into your own library, a third-party library, or basically a product you use every day just to work, that's what we try to assess as risk. And most of the time, when there is an exploit for a vulnerability before there is a patch, we start talking about a zero day, and that's when everything goes bananas. This is when we're all set to freak out about: where is it? Do I have this in my environment? Where do I have it? Can I patch it? Is it exposed? Which are the assets, and what are the benefits that you can take from there?

There is a second approach, when the exploit actually comes after the vulnerability release. So maybe after a fair scan you have it, you don't care about it, and X amount of days later an exploit becomes available and you might be targeted by that. We saw a really good analysis on the previous talk about how this can be predicted. But not all hope is lost; we need to keep track of some of the metrics that we could use as teams in order to understand where we're standing. The
first one is time to awareness: how fast can you become aware there is a new vulnerability which might be impacting you? The second one is the time to detection: what's the time from when you knew about it until you see it on your tools and you can basically react? Sometimes you can be proactive, but most of the time you're overloaded or you can't be proactive, so you wait until that. And then after you found out, you triage that, you send it to remediation, remediation tries to patch something, and they kind of get to that. Maybe sometimes you can't even patch it, not because you don't have the patch, but because you cannot afford to put a service down for X amount of hours until you patch it. So again things start to become complex the more things you start throwing at it.

But I want to focus on detections. The core for us to be able to properly assess our risk is knowing how many vulnerabilities we have. For those of you that rely on a third-party product to give you your vulnerability management: what percentage of all known vulnerabilities do you think they are detecting? Do you even care? This is a question that we normally try to ask, like in multiple interviews you have out there: do we know how many detections we have? Do we know which ones we actually need to care about? And that knowledge can come from "I don't need to know if I have a vulnerability, I just need to be fast to know that something is installed in my environment and that whatever I have installed is not on the last version." There are actions that we can take and some strategies we can put there in context, but this is the core question that we have.

So what do we have? CVEs: vulnerabilities that get acknowledged, they get a CVE, a fancy ID, sometimes they get a name; all of us can track that. We have end-of-life software: can you raise your hand if you have software that is completely outdated, no longer supported by the vendor, but you know is on your environment? So okay, we have a few, and all the rest are lying. Aside from that, we have a lot of other things. There are vulnerabilities that might not get a CVE: they're called features, or they're issues with configurations that you also need to assess, and they also form part of your vulnerability management program, but not everybody might be alerting you, and normally this gets to the bottom of the box. So maybe you have a misconfiguration, or your SSL is still using weak encryption and you don't know it, or you cannot action upon it. So there's a lot of things to throw into the mix, which
basically just does one thing: it adds complexity. And I like starting with this, because we're not going to go into the full deep dive of the analysis, but number one: can you detect them all? I will say that when you start looking through all the different vulnerability products or different tools that will give you some sort of acknowledgment that there is a vulnerability present on your environment, hardly any of them will be above 50 percent. So that means there is a 50/50 chance that, at the time that a vulnerability comes out from your vendors, you might not get a detection ever. There's a lot of the time that a detection can be extremely problematic because you cannot even patch it.

And there is a final approach, that basically CVEs alone are not an indicator. Yes, at the moment of this talk there were more than 200,000 vulnerabilities out there, based just on NVD; we're not counting the third-party ones or vulnerabilities without a CVE. And there's a lot of data that we cannot put into the talk because of time constraints and a bunch of other things that happen. But what we're trying to understand, and we had a pretty good analysis, is when you start looking at NVD: how many vulnerabilities you get every single year, how many vulnerabilities you get by week, how many vulnerabilities you get by day. And when everything is important, it becomes chaos, and we're going to look at the ideas on how we can sort of triage through this.

Nevertheless, there are certain events you can predict. What happens on the second Tuesday of every month? We all know what's going to happen. We all know that at 1pm EST new patches are going to come out, and at that time we're going to say "hey, you have this vulnerability, and by the way, yeah, it's already been exploited, but probably you need to wait a little bit more until you can action upon it." If you prepare, probably you can shrink that gap. But the idea behind this is that we have a lot of vulnerabilities, but we do care
about the exploits. The exploits are the signal that tells us that the risk associated with a vulnerability is pretty likely to be higher, because somebody can rely on it to get a foothold into our environment, and that's what most of the time we want to prevent. When we start diving into this, normally there are three main classifications that the security teams care about.

Actively exploited: yeah, it's already raining outside, I know, I'm wet. That's the normal, the most common situation: something comes out, it already has a zero day. I think they look at CISA; well, CISA came after, but a lot of the CVEs that are actively getting exploited, normally you become aware of them either before that or when the vendor releases the patches.

Exploit available: in the previous talk we were seeing around 50,000 CVEs with an exploit available. It doesn't mean it's actively exploited, but what does it mean? There is something out there, so there's two options: nobody uses it, or nobody detected that somebody is using it. Do we have anybody here that works doing pen tests? Have you ever seen a CVE that you rely on that's not flagged on CISA, that is not flagged by anybody as being exploited, but every time you see it you say "oh, yes"? For a long time this tends to happen, and most of those signals might not actually get public, or published, or relied on. So that's a lot of information that maybe we might not know.

And the final one is the PoCs. Most of the vendors, when you report a CVE to them, actually ask you to give them a PoC, so they already know that there might be a way for exploitation to happen, or there might be a similar or single working piece of software that could trigger this. Not everything gets shared, but most of the time that's a pretty good signal that somebody that you might not want to know about can transform that PoC into a working exploit. And the times between the three: there have been previous papers and analysis of how fast they can move depending on the software, because the more common the software is, the more likely more people have knowledge about it and how to weaponize it.

So CISA KEV has been part of many talks so far, and definitely we'll start comparing this against, like, historically they're not such big numbers, but there are certain clusters. We know that the software that companies are likely to use the most is the first that is likely to appear on the CISA KEV list. Why? Commonality? We became good at detecting them? We keep better monitoring on anything around
this? I don't have an answer, but definitely there is a trend. So the question is: what do you do with all the rest? This is great for prioritizing; then we'll get to the actions, but it's important about the context. You cannot properly protect your infrastructure, your teams, your security, your users if you don't get the context in. And the context is that we have a cluster: we are pretty good at detecting certain types of applications or software being exploited, but for many others we might have no idea. That's where, at some point, the idea of covering as many vulnerabilities as you can is actually something really interesting to work on.

But so how does this translate into actionable data? When you grab the 946 CVEs, if I recall correctly, from the CISA KEV list updated up to yesterday, that means that 0.46 percent of all the CVEs are on that list. Simple math; I wanted to keep it as simple as possible. So that means that you might not need to care about all of those vulnerabilities. That's a lie: these are not the core that you need to look at; you need to look into the whole environment, you need to look into the whole story. But this is actually a strong signal that those products are likely the ones that you need to keep updating as soon as you can: patch your operating system as soon as you can, patch your auto-updating applications as soon as you can. And I'm happy to bet that, if you rely on any third-party software for doing your vulnerability assessment, most of the volume of the vulnerabilities are likely to be browsers, operating systems, and, I'm going to say, application servers as the most problematic. Those are the top three, and if you patch your browsers, if you patch your Office applications as the fourth, I think those are the four that are most commonly used, most commonly with vulnerabilities, and the ones that more frequently and periodically get updated. So that's going to give us a hint for what's coming later.

So detection, in a nutshell, in my opinion, does not imply coverage, because you need
to understand how many things are affected, and we're going to be walking through a few examples. Something I wanted to plot is the data across NVD. It's great when you look into a CVE, independently of how delayed it is from the moment that the vendor publishes the advisory until you get the data in NVD: you normally get a lot of CPEs. The CPEs give you the configuration of the software and the versions that are being affected, but normally this distributes across three common scenarios.

Situations like 3CX: this was a supply chain attack, where a trojanized version of a software was used to compromise a couple of companies. When this happened, most likely nobody had a detection of this in their environments; it was something new. So what's the question? Am I affected? How can I respond? Where is it? You need to think not just of the product: do you have a platform that is flexible enough that you can go and query, even when things might not be detected? How will you react on this? Depending on the size of your company, it's relatively simple: you have one vulnerability affecting one product from one single vendor; you patch that and you forget.

The next scenario, which was a recent one: does anybody know about the netfilter issue on Linux? There was a recent privilege escalation vulnerability reported to the Linux kernel. For some mistakes (oh, I'm going to have to speed up), they basically released the vulnerability, so according to the guidelines the person that reported the vulnerability published the exploit. That means we know there is a CVE affecting most of the Linux distributions; we don't know which ones or which versions, but everybody starts to freak out. You cannot do anything until you get the information.

My personal favourite is Log4j. So why was Log4j such a thing? It's that we don't know how many products are affected. Why? Because it's a library. Many of you might have custom software somewhere across your environment relying on this library, and a strong, mature asset process will help you to find this kind of stuff, but many companies might not have it. Or a lot of third-party software might be relying on this library, and even if you have a single detection, it doesn't mean it's the only detection that you have. So that creates a massive problem, where you have multiple platforms and multiple products being affected, or when everything is affected.

So we're running a little bit out of time, but the idea is how to fight back: how do you put all the information and the context and the data together in order
to react? I don't have a perfect formula, but we have a place to start. So the most important thing is context. Whatever you do, you need to have consideration for the context. The context is about how unique you are among the different companies, how unique your infrastructure, or your events, or your users, or your employees are, in a way that you can think about the asset: what is it? Is it exposed? Is it not exposed? Is it commonly used? Is it used by a single person? Is this person normally following good patch practices? Can you look into how fast that user actually patches their operating system whenever something comes up? Can you force, or can you recommend, your users to patch through tooling? What controls do you have? If you have a system that is not patched and something pops that box, can you detect it? Do you have a service, or do you have a product, that will help you to react fast when somebody gets hands on keyboard in the event of this happening? And finally, how do you aggregate all the information to have the risk that will guide your teams to the actions that you need to take, if you were compromised because you haven't patched, or to minimize the attempts at being compromised?

So what's next? You have the context; now you go into your prioritization. We had a pretty cool discussion previously about CVSS being static and everything being critical, and you have open-source models that will try to prioritize by making a prediction on how likely a CVE is to be exploited in the next 30 days. Most of the VM vendors right now will have some proprietary score that is fueled by their insights or third-party vendors into what you should patch or not. But the conflict is: I need CVSS, as we were discussing, because of a lot of compliance things, a lot of things that I need to certify, but I actually want to move fast in order to mitigate the risk.

The second one: how do you patch? "Update the software to the latest version available": how useful is this information for you when you don't have an idea how that's always been patched? What software within your environment is auto-updating? How many of you force your teams to update Google Chrome within a certain amount of time of a new version coming out fixing a lot of bugs? These are behavioral things that you can define, and how you break your plan in order to make things happen.

So the three main problems that we have are related to detection, accuracy and actions. Do we detect everything that we need? How big is your gap? How many things
can't we put the spotlight on, and whatever information we do have, is it good enough that we can trust it and we can take action on it to minimize the risk of something that we're missing? What actions do we need to take? What's the guidance for us, or for the remediation teams, to actually execute in order to minimize the risk? Context, prioritization and remediation, through any model that you might follow, need to suit whatever you do. This is not an answer; this is a framework. This is the idea that the complexity of your own programs is going to depend on how much time you invest in them. Some of the tools will help you, but nobody will be perfect, because nobody will cover everything. Some might be better at covering, some others might be better at protection or detection, and some of them try to do everything at once.

So are there any potential solutions for this? I don't think so, but there is a process and there is hope. Number one: build processes and iterate frequently. If you're starting from zero, try to go for the most frequently changing things, your users, your workstations, then build up through your servers, your containers, or your services that are exposed on the internet, and then try to go to the things that are extremely hard to patch. And on purpose I haven't even mentioned ICS and OT, because that's completely different, like how many of you had to deal with going to your manager and saying "hey, I need 100K just to patch this system," and the answer is no? Then the focus will be on the programs, on making sure that we can serve remediation and protection. If you can't patch, just try to concentrate around the security controls you have and how your team can react. Combine: give your teams the tools and the processes that they can lay the foundations on, so they can quickly react to whatever is threatening you or whatever is surfacing in these detections.

And looking forward, on top of all the open models that are going in, maybe SBOMs, VEX and a few other completely new formats to share information about vulnerabilities will be great. It will even be easier for us to help you detect your vulnerabilities if all of the vendors published the vulnerability information on the same page. But we don't have the time to try to thrive on this. So I don't have a solution. What I wanted to bring in is that vulnerability management is a process that should be pretty well defined, that it has its complexities, and the more you know about the information that is available to you, the more actions you can take. And I think we'll run out of time. Thank you.
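The three timing metrics the speaker lists (time to awareness, time to detection, time to remediation), the detection gap he asks the audience about, and the prioritization he sketches (exploit signal first, asset context second, CVSS only as a tie-breaker) can be made concrete in a few lines. The block below is an added example, not code from the talk, from CrowdStrike or from Spotlight; the findings, dates and CVE identifiers in it are constructed placeholders, and the score weights are assumptions chosen for illustration rather than any vendor's scoring.

```python
"""Vulnerability-backlog metrics and context-aware prioritization.

Added example (not from the talk, CrowdStrike or Spotlight). It computes the
three metrics named in the talk (time to awareness, time to detection, time to
remediation), measures the detection gap, and orders open findings by exploit
signal (actively exploited / on CISA KEV, public exploit, PoC only, none)
adjusted by asset context. All data below is constructed; the CVE IDs are
placeholders and the weights are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Finding:
    cve: str                    # placeholder ID, not a real CVE
    asset: str
    advisory: date              # day the vendor advisory was published
    aware: date                 # day the team learned about it
    detected: Optional[date]    # first seen by the VM tool; None = never detected
    remediated: Optional[date]  # None = still open
    kev: bool                   # actively exploited / on the CISA KEV list
    exploit_public: bool        # a working exploit is public
    poc: bool                   # at least a proof of concept is known
    internet_exposed: bool
    auto_updating: bool         # e.g. a browser that patches itself
    cvss: float                 # static base score, used only as a tie-breaker


def timing_metrics(f: Finding) -> Tuple[int, Optional[int], Optional[int]]:
    """Days from advisory to awareness, awareness to detection, and detection
    to remediation. A stage that has not happened yet yields None."""
    tta = (f.aware - f.advisory).days
    ttd = (f.detected - f.aware).days if f.detected else None
    ttr = (f.remediated - f.detected).days if f.detected and f.remediated else None
    return tta, ttd, ttr


def priority_score(f: Finding) -> float:
    """Exploit evidence dominates, asset context shifts the score, and CVSS
    only breaks ties. The weights are assumptions for illustration."""
    if f.kev:
        score = 100.0
    elif f.exploit_public:
        score = 60.0
    elif f.poc:
        score = 35.0
    else:
        score = 10.0
    if f.internet_exposed:
        score += 30.0      # reachable by anyone who holds the exploit
    if f.auto_updating:
        score -= 20.0      # likely to close itself; spend analyst time elsewhere
    return score + f.cvss


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Open findings, highest priority first."""
    open_findings = [f for f in findings if f.remediated is None]
    return sorted(open_findings, key=priority_score, reverse=True)


def detection_gap(findings: List[Finding]) -> float:
    """Share of known findings the tooling never detected (the coverage gap)."""
    undetected = sum(1 for f in findings if f.detected is None)
    return undetected / len(findings)


def sample_findings() -> List[Finding]:
    # Constructed backlog; every value here is made up for the example.
    d = date
    return [
        Finding("CVE-0000-0001", "vpn-gateway", d(2024, 1, 9), d(2024, 1, 9), d(2024, 1, 11), None,
                kev=True, exploit_public=True, poc=True, internet_exposed=True, auto_updating=False, cvss=7.5),
        Finding("CVE-0000-0002", "laptop-browser", d(2024, 1, 2), d(2024, 1, 5), d(2024, 1, 6), d(2024, 1, 8),
                kev=False, exploit_public=True, poc=True, internet_exposed=False, auto_updating=True, cvss=9.5),
        Finding("CVE-0000-0003", "internal-app-lib", d(2024, 1, 3), d(2024, 1, 4), None, None,
                kev=False, exploit_public=False, poc=True, internet_exposed=False, auto_updating=False, cvss=9.0),
        Finding("CVE-0000-0004", "office-suite", d(2024, 1, 9), d(2024, 1, 9), d(2024, 1, 10), None,
                kev=False, exploit_public=False, poc=False, internet_exposed=False, auto_updating=True, cvss=5.5),
        Finding("CVE-0000-0005", "file-server", d(2024, 1, 8), d(2024, 1, 10), d(2024, 1, 12), None,
                kev=False, exploit_public=True, poc=True, internet_exposed=False, auto_updating=False, cvss=6.5),
    ]


if __name__ == "__main__":
    backlog = sample_findings()
    for f in prioritize(backlog):
        print(f"{priority_score(f):6.1f}  {f.cve}  {f.asset}  tta/ttd/ttr={timing_metrics(f)}")
    print(f"detection gap: {detection_gap(backlog):.0%}")
```

Note how the ordering comes out: the KEV-listed, internet-facing finding leads even though its CVSS is the lowest of the open ones, the library finding with only a PoC and no detection at all still ranks above the auto-updating office suite, and the one remediated finding drops out of the queue entirely. The detection gap of one in five is the number the speaker suggests asking your tooling vendor about.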