Is Vulnerability Management Dead? A Security Architect's Survival Guide

BSidesSF · 2025 · 31:43 · 245 views · Published 2025-06
About this talk
Snir Ben Shimol

This session discusses the necessary shift from traditional vulnerability management and explores a security architect's journey in building a robust cloud risk remediation program. We will outline best practices for risk prioritization & triage, navigating IaC & cloud-native mitigating controls.

https://bsidessf2025.sched.com/event/2f7a45a7ddc30741c87ca80c6f7e2941

So hi everyone, please welcome our uh next speaker Snir who is a CEO and co-founder at Zest Security. Please give him a round of applause. [Applause] Uh don't forget please if you have any questions go to bsidessf.org/q&a and you can submit your questions at Slido and uh now you can join presentation and maybe answer the question is vulnerability management dead or not.

So, thank you, Alexandra. Everyone, thanks for coming here. Um, it's a long day, so I'm going to keep it light and fun. And, um, this is like a big topic and I like it that we we have a full house. So, it's probably like a pain for all of us, not only for

me. Um, so is vulnerability management dead? I did some stuff there. So you can see that it's probably not a question. Um so why you should kind of listen to what I had to say. So a little bit about myself. Uh sold the previous one to Palo Alto. Now it's part of Prisma Cloud. Uh before that built and ran the entire cyber security practice at Varonis including product security, incident response, vulnerability management, building the products, 160 people basically. So I did a lot around detecting threats being in the trenches for incident response and forensics but also managing internal security uh for many many years. Most of the time we failed and I think right now we have some kind of

opportunity to look on the failures and kind of realize how we need to pivot and this is what this talk is all about. Um, I'm very active on LinkedIn. So, if you want to connect and kind of tell me why you think I'm wrong or why you love what you just saw, send me a message. So, um, what we're going to talk about is kind of scoped. So, couple of disclaimers. First one, I'm only going to focus on cloud. I'm not going to talk a lot about on-prem. I do believe that a lot of on-prem is just solved with patching and we're all kind of like moving to cloud and cloud is more complex and interesting and you don't have one way

to do things in cloud. This is why it's so much fun. Uh, my insights are based on enterprise experience. So if you're dealing with SMBs and small organizations, like really small, probably less relevant. Maybe I'm biased, so Zest Security is my company and uh we're streamlining remediation and mitigation, so I took this problem and we believe we solve a big portion of it. So a lot of my opinions are basically why I built my company. Um, I'm going to give some light spoilers around Severance and White Lotus. So, if you're still watching, I'm sorry. Uh, let's get started. So, we're going to start with a big research we did around vulnerability management and the reality about it. Um, a lot of the research actually made me

kind of I was very surprised to see these numbers. After that, basically we discover what is the root cause of why vulnerability management is such a pain. H and then I'm going to share things that you can do today to basically break the old school mentality of visibility and managing your problems and at the end the Q&A of course. So let's start. So three, four, five years ago, we all believed that visibility basically going to make your organization better. I think today we're thinking about does visibility actually make us more secure. And I like to ask a question. If I'm in vacation right now in Mexico drinking margaritas, it's been a long day. So, I'm just imagining myself at the beach

and I know that I left my front door open and let's say I'm I'm actually based in New York City. So, let's say it's a it's not Tribeca but different area and my front door is open and it's not a building. So, knowing that my front door is open without doing anything about it, does that make me more secure? Probably not, right? Um, something that we're able to do is to do a research and we correlated between my backlog of vulnerabilities that we know about that we open a ticket into incidents that the SOC team kind of like reviewed and 62% of these incidents actually tied directly to vulnerabilities and misconfigurations. Again, that was kind

of surprising because I thought like, you know, most of the security tools are kind of like, hey, this is pretty cool. You need to fix it, but they actually they actually give us like good visibility of where are our problems and these problems steam into attacks. Verizon and Mia just shared last week MTrren report and also the Verizon report around vulnerability management and incidents uh exploitation of vulnerability now suppress fishing. This is crazy. So is that easy to ex to to exploit and it's that hard to do something about it. It's definitely a mirror that something is wrong. So let's talk about the basics and the things that I want to hope that we're doing

already today and why we're still not there. So while I was managing like couple of teams that do vulnerability management and cloud security and product security. So we're starting with CVSS and of course CVSS has a lot of problems and we're going to talk about some but uh we have the KEV which to be honest KEV was great because it actually gives us information about is that vulnerability being exploited in the wild or not, if we know something about it, and if we want even to take it further we can kind of like include some stuff with EPSS. The problem with EPSS is of course a lack of context from my current environment. So the way that

like threat actor or insider threat or a malicious code can actually do something bad and predict that without context. It's also problematic but is good enough to filter let's say 50 60% of the noise. So we're leaving uh the backlog with 2,000 3,000 critical issues. Let's go a little bit to the more advanced side which I like which is threat intelligence. Threat intelligence actually gives us a layer on top of KEV that say like hey do we have any threat actors, any working PoCs, anything that actually exists right now to exploit these vulnerabilities that my scanners actually identify and this maybe can filter additional 5 10% of the backlog which leave us with I don't know a

thousand critical vulnerabilities so this is a good filtering but it's not for 2025 and we're still kind of like filtering and filtering and filtering and filtering and and and and something is just not working. Um I think something cool that by the way I'm giving references but specifically in this uh this theater it's cutting the the the below of the the slide. So a lot of the references you're not going to see. So I apologize for that. Just for you to know that we have the reference in the slide. Um, as we all know, like in April, like CISA kind of like, hey, the CVE project is dead and and and thanks to a lot of pressure from the community

and people that actually care. It's back. But this is another kind of like validation that something is not working. And we're building vulnerability management, we're building threat exposure program in our organization. So me as a security executive, I want to look three years ahead. I want to build the OKRs and I want to understand like how do I survive and how can I reduce the exposure because right now it's it's it seems like we don't really have a method that works for everyone or works for most organization. And let's talk about kind of like more cloud focused which is not something we can patch which is misconfigurations. Um great companies today build a huge market about hey this

is not a vulnerability. It's not even a bad practice. It's just like the way you handle in cloud and miscon like it's misconfigured and it's actually can lead to a lot of kind of attack publicly exposable services. um sensitive data that is not encrypted and accessible uh microservices with ability to privilege escalate and a lot of other things. So what do we do with that and is it a part of miscon if misconfiguration supposed to be a part of vulnerability management it's also a big question. So I want to start with kind of a question. We did a research. This is part of the research and I want you to raise your hand. How many an in average

ongoing open ticket for critical vulnerabilities and misconfiguration a medium-size to kind of like medium normal size enterprise going to have? I'm saying like an enterprise with more than 10,000 employees uh with cloud footprint. So let's ask if you think it's below 50 critical vulnerabilities and misconfiguration in the backlog. Raise your hand. Okay, a lot of optimistic people here. If you think it's between 50 to 100, raise your hand. Critical vulnerabilities. Okay, we're seeing some hands. Okay, nice. We we actually had some organization with like that amount. If you think it's between 150 to 100 critical vulnerabilities and misconfiguration in the backlog after prioritization, raise your hand. Wow, you guys are good. Okay. And if you think it's between 150 to

200, raise your hand. Okay. Okay. This is why I like BSides because people actually know what they're doing. So this is like what about reachability, right? So everybody heard about reachability. Uh so uh we had couple of conversation with not CISO but the people who are managing exposure in in enterprises and they basically told me couple of times different people uh we are only prioritizing publicly exposed assets if they have vulnerability if they're part of misconfiguration this is our highest priority this is what we do this is what's going into Jira this is what's going into ServiceNow great so you're All right, I want you to kind of give you a like this is the

first time you actually actually nailed it, guys. Like really this is great. Uh over 100 critical vulnerabilities and misconfiguration in the backlog with over 100 companies that we talked to and we did that research. So each and every one of these companies have visibility, prioritize vulnerabilities and misconfiguration, open a ticket to remediate or mitigate or whatever and it's in the backlog ongoing backlog of 100 plus vulnerabilities and misconfiguration. I want to pause right here and let's ask the question of this talk. Is vulnerability management dead? I think so. So we took couple of step forward and we asked questions that we don't know the answer and we ask this team to actually look into the ticketing

system, look into the project and actually give us answers. So 49% is actually because they need time to understand the best path for resolution. Can I patch? Do I need to patch? Is there a patch code? Uh, do I need to change it in the code? Do I need to change it in production? Uh, 26% saying like a lot of the time going into risk that we cannot remediate. We cannot remediate sometimes. So for example the healthcare we talk to they say like hey it's it's business critical. There is no way we can patch. There is no way we can do something about it. It's like okay so what do you do? It's like first of all

we need to talk to everyone to try to patch it and then we understand that we cannot do anything about it and then we need to build a plan. And 25% of the people kind of say like the amount of time and effort required from other department is basically something that takes the most amount of time to actually solve the problem. So I will kind of caps it into effort based right like what is the effort that other people because security team are not fixing right so what is the effort that will require the business in order to do something about it. So let's go even deeper. So it's like okay what do you do it right now?

So between 6 to 8 hours a I'm sorry 6 to eight working days per month a security engineer is spending on prioritization and analysis of visibility from threat exposure tools for CSPM, SCA, the software composition analysis, cloud security posture management, vulnerability management scans. 6 to eight days a month just prioritization. After that um almost a month ago over remediation of misconfiguration. So no vulnerability just changing configuration within the cloud environment and this is something that I was kind of surprised about sometimes more than 8 weeks in total to remediate application vulnerabilities. So actually changing things in the cloud infrastructure is easier to many of the companies today than to fix something in application. That's kind of weird

because how many DevOps people you have versus how many developers you have. It's it's like it's it's interesting. Um something more interesting is like 87% of more of four people involved in this entire process. So I will I will just ask a question related to that. Do you think software composition analysis vulnerabilities are part of the vulnerability management and exposure management team versus application security team? If you think software composition analysis vulnerabilities are part of the application security team, raise your hand. Okay. If you think software composition analysis relevant for the team that managing vulnerability management or cloud security posture management, raise your hand. Exactly. So that's also a problem because some of these vulnerabilities are in the

container level, some of them in the base image, some of them are in the application, some of them not related to the developers, some of them related to infrastructure, but who is the owner? How many people we need to talk to? What's going on here? So again, this is like one of the like what's going on and the the people that managing the vulnerability management also like I asked him like why are you not managing software composition analysis finding? And they're like, "Oh, this is OBS." It's like, "Yeah, but who is managing the base images and patching?" It's like us. It's like, "So, how?" And then we nail down why is it so important? Like, why do we care? It's

like why do we need to do it better? Why we that in charge of security really care about our exposure, our vulnerabilities? like why um the TTE based on um Mandiant which again they're seeing so many incidents the time to exploit reduced to 5 days some exploitation sometimes less than an hour since the the actual vulnerability was released. So basically if takes us 3 to 8 weeks to remediate a problem that we know it's a problem that we prioritize you know what the prioritization take us 6 days and another like 3 to four weeks to actually do something about it. So basically we're we're left with like a window for exploitation that is impossible. And this is kind of like why

do we actually care? So again, now we're kind of talking about the problem, right? Why vulnerability management today is kind of like being like on a short leash. This is my favorite scene in White Lotus, by the way. That was like um just book a trip to Thailand after that. Um 50 percent of risk cannot be remediated. So half of your backlog more than half of your backlog will end up with two things. Accept risk. Everybody love to accept risk right now, right? It's like it's amazing. Let's accept it because R&D cannot fix or cannot do anything about it. And some things have no patch. So do you do you run like

a lot of people knew the answer for the beginning. So you're you're you're hands on. How many vulnerabilities you have from your scanners that if you go to remediation or if you go to the vendor there is no patch available. At least 20% of the findings you have no patch available. How many of these vulnerabilities related to assets that are not in production right now? So a lot of things cannot be remediated. How many of the things cannot be remediated because the dev team don't want to close your tickets? Right? How many of these things cannot be remediated because this system cannot be touched? So I'm I'm talking about remediation as kind of a surgery. So if

you have a back pain, you can sometimes go and do a surgery, but sometimes it's doesn't worth it. not for you, not for your family. Uh you can actually live with the pain. And that's like the whole idea of what do I do with the problems I have and why sometimes like I can't fix them. And now let's talk about what from my experience actually work and how we need to look differently of vulnerability management. Raise your hand if you have an incident response plan. everyone. Yeah, of course. What about the risk remediation plan? Oh, that's interesting. Okay, some of you have that's great. This is like this what we need to work on. So, the

survivor kit, let's do it. Visibility scanners, SCA, CSPM, solved. You can even use open source. They're great. You don't need to spend a million dollars on them. Unified data layer. Uh, this is what you need. you it's not that hard and you can get it with any type of data repository just to put everything in one place. The third one is updated cloud inventory with enrichment. Which type of cloud assets you have, if they're publicly accessible, if they contain sensitive data and so on, every CSPM have it. And you you should have it. And then let's go more advanced. DevOps correlation. Crazy. What is being managed by DevOps? What is not being managed by DevOps?

What's being managed by Terraform? What's being managed by CloudFormation? We will I will explain why it's so important. But you need to have this information to help you to pivot um Docker Kubernetes Artifactory base image mapping. So which of the containers related to which base images? Some of it it's easy, some of it it's tough. GCP make it very hard. For example, so GCP actually kind of wrapping the wrapper and sometimes it's hard to correlate. If using Kubernetes, you need to look into the Kubernetes in order to do the correlation. a cloud guardrails. This is crazy. This is I think something new that um I want to share with everyone today and mitigating control

coverage. So if today you have Cloudflare, if you have a SAS, if you have this type of solution that can block attacks, should I prioritize it as critical and high or not? This is the next one. Oh, I forgot to mention secure by design. Hey, we're doing security by design and we don't have any critical vulnerabilities in production. When I hear that, I just stop talking to this guy because they have no idea what you're talking about. Yes, we have no vulnerability because we have secure by design. What about the vulnerabilities and misconfiguration that happened today? Great. So, the enrichment and context are free. What does it mean? We get CVSS, KEV, and threat intelligence. You

have great resources. I love VCH by the way. It's a great company. They're doing great threat intelligence. They have open source. Uh, look on VPC, look on gateways and your cloud assets metadata. Easy, extract it from your from your load balancer, CDN as well. Easy, uh, business criticality. You know better than each vendor which type of system and application are critical. Tag them. Tag the repos. Tag the system. Tag the identities. Tag the assets. And then reachability. Cloud API, easy, just ask what is actually in the cloud related to cloud inventory. Moderate is look on the events like AWS cloud look what is running who is authenticating just take the asset ID this is actually

very useful to remove a lot of SCA vulnerabilities. Advanced, runtime, but it costs money. And drift, uh, easy, ask the DevOps. Let's hope the DevOps know. Most of the time they know they're I love DevOps. They know what they're doing. Moderate is read logs. Advanced, map your infrastructure as code and Terraform state and plan and CloudFormation and Pulumi and the rest. So this is the enrichment we need to do. Why infrastructure as code correlation is cool? I will give you an example. So first of all uncover where the risk resides. So if right now I have a misconfiguration, I open a ticket, DevOps or engineering is getting the ticket, they following the CSPM remediation, they go into the console,

they're applying the fix. A week after, the same problem happens again in a different Lambda function. This is a secret in Lambda because we have it in environment variable in Terraform. Great. Every time every time Terraform deployed, it adds the secret. They didn't fix it in Terraform. They fix it in the console. they're because it's coming back over and over and over again. This is why you need to understand what introduced the problem to the environment from the get-go. This is why you need to understand and have visibility to DevOps systems. Cloud guardrails. I want to spend some time here because this is something cool that I discovered to be super useful. So in AWS for example service um

control policies and resource control policies. So you can basically use this policy if something if something cannot be uh remediated. So think about as mitigation control. What we're showing in this example is again secret in Lambda functions. So you have some microservices that running secrets. Great. You need to to kind of like manage them in a vault. Amazing. But what if you can't do it? What if you can't do it right now? So the way the attackers are working is they're basically querying those Lambda functions and accessing these secrets. You can basically create this service control policy to deny any type of service or any type of malicious activity that taking and asking for those

configuration those tokens. You didn't fix the problem but you reduce the exploitability in 80%. Boom. Mitigating control. So great example is the Next.js which we all know, uh, it happened in Saturday like like our teams my customers like went wild it was bad but great news you have w you have s you have a sik for example that can that actually monitoring they have like blocking mode and it's all good so you can you can chill in this Saturday and you can remediate maybe next week involve your mitigating control in your vulnerability management but vulnerability management is dead. So involve your mitigating controls. This is super important. Take a step back, step two step backs, look on your

environment, look on your technical DNA and understand what's going on, but do not get addicted to it because mitigating control can be bypassed. Remediation is the goal at the end of the day, but we need to know how to live with our risk and reduce them as fast as possible. If you remember TTE is 5 days. So a lot of the things I mentioned cannot be automated. I cannot do all my slides. I have no time. A lot of the things cannot be automated. This is where AI coming into place. And AI it's critical. What we can do with AI that automation cannot do. We just talked about it today a couple of times. every

problems for vulnerability management and cloud misconfiguration have at least five or six solutions for five or six solution for each and every different environment different every project it's not something you can automate it's not easy it's not tier-one SOC you need to use AI for example in order to do things that are not automation that they based on the circumstance and you need to feed AI with why you want to do what you want to do so you can actually automate a lot of the triage and decision decision making as long as you have the enrichment and the visibility of DevOps and vulnerabilities that we just talked about. So that's it. I think I think my last

last word about it and I needed to mention AI. AI is critical for us to move and to reach the 5-day time to exploit. So I know everyone's saying AI but because all of these things that I mentioned are basically free and you can actually build them in-house or you can kind of buy solution to do that but you can actually do it. It's a lot of work use AI on top of that information and you're you're like you're almost golden. This is really powerful. Thank you so much. Questions Q&A we have time. We have two minutes. So one or question but firstly yeah round of applause please we don't have anything in the Q&A so if you have

a question everyone want to shout a question

yes yes thank you Snir great talk uh quick question around the last recommendation here which is AI is going to help solve this right which is, you know, you can throw a lot of different context and code at it and you're going to get different results based on which model you use or, you know, what time of day and where Mercury is in retrograde, right? And so, how do you get those that are a bit more um definitive um remediation results um that will actually help you plug gaps, you know, mitigate or provide, you know, some kind of remediation along the path? Does that question make sense?

Yeah, definitely. It's basically um different LLMs are

good with different things. I think cloud misconfiguration the the way for example to know if infrastructure as code can mitigate that specific problem use AI to take your infrastructure as code files and take the misconfiguration with the idea of the vulnerable cloud assets and ask hey is that cloud asset exist in any one of my Terraform files. That's basically a forensics that a security engineer is doing and sometimes doing mistake. Another example is if I have one single patch that can basically remediate a large number of CVEs. So AI can basically do a lot of automation based on your environment and say like hey if you install this specific patch you can take all those containers with

all these different CVEs and with one single patch effort-based remediation basically to do that. So we use AI because the information is changing about our environment and the information is changing from the vendor recommendation. If you provide AI these two information speed this is my environment this is the information this is the scanning information what is the best course of action based on patching. patching is good for example with the o3 model or Anthropic is great with reviewing code and kind of giving you infrastructure as code deterministic fix based on the secret manager you're using if it's I don't know HashiCorp or if it's like AWS Secrets Manager and if you're using it in Terraform example give that

information to AI without your secrets please and get the results and again if you use AI for those things please make sure you do not send code or information to the API calls outside. You have a lot of ways to do it in a secure way. And that that's a great question, but it's definitely a talk about how we can take each and every one of the the issues and use different LLMs in order to automate a lot of things that it's almost impossible to automate. Thank you. Thanks. Thank you everyone.