Vulnerability Management Sucks

BSides Cymru Wales · 13:45 · Published 2023-04
Style: Talk
Transcript [en]

Right, so welcome to "Vulnerability Management Sucks", or should I say "Windows sucks": my HDMI just decided to die, so I apologise about that, but proceeding on, because I've already wasted enough time. Mandatory "who am I" slide: [speaker name inaudible]. I've been going to conferences for about four years or so now, roughly two and a half years on the blue team. I don't actually use Arch, so if you'd like to leave, please do. And there's a Twitter handle if you want to listen to any of my nonsense. So, as a bit of a summary, I'm going to try to deliver quite a breadth of content in a relatively small space.

When we talk about vulnerability management, massive topic, I'm mainly going to be explaining the reporting cycle, mainly in the context of infrastructure patching: anything you can really stick a CVE to in terms of vulnerabilities. So, general scenario: when you're first starting out doing vulnerability management you may start with some informal patching policy, you may be doing various things. Eventually you start scaling up: either you manage to convince management, or you get forced via a regulatory audit or whatsoever, that you need to have a solution. You onboard one of those; you may have bought a few more, it depends where your devices are. Some support Windows better than Linux, you may have a mix of various scenarios going on, which means you end up having multiple places, and you end up in a state where you're sending out and scheduling reports to system owners.

So the evolving situation you have is: we have multiple VM solutions, we've got various data sources that may be coming in, it's just a split kind of cloud/on-prem environment. As an example scenario, we may have some information coming in from our cloud assessments, and again you can stick a CVE to those, and we're just dealing with a lot of different environments, a lot of different stakeholders, system owners. And the question that really evolves at this point is: is a PDF still going to go through? And the answer to that is, it's really a dumpster fire. We're now dealing with lots of data; prioritisation is becoming a nightmare; sending PDF reports, or reporting to system owners that contains, you know, problems of vulnerabilities, is not intuitive. We're facing pressures on doing reporting: we need to establish, as mentioned many times, patch SLAs; we need to be able to do audit trails on our system owners' remediation activities, for whatever is going on, and it's not easy to do without a sort of solution we could put in place. System owners: it's just a headache. Multiple vulnerability management solutions is just annoying: we have to bounce back and forth between things, and also sometimes different systems will have different rating scores for a given vulnerability: from high to low, critical to urgent, zero to a thousand. Generally it's annoying, and we don't want to be putting any more manual effort into running around chasing things; we've already got too much to deal with as a security team in general, or a blue team.

So what I would establish as the pillars of sane reporting is: anything other than a PDF, for the love of God. Granted, PDFs are nice for executive reports, but otherwise we need a system that makes findings auditable, actionable and prioritised. Generally, when you're sending around reports like this, especially if it's in an email chain, it gets a bit hard to track. Actionable in the sense that we don't want to have a bunch of items on a PDF; we want a clearer view of what our main priorities are, and so forth. By doing this we need to account for different system owners and stakeholders at the same time: what's their capability, what's their capacity, what support systems you need in place for certain remediation activities, and we also need to establish appropriate SLAs and metrics based on that. And finally, automation: we should be the [inaudible] in this whole process. As we build this automation out, we don't want to be the judge, jury and executioner; we don't want to be patching people's stuff for them; we want to be serving the reporting. Maybe we will, if there's some disastrous vulnerability running about, go and scream at everyone, but you generally don't want to allocate effort and employees towards this unless we have the capacity for it.

So in a general attempt to solve the madness, we effectively create some sort of system that looks like this to process all that information. We take all of our various vulnerability management solutions, any other data sources you may have, network scanners, etc., and every X period, whenever you want to run our reporting, or maybe continuously, we'll produce just an artifact of the state of our vulnerability management, the lay of the land, and then we put it through effectively a data pipeline to normalise and enrich the data and produce something we can use. Generally, in the normalisation phase some magic may be going on, but generally we're going to use the NIST National Vulnerability Database and the CVE database as a source of truth; find out why on later slides, but the vulnerability management solutions we have may not always be that reliable. When it comes to enrichment, generally we just want to make sure we tag on correct system owners and the correct sort of risk scoring (CVSS is not always the best to have a conversation with). And once we've got all that data in a nice parsed sort of artifact, whether that sits in some sort of database of some kind, we can run some sort of automation on that too: let's just generate backlog items against priorities and so forth, and then maybe put that in some nice neat dashboards for our system owners, stakeholders, etc., just to have it immediately available to them: what is the highest priority of what I want to do right now, what is the general lay of the land.

So in implementing this system there are some complications. Firstly, artifacts: we know we need to get an artifact of effectively what our state looks like. How can we automate this? We're going to use APIs, and that would be so easy, brilliant, if it actually was that simple. Generally some systems may have a nice JSON API that you can just interrogate and pull information out of, brilliant. Other systems, written around the late 2000s, early 2010s, will have maybe XML APIs, which depending on whether they provide you a schema or not may or may not be less tolerable. Generally that's my reaction whenever I see an XML API: not very happy, but at least you can work with them. And then when we don't have that capability you may manually opt to extract a CSV if we can; we just need to get the data in some format. If we can't do any of the above and we have a solution that effectively limits us to HTML exports or PDFs, we want to make some considerations on vendor selection, really. If we can't get that information to us so we can parse it, what's the point of having these solutions if we're going to struggle to scale? So that's mainly just, in that case, we should switch to some other solution.

Normalisation: so this is the obvious multi-vendor extravaganza. Generally the data you pull out of these APIs, what you get from these systems, will vary, so you'll have weird cases where you just happen to have no data in some places. Unpublished vulnerabilities are an example of this: some systems may contain a vulnerability and you'll say, OK, this one is here, we should patch it, or it gets reported, but it's actually unpublished: it's within the CVE database, and through whatever means that vendor somehow is able to detect it (I'm not exactly sure of all the technicals around that), but when you do that you end up with just no fields for CVSS scores, and that is extremely annoying. So pretty much when we do normalisation we just ignore half of what we're given, and we just say: what's the CVE ID? Go to the NIST database, the CVE database, and pull a source of truth we can actually rely on. And sometimes we encounter conflicts in reporting; not necessarily whether a certain system or managed solution has detected more serious vulnerability IDs than the other, it's more that, a good example maybe is Windows security updates: we have one system reporting a certain amount of KBs and vulnerabilities and another reporting less, and then you find out one of them is reporting it for every architecture. And, you know, we made sure certain systems were more trusted to evaluate certain pieces of software, so that's just a consideration we may have.

Now the next bane of my existence is standards. So we're all familiar with CVEs and such, but what else? We have the Common Platform Enumeration, which in a nutshell is just a software name standard. When you pull data out of these systems and you compare them, sometimes these systems are great and they'll do that, sometimes not so much. Generally, in terms of what's more human readable, yes; in terms of what's processable, that's terrible. We'd much prefer a nice CPE that we can use to figure out what piece of software is problematic. Again, NIST and the CVE databases are absolute saviours: in a given vulnerability they'll have those CPE IDs attached, so you can just go ahead and grab them and use that instead.

Enrichment: by this point, if you're sending out reports to people, I hope your assets are tagged, because you need to know what assets are what in order to send out reports in the first place. But generally this is just if you want to add any more information: additional asset ownership information, resource tiers if we have various assets across the cloud and so forth, and most importantly here we probably want to come up with some sort of weighted risk matrix calculation, sort of system, so we can effectively assess, by our tiering of our applications or servers, what is the highest criticality first that we need to address, or perhaps what's the most exposed. Generally your innovation teams, your DevOps teams may have tiering more laid out than some of your other teams or some of your system owners; you may have to do some of their work on this.

Providing this entire kind of methodology, the system, goes well, the result is we have some nice neat dashboards: everything's prioritised by known exploitable vulnerabilities first, it links to all the information that someone remediating needs to know how to do it, and we've already made their backlog items; all they need to do is allocate and spend time. In this case we still need to think about deferral, acceptance, all these things that come with vulnerability management, which effectively we'd have to implement ourselves, as mentioned with that previous system; it's just more engineering work.

So at this point you're probably thinking: well, vulnerability management sucks, can we throw money at people to do this? Yes, but there are some considerations first. We have unified vulnerability management platforms emerging; you can just go search them on Google and they will come up. They can't magic APIs out of nowhere: we still have issues with artifact generation. If your systems don't have APIs, you can't get data out of them; they can't fix that for you. You'll lose some flexibility on overrides, as in the example earlier: you can't granularly say we trust this system more for a certain piece of software or whatnot. And they're doing proprietary rating systems, so generally if you want a truly accurate rating system for prioritisation the only real way to do it is self-built. You know, this is a great start: if you have limited engineering resources but you have plenty of budget, then feel free to throw money at them, they'll make your life easier.

And if you are going to be doing it yourself, general observations: maintenance, maintenance. If you do not maintain the system it will fall apart. Also automation has to scale, and now we're kind of thinking more DevOps: a thousand lines of Python code is not a good idea for this system; you need a scalable system that effectively is now thinking about microservices, or all the kind of considerations you have when you're just developing software, effectively. So that is a summary of why vulnerability management sucks and what we can do to make it suck a bit less. Now for questions, if anyone has anything to ask afterwards, but I've wasted the 10 minutes at the start of the talk fumbling with a HDMI. [Applause]
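The artifact, normalise, enrich, prioritise pipeline the speaker sketches, as an added example (this is not code from the talk or from any product it mentions). It shows the points the transcript raises: two scanners with different field names and rating scales, an architecture-duplicated finding, a conflict resolved by a per-product trusted source, an unpublished CVE that has no CVSS score, a lookup against an NVD-style source of truth for CVSS and CPE, enrichment with owner and tier from an asset register, and a weighted risk score that puts known-exploited findings first. Everything here is constructed: the scanner rows, the `NVD` table, the `ASSETS` register, the `TRUSTED_SOURCE` map, the CVE numbers (`CVE-0000-000x` placeholders) and the `WEIGHTS`; a real pipeline would fetch the NVD/CVE data from NIST and the findings from the vendors' APIs.

```python
"""Toy vulnerability-reporting pipeline: artifact -> normalise -> enrich -> prioritise.
Added example; every input below is a constructed stand-in, not real scanner or NVD data.
"""
from dataclasses import dataclass

# --- Constructed artifacts from two scanners with different schemas and rating scales ---
SCANNER_A = [  # severity words
    {"host": "web01", "cve": "CVE-0000-0001", "severity": "High", "product": "nginx"},
    {"host": "db01", "cve": "CVE-0000-0002", "severity": "Medium", "product": "postgres"},
]
SCANNER_B = [  # 0-1000 numeric score, one row per architecture, plus an unpublished CVE
    {"asset": "web01", "cve_id": "CVE-0000-0001", "score": 870, "arch": "x64", "product": "nginx"},
    {"asset": "web01", "cve_id": "CVE-0000-0001", "score": 870, "arch": "arm64", "product": "nginx"},
    {"asset": "win01", "cve_id": "CVE-0000-0003", "score": None, "arch": "x64", "product": "windows"},
]

# Constructed stand-in for the NIST NVD / CVE source of truth: CVSS base score, CPE and a
# known-exploited flag. CVE-0000-0003 is "unpublished" so it has no entry at all.
NVD = {
    "CVE-0000-0001": {"cvss": 9.8, "cpe": "cpe:2.3:a:example:nginx:1.0:*:*:*:*:*:*:*", "kev": True},
    "CVE-0000-0002": {"cvss": 5.3, "cpe": "cpe:2.3:a:example:postgres:14:*:*:*:*:*:*:*", "kev": False},
}

# Constructed asset register used for enrichment: owner, tier (1 = most critical), exposure.
ASSETS = {
    "web01": {"owner": "platform-team", "tier": 1, "exposed": True},
    "db01": {"owner": "data-team", "tier": 2, "exposed": False},
    "win01": {"owner": "desktop-team", "tier": 3, "exposed": False},
}

# Which scanner we trust per product: the granular override the talk says unified platforms lack.
TRUSTED_SOURCE = {"windows": "B", "nginx": "A"}

# Weighted risk matrix (constructed weights): CVSS plus bonuses for tier, exposure and KEV.
WEIGHTS = {"cvss": 1.0, "tier_bonus": {1: 3.0, 2: 1.5, 3: 0.0}, "exposed": 2.0, "kev": 10.0}


@dataclass
class Finding:
    cve: str
    host: str
    product: str
    source: str


def normalise(scanner_a, scanner_b):
    """Map every vendor row onto a common Finding keyed by (CVE ID, host).
    Vendor ratings are deliberately dropped; CVSS comes from NVD during enrichment.
    Per-architecture duplicates collapse onto one key, and when two scanners report
    the same finding the trusted source for that product wins."""
    buckets = {}
    for row in scanner_a:
        f = Finding(row["cve"], row["host"], row["product"], "A")
        buckets.setdefault((f.cve, f.host), []).append(f)
    for row in scanner_b:
        f = Finding(row["cve_id"], row["asset"], row["product"], "B")
        buckets.setdefault((f.cve, f.host), []).append(f)
    resolved = []
    for candidates in buckets.values():
        trusted = TRUSTED_SOURCE.get(candidates[0].product)
        resolved.append(next((c for c in candidates if c.source == trusted), candidates[0]))
    return resolved


def enrich_and_score(findings):
    """Attach CVSS/CPE from the source of truth and owner/tier from the asset register,
    then compute the weighted risk. Unpublished CVEs (no NVD entry) are kept and
    flagged rather than silently scored as zero or dropped."""
    items = []
    for f in findings:
        asset = ASSETS[f.host]
        base = {"cve": f.cve, "host": f.host, "owner": asset["owner"], "source": f.source}
        nvd = NVD.get(f.cve)
        if nvd is None:
            items.append({**base, "cpe": None, "cvss": None, "kev": False,
                          "risk": None, "status": "unpublished"})
            continue
        risk = (WEIGHTS["cvss"] * nvd["cvss"]
                + WEIGHTS["tier_bonus"][asset["tier"]]
                + (WEIGHTS["exposed"] if asset["exposed"] else 0.0)
                + (WEIGHTS["kev"] if nvd["kev"] else 0.0))
        items.append({**base, "cpe": nvd["cpe"], "cvss": nvd["cvss"], "kev": nvd["kev"],
                      "risk": round(risk, 1), "status": "actionable"})
    return items


def backlog(items):
    """Backlog order: actionable before unpublished, known-exploited first, then risk descending."""
    return sorted(items, key=lambda i: (i["status"] != "actionable", not i["kev"], -(i["risk"] or 0.0)))


def run():
    return backlog(enrich_and_score(normalise(SCANNER_A, SCANNER_B)))


if __name__ == "__main__":
    for item in run():
        print(f'{item["cve"]:14} {item["host"]:6} {item["owner"]:14} {item["status"]:12} risk={item["risk"]}')
```

The unpublished CVE is the failure mode the talk singles out: rather than reporting a finding with an empty CVSS field, the pipeline marks it `unpublished` and keeps it visible at the bottom of the backlog, where a human can decide whether to chase the vendor or defer it. The `TRUSTED_SOURCE` map is what resolves the "one scanner reports every architecture" conflict: the nginx finding appears three times across the two artifacts but produces a single backlog item attributed to scanner A.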