How Vulnerability Intelligence is Poisoning your Information Security Program - Gordon MacKay

BSides Boston | 40:56 | 64 views | Published 2017-05
About this talk
Integrating vulnerability scanning results into one’s security ecosystem involves a serious hidden challenge which results in heinous consequences, thereby killing your InfoSec program. This session shares clues on this challenge, step by step, in the form of a murder mystery game, and ultimately reveals the culprit as well as strategies to overcome it. Come participate, play, and interact! Try to guess “who-dunnit,” and learn how to avoid future similar InfoSec crimes.

Okay, so let's get started. Good. So my name is Gordon MacKay and I work for Digital Defense, and we're going to, I'm going to share an infosec talk in the form of a murder mystery. Okay, anyone here play Clue before? Okay, excellent. So let me just introduce myself first. So yeah, I'm Gordon. I grew up in Montreal, Canada, so not far from here. I know that Boston and Montreal are very, you know, head-to-head in terms of hockey. Just by the way, I saw the Montreal Canadiens beat the Rangers yesterday, was incredible game, just want to brag about that. This is a great weekend, and was on the plane, so I live in San Antonio, I was

on the plane coming here, I guess it was Friday, and so many runners were on, and I'm gonna runner, lots of runners were, you know, on the plane. I'm like, what is going on, is it really the Boston Marathon? Of course I googled and there was. So, great weekend. I'm not going to be running in it because I'm going to be drinking later on, so come join me. Anyway, yes, I'm from Montreal, Canada, I grew up there. I went to McGill University, so kind of friends with Harvard, sort of, and I started working in sama I graduated in Computer Engineering. I started working, started my career at Bell-Northern Research, Nortel, doing software engineering, software development for

switching, telephone and telephony, and it was great. And I thought, hey, if I'm going to do this, where's all the action? And all the telecom action at the time was happening in Dallas, Texas, in the Telecom Corridor, so I moved my family and myself, of course, to Texas, to Dallas, Texas, in very, very late 1995, just after Christmas. Started working, I think it was like January second or third, I can't quite remember, in 1996, and I, you know, did some call processing, call processing software, platform-type software, and stayed there about seven years. Then telecom started going downhill at the time, sort of gradually, and I started looking for a job. I was being laid

I was given the heads-up, and so anyway, I looked around and I found this cybersecurity Internet company called Digital Defense, and that's where I still work. I started there in November of 2002. I didn't know much about Internet security at the time, I knew a little bit, but they brought me on board, made me for my software architecture skills, and I learned off through osmosis, you know, security. My work with a bunch of pen testers who drink Red Bull and hack into banks and stuff and get paid to do that. I don't know what they do on their off time, but anyway. So they brought me on board to help re-architect a vulnerability management system. So

Digital Defense, we offer vulnerability management system, much like, you know, Jack was talking about, you know, some of the three, like Tenable, Rapid7, you know, Qualys, Tripwire. Digital Defense, we offer a vulnerability management system. We architected it ourselves, we have three patents on it already, so we're one of the best-kept secrets in that area. And so when I came on board way back in 2002, I remember I started working, you know, it started really Viktor me right into it right away, and I started working on the existing system, which was very immature, if you will, was not n-tiered, it was like, you know, essentially you had, you had database code right in the web and

you know, it's kind of like two-tiered, I guess. And there was an issue that I started learning about, and that's the basis of this talk. And so we came up with a solution for this when we re-architected it, approximately 2004 was the second incarnation. Now we're in our sixth incarnation of this vulnerability management system, and the solution that I'm going to talk about here, or the problem that I'm going to talk about, is solved in that incarnation. So anyway, let's move on and let's get to this. So as far as an overview, I'm going to go over a little bit about Clue, right, because this talk models Clue, right. So this problem that I'm referring to, I'm

not going to tell you about it up front. I'm going to step-by-step walk you through it, and I'm going to encourage you and invite you to, you know, if you figure out what this issue is that I'm referring to, you can raise your hand and say, hey Gordon, I think I know what it is. You can shout it out, and I don't have a prize to give you if you win, but you recognition, right, so recognition is almost as good. So meager mission: we're going to talk about Clue a little bit, we're going to go over a crime scene, we're going to talk about what I call detective tools moment, we're going to talk about vulnerability

management background, because there's a specific scanning methodology that this problem is related to, and we're going to talk about circumstantial evidence. I will then reveal whodunit, so that's maybe 3/4 way through the presentation. Talk about the victims, the consequences, and avoiding future crimes. Okay, great. This is the Clue board, does this look familiar? Great. So Clue is a game where you have nine rooms, so the ballroom, conservatory, etc., study room. You have a set of cards, actually you kind of see them in the corner up there, I guess that's what these are right here, that's kind of cool. These are rooms, right, so these are the rooms. You also have six weapons: the knife, the lead pipe, the candlestick, etc.,

and you have six suspects, which are represented by the little playing tokens, the little colored playing tokens that you see here. That's Mrs. Peacock, here she is, okay. Miss Scarlet, one of my favorite characters, here she is, right. And so what happens is each player rolls a dice, up to six players can play, you move around the squares and you enter a room, right. Let me take a step back first. Prior to all that, the very beginning of the game, one of the players turns this set of weapons around, shuffles them up, right, and then pulls out one. That's the weapon that the suspect use, it uses to commit the crime,

right. So there's a crime that happen in Clue, and you had to deduce who had committed it, with what weapon, and in what room. So with the suspects, you know, the person shuffles them up, takes one out, places the cards there. Similarly with the rooms, take one out and place the rest in there. Now the person then shuffles up the remainder of the cards and distributes them to the players, okay. So now you have a set of cards in your hand and you're rolling a dice and you're going around, you enter a room. Each player, when they enter a room, can make a suggestion, and the suggestion is, I suggest, as an example, I suggest that Mrs. Peacock

committed the murder with the rope in the billiard room. So you have to suggest the room that you enter in, right. Now what happens is the player to your, I believe it's left, if they have one of these cards in their hands, the path if they have one of these cards, if they have the billiard room or the rope or Mrs. Peacock, then they can choose to show you whichever one that is. Okay, so it's Mrs. Peacock, so Mrs. Peacock of course didn't do it. One of the things I forgot to mention is, at the very beginning of the game, when you shuffle up the actual crime scene, a player puts it in the sort of envelope, and that's

what that envelope is that you see there, top right here, right, so just blowing it up a little bit, there it is. It's placed in the middle, okay. So your goal is to guess what that is, and that's what we're going to do as we walk through this presentation. So we're going to talk about information crime scene. What is this scene that we're going to talk about? Okay, well, you know, in the olden days, or quite some time ago, when security was a lot younger, and I was a little younger as well, than you were as well, the different security technologies mainly operated within their own security silo, maybe with the

exception of SIEM, but essentially vulnerability management, you know, had technology and processes and it didn't share that information with other technologies, similarly DLP, etc., right. And then we started to get smarter and we started to say, hey, if we want to solve sort of more advanced, and maybe not even that advanced, use cases, we need to talk to each other, we need to take this information from the various systems, from the various systems or going to go back and share it. And so what I did is I map these various technologies, like IAM is Mr. Green, Miss Scarlet is vulnerability management, etc. One of these technologies is actually sharing

poisonous data. This is the crime scene: is actually sharing poisonous data into your security ecosystem, and not only is it polluting its own silo, but it's polluting, you know, these security technologies that it shares information with. So that in the middle is your CISO drinking poison as a result of it, that's sort of a side effect, unfortunately. So let's take a step back and talk about a security use case. It's a hypothetical use case, but it actually could be very real, so sort of set the stage. So now, please don't go over here out of this room and say, hey, Gordon just revealed a zero-day, because that's not the case, it's a hypothetical use case,

right. But imagine that we had just been, you know, just today has been revealed the fact that the Apache web server, for specific versions, right, so for versions 2.4.0 to 2.4.24, there is a serious vulnerability, but it's not impacting the most recent release of 2.4.25, it's fixed in that one, magically. Okay, what would you do as a security professional to sort of gauge your risk across your network? Well, you'd probably want to consult your vulnerability assessments, right. Hopefully you have a vulnerability assessment program, vulnerability management program. You consult those, or even better, you would launch a more recent scan, right, maybe even today,

across your entire network to determine, okay, which of my network elements actually is running Apache at the vulnerable versions. So I'm showing this network diagram here, right, a very small one, where the red dot represents a vulnerable instance of Apache, so there's only one here today. And, you know, a lot of security professionals would say that's enough to know that, I'll now just, you know, prioritize this amongst all my other vulnerabilities and throw it into my vulnerability management program and off to the races I go and I'm happy. But, you know, if you think about it a little bit more, it's very possible that although today we know about this zero day,

hypothetically, the bad guys and bad girls, for example the hackers, might have known about this for quite some time, and they perhaps might have even compromised this without even knowing it, maybe they got past their incident response program, if that makes sense. So what you do, in addition to, you know, looking at the present, is you'd look in the past. You'd say, hey, where perhaps was I vulnerable in the past where today I'm not? How could that happen? Well, maybe, you know, maybe you used to have an Apache, that system that was vulnerable, it was installed here in the past, but you de-installed that, you didn't need it on that server anymore, or perhaps you

upgraded to the 2.4.25 and you're not vulnerable. So it's possible that you were vulnerable in the past but not necessarily today. So this diagram is showing one instance of vulnerable which is there in the past, but two that were in the past that is not in the present, if that makes sense. You can take that, what I call vulnerability intelligence, feed it into your incident response program as candidates for nodes that are perhaps already compromised, not to say that they are, but they might be, okay, it's just extra information. So that's pretty cool. So here's where I'm showing vulnerability management, and this is at the stage now you're playing Clue and

you discovered, through the process of elimination, going through the board, and you look at your cards, wow, I know that Miss Scarlet is the actual murderer, if that makes sense. You may not know what room it's in, you don't know what weapon, but you know it's Miss Scarlet, so you're proceeding on. So this is the situation where vulnerability management is feeding poisonous information to incident response. Something's gone wrong, okay. So in other words, in the previous diagram where I showed three candidates, three candidates are being shared, perhaps there's actually more than the three candidates, but we didn't feed the right information to incident response. So there's some challenge within vulnerability management where the data

that we're sharing isn't perfect, if that makes sense. Okay, so let's explore more. So this is where we take a step back. I put this on the board because on my next diagram I talked about time, and every time I think about that I think about, you know, pretty Marty, right, so where Doc's on the board and in Back to the Future - this is Back to the Future - by the way, if you've seen it. So I used these sort of, I guess, diagrams, I, you know, kind of fantasized about myself on the board just like Doc. And so to share a little bit more about this issue, this challenge that vulnerability management, vulnerability scanning has, is the bottom

part of the diagram that I'm showing here represents the real-world assets, right, the computers that you can touch, even if they're virtual, you know, they're there, right. Whereas the top part of the diagram illustrates two different point-in-time scans, these are, right. So within vulnerability management you're not just doing one scan at one point in time and finding the vulnerabilities and saying, I'm done, let me go patch, never again look at it. It's a process where you're doing this at regular intervals to understand, oh, new vulnerabilities came out, or what did I fix, did I really fix it, let me verify that. So you're actually doing vulnerability scans at multiple points in time. Well, one of the

challenges is, how does the vulnerability management system, not necessarily the scanners, but the vulnerability management system, how does it know that a given asset that's been scanned at one point in time is the same as its correct counterpart as scanned at a different point in time? So that's important in order to satisfy our use case, in many other use cases it needs to be able to do this, okay, if that makes sense. Question is, how does it do this, right? So to understand that, let's look a little more into vulnerability management, vulnerability scanning technologies. I mapped the different weapons of Clue to these, and I'll explain that in a second, but first let me explain these different

technologies. So there are different scanning technologies in vulnerability scanning land that we all use. There's agent-based, which is up here. There's passive scanning, not all vendors do that but some do, it's not up here, but it falls into one of these categories. There's what I call remote unauthenticated based scanning, or network scanning, and then credential-based, or privilege-based. So agent-based, represented by the rope because it's tied to it, so there's sort of a relation, this is where essentially you'll have your vulnerability management system, which perhaps is not necessarily on, you know, on your computer, and you'll have agents that are on the computers. They're actually programs that are on the computers that you want to scan, so

you have to deploy them somehow. Sometimes that's not hard, but sometimes it's not that easy, right. And so when you run a scan, the centralized vulnerability management system interfaces with that program and says, go launch your scan, and the scan is actually running on the computer, if that makes sense, it's right on it. So it's very accurate because it's present on it, you can get all the files, all the registry keys, lots more. So that's the agent-based. Remote unauthenticated: in this case the scanner has no presence at all on the host that it's scanning. It's remote, and it will send internet messages to those nodes that it's scanning, and based upon the responses it'll determine, well, first of

all, is there even a computer there at the IP address space that I may be scanning, what ports are open, what services are there, what applications are present, for example Apache, what vulnerabilities exist, finally, right. So that's remote unauthenticated based scanning, or network-based. Credential-based scanning is sort of a mixture of the two. The scanning intelligence is remote, but essentially what you do is you go into your IT system, you set up a set of credentials for your various nodes that you want to use privilege scanning with, you enter the vulnerability management system and you provision those credentials, and then the vulnerability scanner will authenticate to the various nodes and then it can get

information such as registry keys, files, etc., and draw conclusions. It may even be able to, or can, depending upon the credentials, drop what we call a dissolvable agent, or which is a program on the computer, so in that sense it's very, very similar to agent-based scanning. Okay, so it's very, you know, very deep, but there are challenges, or overhead challenges, IT overhead challenges, to actually perform it. In other words, you have to create credentials, you have to maintain those credentials, you don't want them to have too much power, you may not want them to live forever, maybe you just want to manage it, and, you know, sort of in such a way that, okay, I'm just about to launch a

scan, let's enable it. So there's some overhead involved if you want to do it right. Okay, so let's take a step back now. Most organizations, vendors first of all, most vulnerability management vendors will offer, their certainly offers the remote unauthenticated one, they may or may not offer agent-based, and they typically will offer credential-based. So they're going to offer two things, maybe three, maybe even four, passive is in there as well. And essentially the way that clients will use the technology is, because unauthenticated or network-based scanning is so, it has such low overhead and it's quite accurate even though it's not necessarily on the node, they'll set up recurring scans, maybe monthly, maybe

weekly, maybe even continuously, to scan the entire network. They'll cast the wide net to get, you know, to kind of get the risk and the information across the entire network, and then they'll use agent-based or credential-based for certain situations, we can talk a little bit about more. For example, laptops, where, you know, you're actually doing browsing and you have Adobe and, you know, Flash and those types of things. There are certain vulnerabilities that unauthenticated cannot detect because they actually don't open ports to do so, but yet they're still remotely exploitable. So if I send you, for example, a Word doc that has a, you know, malicious payload, even though Word isn't an application

that listens on the Internet, you may still be compromised, right. So you'll use credential-based scanning to detect that. Or, for example, if you know where your credit card information is, you have nodes, or parts of the network, which have more risk, you'll want to perhaps get more information, so you'll be willing to spend more money to set up credential-based scanning or agent-based scanning, if that makes sense. Now, I tied the candlestick to remote unauthenticated based scanning because the candlestick, if you look at the various weapons in Clue, the candlestick is the only one that actually sheds light, or can shed light. I didn't have a flashlight, so if I did I would have used

it, but so the candlestick sheds light, right. So it's kind of like the scanner sheds light on the nodes that it's scanning, and based upon what it sees remotely with that light, it draws conclusions. Okay, so that makes sense, so great. Now, it's at this point in time, I didn't tell you, but the candlestick is actually the weapon, if you haven't guessed it yet, since I spend so much time on it. The candlestick is actually the weapon that's being used here. In other words, it's because of remote network-based unauthenticated scanning that vulnerability management vendors experienced this challenge that I'm sharing with you today, which is the subject of our murder. And you may wonder, a great, specifically how

do vulnerability management vendors, the solution providers, how do they actually track the various endpoints? Remember that diagram that I shared where you had two different scans, how do they track the assets I've seen at one point to the correct counterparts as seen at the other point, especially when we're talking about remote unauthenticated scanning? Agent-based scanning, credential-based scanning don't have that challenge, and we can talk about why, but let's leave that to the side for now. Remote unauthenticated does have that challenge, and the reason is because if you look at network characteristics for the various elements that are on the internet, there's really nothing, I mean, there's certain characteristics that you would

think are quite static, but in reality they may all change. Okay, a lot of people, when I present this or talk about it, they will say, well, what about MAC address? And I'm like, yeah, it's pretty stable, but the problem is, unless you're deploying scanners on every single network segment, or unless you're talking about Windows, you're not always going to get the MAC address. And so in fact one of the largest vendors out there doesn't use MAC address at all to track. And so you may wonder, how do they do it, what do they use? Well, they use various characteristics such as IP address, various host names, MAC address they do use, host types, other things to actually

correctly match those things, but most of the vendors out there used only one or two, perhaps three, so they're very limited in those algorithms, if that makes sense. Actually, this is one of the very, you know, one of the top vendors out there, I'm not going to name who this is, what they, they actually, I'm, so I'm sharing with you one of the prevalent algorithms out there that actually is used to solve this problem. And I call the algorithm, and they call it, for example, they call this problem host tracking. So if you googled host tracking, you know, what I really meant event host tracking, you'll figure out who it is, because I'm not banging on

anybody here, I'm just saying this is, you know, this is real, this is a real problem. And so they use what I call single host tracking key admin user specifies one of, it's a very long name, I'm a software developer and I use very long names in my variables as well, and everyone tells me, what are you doing, but anyway, I digress. So they use one of IP address, DNS hostname, or NetBIOS hostname. In other words, they will allow you to go into the vulnerability management system as you, as the administrator, and provision this system in such a way that you indicate how do you want the vulnerability

management system to track hosts across time, from, you know, different scans. And you can specify, well, you know, I know that I had this range, this IP address range, in this range I know I have laptops and it's using DHCP, so I'm not going to use IP address, that would be dumb, I need something else, let me use NetBIOS. Oh, but this is a set of servers and this different IP address. So you can do it by different ranges, and you can go in and say, oh, I want this technique for this range, this technique for that range, etc. And so that's how they do it. Now, is that good enough? And

the question, and that's the question, and to answer whether or not that's good enough we really have to ask another question, and the other question is, how often do these characteristics change in different IT environments? So my team and I actually did this study about a year and a half ago, that's why we entered the study room, did this study to find out and understand, well, how often do these things change? And the reason we were wondering about this is because we know that we spent, you know, we have an algorithm, which I'll share, you know, in a little while, to solve this problem, and, you know, it uses pattern recognition and things like that, I kind of studied

that, you know, my final year at McGill. And so we're spending a lot of money, a lot of money meaning it's special software, it's not like simple, okay, I'll just use this characteristic or that characteristic, it's a lot more complex than that. And when you have software that's semi-complex, you're going to have maintenance as time goes on, more maintenance than if it's simple, meaning you're going to have some bugs, so you're going to have updates, you're going to have to make babysit it, you're going to have to, you know, you're going to have to, it's not, it be great if you have an algorithm, let's just perhaps possible, it's hands-off and it's very

intelligent and uses analytics, etc., but that's not necessarily, you know, how this works. And so we want to understand, well, whatever, what are our competitors doing, and is it worth it, is it worth it for us to actually spend this extra time if in fact IT environments are very static? Because if they're very static, we don't have to spend all that money, if that makes sense. So we did a study, and what we did is we looked across time and we subdivided this study into different types of devices: firewalls, servers, laptops and desktops, you know, because they're going to have different rates of change, if that makes sense, based upon different characteristics. Okay, and so I'm showing you just a

cross-section. I'm showing you server-type hosts, these are findings, and client-type hosts, clients meaning laptops and desktops. By the way, here is a reference, I'm sure you could all read that, I'll make the slides available so that it's more easier, we can go to my website, digitaldefense.com, and just search on resources and you'll find it. Anyway, so for server-type hosts, database servers, web servers, etc., application servers, where you would think that, you know, they're not going to change that much, and it's true, there's very low rate of change. But, you know, IP address, which is default actually on the previous algorithm that I showed you for that large vendor, IP address actually changes

at four percent across three months. So if you look at a three-month time period, if you have one server, or let's say you have a hundred thousand servers, four thousand of them are going to actually experience at least one change. So we counted one if we saw a change across that three-month, and it compounds itself, so after another three months you're going to see more churn, right. So if your algorithms are simplistic, you're going to get things wrong, if that makes sense. So you're probably getting a little understanding of the crime here. So here's where I have a diagram actually showing, and a map, so what I did is I map the rooms to the different IP addresses,

and so in this vulnerability management game that we're playing, which is more than just vulnerability management because we're taking the information, we're feeding it into our security ecosystems in the form of integrations, right, to solve different use cases, this game is actually more complex than Clue, because in Clue the murder, the murder happens, or was committed, in one room, but in this game the rooms change, right, so it's actually multiple rooms, that make sense. So that's that one. So, whodunit reveal. This is the point in time where I reveal the whole story, probably guessed it by now, but it's the candlestick which is the weapon, Miss Scarlet is the culprit, and any room you would have picked is cool because it

happens in many different rooms. So the reason is, most widely used scanning technology in environments, not to say that the other ones are not used, but I mean, if you're doing scanning and you're doing all agent-based, then bravo to you, that's great, similarly with credential-based. But most, if not all, of our clients actually are having troubles doing that because it costs money, and so they often use remote network unauthenticated scanning. But that comes with the challenge, and that challenge is solved in different ways by different vendors. In fact, that challenge isn't, it's not at the forefront of your minds. Often when I give this talk, by the end of it

people come up to me and they say, wow, I didn't even realize that that was a problem. And, you know, it's kind of like you just don't think about it, you just assume that it's there, just matching perfectly, but that's not the case. And in fact most vendors use very simplistic algorithms, and I was a little surprised at this, and so that's the second point. And thirdly, all remotely discoverable characteristics are subject to change. So IP address is subject to change. You know, IT personnel, they're not just sitting around doing nothing, they're, you know, things draw up printers drop it I said I'll just change the IP address and I'll inform the people, you

know, so they kind of get around that problem. But they're not thinking, oh, I better not change these things because the vulnerability management system is using this tracking mechanism to track it and all things are going to break, so that's not good. No, they don't think that, right. You have these different teams, and so anyway, that's a big problem. So the real crime here is that vulnerability management systems lack efficient what I call scan-to-scan endpoint correlation, and the result is often they mistake a scanned asset at one, in one point in time, to a different one, or they assume, hey, it must be a new asset, I've never seen this before. So this is the sort of crime

revealed. So I open up the envelope, well, I almost forgot, I have it here, open it up, and I've got the candlestick, I got Miss Scarlet here, obviously you know that I shuffled them up sort of non-randomly, so right, and you got the room. Anyway, for the purpose of the presentation, very good, let's move on. Consequences. Time check, we're doing good. Okay, consequences. There's actually two different, I mean, there's a lot of sub-consequences, wasted money, etc., but the root cause or consequences of this issue are that the vulnerability management system that you're using will often declare an asset duplication, in other words, and we'll talk within the second, or an asset mismatch. Let's talk about asset mismatch.

Okay, so here's an example. There's this diagram again, this Back to the Future diagram. Okay, here's your assets, and over here I scan in week one, and I, you know, I see three different hosts with various different network characteristics. This is what the scanner is seeing at that point in time. Time progresses. Now let's assume that your IT operations team is doing some work and something happened, and they made a change to these two assets, and for whatever reason they flip the IP addresses. Okay, this is sort of a very simplified example, but in this situation what happens is the vulnerability management system, if it's using IP address, for example that larger vendor that I was talking about, if

you didn't know about this problem, you can go into the system it specify anything, it's going to be using the default, which is IP address, and even if it were servers, maybe you'd want it to be that way. So anyway, the vulnerability management system will believe that this asset is the same as this one because they have the same IP address. Well, what's going to happen is, let's, so for example, take a step back, let's assume that this red asset has, you know, a set of vulnerabilities, and the yellow asset has a completely different, you know, it's orthogonal, nothing in common. Yeah, sure, they may both have high-level vulnerabilities, etc., but they have

nothing in common for the sake of argument right so what happens is after this scan the vulnerability management system will declare wow you fix all the vulnerabilities that were there before for that red asset oh you got new ones now but that's okay you're always going to have new ones here and there but that good job you fix those but that's not true the only reason it's declaring that is because it it encountered a mismatch I don't know if you've experienced this but we've talked to you know lots of people not not necessarily our clients but prospects that have come to us and you know or people come up to me after a presentation early oh that's exactly the

issue I'm experiencing thank you for highlighting that so that's that's mismatch duplication which I don't have a diagram for you but sort of simplistically is a case where imagine that at this point in time or later you know so for example let's say here you you you actually detected this issue you like wow wait a sec why is the vulnerability management system telling me that these things are fixed I know they're still there and then you and then you discover oh it's because okay let me go into the system and actually change this so that it no longer matches an IP address but instead matches on let's say oh I don't know well I guess

it's kind of hard because there isn't anything in this situation but let's use this one so the red one DNS hostname I think that's correct it looks right yeah we're going to use that and if it's not let's assume that it is right so I'll use that right but then later let's say that's changed and so now you're in a situation where you have nothing that's common and the vulnerability management system will detect it at a certain IP address and it would declare well I've never seen this host before because it doesn't match anything so it must be a new one let me add it to the asset list so that's duplication now you have two hosts which

actually had the same information and you may actually take this and take this host prioritize the vulnerabilities and send it out for remediation well need to discover you know after work you know in research Wow I don't I don't even know where that host is or oh hey wait a sec this host belongs to this other team it's not mine and so there's actually what I call a lot of chasing ghosts right so victims and impacts I talked a little bit about this one of the largest well there's a lot of different issues here but one of them one of the sort of high level ends is you have in your you know in most

organizations security generals right and they're looking at this information and they're making decisions based upon the risk you know so if you look at what what vulnerability management brings us brings us a lot of things but it also brings us sort of a gauge of what our risk is across our entire network talking about our actual you know network security risk that's opposed to other types of risk right well that information they want they're making us making decisions based upon it and often that decision-making although perhaps is correct based you know it's correct from an algorithm perspective it's incorrect because the actual data is not correct right so if so in other words the the

vulnerability management system is is a gauge for risk and that gauge is off because of this issue right so that's that mismatch scanned endpoints right so I had a prospect that comes to us and told us told me a story where they were actually like just as the example before they were assigning out vulnerabilities so so essentially this is a large organization they have they were using a different solution at the time they have a centralized vulnerability management team or centralized security team that is responsible for vulnerability management and they had different IT teams that owned these assets right and so they had a lot of duplication in their asset because of this problem and

they were assigning out vulnerabilities to teams that didn't even know where the assets were because they weren't owned by them they were owned by a different team so that's wasting time right so lots of other issues there so how do you solve it well this is what we did at Digital Defense we unlike other vendors where they're just taking a few different characteristics simultaneously in the case of that large vendor that I referred to they were actually using one simultaneously you had a choice of which one out of three but really you're looking at you could imagine like or sort of you know yeah the analogy I use is imagine your fingerprint where you have all these

different ridges etc well wouldn't it be great if you could fingerprint match based upon everything you see but what a lot of vendors are doing is they're actually just taking one one little ridge one that you could one of three that you can choose or maybe they have two maybe you don't have a choice maybe there's two or three so it's very limiting why not use everything that you can see and that's what we do right so it's not simple because you have different characteristics that have different weights and there's a lot of sort of dependencies etc but if you could use everything that's a philosophy if you could use everything you see then even though you know one thing or two

things may change across time at certain rates by and large if you're looking at everything you kind of have a semi static thing that you can use to match these hosts right so that's what we do so the ideal solution so going back to our mismatch even though this red host had perhaps changed its IP address the system should actually of course realize that and this is a simplistic case but it should match it together so simple diagram murder mystery solved thank you very much for helping me with this so security ecosystems the use case for example at the very beginning which is kind of you know it's a cool use case inner others in order to satisfy that

you have to understand or the the vulnerability management system has to correctly map the given assets as it sees them at different points in time and those things change right that's the second point network endpoints change problem is most vulnerability management solutions use one or two characteristics or three but they don't use all of them unfortunately so they're very limiting how do you solve this well ask your vendor hey well how do you how do you solve this problem now that you're sort of more enlightened on it or hey use their API pull out so for every scan you pull out all the data put it in you know some place not necessarily a SIEM although perhaps you

could and you correlate this on your own now not easy but it's doable and that's what we do but we do it within the context of the actual bowels of our vulnerability management system so wonderful it might be a little bit early but hey thank you and any questions
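
The asset mismatch and asset duplication cases described in the talk, reproduced as an added example (not part of the talk, and not Digital Defense's or any vendor's actual algorithm). The attribute names, weights, threshold, host values and vulnerability IDs are constructed assumptions; the point is how matching on one characteristic compares with scoring every characteristic the scan observed.

```python
# Constructed data; attribute set, weights and threshold are assumptions.
WEIGHTS = {"ip": 1, "dns": 3, "netbios": 3, "mac": 4, "os": 1}
THRESHOLD = 5  # minimum score to treat two observations as the same asset

def host(ip, dns, netbios, mac, os, vulns):
    return {"ip": ip, "dns": dns, "netbios": netbios, "mac": mac, "os": os,
            "vulns": set(vulns)}

# Week 1: the asset inventory as the scanner recorded it.
WEEK1 = {
    "red":    host("10.0.0.5", "red.corp.example", "RED", "aa:00:00:00:00:01", "Windows", ["V1", "V2"]),
    "yellow": host("10.0.0.6", "yellow.corp.example", "YELLOW", "aa:00:00:00:00:02", "Linux", ["V3"]),
    "green":  host("10.0.0.7", "green.corp.example", "GREEN", "aa:00:00:00:00:03", "Linux", ["V4"]),
}
# Week 2: (ground truth, observation). Red and yellow swapped IP addresses,
# and red was also renamed in DNS.
WEEK2 = [
    ("yellow", host("10.0.0.5", "yellow.corp.example", "YELLOW", "aa:00:00:00:00:02", "Linux", ["V3"])),
    ("red",    host("10.0.0.6", "red-new.corp.example", "RED", "aa:00:00:00:00:01", "Windows", ["V1", "V2"])),
    ("green",  host("10.0.0.7", "green.corp.example", "GREEN", "aa:00:00:00:00:03", "Linux", ["V4"])),
]

def match_single(obs, assets, key):
    """Match on one characteristic only; None means 'never seen, add as new'."""
    return next((aid for aid, a in assets.items() if a[key] == obs[key]), None)

def match_fingerprint(obs, assets):
    """Weighted match over every characteristic the scan observed."""
    def score(aid):
        return sum(w for k, w in WEIGHTS.items() if assets[aid][k] == obs[k])
    best = max(assets, key=score)
    return best if score(best) >= THRESHOLD else None

def reconcile(matcher):
    """Return (mismatched hosts, duplicated hosts, vulns wrongly reported fixed)."""
    mismatched, duplicated, false_fixed = [], [], set()
    for truth, obs in WEEK2:
        aid = matcher(obs, WEEK1)
        if aid is None:
            duplicated.append(truth)      # known host re-added as a new asset
        elif aid != truth:
            mismatched.append(truth)      # findings compared against the wrong host
            false_fixed |= WEEK1[aid]["vulns"] - obs["vulns"]
    return mismatched, duplicated, false_fixed

by_ip = reconcile(lambda o, a: match_single(o, a, "ip"))
by_dns = reconcile(lambda o, a: match_single(o, a, "dns"))
by_all = reconcile(match_fingerprint)
```

Matching on IP alone reports every week-1 finding on the swapped hosts as fixed, matching on DNS alone re-adds the renamed host as a new asset, and the weighted match over all characteristics tracks all three hosts correctly.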