Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management

•

1 like•193 views

In the last year, we’ve seen numerous attacks with global consequences leveraging exploits against well-publicized vulnerabilities with available patches. This presentation will provide Forrester’s perspective on the challenges clients face in the vuln management space and make recommendations for improving how we prioritize and communicate vulnerability risk within our organizations. Learning Objectives: 1: Outline a long-term strategy for evolving vulnerability risk practices. 2: Use industry examples to demonstrate effective VM prioritization. 3: Provide immediate takeaways to start improving VM processes tomorrow. (Source: RSA Conference USA 2018)

Technology

SESSION ID:
#RSAC
Josh Zelonis
EVOLVE OR DIE: HOW TO STOP
GETTING SLAUGHTERED DUE TO BAD
VULNERABILITY MANAGEMENT
TECH-W02
Senior Analyst
Forrester
@jz415

# R S A C
We are in a constant
state of failure.

# R S A C
Vulnerability Management Process
Asset
Identification
Enumeration
Prioritization
Remediation

#RSAC
VULNERABILITY MANAGEMENT IS A
MAINTENANCE TASK THAT BEGINS AND
ENDS WITH OPERATIONS

# R S A C
The Heisenberg Uncertainty Principle
of Asset Management

# R S A C
Take Charge Of Asset Management
Queryable infrastructure is the fabric of a good CMDB
Consider the operational benefits of EDR products
Remote management software
Creates queryable infrastructure
Ability to detect misuse
Use scanners to identify unmanaged hosts
Embrace coverage as a critical metric

#RSAC
IN 2017, OVER 29% OF CVE HAD A
SEVERITY OF HIGH OR CRITICAL.

# R S A C
Define SLA’s By Priority, Not Severity
9
Asset Criticality
Vulnerability Severity
High
Medium
Low
Low
Priority 3
Priority 4
Priority 5
Medium
Priority 2
Priority 3
Priority 4
High
Priority 1
Priority 2
Priority 3
Critical
Priority 1
Priority 2
Priority 3

# R S A C
It’s Time To Start Using Threat Intelligence Strategically

#RSAC
KEY QUESTION: HOW COULD AN
ATTACKER EXPLOIT THIS VULNERABILITY?

# R S A C
Dissect Delivery and Exploitation
A Cursory Analysis of Meltdown
Can be delivered to browser using JavaScript
—Endpoint threat model similar to Adobe Flash
How do you execute this code on a server?
—Other RCE vulnerability in an exposed service
—Privilege escalation if already local

# R S A C
Understand How You’ll Be Attacked
0
50
100
150
200
References
Vulnerability

# R S A C
How To Talk To Executives About
Vulnerability Management

# R S A C
Counting Stats Don’t Make Good Metrics

# R S A C
Control the Message
16
Help execs understand what they need to know to protect their jobs
Generate and present metrics that are consumable
This provides clarity into what you’re doing to protect them
Helps measure progress over time
GOAL: Help them make business decisions based on this information

# R S A C
Let’s Review!
Vulnerability management is a business process.
Queryable infrastructure is the fabric of good asset management.
Perform prioritization based on threat intel andasset criticality.
Help executives make business decisions supported by metrics about
unmitigated risk.

# R S A C
Apply What You Have Learned Today
Change your ideology, become a participant!
Identify and start tracking key metrics now, to help show trends later.
Critical Metric! Coverage, coverage, coverage!
Look for intelligence sources which inform threat/exploitation details.
Embrace an “application stack” approach to asset management.
Understand how software is developed and deployed within your organization.

# R S A C
Apply What You Have Learned In 3 Months
Begin outreach and develop relationships!
Start providing relevant intelligence briefings to executives.
Communicate priority based on how an exploit could be delivered.
New Metric! How are you reducing work by deprioritizing CVSS severity?
Champion efforts with operations to improve asset management.
“How can we help?” – But with suggestions, resources, and budget.

# R S A C
Apply What You Have Learned In 6 Months
Become part of the operations process!
Start leveraging CI/CD processes for patch deployment.
Key Metric! You are committing code, use build metrics to track issues.
Leverage queryable infrastructure for real time asset inventory.
Codify a new vulnerability remediation SLA based on internal priority.

#RSAC
THANK YOU!
Email: jzelonis@forrester.com
LinkedIn: https://www.linkedin.com/in/zelonis/
Twitter: @jz415

What's hot

As threats evolve, it is essential to move beyond looking at events toward developing behavioral analysis capabilities. Knowing not only the components but also the rhythms of your environment becomes crucial to enable earlier detection of attackers. This session will review the threat and risk landscape today, recommend approaches to bolster your security control monitoring, apply situational awareness and kill chain techniques, and walk through the construction of two specific use cases. They are 1) detecting compromised accounts via remote access behavior analysis and 2) detecting malicious activity (attacker or insider) by detecting and tracing network jumpers from corporate to guest networks. The session will discuss the design approach and searches used in these two use cases so that you can build other use cases to improve your security capability and posture.

Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Andrew Gerber

Vodafone is one of the world’s largest telecommunications companies, enabling connectivity by providing mobile, fixed and IoT networks to customers around the world. Vodafone is redefining the boundary of the SOC and sees the balance between prevention, detection and response for both Vodafone’s organization and customers as vital. This session will describe the journey from reactive SOC to proactive cyber-defense. (Source: RSA Conference USA 2018)

Pulling our-socs-up

Priyanka Aash

Cylance Protect-Next-Generation Antivirus-Overview

Innovation Network Technologies: InNet

So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations. Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc

Building a Next-Generation Security Operations Center (SOC)

Sqrrl

Embracing Threat Intelligence and Finding ROI in Your Decision

Cylance

Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...

EC-Council

In this talk we will look at the current attacker community as well as the tactics and capabilities that are currently being leveraged against targets across the globe. We will then go into the financial mechanics behind both financial based cybercrime as well as nationstate espionage. We will touch on some of the scary capabilities of attackers and try to work thru the reason why we still aren’t seeing the broad scale destructive attacks that everyone has been predicting for years. By Jim Walter, Senior Research Scientist, Cylance

Exploring the Capabilities and Economics of Cybercrime

Cylance

Cylance Information Security: Compromise Assessment Datasheet

Innovation Network Technologies: InNet

When companies hire cybersecurity consultants to investigate incidents, those professionals’ reports and emails could be used against the company in court unless a privilege applies. This session provides an overview of the attorney-client privilege for post-breach investigations, and tips for increasing the chances that the privilege will apply and the data will remain confidential. (Source: RSA USA 2016-San Francisco)

Preserving the Privilege during Breach Response

Priyanka Aash

Is your SOC overwhelmed with alerts and threats? Cyber-adversaries are wielding tools and machine power, while organizations are still trying to scale their cybersecurity with OpEx and poorly planned CapEx spending. In this session, you will learn from a SOC expert about mistakes that have been made in the past, what we can do about it right now and what is in store as we move towards SOC 2030. (Source: RSA Conference USA 2018)

Soc 2030-socs-are-broken-lets-fix- them

Priyanka Aash

Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries

EC-Council

DATA LOSS PREVENTION OVERVIEW

Sylvain Martinez

Conventional wisdom tells us to use two-factor authentication—and it does help to improve security. But the best way to reduce user-friction is to never require a person to authenticate. This talk will provide a modern solution to reconcile these two divergent imperatives by leveraging standard profiles of OAuth2 for “trust elevation.” Its not just the front door that needs protection! (Source: RSA USA 2016-San Francisco)

DON'T Use Two-Factor Authentication...Unless You Need It!

Priyanka Aash

Selena Larson, Dragos Intelligence Analyst's presentation from RSA 2019. There have been public narratives about the US being on the precipice of a nationwide hacker-caused blackout. What is the reality of adversary activity and the potential or likelihood of a cyber attack that could disrupt the electric grid? What are hackers currently doing in ICS networks? In this presentation, Selena Larson, Intelligence Analyst at Dragos will separate fact from (science) fiction. More information here: https://dragos.com/rsa-2019/ More info: www.dragos.com Follow us on LinkedIn: https://www.linkedin.com/company/drag.... Follow us on Twitter: https://twitter.com/dragosinc

Debunking the Hacker Hype: The Reality of Widespread Blackouts

Dragos, Inc.

Insights from-NSAs-cybersecurity-threat-operations-center

Priyanka Aash

Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems. (Source: RSA USA 2016-San Francisco)

The Seven Most Dangerous New Attack Techniques, and What's Coming Next

Priyanka Aash

Want to detect threats in your organization? Stop reading every feed and curate your threat intel and content so they actually work for your security architecture. By managing meaningful threat intelligence so the external intel maps to internal threat models and curating your content sensibly, you can create a high-functioning SOC that both detects and defends against cyberattacks. (Source: RSA Conference USA 2018)

Threat intel- -content-curation-organizing-the-path-to-successful-detection

Priyanka Aash

Splunk for Security Workshop Join our Splunk Security Experts and learn how to use Splunk Enterprise in a live, hands-on incident investigation session. We'll use Splunk to disrupt an adversary's Kill Chain by finding the Actions on Intent, Exploitation Methods, and Reconnaissance Tactics used against a simulated organization. Data investigated will include threat list intelligence feeds, endpoint activity logs, e-mail logs, and web access logs. This session is a must for all security experts! Please bring your laptop as this is a hands-on session.

Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin

Splunk

Security Threat Mapping

Parthasarathy P ACA, CISA, CGEIT, CRISC

What's hot (19)

Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk

Pulling our-socs-up

Cylance Protect-Next-Generation Antivirus-Overview

Building a Next-Generation Security Operations Center (SOC)

Embracing Threat Intelligence and Finding ROI in Your Decision

Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...

Exploring the Capabilities and Economics of Cybercrime

Cylance Information Security: Compromise Assessment Datasheet

Preserving the Privilege during Breach Response

Soc 2030-socs-are-broken-lets-fix- them

Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries

DATA LOSS PREVENTION OVERVIEW

DON'T Use Two-Factor Authentication...Unless You Need It!

Debunking the Hacker Hype: The Reality of Widespread Blackouts

Insights from-NSAs-cybersecurity-threat-operations-center

The Seven Most Dangerous New Attack Techniques, and What's Coming Next

Threat intel- -content-curation-organizing-the-path-to-successful-detection

Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin

Security Threat Mapping

Similar to Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management

Decision-makers need reliable data in order to understand risk and determine value of investments. With the amount of data available in a multinational company, one would assume that answers would be easy to find. But how does one identify which data is reliable and make it meaningful? This talk will provide best practices and lessons learned on how ADP built an effective security metrics program. Learning Objectives: 1: Understand use cases in which metrics can be applied to business-driven security. 2: Gain a structured approach to leveraging data for security decision-making. 3: Learn through practical lessons how to communicate results of your metrics program. (Source: RSA Conference USA 2018)

Creating Order from Chaos: Metrics That Matter

Priyanka Aash

The Hershey Company initiated a strategic initiative to identify all of the truly critical IT assets that enable the company’s continued success. The evaluation confirmed the importance of protecting their business critical SAP systems. To get executive cross functional buy-in the security team implemented an SAP Vulnerability Management program with a clear strategy of “why” to influence results. (Source: RSA USA 2016-San Francisco)

Understanding the “Why” in Enterprise Application Security Strategy

Priyanka Aash

For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf

JustinBrown267905

Rapid Threat Modeling Techniques

Priyanka Aash

Businesses like Autodesk understand that cyber-risk management is essential, but they often don’t know where to begin. Autodesk implemented a cyber-risk framework in six months by using Agile software development, risk modeling and risk quantification. This session will explore the company’s success secrets and offers advice on how security leaders can jumpstart their cyber-risk program. (Source : RSA Conference USA 2017)

Top 5 secrets to successfully jumpstarting your cyber-risk program

Priyanka Aash

Settle the Score

Bill Creasey

How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience

Priyanka Aash

Ransomware is a strategy for adversaries to make money – a strategy that’s proven successful. During this presentation, we will cover how ransomware works, ransomware trends to watch, best practices for prevention, and more. At the core of the discussion, Scott will explain how to build detections for common tactics, techniques, and procedures (TTPs) used by ransomware families and how to validate they work, ongoing, as part of the larger security program. Participants will leave this webinar with actionable advice to ensure their organization is more resilient to ever-evolving ransomware attacks.

How to Build and Validate Ransomware Attack Detections (Secure360)

Scott Sutherland

Cyber presentation spet 2019 v8sentfor upload

savassociates1

Weakest links of an organization's Cybersecurity chain

Sanjay Chadha, CPA, CA

Many companies establish their Secure Development Lifecycle. The adoption of it crucial especially for corporations with dozens of applications. The main challenges they face are the diversity of architecture, dev languages, methodologies, compliance, regulations, etc. This talk will shed light on scaling up and out the application security capabilities and maximizing the software security maturity. (Source : RSA Conference USA 2017)

Securing 100 products - How hard can it be?

Priyanka Aash

w-cyber-risk-modeling Owasp cyber risk quantification 2018

Open Security Summit

Someone politely knocks on your door and reports that there’s a hole in your wall big enough for a person to climb through. You immediately threaten legal action. Crazy? In the world of vuln research, this happens. This session will review a Vuln Disclosure Maturity Model created describe best-in-class practices. For any company wanting to get better bug reports faster—this session is a must. (Source: RSA USA 2016-San Francisco)

…But Now I See—A Vulnerability Disclosure Maturity Model

Priyanka Aash

NIST Critical Security Framework (CSF)

Priyanka Aash

Communicating effectively with the board of directors can make or break a security program. Across 2016, John Pescatore and Alan Paller of SANS talked with dozens of CISOs and several members of corporate boards and distilled down a set of best practices and lessons learned. This session will present the findings from that effort, with lessons learned from real-world board sessions. (Source : RSA Conference USA 2017)

Briefing the board lessons learned from cisos and directors

Priyanka Aash

Web Application Security Vulnerability Management Framework

jpubal

If you want your information risk program to be taken seriously by the business, you have to do more than just throwing around a few business terms. You need to embrace enterprise risk techniques. See how the engagement changes when you start talking about a product delivery risk instead of a Struts vulnerability. Cyber isn’t your top risk; focusing on the wrong priorities is your top risk. Learning Objectives: 1: Learn how to integrate into a broader enterprise risk program. 2: Understand techniques from other disciplines that can be used in your cyber-program. 3: Learn to communicate security risks in business context. (Source: RSA Conference USA 2018)

There’s No Such Thing as a Cyber-Risk

Priyanka Aash

A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient with feasible recommendations based on your business' needs.

Enterprise Class Vulnerability Management Like A Boss

rbrockway

It is critical to measure the right things in order to make better-informed management decisions, take appropriate actions and change behaviors. But how do managers figure out what those right things are? A measurement approach tied to strategic business objectives ensures that planning, budgeting and the allocation of operational resources are focused on what matters to the organization. (Source : RSA Conference USA 2017)

Developing useful metrics

Priyanka Aash

Risksense: 7 Experts on Threat and Vulnerability Management

Mighty Guides, Inc.

Similar to Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management (20)

Creating Order from Chaos: Metrics That Matter

Understanding the “Why” in Enterprise Application Security Strategy

For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf

Rapid Threat Modeling Techniques

Top 5 secrets to successfully jumpstarting your cyber-risk program

Settle the Score

How to Steer Cyber Security with Only One KPI: The Cyber Risk Resilience

How to Build and Validate Ransomware Attack Detections (Secure360)

Cyber presentation spet 2019 v8sentfor upload

Weakest links of an organization's Cybersecurity chain

Securing 100 products - How hard can it be?

w-cyber-risk-modeling Owasp cyber risk quantification 2018

…But Now I See—A Vulnerability Disclosure Maturity Model

NIST Critical Security Framework (CSF)

Briefing the board lessons learned from cisos and directors

Web Application Security Vulnerability Management Framework

There’s No Such Thing as a Cyber-Risk

Enterprise Class Vulnerability Management Like A Boss

Developing useful metrics

Risksense: 7 Experts on Threat and Vulnerability Management

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Priyanka Aash

Verizon Breach Investigation Report (VBIR).pdf

Priyanka Aash

Top 10 Security Risks .pptx.pdf

Priyanka Aash

Simplifying data privacy and protection.pdf

Priyanka Aash

Generative AI and Security (1).pptx.pdf

Priyanka Aash

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

Priyanka Aash

DPDP Act 2023.pdf

Priyanka Aash

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Priyanka Aash

Cyber Crisis Management.pdf

Priyanka Aash

CISOPlatform journey.pptx.pdf

Priyanka Aash

Chennai Chapter.pptx.pdf

Priyanka Aash

Cloud attack vectors_Moshe.pdf

Priyanka Aash

Stories From The Web 3 Battlefield

Priyanka Aash

Lessons Learned From Ransomware Attacks

Priyanka Aash

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Priyanka Aash

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Priyanka Aash

Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Priyanka Aash

Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.

Cyber Security Governance

Priyanka Aash

The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.

Ethical Hacking

Priyanka Aash

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs

Verizon Breach Investigation Report (VBIR).pdf

Top 10 Security Risks .pptx.pdf

Simplifying data privacy and protection.pdf

Generative AI and Security (1).pptx.pdf

EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf

DPDP Act 2023.pdf

Cyber Truths_Are you Prepared version 1.1.pptx.pdf

Cyber Crisis Management.pdf

CISOPlatform journey.pptx.pdf

Chennai Chapter.pptx.pdf

Cloud attack vectors_Moshe.pdf

Stories From The Web 3 Battlefield

Lessons Learned From Ransomware Attacks

Emerging New Threats And Top CISO Priorities In 2022 (Chennai)

Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)

Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)

Cloud Security: Limitations of Cloud Security Groups and Flow Logs

Cyber Security Governance

Ethical Hacking

Recently uploaded

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Architecting Cloud Native Applications

WSO2

ICT role in 21st century education and its challenges

rafiqahmad00786416

DBX First Quarter 2024 Investor Presentation

Dropbox

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

Manulife - Insurer Transformation Award 2024

The Digital Insurer

AXA XL - Insurer Innovation Award Americas 2024

The Digital Insurer

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Passkeys: Developing APIs to enable passwordless authentication Cody Salas, Sr Developer Advocate | Solutions Architect - Yubico Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

apidays

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Recently uploaded (20)

CNIC Information System with Pakdata Cf In Pakistan

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Architecting Cloud Native Applications

ICT role in 21st century education and its challenges

DBX First Quarter 2024 Investor Presentation

MS Copilot expands with MS Graph connectors

Ransomware_Q4_2023. The report. [EN].pdf

Corporate and higher education May webinar.pptx

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Cyberprint. Dark Pink Apt Group [EN].pdf

presentation ICT roal in 21st century education

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

FWD Group - Insurer Innovation Award 2024

Manulife - Insurer Transformation Award 2024

AXA XL - Insurer Innovation Award Americas 2024

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...

MINDCTI Revenue Release Quarter One 2024

Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management

1. SESSION ID: #RSAC Josh Zelonis EVOLVE OR DIE: HOW TO STOP GETTING SLAUGHTERED DUE TO BAD VULNERABILITY MANAGEMENT TECH-W02 Senior Analyst Forrester @jz415

2. # R S A C We are in a constant state of failure.

3. # R S A C Vulnerability Management Process Asset Identification Enumeration Prioritization Remediation

4. # R S A C Vulnerability Management Process Asset Identification Enumeration Prioritization Remediation

5. #RSAC VULNERABILITY MANAGEMENT IS A MAINTENANCE TASK THAT BEGINS AND ENDS WITH OPERATIONS

6. # R S A C The Heisenberg Uncertainty Principle of Asset Management

7. # R S A C Take Charge Of Asset Management Queryable infrastructure is the fabric of a good CMDB Consider the operational benefits of EDR products Remote management software Creates queryable infrastructure Ability to detect misuse Use scanners to identify unmanaged hosts Embrace coverage as a critical metric

8. #RSAC IN 2017, OVER 29% OF CVE HAD A SEVERITY OF HIGH OR CRITICAL.

9. # R S A C Define SLA’s By Priority, Not Severity 9 Asset Criticality Vulnerability Severity High Medium Low Low Priority 3 Priority 4 Priority 5 Medium Priority 2 Priority 3 Priority 4 High Priority 1 Priority 2 Priority 3 Critical Priority 1 Priority 2 Priority 3

10. # R S A C It’s Time To Start Using Threat Intelligence Strategically

11. #RSAC KEY QUESTION: HOW COULD AN ATTACKER EXPLOIT THIS VULNERABILITY?

12. # R S A C Dissect Delivery and Exploitation A Cursory Analysis of Meltdown Can be delivered to browser using JavaScript —Endpoint threat model similar to Adobe Flash How do you execute this code on a server? —Other RCE vulnerability in an exposed service —Privilege escalation if already local

13. # R S A C Understand How You’ll Be Attacked 0 50 100 150 200 References Vulnerability

14. # R S A C How To Talk To Executives About Vulnerability Management

15. # R S A C Counting Stats Don’t Make Good Metrics

16. # R S A C Control the Message 16 Help execs understand what they need to know to protect their jobs Generate and present metrics that are consumable This provides clarity into what you’re doing to protect them Helps measure progress over time GOAL: Help them make business decisions based on this information

17. # R S A C Let’s Review! Vulnerability management is a business process. Queryable infrastructure is the fabric of good asset management. Perform prioritization based on threat intel andasset criticality. Help executives make business decisions supported by metrics about unmitigated risk.

18. # R S A C Apply What You Have Learned Today Change your ideology, become a participant! Identify and start tracking key metrics now, to help show trends later. Critical Metric! Coverage, coverage, coverage! Look for intelligence sources which inform threat/exploitation details. Embrace an “application stack” approach to asset management. Understand how software is developed and deployed within your organization.

19. # R S A C Apply What You Have Learned In 3 Months Begin outreach and develop relationships! Start providing relevant intelligence briefings to executives. Communicate priority based on how an exploit could be delivered. New Metric! How are you reducing work by deprioritizing CVSS severity? Champion efforts with operations to improve asset management. “How can we help?” – But with suggestions, resources, and budget.

20. # R S A C Apply What You Have Learned In 6 Months Become part of the operations process! Start leveraging CI/CD processes for patch deployment. Key Metric! You are committing code, use build metrics to track issues. Leverage queryable infrastructure for real time asset inventory. Codify a new vulnerability remediation SLA based on internal priority.

21. #RSAC THANK YOU! Email: jzelonis@forrester.com LinkedIn: https://www.linkedin.com/in/zelonis/ Twitter: @jz415

Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management

Similar to Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management (20)

More from Priyanka Aash

More from Priyanka Aash (20)

Recently uploaded

Recently uploaded (20)

Evolve or Die, How to Stop Getting Slaughtered Due to Bad Vulnerability Management