Enterprise Vulnerability Management: fancy marketing brochures and the real-life troubles
Alexander Leonov
CyberCentral 2018
#:whoami
- Alexander Leonov
- Lead Security Analyst at Tinkoff Bank
- 6+ years at a Vulnerability Management vendor
- Security Automation blog at avleonov.com
Typical VM Solution
(diagram; stages: IPs → Tasks → Task Results → Reports → Dynamics)
Inconvenient Questions
(the same diagram, with the questions each stage raises)
- Targets?
- Credentials?
- Quality of detection?
- What is really exploitable?
- Who is responsible for patching?
- Remediation criteria?
- Processes and Products
What actually should we scan?
- Perimeter
- Office
- Business critical / Production
Perimeter
- Dynamic Assets: 20%
- Typical Targets: Linux web server
- Inventory sources: IANA ASN, Wiki, JIRA, Monitoring, WAF/AntiDDoS
- Typical Assessment: unauthenticated scanning
Office
- Dynamic Assets: 80%
- Typical Targets: Windows desktop with an old web browser (kept for legacy applications)
- Inventory sources: Wiki, WSUS, System Center
- Typical Assessment: authenticated scanning, agents
Business critical / Production
- Dynamic Assets: < 10%
- Typical Targets: Linux/Unix/Windows server; ERP/CRM with third-party modules installed
- Inventory sources: Wiki, consultations
- Typical Assessment: unauthenticated scanning, alternative methods
VM Analyst's Heaven
- Scan targets: known and fully described
- Responsible person: known for every asset
- Credentials / local agents: available / installed
- Patch Management process: already functioning
- IT attitude: trust in scanning results
- Your task: ensure that everything works fine; if not, create a task
VM Analyst's Hell
- Scan targets: unknown
- Responsible person: unknown
- Credentials / local agents: no way!
- Patch Management process: "it's not necessary!"
- IT attitude: "don't bother us!"
- Your task: prove that every vulnerability is really exploitable in our environment; make an exploitation PoC (and if you break something, it will be your fault)
VM Analyst's Heaven and Hell
Vulnerability Management Market
(chart: Worldwide Device Vulnerability Assessment Revenue Share by Vendor, 2016)
Outrageously expensive
(the same diagram; price points shown on the slide)
- $2,190 USD/year
- free (no complaints)
- $10-15 USD/year per host: for 5000 hosts that is $50-75k per year
Limited license = Limited IT Visibility
(Perimeter, Office, Business critical / Production)
* free agent-based inventory in Qualys and Rapid7 Nexpose, without Vulnerability Assessment
The end of cost-effective VM since v. 7 (Nessus Professional)
- The ability to manage scans via API has been removed =(
- The ability to add multiple users has also been removed =(
- "As of January 1, 2019, all Nessus Professional users will be required to update to version 7.x to maintain support and updates."
OpenVAS “Attic Cleanup”
What about your own scanner?
Unauthenticated mode (Data Gathering: Asset, Service; Assessment: Vulnerability)
Asset         | Service                   | Vulnerability
Hostname / IP | cpe:/a:drupal:drupal:7.32 | CVE-2018-7600

Authenticated mode (Data Gathering: Asset, Package; Assessment: Vulnerability)
Asset         | Package                   | Vulnerability
Hostname / IP | Drupal7-7.32-1+deb8u10    | DSA-4156, CVE-2018-7600
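The two tables above are essentially the whole logic of such a scanner; the part that is easy to get wrong is the version comparison in the authenticated row. The following Python is an added example (not code from the talk) of that matching core: a CPE lookup for the unauthenticated mode, and a dpkg-ordering comparison of the installed Debian package version against the advisory's fixed version for the authenticated mode. The knowledge base is constructed for the example; the DSA-4156 fixed version for jessie (7.32-1+deb8u11) is an assumption to verify against the advisory text, and the host names are placeholders.

```python
"""Matching core for a homegrown vulnerability scanner (added example, not from the talk).

Unauthenticated mode: a service fingerprint (CPE) is looked up in a CPE-keyed KB.
Authenticated mode: an installed Debian package version is compared with the fixed
version from the distribution advisory, using dpkg's version ordering. A plain string
comparison gets this wrong: "7.32-1+deb8u9" > "7.32-1+deb8u10" lexically.
"""
import re
from dataclasses import dataclass


def _order(c: str) -> int:
    # dpkg weight of one character in a non-digit run: '~' sorts before anything,
    # including the end of the string; letters sort before other characters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare two version fragments as dpkg does: alternate non-digit runs
    (character by character with the '~' rule) and digit runs (numerically)."""
    while a or b:
        na = re.match(r"\D*", a).group()
        nb = re.match(r"\D*", b).group()
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return -1 if d < 0 else 1
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version: str):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return epoch, upstream, revision


def deb_version_cmp(v1: str, v2: str) -> int:
    """-1, 0 or 1, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if int(e1) != int(e2):
        return -1 if int(e1) < int(e2) else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


@dataclass(frozen=True)
class Match:
    asset: str
    evidence: str      # what was observed: a CPE, or package + version
    advisory: str      # CVE or DSA id the KB entry is keyed by
    cves: tuple


# Constructed knowledge base for this example. The jessie fixed version for
# drupal7 (DSA-4156) is assumed to be 7.32-1+deb8u11; verify against the advisory.
CPE_KB = {
    "cpe:/a:drupal:drupal:7.32": ("CVE-2018-7600",),
}
PACKAGE_KB = {
    ("jessie", "drupal7"): [("DSA-4156", "7.32-1+deb8u11", ("CVE-2018-7600",))],
}


def assess_unauth(asset: str, cpe: str) -> list:
    """Unauthenticated mode: the version comes from the banner, so a backported fix
    (same upstream version, patched package) shows up here as a false positive."""
    return [Match(asset, cpe, cve, (cve,)) for cve in CPE_KB.get(cpe, ())]


def assess_auth(asset: str, suite: str, package: str, version: str) -> list:
    """Authenticated mode: installed package version vs. the advisory's fixed version."""
    hits = []
    for advisory, fixed, cves in PACKAGE_KB.get((suite, package), []):
        if deb_version_cmp(version, fixed) < 0:
            hits.append(Match(asset, f"{package} {version}", advisory, cves))
    return hits


if __name__ == "__main__":
    print(assess_unauth("web01", "cpe:/a:drupal:drupal:7.32"))
    print(assess_auth("web01", "jessie", "drupal7", "7.32-1+deb8u10"))   # vulnerable
    print(assess_auth("web01", "jessie", "drupal7", "7.32-1+deb8u11"))   # fixed -> []
```

The jessie package at 7.32-1+deb8u10 is reported under DSA-4156 and +deb8u11 is not, which a string comparison would get wrong as soon as +deb8u9 meets +deb8u10. The unauthenticated path has the opposite weakness: the banner still says 7.32 after the backported fix, so that row on its own is a candidate to confirm, not a confirmed vulnerability.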
All Vulnerability Scanners are the same?
Knowledge Base of a Vulnerability Scanner =
  A Platforms (OSes)
  × B Software Vendors making products for the Platform
  × C Products made by each Software Vendor
  × D Vulnerabilities in each Product
  × E Vulnerability detection methods (authenticated and unauthenticated)
CVE-based comparison
Based on data from
ALL CVEs in NVD: 104794; 2018 CVEs in NVD: 2373
Reports: the problem of prioritization
- Exploitability flag
- Links to exploits
- Use in malware
- CVSS (AV:N)
- CWE (CWE-94 'Code Injection', CWE-95 'Eval Injection', CWE-400 'Resource Exhaustion')
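Turning the five signals on this slide into an ordering: the Python below is an added example, not the talk's code or any vendor's. It parses the CVSS v3 vector to read AV, buckets findings by network reachability and exploit availability, and uses the base score plus the listed CWE classes only to order within a bucket, so a local 7.8 without a public exploit never outranks a remote bug that is already used in malware. The sample findings reuse CVE ids from this deck; their vectors and scores are taken from NVD as an assumption of the example, and the exploit URLs are placeholders.

```python
"""Prioritising scan results (added example, not from the talk).

Each finding carries the signals from the slide: exploit links, known use in
malware, the CVSS v3 vector (is it reachable over the network, AV:N?) and CWE ids.
Bucket first, score second: a network-reachable bug with a public exploit goes to
the front regardless of its base score; a local bug with a 7.8 waits.
"""
from dataclasses import dataclass, field

INJECTION_CWES = {"CWE-94", "CWE-95"}   # Code Injection, Eval Injection
DOS_CWES = {"CWE-400"}                   # Resource Exhaustion
BUCKET_ORDER = {"P1-fix-now": 0, "P2-this-cycle": 1, "P3-backlog": 2}


@dataclass
class Finding:
    host: str
    cve: str
    cvss_vector: str
    base_score: float
    exploit_links: list = field(default_factory=list)
    used_in_malware: bool = False
    cwes: set = field(default_factory=set)


def parse_cvss_vector(vector: str) -> dict:
    """'CVSS:3.0/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}; rejects non-v3 strings."""
    head, *metrics = vector.split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    return dict(m.split(":", 1) for m in metrics)


def triage(f: Finding) -> tuple:
    """Return (bucket, score): the bucket drives the SLA, the score orders inside it."""
    metrics = parse_cvss_vector(f.cvss_vector)
    remote = metrics.get("AV") == "N"
    has_exploit = bool(f.exploit_links) or f.used_in_malware
    if remote and has_exploit:
        bucket = "P1-fix-now"
    elif has_exploit or (remote and f.base_score >= 9.0):
        bucket = "P2-this-cycle"
    else:
        bucket = "P3-backlog"
    score = f.base_score
    if f.used_in_malware:
        score += 2.0            # actively abused beats "an exploit exists somewhere"
    if f.cwes & INJECTION_CWES:
        score += 1.0            # the code-execution classes the slide singles out
    if f.cwes & DOS_CWES:
        score += 0.5
    return bucket, round(score, 1)


def rank(findings: list) -> list:
    """Findings ordered by bucket, then by descending score."""
    return sorted(findings, key=lambda f: (BUCKET_ORDER[triage(f)[0]], -triage(f)[1]))


# Constructed sample. Vectors and scores follow NVD's CVSS v3 entries for these CVEs
# (an assumption of this example: check them); exploit URLs are placeholders and the
# CWE-94 tag on CVE-2018-7600 is assumed.
SAMPLE = [
    Finding("ws-legacy-07", "CVE-2018-1038", "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 7.8,
            exploit_links=["https://exploits.example/total-meltdown"]),
    Finding("web01", "CVE-2018-7600", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8,
            exploit_links=["https://exploits.example/drupalgeddon2"], used_in_malware=True,
            cwes={"CWE-94"}),
    Finding("db01", "CVE-2017-5754", "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", 5.6,
            exploit_links=["https://exploits.example/meltdown-poc"]),
    Finding("app02", "CVE-2017-5715", "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", 5.6),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(triage(f), f.host, f.cve)
```

The bucket thresholds are the example's own policy, not a standard; what carries over is the shape: reachability and exploit availability decide the queue, the base score only decides the order inside it.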
Common Weakness Enumeration (CWE)
Exploitability
Dynamics
Why? (what makes the numbers jump)
● Non-reliable scan results
● Dynamic assets
● ...
Dynamics … Smoothing …
Set criteria for a successful fix
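One way to implement the smoothing and the "criteria of a successful fix" from these slides, as an added example rather than the talk's own tooling: a scan that did not actually assess a host (unreachable, credentials failed) carries no evidence either way, and a finding is closed only after two consecutive clean scans that did assess it. The scan history and host names are constructed; FIX_CONFIRM is the example's own threshold.

```python
"""Smoothing the vulnerability trend (added example, not from the talk).

A finding that vanishes from one scan is not proof of a fix: the host may have been
down, credentials may have failed, or a DHCP lease moved. The rule used here (an
assumption of this example): a scan that did not actually assess the host is no
evidence either way, and a finding counts as fixed only after FIX_CONFIRM consecutive
clean scans in which the host was assessed.
"""
FIX_CONFIRM = 2   # clean, successful scans needed before a finding is closed

# Constructed scan history. web02 was unreachable in the second scan, web01 was
# really patched after the first one, db01 stays vulnerable throughout.
SCANS = [
    {"date": "2018-03-01", "assessed": {"web01", "web02", "db01"},
     "findings": {("web01", "CVE-2018-7600"), ("web02", "CVE-2018-7600"),
                  ("db01", "CVE-2017-5754")}},
    {"date": "2018-03-08", "assessed": {"web01", "db01"},
     "findings": {("db01", "CVE-2017-5754")}},
    {"date": "2018-03-15", "assessed": {"web01", "web02", "db01"},
     "findings": {("web02", "CVE-2018-7600"), ("db01", "CVE-2017-5754")}},
]


def finding_timeline(scans: list) -> dict:
    """{(host, vuln): [True | False | None per scan]}: True = detected,
    False = host assessed and finding absent, None = host not assessed."""
    keys = set().union(*(s["findings"] for s in scans))
    timeline = {}
    for key in keys:
        host = key[0]
        timeline[key] = [
            True if key in s["findings"] else (False if host in s["assessed"] else None)
            for s in scans
        ]
    return timeline


def status(row: list) -> str:
    """'open', 'fixed' or 'unconfirmed' for one finding's timeline."""
    evidence = [x for x in row if x is not None]
    if not evidence or evidence[-1]:
        return "open"
    clean = 0
    for seen in reversed(evidence):   # count trailing clean assessed scans
        if seen:
            break
        clean += 1
    return "fixed" if clean >= FIX_CONFIRM else "unconfirmed"


def summarize(scans: list) -> dict:
    return {key: status(row) for key, row in finding_timeline(scans).items()}


def naive_counts(scans: list) -> list:
    """What the scanner's own trend chart shows: raw detections per scan."""
    return [len(s["findings"]) for s in scans]


def smoothed_counts(scans: list) -> list:
    """Unresolved findings per scan, judged on the history up to that scan."""
    return [sum(1 for st in summarize(scans[:i + 1]).values() if st != "fixed")
            for i in range(len(scans))]


if __name__ == "__main__":
    print(naive_counts(SCANS))      # dips because web02 was simply unreachable
    print(smoothed_counts(SCANS))   # web01 counts as fixed only from the third scan
    for key, st in sorted(summarize(SCANS).items()):
        print(key, st)
```

The raw chart goes 3, 1, 2 and makes the second week look like progress that was then lost; the smoothed series goes 3, 3, 2 and attributes the only real change to the host that was actually patched. The same "assessed" flag is what tells you an authenticated scan silently degraded to unauthenticated, which is the other common source of false fixes.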
Why *they* don't patch vulnerabilities
It's great when you can update the OS automatically, but:
- A reboot is often required (nobody likes this)
- Update mechanisms may break, and updates will not be installed
- Something can break after an update, so each patch has to be checked on test servers first
Update can make the situation even worse
Timeline (dates as shown on the slide):
- January 3, 2018: Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) disclosed
- January 5, 2018 and January 10, 2018: further milestones on the slide's timeline
- January 23, 2018: Intel's advice on its own microcode updates: "stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior"
- March 29, 2018: Windows 7 or Server 2008 R2 with Microsoft's Meltdown patches applied => CVE-2018-1038 "Windows Kernel Elevation of Privilege Vulnerability" (Base Score: 7.8*)
- April 05, 2018: Intel won't patch some of its older processors against Meltdown and Spectre
Base scores: Spectre (CVE-2017-5753, CVE-2017-5715) 7.3, 6.5*; Meltdown (CVE-2017-5754) 5.6*
* CVSS v.3, per xforce.ibmcloud.com
The Neverending Story
- Constantly appearing exploitable vulnerabilities in web browsers, Adobe products, Java, etc.
- Manual work or expensive patching solutions are required
Fifty Shades of Legacy
- Critical vulnerable software that is strongly needed for work: updating it costs extra money and staff retraining
- Critical software that requires outdated vulnerable libraries (Java)
- Legacy operating systems that are the only ones able to run some critical software
Some systems are just difficult to update
- UNIXes, network devices, etc.
In conclusion
- There is no magic in Vulnerability Management
- Vulnerability scanners are awesome. Trust them, but not too much.
- Homegrown automation is still necessary:
  ○ Update scan targets (Wiki, DNS, WAF/AntiDDoS, AD, monitoring...) and manage regular scan tasks
  ○ Get critical exploitable vulnerabilities from scan results
  ○ Inform the responsible person / create tasks
  ○ Get statistics and visualize the VM process
Thanks!
Questions?
me@avleonov.com

CyberCentral Summit 2018 in Prague

  • 12. Vulnerability Management Market
    Worldwide Device Vulnerability Assessment Revenue Share by Vendor, 2016
  • 13. Outrageously expensive
    Diagram labels: IPs, Tasks, Task Results, Reports, Dynamics
    - $2,190 USD/year
    - free (no complaints)
    - $10-15 USD/year per host; for 5000 hosts: $50-75k
  • 14. Limited license = Limited IT Visibility
    Perimeter / Office / Business critical / Production
    * free agented inventorisation in Qualys and Rapid7 Nexpose without Vulnerability Assessment
  • 15. The end of cost-effective VM since v. 7
    - The ability to manage scans via API has been removed =(
    - The ability to add multiple users has also been removed =(
    - "As of January 1, 2019, all Nessus Professional users will be required to update to version 7.x to maintain support and updates."
  • 17. What about your own scanner? Unauthenticated mode
    Data Gathering → Assessment
    Asset: Hostname / IP → Service: cpe:/a:drupal:drupal:7.32 → Vulnerability: CVE-2018-7600
  • 18. What about your own scanner? Authenticated mode
    Data Gathering → Assessment
    Asset: Hostname / IP → Package: Drupal7-7.32-1+deb8u10 → Vulnerability: DSA-4156, CVE-2018-7600
  • 19. What about your own scanner?
  • 20. All Vulnerability Scanners are the same?
    Knowledge Base of a Vulnerability Scanner =
    A Platforms (OSes)
    × B Software Vendors making products for each Platform
    × C Products made by each Software Vendor
    × D Vulnerabilities in each Product
    × E Vulnerability detection methods (authenticated and unauthenticated)
  • 21. CVE-based comparison
    Based on data from NVD: all CVEs in NVD: 104794; 2018 CVEs in NVD: 2373
  • 22. Reports: problem of prioritization
    - Exploitability flag
    - Links to exploits at
    - Use in Malware
    - CVSS (AV:N)
    - CWE (CWE-94 'Code Injection', CWE-95 'Eval Injection', CWE-400 'Resource Exhaustion')
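Slide 22 lists the signals that should drive prioritization beyond the bare CVSS number. As an added example (not code from the talk, and not any vendor's scoring), the Python below re-ranks a scanner report by combining the CVSS base score with those signals: the exploitability flag, exploit links, use in malware, the attack vector parsed from the CVSS vector string, and the CWE classes the slide names. The findings are constructed sample data (the placeholder `CVE-EXAMPLE-*` IDs and the exploit URL are not real), and the bonus weights are assumptions of the example to be tuned per environment.

```python
"""Re-ranking scan findings with the signals from slide 22.

Added example, not code from the talk. Findings, weights and the sample
report are constructed for illustration.
"""
from dataclasses import dataclass, field

# CWE classes the slide singles out as deserving a boost.
HIGH_RISK_CWES = {"CWE-94", "CWE-95", "CWE-400"}


@dataclass
class Finding:
    host: str
    cve: str
    cvss_score: float
    cvss_vector: str                    # e.g. "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    exploitable: bool = False           # the scanner's own exploitability flag
    exploit_links: list = field(default_factory=list)   # references to public exploits
    in_malware: bool = False            # known to be used by malware in the wild
    cwes: list = field(default_factory=list)


def attack_vector(vector: str) -> str:
    """Return the AV metric ('N', 'A', 'L' or 'P') from a CVSS v2 or v3 vector string."""
    for metric in vector.split("/"):
        if metric.startswith("AV:"):
            return metric[3:]
    return ""


def priority(f: Finding) -> float:
    """Urgency score: CVSS base score plus a fixed bonus per extra signal (assumed weights)."""
    score = f.cvss_score
    if attack_vector(f.cvss_vector) == "N":
        score += 1.0        # reachable over the network
    if f.exploitable or f.exploit_links:
        score += 2.0        # a working exploit exists
    if f.in_malware:
        score += 3.0        # already exploited at scale
    if HIGH_RISK_CWES.intersection(f.cwes):
        score += 1.0        # code injection / eval injection / resource exhaustion
    return round(score, 1)


def rank(findings: list) -> list:
    """Most urgent first; ties keep report order because sorted() is stable."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample report. The first CVE is the one from slides 17/18; the
# other IDs are placeholders and every score, vector and flag is made up.
SAMPLE = [
    Finding("web-01", "CVE-2018-7600", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            exploitable=True, exploit_links=["https://exploits.example/placeholder"],
            in_malware=True, cwes=["CWE-94"]),
    Finding("db-01", "CVE-EXAMPLE-0001", 5.5, "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    Finding("web-02", "CVE-EXAMPLE-0002", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            cwes=["CWE-400"]),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.1f}  {f.host:8s} {f.cve}")
```

Keeping the weights additive and visible makes the ranking explainable to the IT team that has to act on it, which matters more for the "trust in scanning results" problem the talk describes than any particular choice of numbers.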
  • 27. Dynamics. Why?
    ● Non-reliable scan results
    ● Dynamic assets
    ● ...
  • 28. Dynamics
    … Smoothing … Set criteria of successful fix
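Slides 27 and 28 raise two linked problems: unreliable scan results and dynamic assets make the raw trend jump around, so the trend has to be smoothed and "fixed" needs an explicit criterion. The Python below is an added example, not code from the talk: it keeps a host's last known state when a scan could not assess it (unreachable, credentials failed), and counts a (host, CVE) pair as fixed only after `fix_after` consecutive successful scans of that host without the finding. The scan history is constructed sample data.

```python
"""Smoothing vulnerability dynamics and deciding when a fix is real.

Added example, not code from the talk. A raw per-scan count drops whenever a
host is down or credentials fail, which looks like progress but is not.
"""
from collections import defaultdict

# Constructed history: (scan date, host, assessed_ok, CVEs found).
# assessed_ok is False when the scanner could not actually check the host.
HISTORY = [
    ("2018-04-02", "web-01", True,  {"CVE-2018-7600"}),
    ("2018-04-02", "web-02", True,  {"CVE-2018-7600"}),
    ("2018-04-09", "web-01", True,  {"CVE-2018-7600"}),
    ("2018-04-09", "web-02", False, set()),             # host unreachable that week
    ("2018-04-16", "web-01", True,  set()),             # first clean scan of web-01
    ("2018-04-16", "web-02", True,  {"CVE-2018-7600"}),
    ("2018-04-23", "web-01", True,  set()),             # second clean scan: counts as fixed
    ("2018-04-23", "web-02", True,  set()),             # first clean scan of web-02
]


def raw_open_counts(history):
    """Naive per-scan count: whatever was detected on that date."""
    counts = defaultdict(int)
    for date, _host, _ok, vulns in history:
        counts[date] += len(vulns)
    return dict(counts)


def track(history, fix_after=2):
    """Return (smoothed per-scan open counts, set of (host, cve) considered fixed).

    state maps (host, cve) to the number of consecutive successful clean scans
    since the CVE was last seen on that host; 0 means it is still open.
    """
    state = {}
    counts = {}
    for date in sorted({entry[0] for entry in history}):
        for d, host, ok, vulns in history:
            if d != date or not ok:
                continue                    # unknown: keep the host's previous state
            for cve in vulns:
                state[(host, cve)] = 0      # seen (again): open, reset the clean streak
            for (h, cve), clean in list(state.items()):
                if h == host and cve not in vulns:
                    state[(h, cve)] = clean + 1
        counts[date] = sum(1 for clean in state.values() if clean < fix_after)
    fixed = {key for key, clean in state.items() if clean >= fix_after}
    return counts, fixed


if __name__ == "__main__":
    print("raw:     ", raw_open_counts(HISTORY))
    print("smoothed:", track(HISTORY)[0])
    print("fixed:   ", track(HISTORY)[1])
```

On the constructed history the raw series reads 2, 1, 1, 0, suggesting steady remediation, while the smoothed series reads 2, 2, 2, 1: the dip on 2018-04-09 was an unreachable host, and web-02's single clean scan is not yet a fix under the two-scan criterion. A finding that reappears resets its streak, so a host restored from an old image is counted as open again rather than silently staying "fixed".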
  • 29. Why *they* don’t patch vulnerabilities
  • 30. It’s great when you can update the OS automatically, but
    - Reboot is often required (nobody likes this)
    - Update mechanisms may break and updates will not be installed
  • 31. Something can break after an update
    - It is necessary to check each patch on test servers
  • 32. Update can make the situation even worse
    Spectre: CVE-2017-5753, CVE-2017-5715; Meltdown: CVE-2017-5754
    Timeline on the slide: January 3, 2018; January 05, 2018; January 10, 2018; January 23, 2018: "stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior"; …
  • 33. Update can make the situation even worse
    Spectre: CVE-2017-5753, CVE-2017-5715, Base Score: 7.3, 6.5*
    Meltdown: CVE-2017-5754, Base Score: 5.6*
    January 3, 2018: disclosure
    March 29, 2018: Windows 7 or Server 2008 R2 + applied Microsoft's Meltdown patches => CVE-2018-1038 "Windows Kernel Elevation of Privilege Vulnerability" (Base Score: 7.8*)
    April 05, 2018: Intel won’t patch some of its older processors against Meltdown and Spectre
    * CVSS v.3, xforce.ibmcloud.com
  • 34. The Neverending story
    - Constantly appearing exploitable vulnerabilities of web browsers, Adobe products, Java, etc.
    - Manual work or expensive patching solutions are required
  • 35. Fifty Shades of Legacy
    - Critical vulnerable software that is strongly needed for work; extra money for the update and staff retraining
    - Critical software requires outdated vulnerable libraries (Java)
    - Legacy Operating Systems that can only run some critical software
  • 36. Some systems are just difficult to update
    - UNIXes, network devices, etc.
  • 37. In conclusion
    - There is no magic in Vulnerability Management
    - Vulnerability scanners are awesome. Trust them, but not too much.
    - Homegrown automation is still necessary:
      ○ Update scan targets (Wiki, DNS, WAF/AntiDDoS, AD, Monitorings...) and manage regular scan tasks
      ○ Get critical exploitable vulnerabilities from scan results
      ○ Inform the responsible person / make tasks
      ○ Get statistics and visualize the VM process
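The four automation items on slide 37 are the glue most teams end up writing themselves. The Python below is an added example, not code from the talk: it unions scan targets from several inventory sources (the slide names Wiki, DNS, WAF/AntiDDoS, AD and monitoring), reports assets with no responsible person, collapses the target list for a scan task, and turns the critical exploitable findings into one task per owner. Every inventory export, owner name and finding below is constructed, and the `CVE-EXAMPLE-0001` ID is a placeholder; in practice each dict would be filled from the respective system's API or export.

```python
"""Homegrown glue around the scanner: targets, owners, tasks (slide 37).

Added example, not code from the talk. All inventory data and findings are
constructed so the script runs offline.
"""
import ipaddress
from collections import defaultdict

WIKI = {                                  # hostname -> record maintained by hand
    "web-01": {"ip": "10.0.1.10", "owner": "web-team"},
    "erp-01": {"ip": "10.0.5.20", "owner": "erp-team"},
}
DNS = {                                   # forward zone export
    "web-01.corp.example": "10.0.1.10",
    "web-02.corp.example": "10.0.1.11",
}
WAF_BACKENDS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]    # upstreams behind the WAF
MONITORING = {"10.0.1.10": "up", "10.0.5.20": "up", "10.0.9.7": "up"}


def merge_inventory():
    """Union of every source keyed by IP; the owner is known only where the Wiki has it."""
    assets = defaultdict(lambda: {"name": None, "owner": None, "sources": set()})
    for name, rec in WIKI.items():
        asset = assets[rec["ip"]]
        asset.update(name=name, owner=rec["owner"])
        asset["sources"].add("wiki")
    for fqdn, ip in DNS.items():
        asset = assets[ip]
        asset["name"] = asset["name"] or fqdn.split(".")[0]
        asset["sources"].add("dns")
    for ip in WAF_BACKENDS:
        assets[ip]["sources"].add("waf")
    for ip, status in MONITORING.items():
        if status == "up":
            assets[ip]["sources"].add("monitoring")
    return dict(assets)


def unowned(assets):
    """IPs that some source knows about but nobody is responsible for."""
    return sorted(ip for ip, asset in assets.items() if asset["owner"] is None)


def scan_targets(assets):
    """Smallest list of networks covering every asset, ready for a scan task."""
    hosts = [ipaddress.ip_network(ip) for ip in assets]
    return [str(net) for net in ipaddress.collapse_addresses(hosts)]


# Constructed scan output: (ip, cve, severity, exploitable).
FINDINGS = [
    ("10.0.1.10", "CVE-2018-7600", "critical", True),
    ("10.0.1.11", "CVE-2018-7600", "critical", True),
    ("10.0.5.20", "CVE-EXAMPLE-0001", "high", False),
]


def critical_exploitable(findings):
    """The subset worth a ticket: critical severity and an exploit available."""
    return [f for f in findings if f[2] == "critical" and f[3]]


def tasks_by_owner(findings, assets):
    """One task per responsible person; hosts without an owner land in UNOWNED,
    so the inventory gap itself becomes visible work instead of a silent miss."""
    per_owner = defaultdict(list)
    for ip, cve, _severity, _exploitable in critical_exploitable(findings):
        owner = assets.get(ip, {}).get("owner") or "UNOWNED"
        per_owner[owner].append((ip, cve))
    return dict(per_owner)


if __name__ == "__main__":
    assets = merge_inventory()
    print("targets: ", scan_targets(assets))
    print("no owner:", unowned(assets))
    print("tasks:   ", tasks_by_owner(FINDINGS, assets))
```

The `UNOWNED` bucket is deliberate: on the constructed data `web-02` is known to DNS and the WAF but not to the Wiki, so its critical finding would otherwise have nobody to notify, which is exactly the "responsible person: unknown" situation from the talk's hell slide.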