Exploring the World of CTEM

Understanding Continuous Threat Exposure Management (CTEM) | Jonathan Risto


    Summary

    In this informative webinar presented by the SANS Institute, Jonathan Risto delves into the intricacies of Continuous Threat Exposure Management (CTEM). Spanning over an hour, the session covers the fundamental aspects of CTEM, distinguishing it from traditional vulnerability management. Jonathan emphasizes the importance of a holistic approach to threat exposure, exploring key components such as scoping, discovery, prioritization, validation, and mobilization. Challenges, benefits, and strategies for successful implementation of CTEM are discussed, making it essential knowledge for cybersecurity professionals seeking to enhance their threat management practices.

      Highlights

      • Jonathan Risto emphasizes the five key steps of CTEM: scoping, discovery, prioritization, validation, and mobilization. 🌟
      • CTEM is not a tool, but a process that involves understanding business risks and prioritizing accordingly. 🔑
      • Automation and continuous assessment are critical to effective CTEM. 🚀
      • Traditional vulnerability management is reactionary, whereas CTEM seeks to be more proactive. 🚦
      • Cross-functional collaboration is necessary to tackle cybersecurity challenges in a unified way. 🤜🤛

      Key Takeaways

      • CTEM is a proactive and continuous approach to threat management. 📈
      • Cooperation across all organizational levels is essential for effective CTEM. 🤝
      • Continuous testing and validation improve vulnerability management. 🔍
      • Automation is crucial to keep up with the fast-paced threat landscape. 🤖
      • Understanding and prioritizing business risks ensures alignment with organizational goals. 🎯

      Overview

      Jonathan Risto captures the audience's attention with a deep dive into Continuous Threat Exposure Management (CTEM), unraveling its complexities and practical implications. With humor and relatable anecdotes, Risto guides professionals through the intricacies of CTEM, making it clear that this process is an elevated approach to traditional vulnerability management, focusing more on holistic, ongoing processes rather than isolated incidents.

        Emphasizing the importance of cooperation across different functional areas of a business, Risto outlines how CTEM requires an integrated effort to properly manage and mitigate threats. His engaging presentation covers not just the mechanics of CTEM but also the cultural and structural shifts needed within organizations to fully embrace this modern strategy.

          Risto doesn't shy away from acknowledging the challenges associated with implementing CTEM. From cultural resistance to the need for new KPIs and metrics, he addresses these potential hurdles with candid advice and practical solutions, offering a pathway to effectively adopting CTEM for heightened cybersecurity resiliency.

            Chapters

            • 02:30 - 04:30: Introduction to the Webinar
            • 04:30 - 09:00: Agenda Overview. Introduces the agenda and the main topics covered in the sections that follow.
            • 09:00 - 12:00: Speaker Introduction
            • 12:00 - 15:00: Definition and Importance of CTEM. What CTEM stands for, its components and core principles, and why it matters.
            • 15:00 - 25:00: Key Components and Steps of CTEM. The elements of the CTEM process, the sequence of steps involved, and how they integrate to achieve the desired outcomes.
            • 25:00 - 40:00: Differences between Traditional VM and CTEM. Contrasts traditional vulnerability management with CTEM: known CVEs versus a broader set of exposures (misconfigurations, attack paths, identity problems), periodic scans versus continuous assessment, CVSS-only prioritization versus prioritization that also factors in threat intelligence, exploitability and business impact, siloed ticket-based remediation versus cross-functional mobilization, and validation that goes beyond the scanner or patch tool reporting a fix.
            • 40:00 - 48:30: Why Consider CTEM? The reasons for considering CTEM, its benefits and applications in various contexts, and its advantages over traditional methods.
            • 48:30 - 65:00: Implementing CTEM: Steps and Challenges. Opens the exposure management webinar hosted by Jonathan Risto and encourages the audience to use the Q&A section for questions, which will be addressed during the session and at the end.
            • 65:00 - 86:00: Best Practices and Conclusion. Wraps up the discussion by focusing on vulnerability management and the significance of continuous threat exposure management (CTEM), acknowledging it as a critical topic and attempting to demystify it beyond any perception of it being merely a buzzword.
            • 86:00 - 95:00: Q&A and Closing Remarks. Audience questions submitted via the Q&A feature are addressed at the end; if there are more than can be covered in real time, they will be compiled and addressed later, possibly through a blog post.

            Understanding Continuous Threat Exposure Management (CTEM) | Jonathan Risto Transcription

            • 02:30 - 03:00 Good afternoon everyone, welcome to
            • 03:00 - 03:30 the Understanding Continuous Threat
            • 03:30 - 04:00 Exposure Management webinar with Jonathan Risto. As we begin, thank you so much; please use the Q&A area for any questions and we'll try to answer your questions throughout and at the end of the webinar. Yes, thank you, I appreciate the intro there, and welcome everybody. Thank
            • 04:00 - 04:30 you for taking the time today to join us for this fun and exciting topic, and well, we'll just put it in a broader brush of vulnerability management, because that's just an exciting topic that we need to deal with. Today specifically we're going to be dealing with continuous threat exposure management; that's what we're here to talk about. You may have heard of CTEM, you may want to figure out what this is, wonder if it's just yet another buzzword that's out there, so we do have some things we are going to spend over
            • 04:30 - 05:00 the next 45 minutes to 60 minutes on, however long it takes. Now, if you do have questions, please feel free to put them into the Q&A; we'll get to them at the end of the presentation talk here, and if we end up with a whole bunch of questions and for some reason I just can't get to them all, what we'll do is we'll make sure we capture those and then we'll come back and be able to put something out as a blog post or otherwise. All depends how the talk goes, but feel free to come over and put your questions in the Q&A for us. So what
            • 05:00 - 05:30 is it we're going to be talking about today? Here's a quick agenda about what we're going to deal with: just what is this continuous threat exposure management, what are the main components in there, and really what is the difference between this CTEM thingy and traditional vulnerability management, and then why we might want to consider it, five things you can do to start moving towards CTEM, some of the challenges that are out there, as well as maybe some of the best practices for
            • 05:30 - 06:00 adopting CTEM itself. So lots of different information, lots of stuff we're going to be covering through, so let's just get into this. To start with, you might be wondering who the heck I am: Jonathan Risto, course co-author on LDR516, Building and Leading Vulnerability Management Programs. I've been teaching with SANS for forever; it's actually more than 13 years, thinking about that. Yeah, I've taught a wide variety of classes over the years, everything from the incident response and the pen testing
            • 06:00 - 06:30 curriculum, teaching the 20 critical controls that are now the 18 critical controls with SEC566. I've taught the forensics classes when we only had 508, and then even helped write exam questions for 408 when it came out, and 516 as well is where I've been focusing, I'll call it, the last five years, just because, well, hey, I'm biased and want to deal with my own stuff in vulnerability management. I also work with SANS.edu; I'm on the faculty research
            • 06:30 - 07:00 committee, actually an alumni as well, but on the faculty research committee working with the students on their Masters program, helping them answer questions, guidance as they're writing their paper. We're also the ones that grade the paper and the webcast, and I do have a day job on top of the seemingly 1,700 other things that are going on in my life. Yeah, currently the technical director, cyber posture management, inside the government itself, and when I seem to have absolutely no spare time, I do enjoy
            • 07:00 - 07:30 spending it with my three kids and also enjoying the outdoors. At the moment I'm watching the snow melt where I am and we're losing the ice on the lakes, but soon we'll be able to go into other fun things that are in the outside world as well. But that's me, and that's not why we're here; who really cares about that. What we're here for is this continuous threat exposure management, and what is CTEM? Just to lay it completely out there, CTEM is not a tool. You can't go out and
            • 07:30 - 08:00 buy this; it's not an "ooh, cool, nice, shiny, let's buy this." Oh, I'll just... I have a little clicker here in my hand in order to advance my slides. You're not able to go and buy a product. There are products and tools that we need to leverage, but CTEM is an ongoing process, how we structure and tackle the problems inside our
            • 08:00 - 08:30 environment. I give you a better definition there on the screen and I'm not going to read it, but it is using the risk-based approach to help us try and find the problems, figure out which ones really are the most important out there, at least what we have in our scope and the objective for the program, and helping make sure we can mitigate those problems. And it does generally get classed as going beyond the traditional vulnerability management
            • 08:30 - 09:00 because it's a continuous process. Now, I know you're probably thinking right now, my VM process, I've got dedicated people, we're doing it all the time, it is continuous. Agreed; it's how we're focusing on the problems and the other issues that we end up dealing with as part of a more robust, holistic vulnerability management program, with things like misconfigurations, actually looking at it from the attack path: what can the... I was
            • 09:00 - 09:30 about to say the vendors; the adversaries actually get to in our environment, and how do we actually get rid of those problems, so we know we're focusing on the right things. Because we have big problems when trying to look at the challenges out there: your backlog is hundreds of thousands, you may be into the millions with problems. So understanding that is out there, and the challenges that we have because of that,
            • 09:30 - 10:00 and we're often asked how do we know we're fixing the right problem. So, to ultimately wrap this up in a nice little bow, looking at vulnerabilities from a holistic perspective and trying to get in front of them instead of playing the whack-a-mole game that we often do, which is more reactionary: from the vulnerabilities, we wait till the VM, or sorry, the vulnerability is announced, it's found in the scanner, and then we start the
            • 10:00 - 10:30 process and then we play the whack-a-mole. Let's actually start layering in a lot more details around this to try and get a little more robust and quicker to get the work done. That is what CTEM is doing, or attempting to do, for us. Now, just to rain on the parade here to start with, it is not a perfect thing; it is not the panacea; this will not solve all of your problems that you have related to
            • 10:30 - 11:00 vulnerabilities, pardon me. I do not feel we have anything that is going to be able to do that. It is trying to look, as I said, more holistically: how can we solve the problems quicker, faster, more efficiently, and actually working on the problems that matter. That was the intent when Gartner launched it out the door, and how we see it practically getting employed and used inside organizations, but it is a bit of a shift,
            • 11:00 - 11:30 and we're going to talk about some of the things we need to worry about here. Because what are the main categories of it? There's really five parts to CTEM, so call it a five-step process if you want to call it that, but what we have here is it starts with doing the scoping. And for a scope in CTEM you will probably have multiple scopes in your program; it's not just saying oh, we are going to solve all the problems that are public facing. Maybe that is a scope, but it's pretty
            • 11:30 - 12:00 broad, but it could be the scope of looking at what do we want to do from the cloud environment; maybe it's going to be focusing on a certain application suite that we are using or that is publicly exposed. Or, when you're starting with CTEM, you're probably going to start with a very small scope and see how we can move through all of the steps. But it is defining and deciding what are the problems we want to tackle and how that's tied into the business
            • 12:00 - 12:30 itself, understanding the business processes and making sure we're aligned on where the business sees the risk. Next you have discovery, which is looking for all of the problems that we have out there. We need to understand the assets, the vulnerabilities, what do we have out there. So a big component in here, or what we need to have to do CTEM, is that pesky asset inventory. Yeah, yes,
            • 12:30 - 13:00 everything comes back; we have to kind of understand, but it is leveraging tools that we have, be it our CMDBs that contain the data, our EASM tools that are helping us find the information from the outside, what are we leveraging from other data sources. I'll pick on things like Active Directory or the vulnerability scanner, or let's say our endpoint protection software that we have, or EDR, XDR, whatever the heck you are running, pulling the information together to make sure we understand what
            • 13:00 - 13:30 is out there and what the problems are that we have in our environment. That's the discovery phase. Now prioritization is the third step of the process: we've got to figure out all the different exposures that we have and rank them, and this is based on business impact, exploitability, and can the adversary even get to it, or are they doing these types of attacks. So it's not just the fact, and recognize this as a simple
            • 13:30 - 14:00 example, it's a CVSS 10, the sky is falling, we have to fix this now. Most organizations, we've moved beyond that, but just as an example, it's not just trying to layer in one or two simple pieces of contextual information, I call them things to layer in, like is there an exploit available and we have a high-ranking CVSS score. It's trying to factor in a lot more details and information, understanding and doing that analysis on
            • 14:00 - 14:30 the environment to understand what's going on, leveraging things like EPSS, stepping through and doing the SSVC calculations on here with the decision tree of how it actually pops out at the end going "ooh, this might actually be important." Step number four in the process is validation. Now this is making sure what we want to put in place is actually going to work;
            • 14:30 - 15:00 this can be done through simulation exercises, this can be done with testing in the lab, this can be done with red team, but it is: what we said was important, is it actually a problem, and will what we want to put in place actually solve the problem that we have identified that needs to be remediated. And that ties into the last step, which is the mobilization. That's where we take the findings and the validation and all the work that we've done and actually get it put in place inside the
            • 15:00 - 15:30 organization, getting the teams to move forward to get the work completed so we get rid of those big problems that we have, so the attackers are not going to be able to take advantage of the environment and we reduce the footprint. Those are the five steps of CTEM. Now recognize in five minutes I can't make you an expert on all five of the steps, but that is an overview of what we have to deal with from a CTEM
            • 15:30 - 16:00 perspective. Pardon me, apologize for that. So that is the essence of what CTEM is, with these five steps. Now looking at things here, or if you've heard some of the stuff I've talked about, you're going "well, I'm leveraging some of that in my program today," and that's great, phenomenal that you are. If you're leveraging things like, what are we doing for the attack paths in the
            • 16:00 - 16:30 environment, or are you leveraging, let's pick on EPSS or some other threat intelligence information to help you understand what's going on with adversary behavior and the likelihoods of compromise, that's great, that is moving your program forward and trying to be more holistic. So it's not a problem that you're doing it, but I bet you're probably running into issues inside your environment trying to get problems realized or problems removed and getting the work realized and
            • 16:30 - 17:00 completed. We run into a lot of challenges within the VM programs, and CTEM is trying to at least ensure we have more of a focus and the organizational support across the board. We'll see coming up some of the challenges or things we have to worry about, but it is trying to get that closer collaboration work done, getting the prioritization and the leadership buy-in, all common things that we do, but it's changing the focus, putting things
            • 17:00 - 17:30 into the business terms and making sure that all the teams have bought into the idea and we're all working together more effectively, instead of the "ooh, here's the vulnerability, throw it over the wall at you and then hopefully you will fix it within the 30, 60, 90-day window, and then we'll just pick it up when the scanner goes back over that again." Yeah, probably not effective in our environments these days, because
            • 17:30 - 18:00 let's just say the adversaries are in there a lot faster and taking advantage of the problems long before that 30/60/90-day remediation time frame comes into play. So we've got to do something different, so it's trying to change the mindset for us. Now here are some of the differences, and I recognize some of the stuff in the traditional vulnerability management is sometimes a little bit of a broad brush stroke, or stepping back into, I'll call it, the 20-years-ago view of the world where you had a
            • 18:00 - 18:30 vulnerability scanner, we had perimeter protection, and you prioritized everything based on CVSS. But trying at least to highlight some of the differences that we have here. So it is, we are focusing in the traditional VM on known vulnerabilities: you've got the CVE, the scanner's pulled it up, now I've got to get rid of it. With CTEM we're trying to look at different types of exposures, and this includes things like misconfigurations, what are the various attack paths in the environment, or even
            • 18:30 - 19:00 identity problems that we have. Picking on cloud services, that's the biggest problem we have out there, is the misconfigurations, because, I don't know about you, there's way too many cloud services that I need to try and understand that people seem to want to leverage, and the cloud service providers, pick on Amazon, Azure or GCP, are launching new services like it's going out of style. Ooh, there's a new one today, how the heck do I have to protect that? And we
            • 19:00 - 19:30 don't have the staffing on the VM team trying to solve the problems with the knowledge to understand, and quite frankly, I'll pick on the operations folk, they don't have a good understanding either, because there's so much to try and know and understand in the multicloud environment; we just can't stay on top of it. So misconfigurations are a big thing from cloud, but we are trying to look more holistically at all the problems out there. Vulnerability scanning: we're doing those periodic scans, could be monthly, quarterly, and you're thinking, I've got agents, they're
            • 19:30 - 20:00 scanning all the time. Yeah, great, fully agree, agents will help us out, speed up the frequency, but I also bet there's a whole bunch of things in your environment that don't have agents, and agents aren't perfect anyways; we still have to do the network-based scans, etc. It is, with CTEM we're trying to do more of a continuous assessment on here. We're also not trying to use the static analysis methods, and this is where, like I said, CVSS, yeah, we've gone beyond, right, we've gone beyond just
            • 20:00 - 20:30 using CVSS, right? Nod your head and say yes. If not, we need to move beyond just using CVSS to prioritize. Most organizations have, but they still are out there. We are trying to incorporate more information, pick on threat intelligence, just as some examples I've put there on the screen. We want to take a look at as well how we are prioritizing. Normally in traditional VM it's how is it bubbled to the top of the highest severity score: if it's,
            • 20:30 - 21:00 pick on CVSS score 10, if you're using weighted averages it's scored 45 out of 47 or out of 50, or however we're getting to those most severe things. We are at least looking in CTEM again, trying to do things with exploitability in here as well as factoring in business impact, so several extra points of where we see some of the main differences. The remediation: often you're working with whatever ops teams. Oh, it's a database
            • 21:00 - 21:30 problem, we send that to the DBAs and hope they fix it. Oh, it's a Linux problem, let's get the Linux administrators to reboot their box. Oh, good luck. But it is, they're very siloed in how our operational approaches go to get the problems: it is sent to IT, the ticket is opened in Remedy or whatever system you're using, and they go ahead and do it. Now within CTEM it is trying to deal with it in a different approach, with the
            • 21:30 - 22:00 mobilization phase. It is trying to have more cross-functional teams, that is tying in IT, security, the business units, trying to help ensure that we can get the remediations done quicker; that is what the intent is. And in our traditional validation, or sorry, traditional VM, are we doing validation? Often this is left to: the patch management tool said it was patched, it's patched, or the vulnerability scanner has come across
            • 22:00 - 22:30 again and went "ooh, it's no longer there, ticket closed." We want to at least also engage with more things like our red teams, the analysis on here, making sure what we've put in place as the mitigation measure is actually working. Now this is easy to do when it's a patch. Think about your compensating controls that we all have in our environments today: how are you validating they're doing what they're supposed to
            • 22:30 - 23:00 be doing? You said by putting that WAF rule in play you expect it to block, let's pick, 70% of the attacks that are coming in for that known problem, I'm looking at you, Log4j, but how do you test that that's actually the case? Are you validating that your risk reduction is there? Most of us aren't; we put that in play, great, the WAF is working, and then we kind of leave it be. We want to do in CTEM more of the regular
            • 23:00 - 23:30 simulation and analysis, as well as validation on a regular basis, that the risks are reduced to that acceptable level. So there we go, enough pontification on that, but it is trying to move it forward to get us more non-reactionary, more proactive, and shortening the window from the time to discover to the time to remediate; we want to shrink that. That is
            • 23:30 - 24:00 the intent of CTEM and how they are approaching it. Now, why should we think about CTEM? Lots of reasons, and CTEM, as I said at the start, it is not the perfect solution; it may not work in all environments. Let's pick on OT. Can you quickly get mobilization done in your OT environment? Right now you have a problem,
            • 24:00 - 24:30 you're in manufacturing, probably six months till that site's going down; that's when you get the patch put on. Until then, good luck; we have to try and either put a compensating control in, or the risk is accepted till that site is going down. CTEM will not be able to suddenly come along and take it so we can patch that SCADA system that's out there. No, it won't, but it should at least help ensure the controls we're putting in place will actually reduce it. But there are parts
            • 24:30 - 25:00 of our environment it may not work in, and it may not work in your organization, but it's something we should consider. When I talk about CTEM briefly in the course, well, we do talk about CTEM in there, or just in general, we've got to make sure that what we are willing to do for our organizations even can have a complete fundamental shift on how we operate, which is what CTEM would do for us from
            • 25:00 - 25:30 the classic way we've been looking at things. So it is, if we think it will do better, let's see if we can do it; maybe it will, maybe it won't, but being willing and able to do that fundamental shift, even say from the classic vulnerability model that we have where our VM teams, for example, set up the program, do all the scanning, we find the problems, prioritize, fire it at their operations team in order to get them fixed, then we validate and make
            • 25:30 - 26:00 sure all the work is done. But there's that step where we're not, or do we move it more to a standard operational process and we are pure governance, that's another operating model for VM, or do we want to move into CTEM? We should be willing to look at it. Now, benefits that are brought forward and why we should consider them: better risk-based prioritization. That is the intent and the goal with CTEM, trying to make sure we're focusing on the exposures that are
            • 26:00 - 26:30 a problem, and not really the "oh, if you stand with the tin foil hat in the thunderstorm facing north-northwest by 5 degrees on one foot with the arm up, then this works." Yeah, let's actually look at the things that actually do make sense for us and are an actual exposure for us. Trying also to ensure that we're aligning with the business risk and where the business feels the priorities need to be. Often what we are doing is, this is a critical problem, but yeah,
            • 26:30 - 27:00 it's on Jonathan's laptop. It may be a really big problem, but what is the business risk of that? Are we factoring in the business impact of that? So we want to make sure we have alignment, because it does help ensure the business sees the value, let alone the operations team is actually working where the business feels we need to ensure it's up. Picking on a web-based company or something like that, we probably would have a higher business
            • 27:00 - 27:30 priority on, let's say, order taking than on, say, issuing the bill, because most customers are more than happy to wait an extra day to get the bill compared to the organization not being able to accept a new order coming in. So what do we align with from a business perspective? And it is trying to look at, CTEM is looking at it from a continuous process, continuous assessment, as opposed to the periodic assessments of, I'll pick
            • 27:30 - 28:00 on our multi-function printers: how often do you scan them for problems, are they weekly, monthly, quarterly? Well, wait, how do we check and see what's going on with all the routers and switches? Two examples where we don't have the agents for continuous assessment. Now I remember when I was doing red team work, I loved finding the multifunction printers because they were never, never ever secured; configurations
            • 28:00 - 28:30 were atrocious, you had things like TFTP turned on on them, SNMP public and private for the strings, phenomenal. And I really remember, from a forensic perspective, I loved those devices when they first came out; people didn't remember they had hard drives in them, so all the treasure trove of information from a forensics perspective that's on there. Oh, they were so much fun to play with. But we're doing the continuous assessment as opposed to the periodic assessments; that's an intent here,
            • 28:30 - 29:00 and something any organization, adopting CTEM or not, we should be doing these continuous assessments on as short an interval as possible for us. We are also trying to look at the attack techniques, for point number four of why we should move forward here, because our adversaries aren't just looking at, oh, let's pick on the, what was the update that Microsoft put out there, for how many vulnerabilities came out for the March patch update? Woohoo, so much fun, hey. Yeah, a whole bunch of
            • 29:00 - 29:30 problems were released out there; I think there were five, or was it six, that have exploits available to them. It's not just CVE though that people are exploiting: misconfigurations is the top breach source from cloud services. Last stats I was reading, it's in the 60 to 65% range of how breaches and data spills are occurring in cloud; it's misconfigurations. That doesn't have a CVE in it; that's us not doing
            • 29:30 - 30:00 something we should, that we need to be able to find and identify those weaknesses that we have. That's what we're trying to do from a CTEM perspective as well, and we want to help get better at our validation, for the last bullet point here. It does enhance it because we are taking a look at not just the problems, what are the solutions, and layering in adversary information and threat intelligence, trying to
            • 30:00 - 30:30 understand is this really a problem, is there a known exposure for this, do we have exploit availabilities, and are the attackers actively on this, picking on some data points that get layered in. Now we are layering some of these into our traditional VM as well, but we are trying to get better at how we look at all of the problems, as what the intent is here again from a CTEM standpoint. Now what should we do, what are five
            • 30:30 - 31:00 things we can do if we wanted to start to move over into the CTEM environment? Five-step plan, there you go. Now back to that constant problem that we have: what the heck is the attack surface we have out there? Oh boy, here we go again, welcome to understanding the assets. It always comes back. Why do you think it is number one and
            • 31:00 - 31:30 number two on the critical controls, understanding your hardware and your software assets out there? It's the biggest, most important thing we can do. CTEM is no different: I need to understand the attack surface both from the asset perspective but understanding what we have from the security gaps. It's not just, do I have an asset that's sitting there, okay, yeah, I have an asset that's there, okay, what services and ports are open on this, what is actually exposed
            • 31:30 - 32:00 publicly from this system or open and available in general do we have uninstall or sorry do we have software that shouldn't need to be there I put IIs on the file server why unless you need it REM it's identifying all of those types of things that we have on the assets so making sure we understand the attack surface that is out there to help start moving here and how we can start to shift the
            • 32:00 - 32:30 focus: threat-informed prioritization. Now, as I said, a lot of us are doing this, some of it even basic threat intelligence, like what is the, is this, uh, vulnerability exploitable? Reason we're using it: because it's in the tools today. All the vulnerability scanners will put whether or not there's an exploit available; pick on your Qualys, Rapid7, Tenable of the world. They all tell you, ooh, no exploit available on this. Some of them will even get fancier with the demonstrations and information: oh, this is in a known malware
            • 32:30 - 33:00 kit, this is actually part of ransomware attacks. It's all coming down to helping us understand the threat information associated with the problem. So even if we don't move towards CTEM, trying to get more proactive in the work, helping us get better pieces of context into play, adopting threat-informed prioritization is going to help us improve the program regardless if you decide to go the CTEM
            • 33:00 - 33:30 route or not. Layer in that information, knowing that, there it is, there's no active exploits, it's currently in malware kits, attackers are currently doing this now, and let's go to even corporate-specific stuff, they're knocking at my door looking for that port. All great pieces of threat information that probably tells us maybe we should fix this problem, being able to layer that into our decision processes. Okay, enough harping on that
            • 33:30 - 34:00 one. Uh, can you tell we're a little passionate about some of this? But hey, when you live and breathe vulnerability management you get excited about it. Should see me, come visit me for five days in the class, you want to see excited, and lots of great conversations, woohoo. Regardless, we'll talk about that coming up later. Continuous testing and validation, another component we often fall down on in our classic VM
            • 34:00 - 34:30 programs. We put something in place, we put the compensating control, we restrict the access, we put tighter identity and authorization on it, whatever it ends up being there, but does that fix the problem? Is it having the intended results? Or what about the new attack patterns that come out for the problems? Hmm, are we actually able to address those, or have we even gone back? We've marked that as mitigated, no longer reporting on
            • 34:30 - 35:00 it. Yes, we do that, but the intent is to try and continually validate, test, ensure what we're putting in place and what we have in place is able to solve the problems. This will require automation; talk a little bit about that coming up. But yeah, I can't just have the massive internal red team that is just constantly validating everything. While, yeah, they're like a kid in a candy store, would love it, but that's not
            • 35:00 - 35:30 practical in most organizations, to have that level of support from your red team. That would require a whole lot of people testing and the tooling, so we do need some automation help. I still want to leverage red team, don't get me wrong, definitely, but I want to keep them for the things that I can't automate, those, call it the higher-level functions, the business process problems, or, another fun way to call it, the weird and bizarre that I can't get the automated
            • 35:30 - 36:00 tool to do for me, where I need the human in the loop to be able to understand what's coming back and realize what's going on. Yeah, the tool will come back and say, oh, there's no known exploits for running IIS on a Commodore 64. Yeah, well, maybe someone changed a banner. I haven't seen automated tools that are still going to be able to figure some of those simple deception techniques out. But the continuous validation and testing will help us
            • 36:00 - 36:30 continue to move to an improved model from a VM regardless if you decide to stop or adopt CTEM. Point number four that you can see in the right-hand column: establish the cross-functional security program. Now, doesn't that sound like a nice unicorn to be chasing? But it is, we've got to. Part of the biggest problem I find in most organizations from a security perspective is all those silos and the
            • 36:30 - 37:00 fact that the remediation efforts, or in the CTEM, the mobilization efforts, are not prioritized. This is the sky-is-falling situation; we have to raise the emergency situation, the five-alarm fire situation, to get people to move towards it, because it's their secondary or tertiary duty to just keep Jonathan happy when he comes and talks to you. Please. Not where we want to be. We've got
            • 37:00 - 37:30 to break down the silos and actually, um, ensure the teams are engaged across the entire process, as well as ensuring the teams have been given the time and the resources to get the work done. Nothing like going to people that are already short-staffed and going, ooh, here's a problem, I need you to drop everything else that you're not getting done to fix this thing as
            • 37:30 - 38:00 well. Yes, we can use our relationships, we often have good relationships on the IT, but we need to make sure that leadership as well is on board here. I want people engaged from start to finish and have the time and resources to actually get the jobs done quickly. Big problem that we see generally; can help us move forward and start down the path of the CTEM. All of these you could do and not have to
            • 38:00 - 38:30 adopt CTEM; they're definitely going to help you improve the program. Final point is shifting from the, call it the whack-a-mole game, the reactionary, to try and be a little bit more proactive and doing the continuous approach, the let's keep flipping through this cycle as quickly as we can and removing the problems from our environment, instead of, oh, the scanner found a problem, now what do we do about this? Looking at it, seeing what new
            • 38:30 - 39:00 problems have come out before the scanners have identified. We understand the threat vectors that are into the environment, what exposures we could have, and we take steps to actually remove those possibilities even before there is a vulnerability. It is looking at the vulnerability as well as the exposures in general: how do we minimize those? That's another thing that can help you move more towards the CTEM model. Oh, lots of cool things out there.
            • 39:00 - 39:30 Now, five challenges that you can run into when trying to implement CTEM. Yeah, this is not, some of these are definitely specific to CTEM, some of these are probably not, um, the problems you're running into today. Everything from point number one, with the cultural resistance that's out there: a lot of our teams are resistant to begin with to our traditional approach; now telling them that they need to work dedicated related to
            • 39:30 - 40:00 VM, let alone changing the workflows and how stuff has to get done, ooh, I'm getting pushed back hard, I'm ending up at the other side of the room. Yeah, we can end up with that cultural change. This is where we need buy-in from all levels in the organization, an agreement that this is where we want to go. While I may be able to implement CTEM from the bottom up, normally it'll require the leadership engagement, so we have it as
            • 40:00 - 40:30 well from the top down to help remove some of those barriers and set the corporate expectations, as well as providing the resources needed, in agreement that this is the way we need to do business. So that helps remove some of that resistance that is out there. We're also going to need to worry about tooling, as well as, I'll call it, the integration of the environment. We have lots of tools,
            • 40:30 - 41:00 we have tons of data. I'm sure most of you on this call right now have the data swamp that is out there: I've got 17 different tools and none of them talk to each other, or only two or three over here talk, these two or three talk together, but I'm sitting there having to look at six different screens to get the holistic view. Nothing more frustrating than having to do the Ctrl-C and Ctrl-V
            • 41:00 - 41:30 to take information from one tool to the other. This is where our tooling, the integration inside the environment, is definitely needed, and I'll argue stocking up and doing some of the automation. I want to make it simple for the group to be able to work. I'm right now launching some programs at work and I am pushing hard to try and do everything we can from an automated perspective. We need to; I don't have enough staff, I don't have
            • 41:30 - 42:00 enough resources to be able to do everything manually, and I'm not paying my staff to sit there to do the Ctrl-C, Ctrl-V type work. I want them to be able to have it available and actually doing the higher-level functions that we need them to do, instead of things that we just do not have the right tooling for, don't have the automation for. Data overload: there's lots of data that we have available to
            • 42:00 - 42:30 us there. We need to be able to deal with this; that is where some of our automation, be it the analytic side as well as even pulling the data together, really can help us out. Said we've got the data swamp: I've got it out there, I just can't get to it. There's so much information, and we get so overloaded in vulnerability management with the, I've got 3 million things in my backlog already, it's really easy to push off to
            • 42:30 - 43:00 the side some of the other stuff we know we aren't dealing with, because I've already got this herd of elephants we're trying to eat over here, I don't want to worry about that smaller issue I've got over here. It's easy to mask because we're so busy, so overloaded. We're trying at least to minimize, and we have to minimize, that data overload, because there's massive amounts of data that's out there we're trying to bring all together. Now, I do feel that we are
            • 43:00 - 43:30 getting better at this. Vendors are providing us access to information to try and help us deal with the data overload. Picking on the tooling, like what we are seeing coming from some of our traditional VM vendors, some of the second-generation VM tools that aren't doing the scanning but they're bringing the data together and fusing it for us, through to some of the ITSM, ITOM tools. So everything from the Qualys, Rapid7,
            • 43:30 - 44:00 Tenable trying to bring a bunch of data together, through to, I'll pick on, like, the Kenna, Nucleus Security of the world that are doing the data fusion components from a bunch of different things, through to things like ServiceNow on the ITSM, ITOM that are bringing the data together to try and make it so we can minimize the data overload. This is what we have to try and do, otherwise we're going to be buried. Hmm, cross-team collaboration is another one; kind of goes back to the
            • 44:00 - 44:30 buy-in conversation we were just talking about. It is, we need to have the clear ownership, roles and responsibilities, call it the RACI if nothing else, but I need to make sure everybody understands their part and we're all working together to the goal, and it is the priority for these individuals, not the tertiary duty, 'cause I don't know about you, I never seem to make it to my secondary, let alone my tertiary tasks, until it's like, oh crap, I forgot to do this,
            • 44:30 - 45:00 and then now I'm suddenly over there doing it on the 89th day of the 90-day remediation time frame. Why do you think it takes long to get our work done? And the last bullet point, some challenges for us related to how do we measure the success here. We do have a lot of KPIs, a lot of metrics; I've even been putting out some stuff on a regular basis from my Metrics Mondays about vulnerability management metrics, but it does change how we have to look
            • 45:00 - 45:30 at this. We do have KPIs, metrics we're using, some are good, some are not so good, but we may need to look at things in a different approach, putting a different, I like to term them, the lens for how we look at the data. So that may actually require us to change or develop new metrics, which does take time. How can I show this as being effective? What are my KPIs to show that CTEM's
            • 45:30 - 46:00 effective? Do I have a data source to help me do that? That takes some time and effort for us to implement as well. Huh, now this is, we're getting to the end here, I see we're about 40 minutes in. So what are some things that can help with CTEM adoption? Starting small, implementing on a simpler basis, call it a pilot, call it a trial, but we're going to need to
            • 46:00 - 46:30 make sure we have everything lined up beforehand. But what can we do for the small, call it the quick wins, to demonstrate capability, if we can do that? You're not going to be able to eat the whole organization all at once and launch CTEM come, let's pick, tomorrow, um, yeah, we're flipping over to CTEM. Yeah, we're going to want to do a little smaller and layer this in over time, but focus what we can, starting small. I've already harped on the automation point a lot; without it you're going to fail. We
            • 46:30 - 47:00 really will. We're, I find that without automation we're already failing at how we're doing VM; taking a new approach to doing VM, like CTEM, without automation, we're setting ourselves up for failure as well. We've got to also try and get security validation being done regularly, continually, call it forming; we want to make sure that this is done all of the time, not as the
            • 47:00 - 47:30 exception. Even with simple things like patching, are we just waiting for the tools to tell us that there's a snowflake out there, a system that for some reason is weird and bizarre, or are we waiting till the fact that the breach has occurred because the scanner went and found the registry entry, but, I'll pick on the Linux admin again, they didn't reboot? Actually, that'd
            • 47:30 - 48:00 be more a Windows than a Linux problem, but something as simple as that: the artifacts that are found on the system may indicate it's there; could come back to something simple like a reboot. Have we been able to actually validate in here? We want to make sure this is constant, continual, for everything we're doing in the environment. Something else that'll help with CTEM in general, I say it even helps on VM and how to make us better at doing the job: making sure we're actually talking in business terms. We're horrible in security for
            • 48:00 - 48:30 throwing out all that technical jargon, we're bad. We are also really bad at communicating. Now take someone who normally talks in gobbledygook and acronyms and go throw that at the chief marketing officer; we tend to get a little bit nervous, we throw the gobbledygook and talk in technical terms, and you see the glossy eyes coming over. They aren't understanding what's going on. We want to put it into the business
            • 48:30 - 49:00 speak, because that's what most of the organization talks about. If you will, do well, I find, in your career: if you can take our technical gobbledygook and translate it to business speak, you will do very well, because people will come to you, you can explain things in non-technical terms and they can understand it. Being able to communicate with 90%, 80% of the organization that is not IT background and security backgrounds, that's a lot of the
            • 49:00 - 49:30 organization. They don't understand it, so let's put it into terms that the business talks regularly. It'll help you in general, but we help with CTEM adoption: how is this actually reducing the risk for the organization? How is this enabling us to meet the business objectives that we have? How is it actually improving shareholder value for public companies? What will it do to help out there? And then continuously evolve. It is a
            • 49:30 - 50:00 continuous program; this is not a fire and forget, and we are going to always run into problems. We are not going to get it perfect at the start, for sure, and it's continually evolving, the threat landscape that is out there, be it from the attack techniques, the TTPs that are being used against us, the new ways and creativity that is happening to actually exploit the vulnerabilities and the exposure that we have. Um, maybe a good
            • 50:00 - 50:30 example here would be, uh, it's an older one, but remember when we had, um, numerous problems that have been announced publicly out there for us inside the environment. I'll pick on, let's just even, Log4j from a few years ago. What we had is you knew the problem right away, and then it was, oh, there's another problem that's out here, oh wait, there's a little bit of a variance that's happening on this. So it's the new information is constantly coming out about, uh, we've been peeling back the layer of
            • 50:30 - 51:00 the onion from the analysis, finding out more details around it. Are we staying on top of that? Have we been able to validate that the remediation and mobilization work that we did with our CTEM process is actually still being effective for the new TTPs, etc.? So as we continually evaluate, feeding this information into the hopper definitely helps us improve from the CTEM perspective and, I'll argue, on a vulnerability management perspective as well. So there
            • 51:00 - 51:30 are some best practices to help you from the adoption standpoint. So, summary, things we talked about and how I want to wrap this up here. Yeah, proactive, continuous. It does, we have to be continuous in how we're assessing the threats, the risks, the exposures that we have, and layering that information in to help us prioritize in the environment, because it is not just looking at CVEs that are out there. We do need to
            • 51:30 - 52:00 understand what's going on with misconfigurations as well, or default passwords; anyways, keep seeing those popping up from vendors every now and then. We do want to leverage the threat information, and we've got to work better together, we have to get better collaboration going. So the whole goal of CTEM, quite frankly, is to try and bring and continually evolve vulnerability management to help us focus on the real problems that we have, based on a lot of
            • 52:00 - 52:30 different pieces of context, to try and get that understanding of our environments. So there's a little bit of a summary for you on that. Now, a couple quick things here. Well, these were on right before the start of the webcast as well. This one's specific, related to vulnerability management, just the, uh, cyber operational, cybersecurity executive, the triad on that; the Leadership 516 class is one of the three. And if you're interested in more
            • 52:30 - 53:00 information on the holistic approach from a vulnerability management perspective in general, take a look at sans.org LDR516; that'll take you over to the course landing page. We've got stuff on here from the courses, a couple that are coming up for us; do OnDemand any time that you want. Um, I'm going to be teaching at the end of the month, March 31st, that's a live online format, and in April is the next one I'm teaching after that; that one's in Orlando starting on
            • 53:00 - 53:30 April 13th. If you're interested, take a look there, or if you want stuff later in the year, we have them both. Um, I'm next teaching in Munich at the end of June; we have a class coming up in Amsterdam in May as well for those that are over in Europe. Uh, I believe we have a Singapore run coming later this year for those over in Asia. So lots of opportunities, so just some information for you there. Now, couple quick things. Thank you for taking the time to be with me today, I do
            • 53:30 - 54:00 appreciate it, and I know I've seen a couple questions pop up. I think you have been able to deal with some of them, but if you have any questions, I know this is a ton of information, but if you have any questions please feel free to put them in the Q&A and we'll be able to come back and answer them here, because, as I said, if we get a whole bunch I'll do some blog post about it. Now, if you're interested in other information, I'll deal with this while we're waiting to see if any other questions come up. Here on the screen
            • 54:00 - 54:30 there's lots of information from a CTEM perspective. Gartner coined this, I'll argue, two and a half, three years ago max as an approach, but there's lots of vendors that are adopting this approach to how we are looking at things from the exposure management perspective. There is, I've put out a paper as well, and this, it's, um, one of our analyst series from a CTEM perspective. You can find that if you took a look on the SANS website; it's about four or 5,000 words talking about the processes, some of the challenges, how
            • 54:30 - 55:00 to move through things as well. There's lots of documentation on it that is available, so if you want to start digging a bit deeper, feel free to do so. That CTEM paper, there actually was a webcast that we hosted, uh, Simplicity sponsored it for us, but that we talk through some of the things as well in another webcast on here. But also, if you have questions, I'm showing in here how you can reach out and get in touch with me. You have both my email address on here,
            • 55:00 - 55:30 want to follow me on LinkedIn as well, ask questions, please feel free to do so; more than happy to try and help out, because maybe you won't think of the question here right now in the next two minutes, maybe it'll come to you in the middle of the night, 3:00 a.m., it'll smack you upside of the head, or maybe two weeks from now. Please feel free to reach out, I'll try my best to answer it. If I'm teaching I tend to ignore things a little more, but any questions, please feel free to put them in the Q&A there. And I think one
            • 55:30 - 56:00 point, you may come on and say this, but I'm going to steal her thunder a little bit: the webcast is going to be available on the website, it's going to be posted up there afterwards, so you will be able to go back and relisten to things if you want as well. The presentation will all be in there as well, so you'll have access to those details also. So, anything else you want to say? I'm just going to take a look at the question sheets here as well. No, I don't have anything else. John, thank you so much, and thank you for everybody, um, for
            • 56:00 - 56:30 attending, and the presentation will be available at the same link you registered, in about 24 hours, the recording and the presentation. All right, there you go. So let's say by end of the day tomorrow, about 24 hours, it'll be posted there, uh, for you on the SANS website. Just seeing, I saw you were able to handle some of the questions about both presentation available and stuff like that. Yeah, that's great. I don't see any other questions coming in, so going once
            • 56:30 - 57:00 here, going twice. All right then, I don't see any new questions coming up, so again, thank you for taking the time and spending it with me today. I appreciate you taking the 50 minutes out of your very busy day to talk about this, and if you're at one of the SANS events, feel free to look me up if I'm there; more than happy to talk on just about anything, but definitely on VM. Thanks again for attending. You have a great day.