Episode 57

Best Practices for Overcoming Troublesome Vulnerability Management Trends

A 2023 State of Vulnerability Management Report finds that only half of the surveyed organizations (51%) have, at best, a moderate level of visibility into vulnerabilities. Several other vulnerability management metrics, such as maturity levels, frequency of vulnerability scans, and patch deployment speed, reveal an alarming and troublesome trend. In this episode, Ashley Leonard, CEO at Syxsense, joins me in reviewing the research report findings and discussing vulnerability management challenges and best practices.


Time Stamps

00:02 -- Introduction

02:20 -- Ashley Leonard's Professional Highlights

04:00 -- Scope of Vulnerability Management

06:34 -- Human Vulnerability Factor

08:57 -- AI-enabled Phishing Attacks

09:32 -- Vulnerability Management Objectives

15:50 -- Continuous Vulnerability Scanning and Remediation

18:24 -- Practicality of Continuous Vulnerability Scanning

22:37 -- Securing All Attack Surfaces, Especially IoT Devices and Cloud Assets

25:57 -- Vulnerability Management Maturity Levels

31:33 -- Apparent Disconnect Between Scanning and Visibility

36:15 -- Promptly Acting On Vulnerability Report Findings

41:49 -- Selecting Appropriate Vulnerability Management Tools and Solutions

43:55 -- Vulnerability Management Best Practices

46:30 -- Final Thoughts

Memorable Ashley Leonard Quotes/Statements

"We try and train most of our users not to log in an unknown USB device. But there have been cases where threat actors will take the USB devices and drop them in the parking lot of companies they're trying to breach. People will often pick up these USB sticks, wonder what's on it, walk into the office, and plug it in. It's shocking."

"I would share that patching should not be a monthly process. Many companies do this kind of, "Oh, it's Patch Tuesday, so we're gonna go and deploy our patch Tuesday patches to our organization." It's not even a weekly process, this should be a continuous process."

"New vulnerabilities are being published constantly, we have a whole threat research team that is constantly publishing new content. And if you're not scanning on a continuous basis, then your organization's exposed. So you really need to find technologies and partners that can do this kind of continuous vulnerability management for you."

"In the past, after a vulnerability was publicly announced, it typically took three to seven days before you started to see attackers actually weaponizing these vulnerabilities and attacking, which meant you kind of had a week or so to get your act together, deploy the patches and make sure your organization was safe. It's now down to 24 hours. And that's a problem. That's a huge problem for most organizations, because, unless you are doing continuous vulnerability scanning and remediation, you're not going to be able to respond quickly enough, and your organization is going to be exposed. So you really need technology to step in here. And you need automation that you can use to deploy these patches to your most vulnerable assets as quickly as possible."

"Patches don't get tested normally as much as a full release of a product; that's also a risk."

"Automation can really help you respond quickly but also thoughtfully in the way that you go about remediating these patches."

"Think carefully about the data, categorize how important it is, and think about where it's stored. And that's a really good starting place."

"Threat actors are now using AI to analyze the exfiltrated data from the organization. And then using that data from the AI, for example, finding customer lists, and then contacting those customers, and getting those customers to apply pressure on the organization to pay the ransom."

"Research finds that the more tools you have, the more likely you are to have a breach."

"The fewer agents that you actually have on your endpoints, in many cases, the safer you are."

"You can't just mass deploy a patch, because the patch itself causes more problems than the vulnerability it's closing. So it needs to be done very thoughtfully, using automation and processes."

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast, so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

https://us.sagepub.com/en-us/nam/cybersecurity-readiness/book275712

Latest Publications:

Preventing Security Breaches Must Start at the Top

Mission Critical --How the American Cancer Society successfully and securely migrated to the cloud amid the pandemic

Latest Webinars:

How can brands rethink data security to maintain customer trust?

Cybersecurity Readiness in the Age of Generative AI and LLM

Insights for 2023, Cybersecurity Readiness with Dr. Dave Chatterjee

About the Podcast

Show artwork for The Cybersecurity Readiness Podcast Series
The Cybersecurity Readiness Podcast Series
with Dr. Dave Chatterjee

About your host

Profile picture for Dave Chatterjee

Dave Chatterjee

Dr. Debabroto 'Dave' Chatterjee is tenured professor in the Management Information Systems (MIS) department, at the Terry College of Business, The University of Georgia (UGA). He is also a Visiting Scholar at Duke University, affiliated with the Master of Engineering in Cybersecurity program in the Pratt School of Engineering. An accomplished scholar and technology thought leader, Dr. Chatterjee’s interest and expertise lie in the various facets of information technology management – from technology sense-making to implementation and change management, data governance, internal controls, information security, and performance measurement. His work has been accepted and published in prestigious outlets such as The Wall Street Journal, MIT Sloan Management Review, California Management Review, Business Horizons, MIS Quarterly, and Journal of Management Information Systems. Dr. Chatterjee’s research has been sponsored by industry and cited over two thousand times. His book Cybersecurity Readiness: A Holistic and High-Performance Approach was published by SAGE Publishing in March 2021.