Beyond Patching and Scanning: Building a Robust Vulnerability Management Program
60min Talk - Business
Location: Track 3 - 10/26/24, 10:00 AM - 10/26/24, 10:45 AM (America/Kentucky/Louisville) (45 minutes)
Nick Berrie
Managing Director, Offensive Security Operations

Nick is an information security professional with a passion for solving difficult problems. He has worked in highly regulated nuclear environments, consulted on GRC, served as a SOC analyst, and worked in offensive security performing vulnerability assessments, penetration tests, and red team engagements. Nick currently leads a team of security consultants at Assura, Inc., where he is the Managing Director of the Offensive Security Operations department.


Abstract:
In the business world, vulnerability management is often misunderstood as simply vulnerability scanning and patching. An effective vulnerability management program is far more comprehensive: it involves multiple layers of policy, automation, and integration. This presentation aims to demystify what a real vulnerability management program entails and to guide business leaders in developing a mature, robust program that goes beyond the basics.
I will introduce the Vulnerability Management Program Maturity Matrix, a tool designed to help organizations assess their current state and identify areas for improvement across the dimensions of vulnerability management. The presentation covers the essential components of a comprehensive vulnerability management framework:
Framing the Program
• Establishing robust policies, procedures, standards, and guidelines.
• Contextualizing data for assets and information.
• Implementing effective risk acceptance processes for vulnerabilities.
• Integrating change management, patch management, and configuration management.
Operationalizing the Program
• Utilizing automated tools for attack surface discovery, vulnerability scanning, and automated penetration testing.
• Conducting manual vulnerability identification through penetration testing, red teaming, and code review.
• Efficiently managing third-party vulnerability reports from vendors, bug bounty programs, and security researchers.
• Implementing alerting mechanisms for critical vulnerabilities through accepted communication channels.
Optimizing the Program
• Aggregating and deduplicating vulnerabilities within a single platform.
• Prioritizing vulnerabilities based on risk tolerance and profiles, leveraging threat intelligence.
• Conducting root cause analysis to identify strategic areas for improvement.
• Developing metrics and reporting capabilities to measure and monitor program effectiveness.
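To make the "Optimizing the Program" steps concrete, the following is an added example written for this page; it is not code from the talk, the speaker, or Assura, Inc. It aggregates findings from two hypothetical scanner exports, deduplicates them by (asset, vulnerability ID) after normalizing hostnames and ID case, enriches each finding with constructed asset context (criticality, internet exposure), a constructed threat-intelligence set of known-exploited IDs, and a constructed risk-acceptance register with expiry dates, then ranks the open findings and produces a few program metrics. All sample data, weights, tiers, and IDs (the `CVE-0000-*` placeholders are not real CVE entries) are assumptions chosen for illustration.

```python
from datetime import date

# Constructed sample exports from two hypothetical scanners. The IDs are
# placeholders in CVE format, not real CVE entries.
SCANNER_A = [
    {"asset": "web-01", "id": "CVE-0000-0001", "cvss": 9.8, "first_seen": "2024-09-01"},
    {"asset": "web-01", "id": "CVE-0000-0002", "cvss": 5.3, "first_seen": "2024-09-10"},
    {"asset": "db-01", "id": "CVE-0000-0003", "cvss": 7.5, "first_seen": "2024-08-15"},
]
SCANNER_B = [
    # Same host and vulnerability as SCANNER_A[0], reported as a FQDN with a lowercase ID.
    {"asset": "WEB-01.corp.example", "id": "cve-0000-0001", "cvss": 9.8, "first_seen": "2024-09-03"},
    {"asset": "hr-laptop-7", "id": "CVE-0000-0004", "cvss": 8.1, "first_seen": "2024-10-01"},
]

# Constructed asset context (the "contextualizing data for assets" layer).
ASSET_CONTEXT = {
    "web-01": {"criticality": "high", "internet_facing": True},
    "db-01": {"criticality": "critical", "internet_facing": False},
    "hr-laptop-7": {"criticality": "low", "internet_facing": False},
}
CRITICALITY_WEIGHT = {"critical": 1.5, "high": 1.25, "medium": 1.0, "low": 0.75}

# Constructed threat-intel feed: IDs with known in-the-wild exploitation.
KNOWN_EXPLOITED = {"CVE-0000-0004"}

# Constructed risk-acceptance register: (asset, id) -> date the acceptance expires.
RISK_ACCEPTED = {("db-01", "CVE-0000-0003"): date(2024, 12, 31)}


def normalize_asset(name):
    """Fold case and strip any DNS suffix so 'WEB-01.corp.example' joins 'web-01'."""
    return name.strip().lower().split(".")[0]


def aggregate(sources):
    """Merge finding lists from several scanners, keyed by (asset, vulnerability id).

    Duplicates keep the earliest first_seen and the highest CVSS, and record
    every scanner that reported them.
    """
    merged = {}
    for source_name, findings in sources.items():
        for f in findings:
            key = (normalize_asset(f["asset"]), f["id"].upper())
            seen = date.fromisoformat(f["first_seen"])
            entry = merged.setdefault(
                key, {"asset": key[0], "id": key[1], "cvss": 0.0, "first_seen": seen, "sources": set()}
            )
            entry["cvss"] = max(entry["cvss"], f["cvss"])
            entry["first_seen"] = min(entry["first_seen"], seen)
            entry["sources"].add(source_name)
    return list(merged.values())


def score(finding):
    """Risk score: CVSS weighted by asset criticality, plus exploitation and exposure bonuses."""
    # Assets missing from the inventory get a neutral weight; in practice flag them for follow-up.
    ctx = ASSET_CONTEXT.get(finding["asset"], {"criticality": "medium", "internet_facing": False})
    s = finding["cvss"] * CRITICALITY_WEIGHT[ctx["criticality"]]
    if finding["id"] in KNOWN_EXPLOITED:
        s += 3.0
    if ctx["internet_facing"]:
        s += 1.0
    return s


def tier(s):
    """Map a score onto remediation tiers (thresholds are assumptions)."""
    return "P1" if s >= 12 else "P2" if s >= 8 else "P3"


def prioritize(findings, today):
    """Split findings into a ranked open queue and a list of currently accepted risks."""
    open_findings, accepted = [], []
    for f in findings:
        expiry = RISK_ACCEPTED.get((f["asset"], f["id"]))
        if expiry is not None and expiry >= today:
            accepted.append(f)
            continue  # an expired acceptance falls through and is re-queued
        s = score(f)
        open_findings.append({**f, "score": s, "tier": tier(s), "age_days": (today - f["first_seen"]).days})
    open_findings.sort(key=lambda f: f["score"], reverse=True)
    return open_findings, accepted


def metrics(open_findings, accepted):
    """A few program-level measures suitable for a recurring report."""
    by_tier = {}
    for f in open_findings:
        by_tier[f["tier"]] = by_tier.get(f["tier"], 0) + 1
    return {
        "open": len(open_findings),
        "accepted": len(accepted),
        "by_tier": by_tier,
        "seen_by_multiple_scanners": sum(1 for f in open_findings if len(f["sources"]) > 1),
        "mean_age_days": (sum(f["age_days"] for f in open_findings) / len(open_findings)) if open_findings else 0.0,
    }


def run(today="2024-10-26"):
    """Run the full pipeline against the constructed data for a given report date."""
    findings = aggregate({"scanner_a": SCANNER_A, "scanner_b": SCANNER_B})
    open_findings, accepted = prioritize(findings, date.fromisoformat(today))
    return open_findings, accepted, metrics(open_findings, accepted)


if __name__ == "__main__":
    open_findings, accepted, m = run()
    for f in open_findings:
        print(f"{f['tier']} {f['score']:6.2f} {f['asset']:12} {f['id']} age={f['age_days']}d sources={sorted(f['sources'])}")
    print("accepted:", [(f["asset"], f["id"]) for f in accepted])
    print("metrics:", m)
```

Two details worth noting: the hostname normalization is what lets the two scanners' reports of the same web server collapse into one record (and the merged record keeps the earliest sighting, so the age metric is not reset by a second scanner discovering it later), and the acceptance register is checked against the report date, so a risk accepted with an expiry in the past reappears in the open queue instead of being silently forgotten.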
Attendees will gain insights into creating a vulnerability management program that not only addresses immediate security issues but also builds a foundation for long-term resilience. This talk is designed for business leaders looking to enhance their organization's security posture and effectively manage vulnerabilities in an ever-evolving threat landscape.