Hack Red Con 2024
-
Make Friends and Influence People
Joshua Mason
-
The Hitchhiker's Guide to Cyber Insurance
Jonathan VanSchaack
-
Hacking your CISO!
Scott Stanton
-
CISO Panel
-
Reframing the “Success” of an Offensive Test: Taking a Risk-Based Approach
Celina Stewart
-
More Tools Won't Solve Your Problem
Jordan Silva
-
Securing Derby 150
Jason Payton
-
The CISO's Myopia
Jordan Bonagura
-
Social engineering the social engineers, you suck at buying software.
David Girvin
-
The New Era of Social Engineering: AI, Deep Fakes, and the Dark Web.
Seth Bowling
Nick is an information security professional with a passion for solving difficult problems. He has gained experience in the field working in highly regulated nuclear environments, consulting on GRC, working as a SOC analyst, and in the offensive security space doing vulnerability assessment, penetration testing, and red teaming. Nick currently leads a team of security consultants at Assura, Inc. where he is the Managing Director of the Offensive Security Operations department.
Abstract:
In the business world, vulnerability management is often misunderstood simply as vulnerability scanning and patching. However, an effective vulnerability management program is far more comprehensive, involving multiple layers of policy, automation, and integration. This presentation aims to demystify what a real vulnerability management program entails and guide business leaders on developing a mature, robust program that goes beyond the basics.
I will introduce the Vulnerability Management Program Maturity Matrix, a tool designed to help organizations assess their current state and identify areas for improvement across various dimensions of vulnerability management. This presentation will cover essential components of a comprehensive vulnerability management framework:
Framing the Program
• Establishing robust policies, procedures, standards, and guidelines.
• Contextualizing data for assets and information.
• Implementing effective risk acceptance processes for vulnerabilities.
• Integrating change management, patch management, and configuration management.
Operationalizing the Program
• Utilizing automated tools for attack surface discovery, vulnerability scanning, and automated penetration testing.
• Conducting manual vulnerability identification through penetration testing, red teaming, and code review.
• Efficiently managing third-party vulnerability reports from vendors, bug bounty programs, and security researchers.
• Implementing alerting mechanisms for critical vulnerabilities through accepted communication channels.
Optimizing the Program
• Aggregating and deduplicating vulnerabilities within a single platform.
• Prioritizing vulnerabilities based on risk tolerance and profiles, leveraging threat intelligence.
• Conducting root cause analysis to identify strategic areas for improvement.
• Developing metrics and reporting capabilities to measure and monitor program effectiveness.
Attendees will gain insights into creating a vulnerability management program that not only addresses immediate security issues but also builds a foundation for long-term resilience. This talk is designed for business leaders looking to enhance their organization's security posture and effectively manage vulnerabilities in an ever-evolving threat landscape.
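As an added illustration of the "Optimizing the Program" items above (aggregation, deduplication, and risk-based prioritization), and not code from the talk or from Assura: a small Python script that merges findings from two hypothetical scanners, drops duplicates, and ranks them by asset context and threat intelligence against a stated risk tolerance. All scanner output, asset criticality values, CVE ids and the exploited-CVE feed are constructed placeholders.

```python
# Constructed sample output from two hypothetical scanners. The CVE ids are
# placeholders, not real identifiers; the same issue appears twice for web-01.
RAW_FINDINGS = [
    {"source": "scanner_a", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"source": "scanner_b", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.1},
    {"source": "scanner_a", "asset": "hr-db", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"source": "scanner_b", "asset": "kiosk-03", "cve": "CVE-0000-0003", "cvss": 8.2},
]
# Asset context (1 = low business impact, 5 = critical); constructed values.
ASSET_CRITICALITY = {"web-01": 5, "hr-db": 4, "kiosk-03": 1}
# Constructed threat-intel feed: CVEs reported as exploited in the wild.
EXPLOITED = {"CVE-0000-0001"}


def aggregate(findings):
    """Collapse duplicate (asset, cve) reports into one record, keeping the
    highest CVSS seen and remembering which tools reported it."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        rec = merged.setdefault(key, {"asset": f["asset"], "cve": f["cve"],
                                      "cvss": 0.0, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f["cvss"])
        rec["sources"].add(f["source"])
    return list(merged.values())


def prioritize(records, criticality, exploited, tolerance):
    """Rank by a risk score that weights raw severity by asset criticality and
    active exploitation, then mark each item against the risk tolerance.
    Items under tolerance go to the formal risk-acceptance process instead."""
    ranked = []
    for r in records:
        score = (r["cvss"] / 10) * criticality.get(r["asset"], 3)
        if r["cve"] in exploited:
            score *= 1.5  # assumed multiplier for known-exploited issues
        decision = "remediate" if score >= tolerance else "risk-acceptance review"
        ranked.append({**r, "sources": sorted(r["sources"]),
                       "score": round(score, 2), "decision": decision})
    return sorted(ranked, key=lambda x: x["score"], reverse=True)


if __name__ == "__main__":
    for it in prioritize(aggregate(RAW_FINDINGS), ASSET_CRITICALITY, EXPLOITED, 2.0):
        print(f'{it["score"]:5.2f} {it["decision"]:22} {it["asset"]:9} {it["cve"]} {it["sources"]}')
```

Note that the CVSS 8.2 finding on the kiosk ranks below the CVSS 7.5 finding on the HR database: asset context, not raw scanner severity, drives the queue.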