Hello and welcome to today’s remote session. This is Tom Bechtold with SecureWorld Digital. Welcome, everybody. Today we are talking about “Beyond the Security Report: Make Measurable Progress with Actionable Findings.” What does that really mean? We’re going to find out here in just a minute. And today we’re actually going to be talking with Mr. Chris Rogers. He is the Cyber Swiss Army Knife over at PlexTrac. I love that title. Very unique. I’m going to ask him about that in just a minute. But I wanted to say thank you to the folks over at PlexTrac for making today’s remote session possible. We’ve got a lot of ground to cover.
I usually have something to say about things. Today’s topic isn’t really one that I’m world-savvy on. I mean, I know about pen testing, vulnerability management and stuff like that, but I’m not a guru, if you will. Chris Rogers is, though, so we’re going to be talking to him. I’m going to save some time here, but I do want to tell you guys a little bit, if you’re new to the program, just a quick housekeeping slide here. We’ve got some different resources available for you in the tab down there at the bottom. You guys have a nice little menu bar down there in the audience.
We’ve got some resources in there that include today’s slides and a couple of other URLs that you definitely want to check out. There’s some really good stuff about pen testing in there that you’re going to want to have. We’re taking questions at the end of this, so submit your questions along the way. I’m going to be keeping track of those. You will get a certificate of attendance. That happens after about 45 minutes. It should be an automatic little pop-up deal, but you can also just hit that little certificate down at the bottom.
It’ll tell you how much time you have left if you’re not really watching the clock. So you can download that if the pop-up doesn’t work for you. You’ll get an email later this afternoon that will serve as the same thing. If you have any audio or video issues, go ahead and hit F5 or Function-F5. That usually clears up most of the issues that folks are having. If it persists, you might change your browser. We are recording this like we do most of our webcasts.
You can enjoy this at another time. More importantly, I like to tell people you should share these. I say often that collaboration is really the only silver bullet we have in security, and sharing this type of information is crucial. We’ve got to start doing better about sharing information. So please share this if you like it. We actually have a new feature on the platform: reactions, much like you see on other social media.
If you like something that Chris is saying, or God forbid, I said, let us know. Put a reaction in there, do a hand clap, heart, whatever you want. But yeah, we’ve got that loaded in there now. So we’d love to have some reactions to something. That’d be great. And I’ve got a poll question here for you. We’re going to kick things off for you guys.
I’ve got a question for you out there: of the following strategies, which is your security team doing today? Now this is a multiple select, so you can pick any or all of these, right? So is it vulnerability scanning? Are you doing penetration testing? How about threat-informed penetration testing? Purple teaming, are you doing that? And continuous assessment, are you continuously going back and reevaluating stuff? So we’ll take a moment, let you guys submit your choices there. Again, this is multiple. What all are you doing? Right, we’re going to get to Chris in just a minute. I want to see a few more responses in there though, just to really kind of set the stage. It’s going to help Chris talk about certain things more.
So if you guys are already doing a bunch of some of this stuff, we don’t really want to spend too much time there, right? So please make your choice now. We’re going to lock that in in just about 10 seconds. So give us a few more responses here and then we’ll get going. Like I said, certificate of attendance after about 50 minutes. Download those resources. There’s some good stuff in there. All right, we’re going to move on and see what people are thinking about today.
See what we’ve got for a top three. We’re looking at vulnerability scanning, penetration testing, continuous assessment, with threat-informed pen testing coming up as fourth, and purple teaming kind of got a little low on that. I’m going to bring Chris in. Chris, you’re seeing these results. Is this kind of surprising at all?
No, not really. Just in general, especially as we’re taking a look at long-term longevity and really maturity of process, what we’re seeing is that a lot of cases still have been adopting, or have maintained, the red/blue team crossfit. So the purple team is still a fairly new process for us, and it’s a fairly new process for many organizations. We’re finding a lot of people who really like it, but for some organizations it doesn’t fit the mold quite as well.
Got you. All right, I’m going to get you to your first slide, sir, and away you go. Let’s keep the questions coming in from the audience. We’re going to try to stump Chris here at the end with some Q&A. So see what you guys absolutely.
All right. So we’re talking today about going beyond the report. We’re talking through really a lot of the gray side of things. We talk a lot as security practitioners at the hard level, but we also recognize that so much of what we do happens to be very in between the black and the white, in the in-between area. When we really start looking at security, we recognize that we have a ton of different personalities, and those personalities really fit in a lot of different areas. Off the top of my head, we’ve got reconcilers, we have defenders, we have auditors, we have marketers, we have visionaries. There’s a lot of conversations that people have where they talk about information security in general.
And the truth is that it’s a whole echo chamber. It’s an environment that exists. And one of the things is, Tom and I were kind of starting to talk about it. I was reminded of being a kid many years ago, and there was this instance where I had an assignment, and the assignment was: explain making a peanut butter and jelly sandwich. And what you find is that my wife is a teacher as well, so we talk about these types of things pretty regularly. But when I think about information security in general, what I kind of start thinking about is, when we talk about the defenders, all those pen testers and red team, blue team, purple team, a lot of times what their focus is, is, hey, the area around the peanut butter and jelly sandwich, is it clean? The peanut butter and jelly, is it fresh? Is it good? Do we have any problems? Is it worth eating? Those marketers are going to come in and be like, hey, I’ve got this brand of peanut butter and this brand of jelly and it’s so good, it’s delicious, it’s so good, you want this brand.
And when we start talking about some of these different groups, what we find is that we look at things through a different lens. We look at things, we look at reports, we look at processes from a different perspective that is completely adjacent to each other. Over the years I’ve worked in many large enterprise companies. I’ve worked for quite a few vendors, and there’s always been kind of this ongoing joke that when we talk to our executive board, they want a green thumbs up or a red thumbs down. They just want to know that they’re good. They want to know what’s happening. And the problem that we run into is that we have these different shades, we have these different areas.
Nobody looks through the same lens. And really, when we’re looking at these different perspectives regarding organizations that rely on reporting, different viewpoints and dynamics are important for different organizational considerations, and when we go there, we are going to find a lot of different things. Now when we start talking about what we have, I can go through here and just tell you all the things point by point by point. This is really here just to kind of give you a framework. At the end of the day, the things that we’re going to be covering are: one, what are the personalities, and what do they do to get the information out for information security? What do we do as we get bigger? Do our processes change? Do our systems change? Do our priorities change? Then we go in and take a look at two different fields. It looks like in our poll we had vulnerability assessment and pen testing pop in.
Where I happen to work, we run into a lot of different teams that interchange those tools quite regularly. And I want to really talk about the pros and cons and where we’re at with that. And then as we mature, how can we make our reporting more dynamic? How can we make it more prolific, so that it’s more pungent, as we’re talking about all the P-words and everything else. And then finally, how do we integrate all the teams on a social and environmental level to bring them into harmony as much as competition? We don’t want to be at a place where we’re siloing. We’ve talked about this probably for the last 20 years, that we want to get away from siloed organizations. But yet every time that we look at organizations, we find tribalism, we find processes that one person comes in and goes from there. So those are the things that we’re going to be looking at. All right, now let’s start talking about our primary goals for those who have been in the industry for a long time.
We recognize that whether it’s pen testing, which is going to be that physical getting in there, can we do it, can we break it, can we go, or the vulnerability assessments, when we really look at that vulnerability assessment, we really look at what we’re doing, it very much fits into the same category. It fits into the same classification structure. We’re going to identify the risks, we’re going to make the plan, we’re going to figure out who owns it. That one’s a big one for a lot of organizations too. Hopefully we can remediate it, or we can exempt it.
We’re hoping that the exemptions are very limited, but they do happen. Then we have to validate, retest, identify risk. Now when we’re talking about that continuous assessment, this is the heart of what it is. This is what it’s going for. But really, we come back to a place of saying, I’m going to assume that a lot of you are going to be fully aware of this. There might be some of you who aren’t. But really, when we start breaking it down for those people who are just getting out of their CISSP or whatever their term is, we start taking a look at the triad. We push the triad, we push everything that’s out there.
But really, if we take a look at different organizations and we take a look at what they really push across the board, Isca comes back and says that the goal of information security is to enable the business to succeed by protecting its information and information systems from unauthorized access, use, disclosure, disruption, modification or disruption while preserving the confidentiality, integrity and availability of information and information systems. Really, that’s pretty straight metrics. It’s like, hey, we want to make sure that our information doesn’t become their information. We want to make sure that our data is not their data, whoever “they” are. When we’re looking at confidentiality, we’re kind of coming back to saying, what’s sensitive information? When we really break down vulnerability management, we break down pen testing, we break down the compliance process, we break down auditing, it just comes down to what is most important to us and how we prioritize those things.
When we look at integrity, we’re talking about accuracy, completeness, consistency over a lifecycle. Are we getting data validations? Are we in the right version control? We’re talking about a lot of the configurations, a lot of the versioning, a lot of the patches that we’re setting up, and we go from there. And then finally, with availability, we’re really talking about: do we have redundancy, fault tolerance systems, disaster recovery systems? Those are not necessarily going to fall as much under the vulnerability management and the pen testing side of the world. But when we really break it down, that’s the triad, that’s what we have. Do we have these things that are here? And this really fits within that range. If we’re identifying the plan, is that plan: what happens if we fail? Where are we at? When we take a look at reports and we’re going through this process, reports are nothing more than a story. It’s a dedicated story where people are trying to take data and turn it into an actionable plan, if we look at it.
One of the things that I found, and I think back once again to high school this time, is that I remember I had this science teacher, and they were talking through scientific notation and nomenclature, and I remember sitting there thinking about kingdom, phylum, class, species, all of those that go along with it. And like any high school or middle school kid would, I looked at it and said, where on earth am I ever going to use this? The funny thing is that we use it every day, whether it’s organizational nomenclature, whether it’s whatever. It’s the scientific method, it’s the adding method, it’s every cycle that exists. At the end of the day, we see if it exists, we check it, we go from there. This is really where we’re going to start talking about, as we grow and as we do more, how teams interact and how they go. When we are looking at organizations, we find that there are a few different kinds of organizations out there. We’re going to see your small organizations. When we really start looking at things, we’re going to see things such as that company that has 100 endpoints, maybe a few servers, maybe a few other things that are there, pretty easy to handle.
Hey, you’re using AD, SCCM, you’re using Jamf. You’re using some basic stuff. Really easy. Hey, do I have a version? Do I have some stuff that’s going on? What they don’t start paying attention to is, what about the guy who comes in and says, hey, I want Chrome, because it’s not on the golden image? And then Chrome is going to come back and say, I’m going to put it in, but I’m going to save it to my C drive. And then, oh, where did I find it? I’m going to put it over here. So we get to this point where that may seem insignificant, but what about when we go through and we do a vulnerability assessment or vulnerability management scan and we see that you’re holding a Chrome version that is six months old, and you come back and you say, no, it’s not, it’s not. And then we start kind of coming back to this place of saying, well, we have false positives. I’ve seen a lot of organizations who love to throw “false positives” around, but we recognize that sometimes we have to have a detailed view.
When we start taking a look at mid-market, SMB, SME-level clients, we start diving into a little bit tighter element. We start going into, maybe we have 4,500 assets. It’s a little harder to manage. We’re starting to get to the point where we’re using something like OpenVAS or Nessus or some of these other different vulnerability assessment tools, the same tools that we’re using for pen testing, to come back and say, hey, now that we’ve identified it theoretically, let’s actually take a look at it. And so this becomes where we’re starting to get into that data churn. Like, what do we do for AWS environments? What do we do for any cloud environment when we have ephemeral devices? What happens when we pull them up and we pull them down? We start getting into the spot of who owns what, who does what, how do we get there? And this is where we start diving into more people. As we have more people involved, we’re starting to get to a place where it’s not just, hey, I’ll fix it, we’re good.
When we have these small organizations, “I’ll fix it, we’re good” is fine. But we start asking the question, for some of the smaller organizations, maybe doing automatic patch management makes sense. But then what about when we have multiple business units and organizational units? This is where it gets a little gnarly, because we start coming back to a place and saying, well, if I automatically do this, then what happens if I already had an exemption that didn’t get set? What happens if it breaks an application? These are things that we really have to start talking through and start figuring out. It seems like it’s a little helpless and hopeless, but the truth is that here I really want to make sure that I’m breaking out for you the need for asset management systems. They are important. Having a really strong nomenclature: really important.
If you’re coming from a place where you have mergers and acquisitions, this one happens a lot. You end up at a spot where you have a merger and acquisition, and say that you have five devices that are sitting on 10.10 across five different mergers and acquisitions. Have a plan, have a thought process in mind, because what happens when you scan 10? And maybe you’re using a tool that happens to have the ability to break out different groups and segments, but maybe you don’t. Maybe you’re at a spot where 10.10 is in Denmark, one’s in Italy, one’s in Ireland, one’s in the US, and one’s in India. Things get really difficult for organizations to start kind of figuring stuff out. You might figure it out, but in the same instance, put together a plan, figure out the best ways that you’re going to see that. And I’m kind of talking in regards to some of the M&A folks: when you’re doing that, really make sure that you’re bringing your IT teams into it.
I’m sure that this is not something that anybody is saying, “I’ve never had this conversation,” because I’ve had this conversation at least a couple dozen times. So that’s actually a lot. But the thing that we also start looking at is buy-in. Buy-in becomes something that’s really critical, and it’s something that we have to start to develop and guide and grind and kind of go from there. We’ll go back to those metrics that we talked about at the very beginning. What are the metrics that people want? If we’re talking to our CISO, what is the background of our CISO? Is our CISO someone who came from an audit perspective and is looking for the nitty-gritty details? Or is our CISO someone who came from operations, where they just want to know, hey, you got it, good? Are we at a place where we have a tight relationship, or are we multi-level, where we have an analyst, a manager, a director, a senior director, a senior senior director, a VP, CISO, and then we go from there? These are some things that we want to consider.
And I’ve put together a lot of questions so far, but hopefully by the time that we’re done with this, we can kind of start going through them. At the end of the day, it comes down to this: we need to have a clear strategy, direction, and guidance for where we’re going and what we want to do, outside of “have no issues, no breaches, no problem.”
I’m sure you’ve seen a million and a half LinkedIn articles. We always have to assume that we have been breached, but that we’re going on to the next one and that we’re trying to do better.
So we’ve started talking through all of these different things. There’s been a lot of pie-in-the-sky, different stuff out there. Let’s dial it in a little bit and really start to take a look at just two different ones. Now I use the term vulnerability management. A lot of you use vulnerability assessment. However, in the same instance, most of it is very interchangeable across the board. Most organizations, especially at the enterprise level, are going to use vulnerability management in general when we’re looking at it.
Vulnerability management is the process of identifying, assessing, prioritizing and mitigating risk, just like we talked about before, which is the focus of information security. When we’re talking about pen testing, we’re simulating a real-world attack on computer systems and network systems to identify vulnerabilities that can be exploited by attackers. There’s a lot of people, and I’m sure that you’re probably one of them, who really truly believe that there is this segmentation, and part of it is because it always has been, it’s always been segmented in many, many organizations. However, when you really start looking at it, the true intellect that we start running into is that we start getting comprehensive insights when we bring them together. When we have those vulnerability assessments and those syntaxes put together, then what we start seeing is that we have that theoretical process: theoretically, Qualys, Tenable, Rapid7, ATP, Orca, whatever you’re using, OpenVAS, is saying that this could be an issue. But now we start taking a look at our prioritization metrics. We start taking a look at: is something actually a big deal? Is it sitting in a dev environment? And don’t get me wrong, there can be big deals in a dev environment, but is it as big of a deal as an application that you use on a regular basis that controls financial data? Are we dealing with PII? Are we dealing with HIPAA? Are we dealing with different things that are out there? Those are things that we really want to be mindful of when we start talking about this.
These two fields really do fit together really well, in my perspective. I look at vulnerability management as the fishermen that go out there with the big trawl. They throw a big net out there and they’re going to say, hey, I’m going to pull in everything and see what I’ve got. And at that point you might get 15 dozen types of fish, different types of animals. The pen test is really coming back and saying, you know what, now that I know that this type of animal is here, we’re going to go fishing for this one. We’re going to use this bait, we’re going to use this hook, this lever, this knowledge, and we’re going to go after it and say, now that we see that this is an issue, we’re going to go for it.
It really comes down to a dichotomy of theory versus practice. So one of the quotes that I really, really do like is by Albert Einstein, and it basically says that theory guides, but experiment decides. When we’re really looking at this and we’re really breaking this down, just keep this in mind. We have siloed so much over the last couple of years, where we’ll have one group that’ll just push out things to your teams. You’ll push out patches, we’ll push out different things. People feel unheard. People feel like they don’t have anything there.
We really want to make sure that everybody’s heard. I do value that. I do think that my organization values that a lot too. Another quote that’s out there is: vision without action is like a daydream; action without vision is like a nightmare. If we don’t have something, if we’re not communicating back and forth, we’re going to really, really struggle, and we’re going to keep on going from there. So as we dive in here, we start talking about the things.
So we talk about, hey, it’s important: talk together, communicate, bring it together, figure out what’s going on. But this is how we start to move the needle. As we start looking at different vulnerability management tools that are out there, we’re going to see that the big thing that every single one of them is going through is asset management. So the CAASM space, the ASM space, these different spaces that are out there, they’re identifying first and foremost what the notable areas are that you need: what are the areas that have your PII? What are the areas that have financial data? Also, we’re starting to see threat information and threat actors that are being noted. We’re starting to see what’s on the dark web, what the things are that people are actually seeing, that there are payloads, that there are actually things that people care about, and go from there. That’s where we’re starting to drive that threat-informed pen testing.
The big difference at the end of the day between the standard pen testing and the threat-informed kind is that the standard pen testing a lot of times has been, hey, the CISO or a manager or someone else says, oh, I hear that this vulnerability is out there. Can we make sure that we’re not susceptible to this file? Can we make sure that we’re not susceptible to this framework playlist? Can we do this? The second part is that continuous assessment. Once we’ve done it, are we waiting for six months? Are we at a spot where we just set it and forget it? Oh, we’re good, good job. Most of the time, I remember back in the day, and not really that far away, that vulnerability management, vulnerability scans, we’d go every two weeks, every month. Some organizations, every quarter. You really sit there and you think about it.
If someone was pretty smart about it, they’d figure it out. They find out that you scan every month, and they just start attacking right after, start figuring out what they can do. The day after you scan, they have a whole month to figure out that, oh shoot, we’ve got this. A lot of organizations come back and they say, let’s just take a look at the criticals and highs. But when we’re looking at CVSS scores, a lot of times people aren’t paying attention to the vector strings. They’re not taking a look at, hey, what exactly is network-based versus local-based? These are things that are really important.
When we start taking a look at the reports, are we reporting just based on someone saying it’s a bad thing, it’s important, or are we actually utilizing what we have? And then finally, when I first started in the industry, I remember we would get a report and it was like 250 pages, and it was just basically, we just keep on going through. And most of the time what would end up happening is that it’d be nothing better than Christmas paper. The guys would be like, all right, we’re going to go ahead and do our patches and we’re good. Many organizations aren’t like that anymore, but there are some that are. Being at a place where we have dynamic data that comes to us, this is really a good way that we can change the tip of the spear, where we can really start to be at a place of, instead of just “this is what we had two weeks ago,” “this is where we’re at together.” When we really start looking at it, we really want to be mindful that if we’re utilizing tools that happen to have agent networks, make sure that you’re not sitting there just assuming that you’re getting everything.
Remember, agent networks are going to get everything on the endpoint. They’re not going to get the network, in the same way that if you have a scan and you don’t have good credentialed data sets, you’re not necessarily going to be able to get in and see what you need to see. They all work together in the same way that these organizations need to work together.
As we say, the times change. Social. All right, so what we’re looking at now is building out streamlined remediation and priorities.
I cannot say this enough. Please come together as an organization and figure out what prioritization is for you. All of the big organizations in general, all the big companies for the most part, are going to black-box it and say, here’s your score. It’s a five, it’s a ten, it’s a 15. Come back to a place where you’re actually building it out. Take a look at the vector string.
I will say, for a lot of people, I’m amazed at how many people don’t know that there are training courses on FIRST.org that talk about what CVSS is. I am dumbfounded by how many people don’t understand the vector string. And it’s okay, because if you’re in marketing, you don’t need to, but if you’re in security, that’s a pretty big thing. There’s also a lot of people who come back, and I’ve heard a lot of people who will say, oh, forget CVSS, I’m smarter than that. Cool. I hope you are. I haven’t seen anything else.
I do know that CVSS by itself is not worth it. It does not stand alone. However, if you can start to remediate and streamline that process through communication and collaboration with your stakeholders, and really just be at a place where you’re not throwing that 200-page book at someone, but instead you’re actually giving them, saying, right now, here are your essentials; tomorrow, here are your important ones; and then, you know what, next time we really want to take a look at these and be here, because fatigue, data fatigue, is real. When we start looking at this, we do come from a traditional approach. We look for the biggest things and we try to fix the biggest things. But if we look at these 16-, 17-year-old hackers, we think about nation states, but a lot of times we do see script kiddies, and we’re also going to see a lot of these other kids.
I know a kid who’s 14 years old. She writes Python fluently.
She’s one of those kids that I’m like, you’re 14 years old, so I can’t bring you into a whole lot, but we’re going to get you doing a lot of cool stuff. She can write Python fluently and she can weaponize a lot of stuff. We’ve had multiple conversations. Luckily she is a white hat. But you know what, she didn’t go to class. She didn’t go through such-and-such university learning how to do it just right. They don’t play by the same rules.
If I was sitting there and I wanted to break into something, I can guarantee you I’d be looking for a medium or a low vulnerability that I could use to exploit it. In fact, that’s the path to go after, versus saying, hey, I’ve got a zero-day, I’ve got a 0-day. It’s like, 0-days are cool and 0-days are important. 0-days are also one that, I don’t know. I’m not going to tell you that the zero-days are not something that you guys want to take care of, but I think that most of the research has shown that it usually takes about 30 or so days on average, so you may be susceptible to an attack on day one, but on average, to get weaponized takes about 30 days. So you do want to be ahead of the curve, but you also want to make sure that you’re being mindful of things. When we are talking about organizations in general, one of the big things that I personally feel is one of the biggest things that we run into is corporate tribalism.
In 2021, there was a poll that was done by Kapirski, and it’s a poll, but this number has been pretty similar across the board. And what the poll came to find was that the average length of a general T cell is 26 months.
Sometimes it’s burnout, sometimes it doesn’t work. Sometimes they want to grow. Sometimes that they there’s many, many different things. But the reason I bring this up that people want to make their mark, people want to know leave a legacy, and sometimes that legacy is a growth mindset for the organization. And if you don’t know much about growth mindset, I would highly encourage you to take a look at it. Carol Dweck has a book actually labeled Growth Mindset, and it’s very fascinating read, talking about how we are continuing to grow. I know it’s been around for a little while, so if you have questions, I’m happy to talk about it later on.
But really looking at that growth mindset is to say, hey, what we’re doing now, we’re going to grow better, we’re going to grow better. We’re going to do 1% 2% better every day by doing that. If we can do 1% to 2% better every day, by the time that we get done for a year, we are so much better than we were before. And I know that some of you might say, hey, it’s 100%, it doesn’t work past 100. But the truth of the matter is that perpetual growth is perpetual growth.
I might have to level up maybe that 50% for a junior analyst, and a 300% growth puts them into a regular engineer role. If we’re looking at it that way, and we’re looking at growth from a perspective that we are trying to drive, good. But what we find is that a lot of times we have CSOs, we have organizational heads that will come in and say, I like this tool, I like that tool. I only want this tool. And then the other teams come back and say, oh, you know what? We have our own in-house, our homegrown tool. And so we start to develop this chasm, this rift that exists, and it becomes a problem, it becomes a major issue. And as a result, we find that the data is not complete or one data set is better than another.
For those who’ve been in the industry for a long time, think about how many people. In my experience, I’ve found that there’s many organizations where you’ll hear someone has left the organization and, oh, they were an idiot. Oh, they didn’t know what they were doing. Why are we hiring these people? The truth of the matter is that a lot of times it’s a whole lot easier to blame the guy leaving, that they didn’t know what they were doing, versus letting them speak for themselves. So when we start talking about tribalism, there’s a few different things that we can do.
We want to collaborate in a bipartisan manner. We want to be at a place where when we’re talking with teams, it’s not us. Is that the concept of a better me is a better week? If my team can be strong, our team can be strong. But in order for our team to be strong, yes, we can go back to the peanut butter and jelly mentality of hey, we’re still trying to make the best, most amazing, safe, delicious peanut butter jelly sandwich, but it needs to revolve around the peanut butter jelly sandwich. It doesn’t need to revolve around how great we are. Because the truth of the matter is that if you are really, truly amazing and you can take a look at any sports icon, you can take a look at any major manager, major mentor out there, the truth is that if you can put forth making your people better, everybody’s going to know that it’s you that’s doing at least most people.
As we talked about before, we want to make sure that we’re developing that growth mindset, that we’re not just at a place of oh, look, I’ve done this for 20 years. There’s a lot of teams that don’t end up picking up new tools. And the reason that they don’t pick up new tools is because they’ve always used the old tools and they know it. They don’t want to learn something new because that’s just a lot of work and that’s for new kids. Think about how many times that we are in a place that I’m in my forties. I know many of you guys might be fifties, sixties, but how many of you love the 70s music or love the 80s music or love the 90s music? And that’s okay. We grew up with it.
It’s cozy to us. It makes us feel good about ourselves. But the problem that we run into is that the organization of people who are coming in now, they may love the 2000, they may love the 2000 pens and we look at it and say, oh, they’re just, they’re so dated. The truth is, love the things you love, but understand the things that you don’t know. Make sure that you’re going from there. When we start talking about tools, seek to integrate as much as you can. Seek to make sure that you’re communicating with each other and that you’re doing the right thing.
Evaluate tools together. Don’t just have one group that’s sitting there saying, oh, I’ve got this. But if you happen to have a vulnerability management team and then a compliance team, hey, those are two teams that really probably could take a look at a vulnerability management tool, because most of the vulnerability management tools have compliance in there, and come back and come up with a sal list, with the statement of work of what you guys are looking for and going from there. Have interconnected KPIs. Teach each other, allow each other to speak into each other’s life. We know we’re busy, but in the same instance plan once a month that you guys share. This is the cool thing that we did, here’s the cool thing we saw you do. You know what, stroke a little ego and it goes a long way.
And then finally, when we’re sitting there taking a look at it, balance your automation and manual technique. I know that we’re going into the world of ChatGPT and all of these other things that are going to do things for us, but never underestimate the fact that what we do is important, what we do is good. There are some things that there are smart people and we want to make sure, especially it’s like for pen testing teams, there’s a lot of them that I hear all the time, hey, can you automate pen testing? Oh, buyer beware. Careful if you’re at a spot where, hey, I just want to scan everything. Do you understand what that’s scanning? I also run into a lot of people, when we’re talking about vulnerability management, who know nothing about TLS, know nothing about SSL, know nothing about, if you go through and talk about the different types of, what’s a wormable item? And they’re like, I don’t know. It’s like, make sure that people around you understand the why, not just the what. And then finally come back and create a mission and strategy where wins are shared versus taken. Be at a place where we are going out of our way to try to put that onus of greatness on the other person. It’s not an onus of perfection, it’s an onus of greatness.
All right kind of coming down to the end of this bit here. And really what I want to do is I want to just kind of share with you when we summarize. I know that we went to a lot of different places and I hope that you guys maintained it. I really appreciate you guys taking the time to let me speak to you. Hopefully we can speak with you, but we want to make sure that we know clarity is key. If you know the who, the where and the why, you can report data without any issues, without any problems.
There’s a quote that says, clarity is the antidote to anxiety, and therefore clarity is the preoccupation of the effective leader. Marcus Buckingham. He’s a famous leadership officer. In order to make everything safe, we got to make sure that we’re connected with each other. Aristotle said, the whole is greater than the sum of its parts. No, there’s a lot of times that we sit there siloed in our own groups and we really want to do that. Scaling requires foresight.
We got to know that just because that you might be small doesn’t mean that you’re not going to be big. I would highly encourage you to plan ahead. If you’re big already, all that means is that you’re going to have business units, organizational units that are going to make it even bigger.
There’s a Philippine author that says failing without wisdom is like doing a high speed on a dead end road. Sooner or later you’re going to crash. Make sure that you have wisdom, make sure you have guidance if you can explain what you want.
And then finally, the last one is organizations do not get their full potential met if they don’t work with each other. So this is going to come back to Stephen Covey, which if you don’t know him, I would highly, highly encourage you to do.
The silo mentality is only concerned with their department goals. It silences the synergies needed for overall. So the silo mentality only cares about their individual goals. But if they silence synergies, they are going to end up being at a place where they are going to suffer. They have to make sure that they get rid of that.
With that being said, Tom, that’s kind of where I’m at right now and I hope that you guys got something out of it. I hope that that was beneficial. I really appreciate the time.

Thank you, Chris. Good stuff, man. I’ve got some questions here for you, some of my own, some from the audience, but really just want to say thank you. And there is a huge danger in silos.
I mean, you get the blinders on, you don’t really care about other people. And honestly, we’re all employed by somebody and to me, all of our roles, I don’t care if you’re in accounts payable, you’re a salesperson, in marketing, you’re supposed to be enabling the business to do what it’s supposed to be doing, and security is not exempt from that. Right? So we all have to kind of bring all of us up together and yeah, you have to work in certain teams, but we’re all in this together. In businesses it’s like we got to start working together. And I say it all the time in the collaboration bit, but all right, I’ll get off the soapbox. I got questions.
First one up, Kevin wants to know what platforms do you recommend for those looking to onboard mature activities like Threatenform, pen testing, continuous assessment and the dynamic report delivery? What do you think about that?

Well, I’m definitely going to be biased on this, but I do believe that PlexTrac is really a fantastic tool to get you there. Really the primary point of PlexTrac is collaboration and consistency, taking all that data and bringing it together. I really want to make sure that I’m not going out of my way to make this a sales call on that. But I’m really impressed with our product.
You guys must have something to do with it, otherwise we wouldn’t be talking about it today. So I think that’s fair. Another question for you. What is the most important step to framing a prioritization process for vulnerabilities? Great question from the audience.

Yeah, I think that a lot of it really comes down to, first and foremost, understanding what your industry is and what are the areas, the jewels, the keys to the kingdom, what are the things that you’re trying to protect most? Are we at a spot where we’re talking about a heavily web app organization? Are we talking about an organization that has HIPAA data, that has a lot of medical device data? There’s still a lot. I know that the government has recently been talking about really making a lot of mandates for a lot of medical organizations and everything else. But one of the biggest areas that we have problems with in the world, right, or in the US.
Right now, is MRI machines, old data sets and everything else when we’re taking a look at those types of things because applications were built and that they weren’t updated. So being at a place where if you’re in a hospital, I would highly encourage we have some wonderful tools that exist that are really designed specifically for that. But prioritization, I would say network based prioritization would be really big, as well as physical security to make sure that people can’t, you know, someone doesn’t go into the hospital, have, you know, wander in, put in a disk drive and corrupt something. That’s probably a pretty detailed question, but at the end of the day, we really want to just make sure that it’s not just black and white, and that’s a big part of it.
Thank you for that. Keep those questions coming. We got a few more minutes so we can do some questions. I’ve got some more here, actually a question for me on this one. Tabletop exercises and how often should people do those? I personally think that it really comes down to the organization in some cases. What you’re going to find is that it’s reasonable to have it on a very regular basis. And other organizations, they have other maturity skills that are a little bit more extended.
But I would also say don’t neglect processes. Make sure that you have a process that works, test it, and be willing to expect that you might need to change it. Kind of a tentative planning process.
Got you. I guess follow up from our other question. What is the most important step to framing a prioritization process for vulnerabilities? Did we not just do that one?

Yeah, if we’re talking about prioritization process for framing vulnerabilities, the things that we’re going to be looking at when we frame out vulnerabilities, there’s a few different ways that we can take a look at it. One, a lot of the tools that are out there, they have really good groundwork and they have really good basis already. So we’re going to be taking a look at what types of vulnerabilities exist. If you take a look at any type of issue, are we seeing lateral function? Going back to the conversation from years ago, the Las Vegas casino that was breached because someone jumped into the thermostat and then ended up stealing multiple millions of dollars and sending it off. Those are the types of things that we’re going to come back to.
But when we’re talking about prioritization processes, for me, I personally look at, I do utilize CVSS. I also recognize that CVSS in most cases was a point in time. So when we’re looking at point in time data, we also want to take a look at what threat information are we getting? What are we seeing that’s actually relevant to our organization? What are we seeing that actually really moves the needle at the end of the day? What are the things that if they were broken, that we would suffer, lose our job, or potentially, in recent cases, go to jail for? Those are the things that I would prioritize more than anything else.

Got you. Thank you. Next one from the audience. How would you suggest a security team achieves buy in from upper management and even IT leadership to promote good vulnerability management programs?

Yeah, I’ve got two daughters that love Disney, and I think of the tale as old as time.
I think that when we really look at vulnerability management, I recall when I first started, my CISO came to me and said, well, we have this thing that’s kind of like compliance, but we have this thing that we really don’t know what to do with. And they see it as a preventative measure. The first thing that you need to take a look at from a vulnerability management perspective is, one, it’s not preventative. It’s something that you’re identifying your risks, you’re identifying your areas of neglect, you’re identifying your areas that you really need to adjust. Now, are you always going to be fully compliant? Probably not, because organizations are different. But when we’re talking about buy in from upper management, the biggest thing is that we have to dumb down the information. Not saying that they’re not intelligent, they’re just busy.
And we got to make sure that we tell the story to where they see the value to the organization, to where they come back to say, I see that this matters versus anything else. And really a lot of times that comes down to the financial element and understanding the ROI and understanding, hey, if we don’t do our job and you get breached, this is what happens. And if we go back to that net versus the phishing, the pen testing teams are absolutely critical. But if you have an organization that has 200,000 vulnerabilities, how do you pen test that all? How do you do that? You end up at places where people are like, man, this is too much. I can’t do this.
So you do have to bring it down. And as we work in Synergy, they start seeing, hey, this is all part of the cog in the wheel.
Got you. Thank you. Next one. And actually, we’ve got one last poll question, actually. So I want to launch that while we continue talking. But how would you rank your security team’s efficiency, from one to five? Poor, okay, good, great, or fantastic.
So I’ll let you guys ponder that one. Give us your answer when you feel good about it. Next question for Chris, though. In determining the risk of vulnerabilities, running tabletop exercises, prioritizing remediation, et cetera, it sounds like the key is performing a solid risk assessment of your organization to understand the threat. Can you recommend any resources for improving an organization’s risk assessment process?

If we’re talking about the processes, I actually will break this out into two different areas. The first one is I find that lunch and learns, like having a dynamic lunch and learn, having a dynamic teaching opportunity, bringing in organizations. I know that we have the phishing, take this video, do this thing. The truth of the matter is that oftentimes we need to have this interaction of, like, let me teach you what I know.
If we really break down vulnerability management, and Tom, we were talking about this here just a little bit ago. If we break this down, there’s very seldom that you ever run into a situation where someone went through and learned vulnerability management. You usually have a few people who know because they learned it from, they figure, hey, this is a scam. This is this, this is this. But that tribal knowledge is something that’s earned. And unfortunately, it’s something that people have to slave away to get. So be at a place where you’re in this constant educational process, where you’re constantly going back and saying, let’s have this conversation, let’s go from here.
Let’s see what we can do. Let’s drive it forward. Let’s see what we can get. If we’re talking about the risk assessment process, the best way that I know of, and possibly the worst way, is get buy in from legal. Come back to a place where your legal team is coming back and saying, hey, in order to be successful, make that, put it to them. Some organizations, that might be a red flag that you don’t want to do. Some organizations, it might make sense, but we want to really make sure that we’re in the same spot.

Let’s throw the results up there.
I’m really glad nobody selected poor because obviously that’d be really bad, but it looks like most people are doing okay or better. Does that kind of surprise you at all?

I think that over the last ten years or so, we’ve seen a lot of growth in this area. It’s kind of started coming out under the cleft of just the thing we do and more into.
This is something that needs attention. I will say I encourage a lot of people, really make sure that you’re still hiring people who aren’t junior level for this position. Bring in junior level to teach them, but don’t make it just something that’s a remedial thing because, yes, some people view it as accounting and reconciliation, but the truth of the matter is that there’s science and art and you need to have some time under your belt in order to do it right.
Fair enough. Let’s see a couple more questions and then we’ll wrap things up. Let’s see this one. It’s similar to what we talked about before, I think. But tell me if I’m wrong. Is there a good way to evaluate for the risks of vulnerability chaining? Any decent resources for that? Let me see, number seven.

Yeah, to evaluate the risk for vulnerability chaining? Yes and no.
I think that the biggest thing that you’re going to find is that as we start to see more tools that are out there, there’s more organizations that are starting to do classes. I know there are going to be more data sets that are there. I do know that there is a huge need. There’s a lot of really great mentors and a really great training curriculum that is there that I’m not really super familiar with. I’m very familiar with vulnerability training and attack path. However, it is something that I do think there’s probably about three or four different people that I know of that are kind of working on building out material and going from there.
If you want, you can reach out to Chris. His email is in the bio widget down there at the bottom. You can hit him up and I’m sure he can tell you who those folks are. Also have some resources there up on the screen that can probably help you guys with some of the stuff, particularly if you want to find out more about PlexTrac, get a demo, that kind of stuff. One last question here. Let me see where we at. I think that question five that we missed on there too.
Yeah, this one didn’t hear business and technical requirements gathering in creating or expanding or selecting a solution. This is a single point of failure I continue to come across. The requirements help set expectations and cost resources are fleshed out. Give us some thoughts on that, Chris.

Yeah, actually, Diane, you’re right. I didn’t go into a ton of detail and I more made insinuation on it. And when we’re talking about different teams, one of the things that I would highly encourage is, when we’re talking about first and foremost the whole budget line of things, there’s a lot of times that people are just trying to, hey, I’ve got this money, I’ve got this money.
I’ve got these things that are there. Really working interconnectedly with different teams and then also really building out those requirements that exist not just for a single team, but for multiple teams. Because then you come back to a place of saying, hey, if this works for the VM team, but not the pen testing team or not for the auditing team or not for third party, and maybe the third party might not fit into it, but you can make that determination of this is critical for connectedness and this is not critical. But, yeah, you did bring it up. Just for the sake of time, I really wanted to make sure that I didn’t go down too many rabbit paths, and I think I might have gone through a few of them.
Good stories, though. I really appreciate the stories and the anecdotes. I think they helped me really get my head around the stuff, so hopefully that’s the case for the audience as well. But thank you, Chris, for a great job. Reach out to Chris. Like I said, if you want to find out more about some of this stuff.
If we didn’t get to your question, I’m going to compile the list and send those off to him, and he’ll get back to you as soon as he can. Of course, that includes the folks for the On Demand. If you’re catching this, maybe it’s not April 6, you’re checking this out at some other point, let us know. Throw a question in there. We’ll still send those off to him. Let’s see. We’ve got a lot more remote sessions on the way.
Next week on Tuesday, April 11, we have a master class on cybersecurity with Mr. Roger Grimes. He’s going to teach data driven defense techniques. April 13, why it’s time to break up with your VPN and firewall. Interesting one there. And on the 27th, the state of DDoS attacks emerging threats on our radar. So we should be checking into that as well.
There’s a link in the resource tab. You can actually register for any or all of those at the same time. All the upcoming ones, that is. That concludes our time together today, though.
Just want to say thank you again to Mr. Chris Rogers, the Swiss Army knife over at PlexTrac and the folks over at PlexTrac for making today’s remote session possible. That concludes today’s remote session. We will see you, apparently next week on Tuesday. Take care. Thank you, guys.