Evolving beyond the vulnerability whack-a-mole game

Presented at LocoMocoSec 2019, April 18, 2019, 3:30 p.m. (30 minutes)

With more than 197,000 known vulnerabilities published and over 22,000 new disclosures in 2018, organizations must make constant risk decisions. In fact, each day organizations have to ensure they are aware of approximately 60 new vulnerabilities, evaluate the potential impact to their organization's products, and then determine whether each one warrants action. This task is daunting even for large, well-staffed organizations, and so decisions are typically delayed or not made at all. While understanding vulnerability data and prioritizing and fixing issues remain extremely important, organizations must evolve beyond the Whack-a-Mole approach to vulnerability management in their products. To enable this, a move to a strategic approach is required that focuses on problem management and root cause analysis. Insights derived from vulnerability intelligence provide the capabilities for software risk ratings and for answering important questions such as: Which vendors/products are the ones most likely to cause a data breach? Which vendors/products cost the most to maintain securely? Which vendors fix issues in their products quickly rather than leaving organizations vulnerable? Which vendors/products are investing in secure coding? Are there products and components that should be removed from the organization?


Presenters:

  • Jake Kouns - Risk Based Security
    Jake is the founder of RVAsec and the CISO for Risk Based Security, which provides vulnerability and data breach intelligence. He previously oversaw the operations of the Open Sourced Vulnerability Database (OSVDB.org) and DataLossDB. Kouns has presented at many well-known security conferences, including RSA, Black Hat, DEF CON, DerbyCon, BSides, CISO Executive Summit, IEEE, FIRST, CanSecWest, InfoSecWorld, SOURCE and SyScan. He is the co-author of Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). He holds both a bachelor of business administration and a master of business administration degree from James Madison University, with a concentration in information security. In addition, he holds a number of certifications, including ISC2's CISSP and ISACA's CISM, CISA and CGEIT. He has briefed the DHS and Pentagon on cyber liability insurance issues and is frequently interviewed as an expert in the security industry by Information Week, eWeek, Forbes, PC World, CSO, and CIO Magazine. He has appeared on CNN as well as the Brian Lehrer Show, and was featured on the cover of SC Magazine.
