Hello all! 2 weeks ago I participated in the best online event fully dedicated to Vulnerability Management in Russia. It was super fun and exciting. Thanks to all the colleagues and especially to Lev Paley for the great moderation! I have talked out completely. Everything I wanted and the way I wanted. It seems that not a single hot topic was missed.

You can see the two hours video below. It is in Russian. And it’s pretty complicated to translate it all. I won’t event try. ? If you don’t understand Russian you can try auto-generated and auto-translated subtitles on YouTube, but the quality is far from ideal.

To give you the idea what we were talking about I added the timecodes in English.

Timecodes

Section 1. Vulnerability Management Process and Solutions

• 5:18 Vulnerability Management Process Definition
• 10:53 Vulnerability Management is the opposite of the admin’s saying “If it works – don’t touch it!” The main thing in the process is to somehow fix the vulnerabilities. (Leonov)
• 12:30 Sometimes a basic vulnerability scanner and Jira is already a Vulnerability Management solution (Leonov)
• 13:30 Difference between Vulnerability Management Solutions and Vulnerability Scanners
• 17:09 Vulnerability Management and Vulnerability Scanners: “in our restaurant we call rusks “croutons”, because a rusk cannot cost $8, but crouton can“ (Leonov)
• 23:00 Licensing schemes, delivery options and costs
• 28:48 Module-based licensing and the situations when modules can be excluded from the subscription (Paley)
• 30:24 Commercial Vulnerability Management solutions are expensive, especially when licensed per host (Leonov)
• 31:00 Maxpatrol unlimited licenses (Bengin)
• 34:08 Perimeter scanning: very critical, low reliability of banner-based detections, it’s better to assess hosts accessible from the Internet with internal authenticated scans. Criticality of the network as an element of scoring. (Leonov)
• 36:50 The impact of Regulators on the Vulnerability Management Market, a free ScanOVAL tool
• 39:10 What to do with vulnerabilities in local software products that are not supported by foreign VM vendors?
• 44:00 When it’s enough to use a free scanner? Could there be a full-functional and free vulnerability scanner? In theory, yes, but it is not clear how the vendor will finance the maintenance of the knowledge base. In practice, we see how such stories collapse. You need to understand the limitations of free products (such as OpenVAS). Including the completeness of the scan results and the ease of building the VM process. (Leonov)
• 47:19 Poll: what is used in your organization?

Section 2: Technical Details of Vulnerability Management Solutions

• 49:00 Who finds vulnerabilities faster: VM or IPS vendors
• 53:26 Tenable removed API support from Nessus Professional
• 55:10 What can influence the choice of a Vulnerability Management solution?
• 1:01:38 It is useful to take several solutions for a PoC and compare their knowledge bases and scan results. (Leonov)
• 1:06:10 If you decide to use several VM products, you will need another solution for storing and prioritizing vulnerabilities or doing custom prioritization. Or, it should be possible to add a third-party vulnerability feed to the commercial ready-made solution. (Leonov)
• 1:09:20 Filtering, prioritization, reachability assessment tools
• 1:14:23 Vulristics – an open source framework for prioritizing vulnerabilities (Leonov)
• 1:17:25 Poll: What is important to you when choosing a VM system

Section 3: Asset Discovery, Scanning and Patching

• 1:19:40 Asset discovery, patching, auto patching
• 1:26:50 Asset Management is important, it does not have to be part of the VM, it can be implemented by IT. It is also necessary to manage the accounts for scanning and network access. I would like to have an automated Patch Management, but subtlety who will be responsible if something breaks? Scanning can break the host too (Leonov)
• 1:32:58 Automatic patching is possible, but a system that allows automatic patching is much more expensive to develop and maintain (Leonov)
• 1:35:10 Agent and agentless scanning
• 1:38:40 The agent can be very simple. As an example, you can collect the list of packages and OS versions and get vulnerabilities using the Vulners Linux API. This is less annoying for system administrators (Leonov)
• 1:40:38 Proper organization of Vulnerability Management Process
• 1:44:14 Why Vulners.com closed API access at free and lower plans. The main problem with building a process is how to negotiate regular patching. (Leonov)
• 1:46:05 Regularity of scanning and patching
• 1:50:17 It is necessary to separate external and internal scanning. External scanning is very useful for detecting unauthorized publication of services. The normal frequency of such a scan is a couple of times a week. Active internal scanning depends on agreements with the system owners. If you can say “we scan everything – if you are not ready, your problems” is good, but it does not work everywhere and not always. (Leonov)
• 1:54:14 Poll: what will you do if a vulnerability cannot be fixed by an update

Section 4: Vulnerability Intelligence and Vulnerability Management Solutions Perspective

• 2:00:38 How to search for information about hyping vulnerabilities
• 2:04:42 Telegram cybernews aggregation channels @avleonovnews
• 2:06:32 How will vulnerability management systems change in 3-5 years?
• 2:08:16 I think that VM systems will evolve towards VMDR and automated patching, they will provide better information on exploitability, right up to the actual exploitation of vulnerabilities on a test host. The entry of large vendors like Microsoft with Defender for Endpoint narrows the space for traditional vendors. (Leonov)
• 2:15:30 Poll: your opinion on Vulnerability Management systems after the current event