Hello everyone! This episode will be about the AM Live Vulnerability Management online conference. I participated in it on May 17th.
Alternative video link (for Russia): https://vk.com/video-149273431_456239090
The event lasted 2 hours. Repeating everything that has been said is difficult and makes little sense. Those who want can watch the full video or read the article about the event (both in Russian). Here I would like to share my impressions, compare this event with last year’s and express my position.
Let’s start with the format of the event. The AM Live platform is absolutely unique, because it allows representatives of all the leading Russian VM vendors to have a direct dialogue. It is even difficult for me to imagine something similar in the West. This is too bold and perhaps dangerous for marketing. Huge respect to Ilya Shabanov for developing such a format in Russia. This is a real breath of fresh air. Lev Paley is very cool as a moderator of the event. I really enjoyed participating in the event and planning the program. It is a real pleasure to discuss the topic of VM in detail, with people who have a lot of experience and knowledge in this. Many thanks to all participants!
VM vendors
Compared to last year, the main change is the New Reality of Information Security (TNRoIS), which affected Vulnerability Management. This time there were no foreign vendors, and a year ago there were Skybox and Tenable (their distributor Tiger Optics). This time there were almost all companies on the Russian market that have a solution for detecting vulnerabilities: Positive Technologies, Frodex/Vulns.io, Echelon Technologies, Altx-Soft, Rostelekom-Solar. Kaspersky and Vulners did not participate. But we also mentioned them.
VM process and people
It seems that this time we talked much more about people. But still not enough. It seems to me that we could talk for 2 hours exclusively about the problems of the VM process related to people. Why is it important? You can say a lot of correct things about Plan-Do-Check-Act, which in the case of a VM has the form Scope-Assess-Prioritize-Remediate. But this does not bring us closer to how this process should be arranged in practice and how a particular CISO should effectively implement this process.
- Obviously, most of the maintenance work falls on Vulnerability Management analysts. But it is not entirely clear how to determine how many of them are needed depending on the size of the organization and its infrastructure. Should they work only on VM tasks? Should they address only infrastructure vulnerabilities, or all of the organization's vulnerabilities (including AppSec/SDLC)? What algorithms and playbooks should they use? Should they investigate specific vulnerabilities from a practical exploitation point of view? Should they be directly involved in fixing vulnerabilities?
- If IT staff are directly involved in fixing vulnerabilities (which is the most common case), this can cause many problems. What to do when it is not clear who is responsible for fixing a vulnerability on specific hosts? Or when it is known, but this person does not want to or cannot do this work?
I know many examples of how VM processes have been implemented in organizations. But do I know the 100% correct and optimal way? Rather not. I think that serious methodical work is required here in order to understand how to properly build a VM process in practice. Should VM vendors be involved in developing such guidelines? I think yes.
Can you really do it?
It’s great that Vulnerability Management solutions make it easy to manage assets, detect vulnerabilities, prioritize them, and even perform automated patching. But the question is, how much can it be trusted?
In the question “can you really do it?” there is no disrespect to VM vendors. This is an invitation to move away from traditional marketing slogans and take a closer look at how it’s implemented.
- Asset Management. Can you guarantee that you will collect all the hosts that the organization has? Are you sure you will do it better than the CMDB or the monitoring system maintained by IT? A simple active network scan, such as the one nmap performs, may not be enough, and it may harm the network.
- Vulnerability Detection. The process by which VM vendors collect data for their Knowledge Bases is not very transparent. But it obviously depends on the data provided by the IT product vendors. If an IT product vendor does not issue security bulletins, then vulnerability detection for such products has nothing to build on. The same happens if the VM vendor, for whatever reason, does not support vulnerability detection for a given product. Will these blind spots be visible to the customer? To assess the completeness of a VM vendor's Knowledge Base, you must have access to it. Unfortunately, most VM vendors only provide this information to customers, although access to such information is needed primarily to decide whether it makes sense to become a customer.
- Vulnerability Prioritization. The completeness of the VM vendor’s Knowledge Base affects the ability to prioritize vulnerabilities. Does the VM vendor really know enough about exploits and exploitation in the wild to make adequate recommendations? How can this be checked?
- Vulnerability Remediation. If we are talking about automated patching, the question is which products can be updated in this way? Obviously not all products. And who will be responsible if such an update breaks the host? But even in the context of traditional patching, as we are now forced to treat IT vendors with distrust, the procedure becomes much more complicated. Can the VM vendor guarantee that the client will be able to download and install the patch and that installing this patch will not lead to more problems? And should the VM vendor guarantee this?
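The questions above can partly be turned into checks a customer runs on the VM product's own output. The script below is an added example, not code from the conference, its participants or any VM vendor. It assumes three exports that a customer can usually obtain (hostnames from the CMDB, from the monitoring system and from the scanner; the list of products the scanner's knowledge base covers; the scanner's findings with their vendor priority) and compares them. All hostnames, IPs, product names and vulnerability IDs are constructed sample data, and the "independent exploited-in-the-wild list" is a placeholder for whatever external source the customer trusts.

```python
"""Three sanity checks on what a Vulnerability Management product reports.

Added example: not code from the event or any VM vendor. All inventories,
product names and vulnerability IDs are constructed, not real assets or CVEs.
"""

# --- 1. Asset coverage: does the scanner see every host IT already knows about? ---
# Constructed inventories: hostname -> IP address.
CMDB_HOSTS = {"db01": "10.0.1.10", "web01": "10.0.1.20", "app01": "10.0.1.30", "legacy01": "10.0.9.5"}
MONITORING_HOSTS = {"db01": "10.0.1.10", "web01": "10.0.1.20", "app01": "10.0.1.30", "jump01": "10.0.2.7"}
SCANNER_HOSTS = {"db01": "10.0.1.10", "web01": "10.0.1.20", "jump01": "10.0.2.7", "10.0.3.99": "10.0.3.99"}


def asset_coverage(cmdb, monitoring, scanner):
    """Compare the scanner's host list with the union of IT-maintained sources.

    'missing_from_scanner' is the VM product's coverage gap; 'unknown_to_it'
    are hosts only the scanner found (an incomplete CMDB, or a scan that
    reached something it should not have); the last key shows where the two
    IT sources disagree with each other, which is worth fixing on the IT side.
    """
    it_known = set(cmdb) | set(monitoring)
    return {
        "missing_from_scanner": sorted(it_known - set(scanner)),
        "unknown_to_it": sorted(set(scanner) - it_known),
        "cmdb_monitoring_disagree": sorted(set(cmdb) ^ set(monitoring)),
    }


# --- 2. Detection coverage: on which installed products does "no findings" mean "not checked"? ---
# Constructed: products the hypothetical scanner's knowledge base covers, and
# products whose vendor publishes no security bulletins at all.
SCANNER_SUPPORTED = {"nginx", "postgresql", "openssh", "linux-kernel"}
NO_VENDOR_BULLETINS = {"custom-cms"}
HOST_SOFTWARE = {
    "db01": {"postgresql", "openssh", "linux-kernel"},
    "web01": {"nginx", "openssh", "custom-cms", "linux-kernel"},
    "jump01": {"openssh", "legacy-vpn-agent", "linux-kernel"},
}


def detection_blind_spots(host_software, supported, no_bulletins):
    """Per host, list products the scanner cannot assess, split by cause.

    'no_bulletins': the IT vendor gives the scanner nothing to work with.
    'scanner_unsupported': the product is known to have bulletins, but the
    VM vendor has not implemented detection for it.
    """
    report = {}
    for host, products in host_software.items():
        unsupported = products - supported
        if unsupported:
            report[host] = {
                "no_bulletins": sorted(unsupported & no_bulletins),
                "scanner_unsupported": sorted(unsupported - no_bulletins),
            }
    return report


# --- 3. Prioritization: cross-check the vendor's priority with an independent source ---
# Constructed findings and a constructed list of vulnerabilities known to be
# exploited in the wild (placeholder IDs, not real CVEs).
SCANNER_FINDINGS = [
    {"host": "web01", "vuln_id": "VULN-0001", "vendor_priority": "low"},
    {"host": "web01", "vuln_id": "VULN-0002", "vendor_priority": "critical"},
    {"host": "db01", "vuln_id": "VULN-0003", "vendor_priority": "medium"},
]
INDEPENDENT_EXPLOITED = {"VULN-0001"}


def priority_disagreements(findings, exploited, low_levels=("low", "medium")):
    """Findings rated low/medium by the vendor although an independent source
    reports them as exploited. Each one is a question to put to the vendor,
    not automatically a vendor error."""
    return [f for f in findings if f["vuln_id"] in exploited and f["vendor_priority"] in low_levels]


if __name__ == "__main__":
    print("asset coverage:", asset_coverage(CMDB_HOSTS, MONITORING_HOSTS, SCANNER_HOSTS))
    print("blind spots:", detection_blind_spots(HOST_SOFTWARE, SCANNER_SUPPORTED, NO_VENDOR_BULLETINS))
    print("priority disagreements:", priority_disagreements(SCANNER_FINDINGS, INDEPENDENT_EXPLOITED))
```

On the constructed data the first check reports app01 and legacy01 as never scanned and one bare IP unknown to IT; the second shows that web01's custom-cms and jump01's legacy-vpn-agent were never assessed, for different reasons; the third flags VULN-0001 as rated "low" by the vendor while the independent list says it is exploited. None of this requires vendor cooperation beyond the exports, which is the point: the limits of the product become visible to the customer.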
In general, my questions to VM vendors are about the limitations of their products and how a customer can verify those limitations. But of course, in the current situation, the main advantage of a VM vendor is the fact that its products are still available on the market and the VM vendor provides at least some level of customer support. Therefore, if last year I said that the best goal for VM vendors is to turn their solutions into VMDR and develop automated patching, now I can say that the best goal of VM vendors in Russia (and most of the world) is to keep up with the trend of de-Westernization of IT infrastructure and support it in the best possible way.
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I post.