
RSA 2024 Preview: How to Manage Vulnerabilities at Scale

In the first installment of our annual interview series with experts speaking at and around RSA Conference, Focal Point asks Tanium’s Melissa Bischoping about vulnerability management – the blunders, best practices, and tools that can help.

Q&A

Just a few weeks after the world’s first webpage was published, in the fall of 1991, 50 cryptography experts gathered in a small California hotel meeting room for the first RSA conference (RSAC). Over three decades later, the web has transformed society, and RSAC is the central meeting place for those fighting to secure the ever-expanding digitized world.

Today’s much larger RSAC is ground zero for some of the most significant cybersecurity announcements from governments and enterprise security leaders. It is also a key debating forum for experts as they strive to stay one step ahead of attackers.

The 45,000-person conference, to be held May 6-9, is so large that it has its own gravity, attracting numerous satellite events near its home at San Francisco’s Moscone Center. One such event will feature Melissa Bischoping, director of endpoint security research at Tanium, who will discuss the problems companies face in managing a rising tide of cybersecurity vulnerabilities, and how they can meet the challenge.


Vulnerabilities are through the roof. According to NIST’s National Vulnerability Database (NVD), about 29,000 common vulnerabilities and exposures (CVEs) were documented worldwide in 2023, compared to a mere 15 back in 1991. This makes for a complex – and just plain confusing – cyber environment for enterprise leaders to grapple with.

The trick to effective vulnerability management, says Bischoping, is to see both the challenges and the unexpected opportunities this landscape presents. New tech advances and automation at scale help you “cut through the noise,” prioritizing the vulnerabilities that pose the greatest threat to your enterprise and facilitating strategies you can implement immediately to reduce that risk. (Her talk, “Actionable Insight for Vulnerability and Risk Management with Tanium Guardian,” will be held at the Stinson Room at Four Seasons SF on May 6 at 12 p.m. PT and May 8 at 4:15 p.m. PT.)

Focal Point caught up with Bischoping to get her take on the boom in CVEs, the common mistakes enterprises make, and what best practices should look like.

(The following interview has been edited for clarity and length.)

Vulnerabilities have ballooned over the past two decades. Why?

The first cause is increased technology adoption. Twenty years ago, not everyone had a cellphone in their pocket, a laptop in their bag, and a server to connect with at their office. Today, technology is everywhere.


The second reason is that more people are looking for security bugs. Bug bounties and reward programs have motivated the good guys to find the bugs before the bad guys do.


Finally, software is increasingly complex, with extra layers of dependencies. We’ve reached the point where people can no longer understand every single line of code and whether or not it’s secure.

What problems has this created for companies that must track all of it?

Everyone is trying to do more with less. They don’t have room for more headcount and they can’t increase their budget. Meanwhile, alerting tools and threat-intelligence feeds flood cybersecurity analysts with more vulnerability data. They get reports listing thousands of vulnerabilities in their environment, each with a severity score.

How do small teams prioritize what to act upon as the vulnerabilities pile up? Early in my career, I assumed you could just fix the worst bugs one after the other. It doesn’t work that way. You cannot scale human teams to cope with the rising tide of vulnerability data.

What common vulnerability approaches do you see companies taking, and how do they fall short?

The most common mistake is focusing blindly on the Common Vulnerability Scoring System (CVSS) number that indicates the severity of the bug. Headlines focus on high scores because those seem like the scariest. In reality, a CVSS of 10 on a user’s laptop sitting in their home office is probably less concerning to me than a score of 7 on my public-facing mail server, but the score alone won’t surface that. There are lower CVSS scores that allow breaches every day.


Another mistake is delaying vulnerability patching in network infrastructure. You don’t traditionally put endpoint agents on routers and firewalls, so there’s less visibility. The network is also mission-critical, and this low tolerance for downtime makes updates more risky. Network device software is often years out of date and subject to really dangerous vulnerabilities that get exploited by nation-state actors and ransomware operators.


What should the best practices be for vulnerability management?

The first step is to track which vulnerabilities are relevant to your infrastructure. This means prioritizing visibility by using a comprehensive hardware and software asset inventory, along with collecting good telemetry.


Once you know which assets are vulnerable, you need a strategy for vulnerability management that goes beyond simple criticality scores to look at factors such as exploit probability.

There are tools to help with this. I’m a big fan of the Exploit Prediction Scoring System, which estimates the likelihood of a vulnerability being exploited in the wild. CISA’s Known Exploited Vulnerabilities Catalog, which lists actively exploited vulnerabilities, is another useful tool, although there’s often a delay between the first exploit and a vulnerability’s publication on that list.

You also need to address a vulnerability’s real-world impact. Ask whether you are targeting the vulnerabilities that could potentially result in the most damage to your environment by giving attackers access to your crown jewels.


Talk with business-unit owners to determine factors such as how much an exploit of a particular system would cost and how long it would take operations to recover from it. That’s how you start the risk management process. If you’re not managing the vulnerability, then you have to accept the risk.

How can technology help?

You need tooling that helps you to sift through the thousands of vulnerabilities announced every week and understand where to put your energy. Your tools should pre-scope the vulnerabilities for you and automatically tell you where the impact is. That means algorithmically weighting a combination of exploit prediction, CVSS scores, and criticality to find vulnerabilities with the most significant impact on your environment. Your tool set should be able to combine that with threat intelligence to give those exploits wider context.


Technology should also recommend how to roll the changes out and pre-build playbooks to help remove some manual steps. That gives your team time to discuss with the business owner what’s about to happen.

Technology isn’t the whole story. It also helps when you augment the tooling with human intelligence through partnerships that give you trusted human insights into risk and vulnerability management. That can help you navigate a really complex tide of data and information that will only keep rising.
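The prioritization Bischoping describes in the two answers above, weighting exploit likelihood (EPSS, CISA KEV), CVSS severity and asset context rather than the CVSS number alone, as an added Python example. This is illustrative code written for this page, not Tanium’s or the interviewee’s tooling. The asset inventory, scanner findings, EPSS rows (in the shape of the FIRST EPSS CSV) and KEV excerpt (in the shape of CISA’s JSON catalog) are all constructed so the script runs offline, the CVE identifiers are placeholders, and the weighting in risk_score() is an assumption chosen to illustrate the approach, not a published scoring method. It also reproduces the earlier point that a CVSS 10 on an isolated home laptop can rank below a CVSS 7 on a public-facing mail server once context is applied.

```python
"""Risk-based ranking of vulnerability findings.

Added example, not Tanium or interviewee code. Everything below is constructed so
the script runs offline: the asset inventory, the findings, the EPSS rows (shaped
like the FIRST EPSS CSV) and the KEV excerpt (shaped like CISA's JSON catalog).
The CVE identifiers are placeholders, and the weighting in risk_score() is an
assumption made for illustration, not a standard.
"""
import json
from dataclasses import dataclass

# Asset inventory: exposure 0.0 (isolated) .. 1.0 (internet-facing),
# criticality 0.0 .. 1.0 as agreed with the business-unit owner.
ASSETS = {
    "laptop-home-042": {"exposure": 0.1, "criticality": 0.2},
    "mail-edge-01":    {"exposure": 1.0, "criticality": 0.9},
    "core-router-01":  {"exposure": 0.8, "criticality": 1.0},
    "dev-vm-17":       {"exposure": 0.2, "criticality": 0.3},
}

# Scanner findings: (asset, placeholder CVE, CVSS base score).
FINDINGS = [
    ("laptop-home-042", "CVE-0000-0001", 10.0),
    ("mail-edge-01",    "CVE-0000-0002", 7.2),
    ("core-router-01",  "CVE-0000-0003", 8.8),
    ("dev-vm-17",       "CVE-0000-0004", 9.8),
]

# Constructed EPSS feed rows (cve,epss,percentile).
EPSS_CSV = """cve,epss,percentile
CVE-0000-0001,0.00421,0.72
CVE-0000-0002,0.93100,0.99
CVE-0000-0003,0.41000,0.97
CVE-0000-0004,0.00090,0.38
"""

# Constructed KEV excerpt; only cveID is used below.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-04-01",
     "knownRansomwareCampaignUse": "Known"},
]})


def parse_epss(csv_text: str) -> dict[str, float]:
    """Map CVE -> EPSS probability from a FIRST-style CSV (header row skipped)."""
    scores = {}
    for line in csv_text.strip().splitlines()[1:]:
        cve, epss, _percentile = line.split(",")
        scores[cve] = float(epss)
    return scores


def parse_kev(json_text: str) -> set[str]:
    """Set of CVE IDs present in a KEV-shaped catalog."""
    return {entry["cveID"] for entry in json.loads(json_text)["vulnerabilities"]}


def risk_score(cvss: float, epss: float, in_kev: bool,
               exposure: float, criticality: float) -> float:
    """Likelihood x reachability x impact, scaled to 0..100 (illustrative weighting)."""
    # KEV lags first exploitation, so a listing is treated as certainty rather
    # than as one more additive term; otherwise EPSS supplies the likelihood.
    likelihood = 1.0 if in_kev else epss
    # Isolated hosts are discounted but never zeroed: lateral movement still reaches them.
    reachability = 0.2 + 0.8 * exposure
    # Technical severity scaled by what the business actually stands to lose.
    impact = (cvss / 10.0) * criticality
    return round(100 * likelihood * reachability * impact, 2)


@dataclass
class Ranked:
    asset: str
    cve: str
    cvss: float
    epss: float
    in_kev: bool
    risk: float


def rank_by_cvss(findings) -> list[str]:
    """The 'headline' ordering: severity score only, highest first."""
    return [cve for _, cve, _ in sorted(findings, key=lambda f: f[2], reverse=True)]


def rank_by_risk(findings, assets, epss, kev) -> list[Ranked]:
    """Context-aware ordering: highest computed risk first."""
    ranked = []
    for asset, cve, cvss in findings:
        ctx = assets[asset]
        p = epss.get(cve, 0.0)  # CVE absent from the feed: no evidence of exploitation
        score = risk_score(cvss, p, cve in kev, ctx["exposure"], ctx["criticality"])
        ranked.append(Ranked(asset, cve, cvss, p, cve in kev, score))
    return sorted(ranked, key=lambda r: r.risk, reverse=True)


if __name__ == "__main__":
    epss_scores, kev_ids = parse_epss(EPSS_CSV), parse_kev(KEV_JSON)
    print("CVSS-only order:", rank_by_cvss(FINDINGS))
    for r in rank_by_risk(FINDINGS, ASSETS, epss_scores, kev_ids):
        print(f"{r.risk:6.2f}  {r.asset:16} {r.cve}  cvss={r.cvss}  "
              f"epss={r.epss}  kev={r.in_kev}")
```

Run as-is and the CVSS-only list puts the home laptop’s CVSS 10 first, while the risk-ranked list puts the KEV-listed router and the internet-facing mail server (CVSS 7.2, EPSS 0.93) at the top and pushes the laptop near the bottom. The factors and weights are the part a team should argue over with business-unit owners; the structure (a likelihood term that KEV can override, a reachability term that never reaches zero, an impact term scaled by business criticality) is what keeps the score from collapsing back into CVSS.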



Danny Bradbury

Danny Bradbury is a journalist, editor, and filmmaker who writes about the intersection of technology and business. He has won the prestigious BT Information Security Journalism Award, including for Best Cybercrime Feature.
