CC13: Dr. CVE Love, or how I learned to stop worrying and love vuln management
Ben “From KC” Webb explains why most vuln‑management data is junk—and shows a repeatable process to extract real security value.

Executive dashboards love CVE counts; defenders usually hate them. In this CactusCon 13 talk, Ben Webb (Recon InfoSec) dissects the pain points of enterprise vulnerability management and presents a pragmatic framework that ignores 80 % of low‑value data.

Highlights include:

- Seven Precepts every program must accept, starting with “scanner output is mostly garbage” and ending with “you’ll never be finished.”
- A four‑phase Process: gather inventories, rescore findings with external threat intel, rescore again by business context (e.g., subnet or function), then combine the data together.
- The Point: focus on out‑of‑patch‑cycle systems, widespread mis‑configs, and orphaned assets, then measure progress using moving‑average KPIs instead of raw CVE totals.
- Sample metrics (exception counts, SLA breaches, unknown assets) that spark management support rather than fatigue.

Whether you manage 100 servers or 100 000, you’ll leave with concrete steps, and talking points, to reduce toil while raising security value.

00:00 Introduction & session housekeeping
01:04 Why “Dr. CVE Love”? Title explained
01:42 Speaker background – Ben “From KC” Webb
02:52 Talk roadmap: Precepts, Process, Point
03:39 Precept 1 – Vulnerability data is terrible
05:31 Precept 2 – Prioritization pitfalls
06:58 Precept 3 – Most CVEs are noise
07:56 Precept 4 – You’ll never ‘win’ vuln‑management
08:50 Precept 5 – Vulnerability data is not a good measure of success
09:25 Precept 6 – Ops discipline before vuln‑management
10:20 Precept 7 – Safely ignore 80 % of findings
10:41 Process 1 – Gather inventories & patch cadences
11:29 Process 2 – Rescore the data with threat‑intel services
12:17 Process 3 – Rescore again with environmental context
13:24 Process 4 – Combine the data together
14:08 Filter out patch‑cycle & non‑fix items
15:19 The Point – Identify high‑impact fixes
17:24 KPIs & moving‑average metrics that matter
20:47 Conclusions – Value over vanity numbers
22:13 Closing thanks & community invites

#VulnerabilityManagement #CactusCon #CVE #RiskMetrics #CyberSecurity