Episode Details:

In this episode, we discuss how to modernize vulnerability management with risk prioritization, collaboration, and metrics to outpace today’s evolving threats.

The traditional “scan, find, patch” method is falling short against today’s threat landscape. In this episode, Mark Goldenberg, Sr. Security Solutions Advisor at Defy Security, outlines a modern approach to vulnerability management. Tune in to learn how to level up your proactive security efforts by focusing on risk prioritization, fostering collaboration, and defining metrics to measure success. 

Show Notes:  

Transcript between Nabil and Mark 

Topics covered: Vulnerability Management, Risk-Based Scoring, Security Measurement, Asset Visibility Coverage, Maturing Vulnerability Management Programs 

This transcript has been edited for clarity and readability.  

Nabil Hannan: Today we have with us Mark Goldenberg from Defy Security. Mark, welcome to the show. 

Mark Goldenberg: Thank you for having me today. 

Nabil: Mark, to get started, why don’t you tell us a little bit about yourself and where you are today professionally? 

Mark: Oh, wow. I can’t believe it now – it’s already been 25 years since I started my career in cybersecurity. That was back when I worked at a data center company leading a team of firewall engineers doing firewall deployments and a new technology called IDS, intrusion detection, that nobody really knew what was going on with. Really one of the first MSSPs, looking back on it. And then, moving throughout my career, various roles, some within security, product development, services, and most recently at Defy Security, where we are a value-added security reseller, 100% focused on cyber and security consulting for our clients. 

01:04: What is it about cybersecurity that excites you most?  

Nabil: So obviously being in the space for 25 years means you actually have a passion for it to some degree. What is it about the space that excites you the most? 

Mark: You know, as your career develops, you kind of go through various stages. Right now, I’m really focused on helping clients save time. One of the things we used to hear is solving security problems for our clients. But realistically, clients can be reluctant to share their exact specific problem. So rather than trying to solve problems all the time, it’s just, hey, where can I save an hour of time for a client? 

An hour of time a week doing research, hearing what’s working across the industry, what’s not working, doing research projects, comparing different technologies, really aligning those technologies to our clients’ use cases. An hour of time, a couple hours a month, it adds up over the course of a year. And to me, that’s the most beneficial, rewarding part of what we’re doing today. 

02:12: How does vulnerability management look today compared to when you started?  

Nabil: I know that part, a big part of what you do is around vuln management and you have focus around vuln management space and the threat landscape is constantly evolving. Can you share with us a little bit about how vuln management looks today compared to how it may have looked when you started your journey? 

Mark: Yeah, I mean, I look back on it now and I remember back when I started, it would be just, hey, deploy a Nessus scanner, or ISS scanners were big back in the day. Deploy it out there on the network, get your vulnerability, get your CVE, and then talk to the owner, go ahead and patch it, and then you’re done. 

Looking back on it, it seems so simple. But really over the last number of years, of course, it started with cloud, but really a major shift came as security technologies started being embedded within public cloud infrastructures. 

Things like CNAPP tools, and now all of a sudden you have the explosion of information and visibility to what’s happening within the cloud environment, some configuration issues, but a lot of it is vulnerability information. So people standing up their AWS, their Azure, their GCP environment, now putting a cloud-specific tool to look into what’s happening in the depth. Now you’re getting sometimes hundreds of thousands of alerts when you turn these tools on. 

How are organizations having to deal with that? 

So that all ties back to vulnerability management and customers now having to deal with all that telemetry data, all that valuable vulnerability data coming from their cloud environments. 

I would say the other major shift that we’re starting to see, and it’s not all the way there is around application security and how organizations, product security teams, are now thinking about integrating with traditional vulnerability management teams – that unified approach. 

04:15: What approaches are you seeing organizations take to better manage all the noise? 

Nabil: When it comes to the noise and the amount of signal that you’re getting from all these tools, the telemetry, given the nature of how cloud also has assets that are always spinning up and spinning down at a very rapid pace, assets are elastic in nature, what approaches are you seeing organizations take to better manage all that noise? 

Because the noise to signal ratio of all this telemetry coming from all these tools is very high. There’s definitely a lot of noise that comes in. What approaches are you seeing people take to manage that more effectively? 

Mark: Yeah, assets in the cloud are ephemeral in nature, as you mentioned. So a vulnerability coming up on one, you may have a very short timeframe for remediation. Tools can help there. There’s a whole new set of tools that are really going through a renaissance, I would say over the last couple years to be able to provide a risk-based approach to vulnerability management. 

Before, we talked about you have your scanner or your tool, it gives you your CVE, that’s your vulnerability. You would typically find the asset owner and be able to go ahead and work through some prioritization. It could be CVSS based, but now we have all sorts of other information at our fingertips. Things like CISA KEV, EPSS scoring. 

I was working with a client back a few weeks ago and they had their own risk model that they wanted to go ahead and pair with CVSS and KEV. So now you have all these different points of data. It’s all in an effort to really prioritize what’s right for that organization. 

Out of the tens of thousands of potential vulnerabilities, what do they need to focus on in order to take a risk-based approach and then contact the asset owner for remediation?  

06:44: How can leaders shift their mindset away from ‘scan, patch, repeat’?  

Nabil: The traditional approach of doing vuln management was this concept of you scan, you find, you patch, rinse and repeat. There are still a lot of leaders out there and organizations that are stuck in that cycle, but that doesn’t really work anymore in today’s modern technological ecosystem. 

What advice or guidance would you have for them on how to shift their mindset and why is that so important? 

Mark: Whenever I’m talking to an organization that would like to start and understand what their roadmap around vulnerability management is, I have a lot of sympathy, coming from my roots on the operational side, on the front lines. So I have a lot of sympathy for VM teams out there because what they’re doing is hard work, and oftentimes they don’t even have time to think about a roadmap. I’m talking to a client and they’re saying, roadmap? Mark, what are you talking about? 

I have 1,000 vulnerabilities that I need to go ahead and work with the business owner and get patched. I don’t have time to think about a roadmap, but if they can set aside a little bit of time to come up with a near-term, a mid-term, and a long-term roadmap, that’ll go a long way. 

The near-term roadmap, I typically advise: don’t have that be tool-based. There are so many no-cost options that you can do from a vulnerability standpoint, starting with collaboration amongst teams. 

How are you working with the business owners across the organization? 

We talk a lot in security about people, process, and technology as being key to security drivers, and I think that’s a little bit overplayed these days. But when it comes to vulnerability management, the people piece, I like digging in a little bit further and really talking about collaboration. 

It’s collaboration with your peers, the business owners. Who owns that asset? It could be IT, it could be the people that are administering your laptop environment or your cloud environment. Work with them to understand what are their critical considerations when it comes to vulnerability remediation. Rather than just saying, “Hey, we have a high CVSS; we need you to go ahead and patch it and adhere to our SLA,” you can understand what their priorities are and develop an SLA that’s specific to them. Having that part of it is going to be key as well. 

09:09: How do you influence security as a partner instead of a blocker?  

Nabil: How do you make the cultural shifts from organizations or parts of the business of viewing security as a blocker and get them to see security more as a partner? 

Mark: Yeah, it’s very organization specific. Every organization’s going to have its own unique culture. We’re at RSA Conference this week, and I was just talking to somebody the other day and they have their internal company conference coming up in a couple weeks. 

The individual’s task is to go ahead and work closely with his network peers to build that relationship. When we’re talking about culture, we’re talking about, hey, maybe it’s at an offsite, a conference, and building that rapport, building that relationship. So when they come to you and say, look, we have a CVE, it needs to be patched on this legacy hardware device that’s been sitting out in the network for a number of years and people are scared to patch or reboot. 

It’s understanding from the security perspective why that matters. 

It was interesting, the Mandiant threat report just came out a couple weeks ago, and I was looking through the highlights of that report, and one of the findings was that still, in over one-third of incidents, the first attack vector was through a known CVE. 

So just thinking about that after all these years, it’s still the number one criteria that you have to go ahead and patch those open vulnerabilities. 

10:48: Are you seeing any common patterns or mistakes when people set up a vulnerability management program?  

Nabil: Are there any common patterns you’re seeing in the industry or common mistakes people still make when setting up a vulnerability management program? 

Mark: Again, it’s very client dependent. 

I hate to paint anything with a broad brush, but I would say a big mistake that I’ve seen consistently is coming in and trying to lead with a tool-based solution. We’re setting up a vulnerability management program, or we’re trying to mature it, so let’s buy this tool. This is going to solve our problem. That’s fraught with a lot of risk. 

I was just working with a CISO the other day, and he was telling me about a project that he worked on. This was a number of years ago, and it wasn’t vulnerability specific, but it reminded me of some similarities to vulnerability management. 

This was an eight-figure budget that he had, so he had a security budget. He went ahead and made the investment. But at the end of the day, he was able to go ahead and show the board level the risk posture to that organization improved substantially. 

So, going back to the question, the mistake is leading with technology, thinking that it’s going to solve all your problems. But when you do make that decision that you need technology, then make sure that you have a measurable way to say that we were down here from a risk perspective, the technology is in place, and here are the improvements, to be able to show that outcome. 

12:26: What are some measurable success criteria to determine success in a vulnerability management program?  

Nabil: Since we’re talking about measuring outcomes, what are some measurable success criteria or metrics that you typically would recommend organizations to look at to determine if they’re being successful in their vuln management efforts? 

Mark: Yeah, so many different measurables, especially when it comes to vulnerabilities. It can vary by department. What’s your mean time to remediate? A very common one that everybody has to adhere to is your SLAs for detection and remediation. Those are all going to be table stakes. A lot of it goes back to not having universal SLAs for everything. Your critical cloud environment, which is holding production workloads, is going to have a different SLA than your legacy data center environment, which is mostly used for test/dev now and then. Also, not trying to, we’ll say, play the same game as your peers. 

You may look to a peer and say, oh, well, their vulnerability management program is so much more mature, but it turns out that maybe they’re cloud native and all they have to worry about is a single cloud provider, and that’s all they have. Whereas another organization maybe has a legacy tech debt. They have data centers. Maybe they’re a manufacturing facility that has to deal with OT devices that have a whole different SLA tied to it. 

So don’t beat yourself up over not being as mature or as developed as a peer because when it comes to vulnerability management, everybody has their own issues. I would say taking the largest of the large 1% of companies out there, nobody’s doing it perfect. Absolutely not. Everybody’s going to have areas of improvement within VM. So don’t beat yourself up over it, and play your own game.  

14:33: Are there any frameworks or standardized industry-recognized ways to measure how mature your vulnerability management program is?  

Nabil: I know it’s really hard to compare true apples to apples when you want to look at your program versus maybe a competitor’s or another business’s program. 

But I’m curious, are there any frameworks, or are there any standardized industry-recognized ways to measure how mature your vulnerability management program is? Is there one that is almost seen as a standard in the industry? And if so, why is that considered the standard? 

Mark: Yeah, there’s frameworks, of course, you can map to NIST Cloud Security Framework. 

But really, what’s coming into its own over the last number of years is organizations going beyond using CVSS as the measure of prioritization. So now there’s tools from CISA KEV, known exploits that you can go ahead and map to, there’s EPSS scoring. The key for organizations is: how are you correlating that together and mapping it back to your assets?  

Like we were talking about before, a critical workload in your cloud that’s running production is going to differ and have a whole different priority than let’s say something in a legacy data center. 

Understanding what the assets are in the environment, having a criticality to that, and then mapping it to industry standards. The asset piece is such an important piece for organizations. 

I was in a meeting with a client back a number of months ago and the CISO was saying that we have 90% visibility to our assets. And this was an internal meeting, so it was pretty collaborative. So he was saying, I just reported we have 90% visibility. There’s going to be some pockets of the organization where we’re still struggling with. And then his director of architecture looked at him and was like, no, not 90, but more like 70. 

And the look on his face said, oh my, what are the gaps? How do we have to go back to Ground Zero and build it up again? 

The asset piece is ultra important and really a challenge for many organizations. 

17:18: What guidance do you have for organizations to better define what their asset visibility coverage should be? 

Nabil: When that happens, the difference between 70% and 90% is obviously drastic. And there’s clearly some sort of data hygiene issue where there’s a lack of understanding of what coverage there is for certain types of tools or technology. 

From that perspective, what is some guidance that you would have for organizations to better define what that particular coverage should be? Or what is the standard, what is the recommendation? And how do you effectively have a proper understanding of the expectations of what the number needs to be? 

Mark: I think in many cases, it’s just a matter of definition amongst different teams. I was working on a project back last year. It was around crisis management. And one of the things from a crisis perspective is if something happens, you need to be able to make sure that everybody on the team is talking about it from the same perspective, the same definitions. 

There’s a lot of synergies there with vulnerability management in that you may be talking to the cloud team and the difference between that 70% and 90%, it could be because there were tens of thousands of ephemeral workloads. They’d be like, oh, we don’t count those. 

They’d be like, well, why? Like they were up for a certain amount of time. So getting those definitions in place and maybe that’s a gap that on the cloud side they thought they didn’t have to worry about because those images are going away. 

But from a security perspective, it could still be a risk for the organization. So even though they’re up and down over time, they still have to have vulnerability management integrated and tied into it. 

Nabil: Yeah, and it’s another example we see often is the definition itself may be fine, but it’s how the measurement is happening. You could ask different people the same question. A simple one is like, hey, how many assets do we have? And how many assets do we have from the cloud practitioner is very different to the IT manager, which is very different to the CEO, which is very different to the risk officer, to the CFO, etc. 

You could have definition of an asset, but from their purview, what assets they look at and think about on a daily basis, that might be different. 

Mark: Oh, countless examples. 

You know, a client we’re talking to, how many employees do you have to identify the number of endpoints? And even that was different. It turned out that they weren’t counting contractors. Oh, contractors get a different image or it’s a BYOD device. But like you said, having that consistent definition amongst teams and then as it ties into the VM program, ultra important. 

19:50: What are some techniques you’ve seen work well for that type of cross-department collaboration?  

Nabil: What are some techniques you’ve seen work really well? I know it just depends on every organization, but are there any techniques you’ve seen work really well that enable that type of collaboration across departments and across teams?  

Mark: It really is hard work. It’s not hard work from the typical security practitioner perspective. Being in security, we have to work amongst various teams and get buy in. 

So, it really is that collaboration, and it’s understanding if I’m working with my, let’s say GRC team, what is their priority? 

Their priority next week may be just to pass an audit because they have the regulators coming in and they’re under tremendous pressure and tremendous scrutiny. 

What they may need from me if I’m leading vulnerability is a report showing that we’ve mitigated all of our critical and high vulnerabilities over this period of time because that satisfies their immediate audit requirement. 

Whereas if I’m working, say with my CISO, he’s going to be more worried about, look, how am I trending over time because I have to report that back to the board. 

So really it’s that hard work of understanding all of the business owners that touch VM and it’s a lot and having the time and the understanding of the organization really to allow you to do that and branch off, because you can get very siloed in just looking at the vulnerabilities, because it’s a never-ending cycle. 

21:37: What advice would you give to help someone get to the next level of maturity in their vulnerability management program?  

Nabil: Let’s tie a bow around this vuln management process and talk about a vuln management program. If you had to advise someone on how to build the next generation, or get to the next level of maturity, for their vuln management program, what advice would you give them? 

Mark: It kind of goes back to building that roadmap. You have your near-term roadmap. That could be collaboration amongst teams. It could be putting in place, let’s say, something basic like a RACI. Then the mid-term roadmap, that could be something like, OK, now that we have our processes defined, let’s go ahead and invest in a tool that’s going to help us. 

The good news is that there’s a lot of risk-based tools these days that are coming on the market, sometimes called unified vulnerability management, that’s really going to help organizations tie everything together.  

The final stage is a long-term roadmap. Long term for an organization, some organizations that could be a year, others it could be three to five years. I would say be aspirational from that perspective. What would great look like for your organization? That may be, hey, I want to have a report that shows zero high and zero critical vulnerabilities found over a period of time. 

Other organizations, it could be drastically different. It does remind me of setting up those long-term roadmaps, kind of what identity went through back a couple years ago, as identity being one of the number one attack vectors. I’ve seen large organizations really put the time and the resources in place to build out an entire identity team. That could be four members, for medium organizations, it could be larger. But I would encourage organizations to think about what would that look like from a VM perspective. 

If you’re putting together a long-term roadmap and you had your wish list; again, be aspirational about it. What would a team look like to be able to cover VM in that structure to allow your organization to grow and get to that maturity point? 

23:53: What do you do outside of security in your free time?  

Nabil: Love that. Before I let you go, I would love to know more about what you like to do outside of security and when you’re not working. So what are some things you enjoy doing in your free time? 

Mark: Over the last number of years, I’ve been into obstacle racing, so that’s been a passion of mine. Spartan races. In the Spartan land they have what’s known as the trifecta, so they have different levels of races, small, medium and large, going from 5K all the way up to a half marathon, and even beyond that if you want to. 

Really, my goal this year is to achieve a double trifecta. That’s running two half marathons, two 10Ks and two 5Ks. And these are obstacle races, so it’s elevation, it’s hills, it’s carrying heavy things, throwing things, climbing things. So I’ve really been into that over the last couple years.  

Nabil: That’s awesome. What’s your target on when you want to accomplish that by this year? 

Mark: Well, I already have my first one done and in the books. That was a half marathon I completed a couple weeks ago. 

Nabil: Awesome, congrats!  

Mark: And I got another one coming up in Monterey at the end of May this year. 

Nabil: Excellent. 

Mark: And I’m always trying to recruit security cohorts into the Spartan land, too, so we can create maybe a Spartan security group. 

Nabil: Love that. Well, thank you so much for being here. 

Find more episodes on YouTube or wherever you listen to podcasts, as well as at netspi.com/agentofinfluence. If you want to be a guest or want to recommend someone, please fill out this short form to submit your interest.