Video: Cut through the Noise: AI Analytics for Vulnerability Intelligence | Duration: 2084s | Summary: Cut through the Noise: AI Analytics for Vulnerability Intelligence | Chapters: Webinar Introduction (0s), Poll Questions Explored (0s), Thrive's Cybersecurity Offerings (19s), Vulnerability Management Challenges (204s), Prioritizing Vulnerability Remediation (418s), Threat Intelligence Analysis (794s), Collaborative Vulnerability Management (1212s), Q&A Session (1302s)
Transcript for "Cut through the Noise: AI Analytics for Vulnerability Intelligence": With that, I wanna hand it over to Kevin and Tony. Kevin is Thrive's vice president of product cybersecurity, and Tony is Nucleus' channel field engineer and enablement manager. So I'll hand it over to you guys. Take it away. Nice story. So one too far. So most of you are probably familiar with Thrive, but for those that aren't, we are a managed service provider with a number of different areas. Our newest area that we just launched is managed AI. I believe we're doing a webinar on that next month, so stay tuned for that. Tori can correct me if I get the date wrong there, but I believe that's coming up in October. Today, we're gonna be focused on cybersecurity. And all of these different service offerings that Thrive offers are powered by our Thrive platform, which we do now have a new interface for, the Thrive client portal. Hopefully, some of you have seen that in beta. We are looking for your user feedback on that, so please check that out when you get a chance. Thrive can help build a comprehensive cybersecurity offering across a number of different phases of security, starting with preparation: lowering your risk and reducing the potential impact of an event, trying to prevent them from happening in the first place. We also offer detection and response services powered by our 24x7 SOC to help respond if there is an incident that needs attention. And then, as much as we would like to prevent these things from happening, realistically, we know that sometimes there will be events that impact the business. So it's all about that recovery, getting back online, getting up and running as quickly as possible to minimize that impact. We offer recovery services around that. The theme of today's webinar is gonna be more on the left side, the preparation. How do we limit our exposures and reduce risk in the first place?
So there has been a shift in the industry lately, moving from traditional vulnerability management to what has been termed Continuous Threat Exposure Management, or CTEM. We like those acronyms. This was coined by the Gartner consultancy, and we're seeing a lot of different players in the industry starting to align with this framework because it's a bit more comprehensive. One of the big differences is really incorporating more of the business strategy and business impacts into your vulnerability management, starting with scoping. So scoping, traditionally, we wanna know what are the assets and what's the infrastructure that we want to scan and look for exposures on. But as part of CTEM, we also wanna consider what are the business metrics we need to consider related to those assets. And you really gotta step outside your security cave and talk to your colleagues and understand what would really happen if this server went down. Would that be inconvenient to your team, or would that be catastrophic? We need to understand those impacts; that feeds into the rest of the CTEM cycle here. Secondly is discovering those exposures. This we do pretty well these days. A lot of great vulnerability scanning tools are out there that give us a lot of great data on what's vulnerable, but we need to tie those back to the business impacts because that's gonna determine how we prioritize things, how we validate things moving forward. Prioritization: we can't fix everything all at once, so what's most important? I'm gonna come back to this one in a second because we're gonna dive into this a lot today. Validation. That's something that's come to the forefront lately. It was part of vulnerability management in the past, but really difficult to do. What it means is we wanna validate how an attacker would exploit these vulnerabilities. And so it was a very manual process.
Penetration testing is a good example of one way to do this, where you're taking the attacker's point of view, you're actually trying to exploit the vulnerabilities to figure out what are the different attack paths I could use to get to that vulnerability. And, you know, five years ago, that wasn't feasible. Companies maybe did pen testing once a year because it was manual. It was expensive. It took a lot of time. But we've had a big change here around AI analytics. We can automate a lot of this validation now. Thrive uses an autonomous pen testing tool where we go in and look at these attack paths. There's other ways you can do it, but it's really become an important part of exposure management now. And then lastly, mobilization. We've come to the realization that it can't all be on the security team or on the IT team, the network team. We can't go out and address all of these exposures in a vacuum. It needs to be part of a larger business, and we need to mobilize different parts of the business to go and make these changes because it may impact business processes. It may affect systems that are under the control of other teams within the company or the organization. So in order to do that, we need to mobilize those people by giving them a reason. Right? We've gotta have some data on why this impacts them, how likely is it to be exploited, have we validated that it could be exploited, and how that could occur. That helps us go motivate these other teams to help us reduce these exposures. So this is where the industry's been moving in terms of CTEM. A number of challenges are here in trying to get to this process. It's an ongoing process. We're not gonna be able to do this first time out. One of the challenges we ran into at Thrive was around prioritization. So our scanning tools are great. They find a lot of vulnerabilities, but that in itself is a challenge. Where do we start? How do we prioritize these?
Some of you are familiar with CVSS. That was a traditional way of scoring these vulnerabilities, but it wasn't always the best way. And so one of the reasons we partnered with Nucleus was to get a better handle on this part of the cycle. So we invited Tony to join us today to talk about how they think about this and some of the things that they're doing to help companies like Thrive help our clients get a handle on this. So, Tony, anything you wanna add to my description of CTEM here? No. That was perfect. Really, that hit the nail on the head, as they say. And it's a really important thing to recognize that CTEM isn't a tool. It's a process. It's a framework. It's something that you should be trying to follow in order to improve your remediation and patching processes. And you guys really have a handle on that. You really understand the entire cycle, so that's awesome. And that kinda leads into what we'll be talking about today, which is that prioritization part. That prioritization part is super challenging. And it's challenging because historically, we've gone through a lot of changes as an industry. We had to figure out how are we all going to agree on what bad looks like, what is bad, what do we wanna say is critical versus a low, and that's what the CVSS scoring really is. So for those of you who aren't familiar with it, CVSS stands for Common Vulnerability Scoring System. In my days as an analyst, when I was doing pen test security testing, I spent a lot of time playing with the CVSS calculator to measure the severity of misconfigurations, findings, vulnerabilities, CVEs that I would come across when doing assessments. So what I would say, if this is your first time hearing of a scoring standard, I would say go out, go on first.org.
They're the industry standard that created this as a calculator to use. Because it is fun. You go in there and you start looking at, hey, based on these things about the vulnerability, the finding, the issue, this is what makes it severe versus not severe. And it's a little fun because you get to see stuff go from a zero to 10, anything above a nine being critical, anything between seven and nine being high, and it breaks down continuously like that. So it's great because before we had CVSS, vendors would be kind of like your niece, nephew, kid: they'd come up to you and go, mom, dad, uncle, aunt, something bad happened. You need to fix it. It's bad. And everyone was talking in their own language. So eventually the industry transitioned, and I'll say this, we're actually on our third or fourth version now of the CVSS scoring system. So it's changed a lot, but here's the problem. Vendors weren't agreeing on scores. We came up with a standard. We're lucky in that we live in a world where there's a database of all the vulnerabilities. It's called the CVE database. I recommend checking that out too just to get a sense of what's the challenge here. But we had to come up with a way to measure the severity. The problem is that that severity score is unfortunately a theoretical score. What that means is people are taking that information, they're plugging it in, and they're giving you a, hey, we're in a lab, we're in a hypothetical environment, here's the worst case scenario. This is what could happen. The problem is that it doesn't really take into account what's really going on in the world. So you're gonna hear me say this phrase, exploitability, a ton.
Basically, what that means is that somebody's able to take that problem that was found and use it to gain access to systems, to exploit databases, to really take advantage of that vulnerability and use it in a malicious way. So you're thinking to yourself, well, okay, great. We wanna prevent that. If it's a CVSS nine or above, it probably means we should fix it right away. The problem is, again, when we start looking at the statistics, we start looking at what's actually being exploited, CVSS doesn't really accurately represent what's happening in the wild. So the graphic I have in here, this is from a report that was done late last year around vulnerability analysis and CVSS and moving forward in the process. And what was found was that a lot of the vulnerabilities that were being discovered and being marked as critical were actually false positives. They weren't able to be exploited. So this circle, you could think of it as, this is everything that's been discovered. The blue circle is these are all our criticals, and then that red circle represents what's actually something that an attacker can take and turn into an exploit. And that's what we're really concerned about. So when we look at that information, we can see, hey, only a small sliver of that is actually a true positive. Not all the criticals actually need to be remediated. And in fact, some of the stuff that isn't even marked as critical is exploitable. So now we have to think to ourselves, is CVSS really representative of what's important to fix? And this is really where I'll tell you, is CVSS a bad score? It's not a bad score. It's a baseline for understanding the vulnerability. It doesn't represent what's actually going on in the world. It's a static score. So we need to consider how can we take real world results, information that's going out in the wild, and actually take that into account in how we wanna go out and make change.
And that kinda leads us to this other piece of the direction we wanna go, because we can't use a static score to determine a vulnerability's severity or its overall threat. Threat intelligence is the way we start determining that. So what is threat intelligence? It's basically evidence that attackers are doing bad things, and there's a bunch of different ways that can be presented, but you should be thinking of it as vulnerability exploitation. So that could mean looking at who's creating proof of concepts. A proof of concept basically means a recipe to perform that exploit. That recipe basically means somebody's figured out and documented: if I wanna perform this attack, here's how I would do it. Here are the conditions I need. Here's the code I need to deploy. Here's how it works, and here's what I should expect as an outcome on this type of system. So that's one piece of evidence that would be threat intelligence in determining, maybe I need to prioritize this vulnerability because a POC exists. There's a ton of other examples of threat intelligence because there's tons of feeds. There's literally dozens and dozens of feeds because researchers, companies, government entities are all looking into threat intelligence, and they're trying to provide it to everyone across the industry. So each of these items is important. Each of these is a piece of the context that's important for determining if that finding, that vulnerability, needs to be prioritized. So to give you an example, threat intelligence also has another overlay on top of it, and that's industry and geography, because attackers aren't just targeting everyone. They're targeting specific industries with certain types of attacks. They're targeting certain demographics, certain geographies with attacks. So that's another piece of crucial information and context that comes into play when we're looking at threat intelligence. Each of these are levers.
Each of these are things we can pull and kind of understand how important is this vulnerability. So one thing I would say, when we start looking at vulnerabilities, that proof of concept is kind of the hourglass. That's really the thing where, when you see that, the hourglass flips and the time starts to count down, because that's when an attacker says, oh, this is available. This is easier to do. But with that said, not every vulnerability that's being exploited has a proof of concept tied to it, because there are medium and low severity vulnerabilities out there that attackers are using to exploit. And people are trying to figure out how did they do this. And those are ones you have to be concerned with too, because they may be targeting your demographic. But again, what I wanna stress with you is that we wanna take a dynamic approach to understanding the vulnerability. We wanna take an approach that says this is a more important vulnerability because information is tied to it. But, of course, this brings on a new set of challenges. We're talking about tons of data that's fragmented. You're probably pulling in a ton of vulnerabilities per asset. To be honest, this is a little bit anecdotal, but in my experience, when I work with clients, I'm seeing somewhere between 150 to 300 vulnerabilities per asset. It's really common to see that, and a lot of organizations are trying to consolidate that information, make sense of it. And what's really interesting is there's a statistic that came out in the same report that was doing that analysis of CVSS. They found that 95% of those vulnerabilities are actually just noise. Only 5% of them are leading to exploitability or company breach. So that's a huge challenge. You have to make sense of all that information, and that further kind of dives into that. How do we organize that information? How do we make sense of it?
And what's great is organizations like Thrive and Nucleus Security, working together, are providing AI to correlate that information. We're in an age where we can start bringing that information together, making sense of it. We wanna be able to take the context that Kevin was talking about earlier. Hey, I have a business system. If this goes down, this is important. I also have four systems that are not important, and they all have that vulnerability on them. They all have that CVSS 10. Well, is this something that's exploitable on that system? Is that something that has threat intelligence? Are there mitigations in place? All of those are challenges in determining the prioritization that I need to set for that vulnerability. So that means that threat intelligence is another lever to pull. We can look at the industry. We can see what's going on. There are so many feeds out there today that we have to actually look at all of them and start making decisions. One thing that Nucleus does with Thrive is we provide them a threat rating. So we can determine, hey, from low to existential, how important is this based on the information that's coming from these feeds, from those companies and government and researchers and nonprofits that are looking into this. We wanna be able to consolidate all that information to make it more actionable. Here's the other thing too. You might be asking yourself, we're talking a lot about reactive approaches, using information to make a reactive decision. We're lucky too because we live in an age now where that scoring system is changing too. We have a new scoring system. It's called EPSS, the Exploitability Prediction Scoring System. It's by the same organization, first.org. So what they're doing is they've built an AI model that's looking at what's the likelihood a vulnerability is going to be exploited in the next thirty days. And that's another lever to pull when looking at these vulnerabilities.
So I would say, hey, that threat intelligence, is that enough to make the decision and prioritize? I would say that's only half of the journey in determining your prioritization. The reality is, you need expertise in determining what systems need to be prioritized, what systems need to be remediated or patched immediately. So one thing I'll say is, you're lucky you have an organization working with you like Thrive who can actually go and look: hey, there's a mitigation here. Do we care about this vulnerability? No, because there's technology on this device or there's architecture that was built around the system that prevents that vulnerability from being exploited. And that's something that requires having an expert who can validate that information and help you predict what you need to mitigate immediately. So really, vulnerability management is not an easy thing, but we need to transform it to a continuous process. We need to be able to prioritize vulnerabilities using the data we have. I'm gonna hand it back to you, Kevin, because I think you have some information to share around what you're gonna be offering. Thanks, Tony. So hopefully that gives some food for thought for those that are thinking about how to prioritize all of the vulnerabilities that come in from the tools we have today. If you feel like you need some help with this, Thrive does have services around this. We have a vulnerability management service that incorporates the Nucleus Security platform to help with that, bring in that threat intelligence, use the AI to make sense out of it. We pair that with expert security engineers. As Tony mentioned, you're still gonna need someone to take a look at it and supervise and make some of those tough decisions. The way we like to describe this service, though, is it's co-managed.
We're trying to take this vulnerability management service we have, fit it into that CTEM framework, but we need a lot of collaboration with our clients around that. So we need to understand what are the most important things in your business; that helps us with that prioritization, and then we can come back to you and help you mobilize other parts of the organization to make changes that we need to make together. So it's not just something where you can hire Thrive to take care of it. This is a co-managed, collaborative service where we work together on this. We provide the tools. We provide the experts, and we work with you to help lower the exposures in your business. So at this point, we'll open it up to some questions. Please feel free to pop those into the Q&A box, and we'll take some as they come. And let's see. Tony, yeah. We had a couple questions coming in. It looks like a few more coming in right now. If you guys wanna go ahead and dive into that. How about I take the first one, Kevin? Sure. I see a great one. What's a zero day? You might have watched that Netflix series that came out a couple months ago with, who is it? I can't remember. Robert De Niro. But think of a zero day as a vulnerability that was discovered before a patch was released for it. Log4j was a couple years ago, but it's a great example of one. The reason it creates a ton of information, a ton of hype around it is because usually when these vulnerabilities come up, a researcher finds a way that it's discovered and they'll tell the vendor and they'll go out and patch it. But when vulnerabilities are exploited before that happens, we'll call that a zero day.
And those are really a truly dangerous scenario because that means the software's already out, people are using it, people have it on their systems, they're already reliant on it, and to make that patch change isn't always something that's easy to do. That's why when people talk about that vulnerability information, it becomes immensely scary. Yeah. And I'd say on the response side of that, since you can't necessarily patch it right away, this is where layers of security come in. You wanna make sure you've got tools in place that can help you prevent zero day exploits, and that's part of the shift from signature based tools, where there isn't a signature available for that yet because it's a zero day. If it's doing something like behavioral analytics, like an EDR tool, for example, with AI analytics built into it, that's gonna help you a lot more against those zero days than something that needs to download an antivirus signature in order to detect it. So that's where the layers come in. Patching, certainly, is a big part, one of the most important layers. But if there's a zero day and there's no patch available yet, you gotta make sure that you have some other layers to help around that. Absolutely. Alright. Tony, let me give you this one. It's, who decides what a CVSS score is, and how they decide the severity. I think you were talking about some different knobs you can turn on that, in terms of maybe the attack vector and what kind of access would be needed to it. But who is managing all that? So it's security researchers. There's a couple organizations: there's one called MITRE. There's one called the National Vulnerability Database. But security researchers are looking at these vulnerabilities, and they're dialing those things in based on what they know about the attack, what they know about the consequences of that exploit, and that's how they're actually tuning in that score.
So again, when these get submitted to those public organizations, those public nonprofit organizations, government run organizations, they're actually going through, they're vetting it, they're taking the time. That's why when new CVEs come out, there isn't always a score right away. It takes some time to actually get a score, which is a whole other piece of that challenge. Yeah. Exactly. And I suppose those scores can also change over time as new information comes in. Yeah. Well, that's the thing that's even more challenging, is that a vulnerability can have a score and they'll have that score for years, but the exploitability can change around it. So even though the consequences and all the attack factors don't change, once somebody finds a proof of concept or a way to actually deploy that attack, it becomes a huge challenge. And that brings up the other part of that, which is, now your older medium and low vulnerabilities actually are the more dangerous ones, because those are the ones that, I've heard many people say this, this isn't a new thing: attackers have unlimited time. You don't. And attackers will look at, hey, they're not gonna fix the lows. They're not gonna fix the mediums because they're below their threshold. Let's target those. Let's use those. There's no doubt that there's kids out there, like script kiddies, who are using POCs, criticals, because those are well documented. But those medium and lows are the ones that are really truly scary, especially when they become exploitable. Alright. Let's look through here. We've got another one asking what are some good threat feeds to review. Do you have any recommendations around that? Yeah. A couple of them come to mind. I would say check out EPSS. EPSS isn't a threat feed, but it is an operationalized score of the exploitability of a CVE.
Highly recommend checking it out. It is kind of the industry standard for prediction of exploitability. It's a percentage score, so it's gonna be from 0 to 0.99. So again, it's not just a zero or one; it's actually a decimal score. The other thing I'd recommend, if you're working in fed, CISA KEV is a really great one to check out. CISA KEV maintains a known exploitable vulnerability list, and it's a great one to just see because it's super important. That's a great one to always know, like, if I have one of those, I need to patch those right away, because those are usually the ones that are really bad. There are a ton of feeds, though. There are so many. Some of them are paid. A lot of them are free. And the thing too is that they're constantly updating, and none of them have the same information because they're all scanning different parts. They're all cruising different networks, different forums for this information. So my recommendation is check out a couple of them, but the reality is you really need to have a complete view of a bunch of them to have a better approach. Yep. And I know there's some industry specific ones too. So I would say if you're a member of an industry organization, they may be able to provide you a feed. I know in financial services there's a few that are specific to that industry. Mhmm. Yeah. Absolutely. Got one requesting the slide set. We will absolutely send those out. Tori's on it. That's right. You'll get the recording and the slides tomorrow. Alright. How do attackers exploit an unpatched system? That one's a pretty broad one. I guess it really varies depending on what type of vulnerability it is.
Sometimes it could be something that allows you to intercept communication in between two systems that should not be accessible to you. It could be something where you could inject some code to run on that system. Tony, what... I guess the training needs to be... it could be the USB drive on the floor, could be a network based attack. The amount of attack vectors available is... it's hard to tell you, hey, this is how this unpatched system will be attacked. And even more than that, sometimes it isn't your Microsoft patch that actually fixes the problem. Sometimes it's a component in one of the softwares you're using. So just be aware that vulnerability management isn't going to always be an easy point of direction that, hey, it's this vulnerability. It's really, hey, it's this component within the system, or it's this patch on this operating system, and it becomes really complex to patch those systems because of that. And it becomes really hard to answer that question of, hey, how are they exploiting? Just remember, I'll say this again, attackers have unlimited time. They can recreate your systems. They can test it out, and then they go out and they perform these attacks. But that's their information that they try to keep secret, and that's why it's so important to be aware of what's actually happening in the real world. Yeah. And that attack vector, obviously, is part of the scoring. So do they need to be on the network in order to exploit that vulnerability? Do they actually have to be on that machine itself? Do they need to have physical access to the machine? Those are different levels of access that someone would need, which is obviously gonna drive what kind of mitigations we wanna put in place and how worried we are about it. Alright.
Will our Thrive account manager be contacting us? I believe that is a yes, Tori. We'll be following up with attendees. Right? Yes. Definitely, our Thrive clients will be followed up with by their AMs. If you don't hear from us, please let us know. We'd reach out. We'd be happy to talk through, understand what you're doing today, what challenges you're having, and see if it's something we can help with, or if we can point you towards a solution that will help you. Alright. Is or will there be any risk quantification in the future? So where are we headed in terms of how we quantify your risk, Tony? How do you see that changing? Yeah. I think what you're gonna see, if you're working with Thrive using the Nucleus platform to do some of these processes, one of those things that we do is we do quantify risk. But the way we're doing it, just to provide you some context, is we're looking at that threat intelligence. We're looking at the vulnerabilities. We're looking at the asset context. So going back to what Kevin was talking about, asset context really matters. That's really how you operationalize understanding risk. Because risk is gonna be, these are my systems, this is my vulnerability, and I have 10 systems or five systems, and not every one of those systems is at risk as much as each other, because even if the threat is the same, the environment is the same, it's gonna be different because all those systems are different. They all manage different data. So that's something you should totally talk with your Thrive account manager about. That's something we can talk about in the future. Yeah.
And there's the model that's in Nucleus that tries to quantify that risk. Really, the equation is dollars associated with the impact times the probability of that thing happening. Right? And so it is tough to get an exact quantification, but trying to estimate how important is the system helps you figure out sort of that dollar value, or some estimate of that. Probability of it happening is related to the severity, the exploitability, which Tony keeps saying. Those are kind of the factors that go into it. You could build a couple ways to score that, but at heart, that's sort of the equation to solve for. Alright. Let's see. Any last minute questions here? Yeah. We can give another second if anybody else has one. Otherwise, I believe that we made it through all of the questions that have come in. Yep. Alright. Well, thank you so much, everybody, for joining today. We do appreciate your time, and really thank you, Kevin and Tony. This was really informative. So thank you for your time. Thanks, everybody, for today. Thanks. Thanks so much.
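The prioritization logic the speakers describe across the webinar (CVSS bands with 9.0+ critical and 7.0 to 8.9 high, EPSS as a 0 to 1 probability of exploitation in the next thirty days, CISA KEV membership, a public proof of concept as the "hourglass" event, asset business impact, an engineer-confirmed mitigation, and the Q&A equation risk = impact dollars × probability) is sketched below as an added Python example. It is not code from the webinar, from Thrive, or from Nucleus Security, and it does not reproduce the Nucleus threat rating. The findings are constructed, with placeholder names rather than real CVE ids, and the KEV and PoC probability floors, the mitigation discount, and the scheduling threshold are assumptions chosen for illustration. The point it makes is the one from the talk: a medium on a known-exploited, crown-jewel system outranks a critical on a throwaway test box.

```python
"""Risk-based prioritization of scan findings.

Added example, not from the webinar or from Thrive/Nucleus. All findings are
constructed; the probability floors and thresholds below are assumptions.
"""
from dataclasses import dataclass

# CVSS qualitative bands as described in the webinar (9.0+ critical, 7.0-8.9 high).
CVSS_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]

# Assumed tuning, not values from the page.
KEV_PROBABILITY_FLOOR = 0.90   # in CISA KEV: exploitation already observed in the wild
POC_PROBABILITY_FLOOR = 0.30   # public proof of concept: the hourglass has flipped
MITIGATION_DISCOUNT = 0.10     # compensating control confirmed by an engineer
SCHEDULE_THRESHOLD = 0.30      # probability at or above which we schedule this cycle


@dataclass(frozen=True)
class Finding:
    name: str                # placeholder id, not a real CVE
    asset: str
    cvss: float              # static base score, 0.0-10.0
    epss: float              # probability of exploitation in the next 30 days, 0-1
    in_kev: bool             # listed in the CISA Known Exploited Vulnerabilities catalog
    poc_public: bool         # a public proof of concept has been observed
    asset_impact_usd: float  # business impact if this asset is compromised
    mitigated: bool = False  # compensating control validated by an engineer


def cvss_band(score: float) -> str:
    """Map a CVSS base score to its qualitative band."""
    for floor, band in CVSS_BANDS:
        if score >= floor:
            return band
    return "none"


def exploit_probability(f: Finding) -> float:
    """Likelihood of exploitation from threat intel; CVSS plays no part here."""
    p = f.epss
    if f.in_kev:
        p = max(p, KEV_PROBABILITY_FLOOR)
    elif f.poc_public:
        p = max(p, POC_PROBABILITY_FLOOR)
    if f.mitigated:
        p *= MITIGATION_DISCOUNT
    return min(p, 1.0)


def expected_loss(f: Finding) -> float:
    """Risk = impact dollars x probability, the equation stated in the Q&A."""
    return round(exploit_probability(f) * f.asset_impact_usd, 2)


def recommended_action(f: Finding) -> str:
    """Turn the numbers into something a remediation team can be mobilized on."""
    if f.in_kev and not f.mitigated:
        return "patch now"
    if exploit_probability(f) >= SCHEDULE_THRESHOLD:
        return "schedule this cycle"
    return "track; noise until intel changes"


def prioritize(findings):
    """Highest expected loss first; EPSS then CVSS break ties."""
    return sorted(findings, key=lambda f: (expected_loss(f), f.epss, f.cvss), reverse=True)


def cvss_order(findings):
    """What a CVSS-only queue would look like, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample scan output (not real vulnerabilities or assets).
SAMPLE_FINDINGS = [
    Finding("finding-a", "dev-test-vm", 9.8, 0.02, False, False, 10_000),
    Finding("finding-b", "billing-db", 6.5, 0.85, True, True, 2_000_000),
    Finding("finding-c", "vpn-gateway", 10.0, 0.50, True, True, 500_000, mitigated=True),
    Finding("finding-d", "hr-portal", 7.5, 0.05, False, True, 100_000),
]

if __name__ == "__main__":
    print("CVSS-only order:", [f.name for f in cvss_order(SAMPLE_FINDINGS)])
    print("Risk order:")
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"  {f.name:10} {cvss_band(f.cvss):8} p={exploit_probability(f):.2f} "
              f"loss=${expected_loss(f):>12,.2f}  {recommended_action(f)}")
```

Run stand-alone it prints the two orderings side by side: CVSS alone would queue the 10.0 and the 9.8 first, while the expected-loss queue puts the KEV-listed 6.5 on the billing database at the top and drops the 9.8 on the test VM to the bottom. The mitigated KEV entry stays visible but falls out of "patch now", which is the reviewer-in-the-loop step the speakers insist on; the discount only applies once an engineer has set the flag, never from the scanner alone.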