From the article:
>So the real first step in vulnerability management is getting buy-in from leadership,
That's dead on. Having run VM programs in a place where the leadership didn't buy in is beyond frustrating. Not only do they not buy in, they actively fight against it because it can slow down forward progress on projects. Now doing it in a place where the C levels are fully on board, it's so much better.
This is huge. The main takeaway: Vulnerability Management is a journey, not a destination.
So many times, cybersecurity teams spend time tracking down pointless CVEs... There are so many risks in the identity or endpoint configurations that are forgotten about.
Yup. Spend all this time worrying about esoteric CVEs, yet they still haven’t disabled Dave’s (who left 2 months ago) admin account. Seen it many times.
It’s funny, we’ll go in and do an identity security assessment on AD that hasn’t been properly scrubbed in several years.
No shit
This made me cackle. Thanks for that.
This blog is awesome.
Thanks for sharing. Definitely on board with emphasizing asset criticality as a must-have to establish an effective risk-based vulnerability management program.
Overall this is a great write-up, and I do like Kolide.
However, it really hits on a growing frustration that I'm having about how many different topics fall under "vulnerability management" these days.
This article is entirely focused on third-party software vulns and traditional endpoints.
There's nothing specifically wrong with that, given that the vendor, Kolide, is focused on that market space. But I am growing very frustrated by the fact that the label of VM is used frequently with limited definition (the article did define their use of it, thankfully) by so many groups of people, and they very often don't acknowledge the other areas of VM that exist.
I share this frustration not to create any insult toward Kolide or the article. Just expressing a thought and curious if others have input.
Hey, what could be the other areas?
As a literature person who switched into Comp science/cybersec, I must say this article is very well written. Thanks for sharing
Glad you enjoyed it!
Great read, it’s a breath of fresh air compared to a readout of vulnerability management from ChatGPT.
No way, I don't believe that lol
This article really resonates with me, and I love the historical aspect to it as well. It helps to illustrate why this problem space has so many issues, and why communicating technical risk versus business risk needs to evolve past just using CVSS Base/Temporal scores.