#254
December 1, 2025

EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation

Guest: Caleb Hoch

Topics:

Vulnerability Management
29:29


Topics covered:

  • How has vulnerability management (VM) evolved beyond basic scanning and reporting, and what are the biggest gaps between modern practices and what organizations are actually doing?
  • Why are so many organizations stuck with 1990s VM practices?
  • Why mitigation planning is still hard for so many?
  • Why do many organizations, including large ones, still rely on unauthenticated scans despite the known importance of authenticated scanning for accurate results?
  • What constitutes a "gold standard" vulnerability prioritization process in 2025 that moves beyond CVSS scores to incorporate threat intelligence, asset criticality, and other contextual factors?
  • What are the primary human and organizational challenges in vulnerability management, and how can issues like unclear governance, lack of accountability, and fear of system crashes be overcome?
  • How is AI impacting vulnerability management, and does the shift to cloud environments fundamentally change VM practices?


Transcript

This episode explores the surprisingly stagnant state of Vulnerability Management (VM) despite rapid advancements in other cybersecurity domains. The discussion highlights that while some organizations have matured into proactive attack surface reduction, many remain stuck in decades-old "scan and report" cycles. Key themes include the persistence of resource constraints, the critical distinction between authenticated and unauthenticated scanning, and the often-overlooked value of "VM Tabletops" to validate patching processes. The conversation concludes with a sobering reality check: while defenders struggle to improve patching speeds, threat actors are leveraging automation and AI to accelerate exploitation, widening the risk gap.

Detailed Discussion Summary

The Stagnation of Vulnerability Management

The discussion begins with a candid admission that VM is often viewed as unexciting compared to modern detection and response disciplines. Caleb Hoch notes a bifurcation in the industry:

The "Bad": A significant portion of organizations still operate on a 2005-era model of running a scanner and generating massive, unactionable PDF reports.

The "Good": Mature organizations are shifting toward proactive attack surface reduction, configuration management, and the disabling of outdated protocols to prevent zero-day exploitation.

Anton Chuvakin observes that the time lag in VM practices is measured in "fractions of a century," with many current problems mirroring those from the late 1990s. The consensus is that VM lacks the "cool factor" of Threat Hunting or SOC work, leading to chronic under-resourcing. There is a dangerous misconception that deploying modern tools like EDR negates the need for rigorous patching; this is a fallacy, because endpoint controls are not reliable mitigations for infrastructure vulnerabilities (and do not run on most network appliances at all).

The Mitigation & Compensating Controls Debate

The group discusses the complexity of "compensating controls" (or mitigations). While valid in theory (e.g., under PCI DSS), relying on them is risky without rigorous validation. Caleb argues that unless an organization can validate, with 100% certainty, that a specific mitigation (such as an endpoint firewall rule) is active on every single endpoint, the risk remains. Given the organic growth and complexity of IT infrastructure, such validation is rarely possible, making patching the only reliable course of action.
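The "every single endpoint" test above can be turned into a concrete check. The script below is an added example, not code from the episode or from any vendor: it models a vulnerability in a service listening on a given protocol/port and asks whether every affected host has an enabled, inbound, blocking host-firewall rule covering it. The host inventory, the firewall-rule export format and the example port (TCP 445, used purely as an illustration) are constructed assumptions; a real check would pull the same fields from the CMDB/EDR and the firewall management API. A single host without evidence is enough to reject the compensating control.

```python
"""Validate a claimed compensating control across every affected host.

Added example (not from the podcast). Field names, the sample inventory
and the firewall export below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class FwRule:
    host: str
    direction: str   # "in" or "out"
    action: str      # "block" or "allow"
    proto: str       # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int
    enabled: bool


def rule_covers(rule: FwRule, proto: str, port: int) -> bool:
    """True only if this rule, as actually configured, blocks inbound traffic
    to proto/port. A disabled or outbound rule does not count."""
    return (
        rule.enabled
        and rule.direction == "in"
        and rule.action == "block"
        and rule.proto in (proto, "any")
        and rule.port_lo <= port <= rule.port_hi
    )


def validate_mitigation(affected_hosts, rules, proto, port):
    """Return (accepted, unprotected_hosts).

    accepted is True only when every affected host has at least one covering
    rule. Hosts with no firewall telemetry at all are treated as unprotected:
    absence of evidence is not evidence of the control."""
    by_host = {}
    for r in rules:
        by_host.setdefault(r.host, []).append(r)
    unprotected = sorted(
        h for h in affected_hosts
        if not any(rule_covers(r, proto, port) for r in by_host.get(h, []))
    )
    return (len(unprotected) == 0, unprotected)


# Constructed sample data: hosts reported vulnerable by the scanner, and the
# host-firewall rule export. ws-02 has the rule but it is disabled, ws-03 has
# a rule for a neighbouring port range, srv-07 is missing from the export.
AFFECTED = {"ws-01", "ws-02", "ws-03", "srv-07"}
RULES = [
    FwRule("ws-01", "in", "block", "tcp", 445, 445, enabled=True),
    FwRule("ws-02", "in", "block", "tcp", 445, 445, enabled=False),
    FwRule("ws-03", "in", "block", "tcp", 135, 139, enabled=True),
    FwRule("ws-03", "out", "block", "tcp", 445, 445, enabled=True),
]

if __name__ == "__main__":
    ok, gaps = validate_mitigation(AFFECTED, RULES, "tcp", 445)
    if ok:
        print("compensating control verified on all affected hosts")
    else:
        print("mitigation NOT accepted; unprotected hosts:", gaps)
        print("decision: patch")
```

Note that the check deliberately fails closed: a host that simply does not appear in the firewall export is reported as unprotected rather than silently skipped, which is the case most often missed when a team "believes" a rule is fleet-wide.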

Authenticated vs. Unauthenticated Scanning

A significant portion of the dialogue focuses on the legacy struggle between authenticated and unauthenticated scanning.

The Fear (FUD): Many IT teams resist authenticated scanning due to fears that logging into devices (like F5 load balancers or edge devices) will cause outages. Caleb notes that while this is technically possible, it is statistically rare.

The Reality of "False" Scanning: Consultants frequently encounter organizations that believe they are running authenticated scans, only to find the scanner failing to log in, returning minimal data (basic port information) rather than a true vulnerability assessment.

Root Cause: This failure is attributed to a lack of technical acumen within governance-focused VM teams who may not know how to verify scanner logs or troubleshoot authentication failures.
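The "false" authenticated scan described above is detectable from the scan output itself, without any scanner-specific expertise. The script below is an added example, not code from the episode or from any scanner product: it reads a vendor-neutral per-host result export (a constructed format; real scanners expose equivalent per-host authentication status and per-finding categories) and flags every host whose scan should not be trusted as credentialed, either because the scanner itself reported a login failure or because a "successful" login produced nothing beyond what an unauthenticated network scan could have seen.

```python
"""Verify that a 'credentialed' scan actually authenticated on each host.

Added example (not from the podcast or any scanner vendor). The export
format, host names and finding categories below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Finding categories that a purely network-facing (unauthenticated) scan can
# produce on its own. Anything outside this set requires local access.
NETWORK_ONLY = {"open_port", "service_banner", "tls_config"}


@dataclass
class HostResult:
    host: str
    auth_status: str          # scanner's own claim: "success", "failed", "not_attempted"
    finding_types: List[str]  # categories of findings reported for this host


def looks_unauthenticated(result: HostResult) -> bool:
    """True when the result contains only what a network-only scan could see."""
    return all(t in NETWORK_ONLY for t in result.finding_types)


def verify_credentialed_scan(results: List[HostResult]) -> Dict[str, str]:
    """Map host -> reason for every host whose scan must not be treated as
    authenticated. An empty dict means every host passed."""
    problems = {}
    for r in results:
        if r.auth_status != "success":
            problems[r.host] = f"scanner reported auth_status={r.auth_status}"
        elif looks_unauthenticated(r):
            # Login 'succeeded' but no local checks ran: typically the account
            # lacks privilege, the wrong credential type was used, or the
            # scanner silently fell back to a network-only scan.
            problems[r.host] = "auth_status=success but only network-visible findings"
    return problems


def credentialed_coverage(results: List[HostResult]) -> float:
    """Fraction of hosts for which the authenticated scan is trustworthy."""
    if not results:
        return 0.0
    bad = verify_credentialed_scan(results)
    return (len(results) - len(bad)) / len(results)


# Constructed sample export (not real scan data). Only web-01 truly passed.
SAMPLE = [
    HostResult("web-01", "success", ["open_port", "installed_package", "missing_patch"]),
    HostResult("lb-01", "failed", ["open_port", "service_banner"]),
    HostResult("db-02", "success", ["open_port", "tls_config"]),
    HostResult("app-03", "not_attempted", ["open_port"]),
]

if __name__ == "__main__":
    for host, why in verify_credentialed_scan(SAMPLE).items():
        print(f"{host}: {why}")
    print(f"trustworthy credentialed coverage: {credentialed_coverage(SAMPLE):.0%}")
```

The second condition is the important one: a scanner can report a successful login and still deliver an unauthenticated result set, so the check looks at what was found, not only at what the scanner claims. Tracking the coverage figure over time is a cheap way for a governance-focused VM team to notice credential rot before a consultant does.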

Prioritization Strategies

The team moves to the "Gold Standard" of prioritization. With the volume of vulnerabilities making "patch everything" impossible, Caleb outlines a multi-faceted approach used by Mandiant:

Threat Profile: Align prioritization with the specific threat actors targeting the organization's industry and region.

Asset Exposure: Is the asset internet-facing? (External exposure drastically increases urgency).

Exploitation Status: Is there active exploitation or known exploit code?

The "Critical" Definition: True "Critical" status should be reserved for the top ~5 vulnerabilities that require immediate, all-hands-on-deck remediation—or even shutting down the service.
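To make the contrast with CVSS-only ranking concrete, the script below is an added example that combines the factors listed above (threat profile, asset exposure, exploitation status, asset criticality) into a single score and then caps the "Critical" tier at a fixed number of slots. The weights, thresholds, field names and sample findings are this example's own assumptions, not Mandiant's scoring or anything stated in the episode; the finding names are placeholders rather than real vulnerability identifiers. In the sample, the finding with the highest CVSS ends up fifth because it is internal, unexploited and not associated with any actor in the organization's threat profile.

```python
"""Multi-factor vulnerability prioritization with a capped 'Critical' tier.

Added example (not from the podcast; weights and thresholds are assumptions).
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

CRITICAL_FLOOR = 15.0   # below this score nothing is Critical, whatever its rank
HIGH_FLOOR = 10.0


@dataclass
class Finding:
    name: str                      # placeholder label, not a real identifier
    cvss: float
    internet_facing: bool          # from external attack-surface inventory
    exploited_in_wild: bool        # e.g. fed from a known-exploited list (assumption)
    public_exploit: bool           # working exploit code is public
    relevant_actors: List[str] = field(default_factory=list)  # actors known to use it
    asset_criticality: int = 1     # 1 (low) .. 3 (crown jewel), from asset inventory


def priority_score(f: Finding, threat_profile: Set[str]) -> float:
    """CVSS is only the base; context decides the order."""
    score = f.cvss                           # 0..10
    if f.exploited_in_wild:
        score += 10                          # active exploitation dominates
    elif f.public_exploit:
        score += 5
    if f.internet_facing:
        score *= 1.5                         # external exposure multiplies urgency
    if any(a in threat_profile for a in f.relevant_actors):
        score += 4                           # used by actors targeting this sector/region
    score += 2 * (f.asset_criticality - 1)   # business impact of the asset
    return score


def triage(findings: List[Finding], threat_profile: Set[str],
           critical_slots: int = 5) -> List[Tuple[str, float, str]]:
    """Rank findings and reserve 'Critical' for at most `critical_slots` of
    them. Returns (name, score, tier) sorted by descending score."""
    scored = sorted(((priority_score(f, threat_profile), f) for f in findings),
                    key=lambda p: p[0], reverse=True)
    out = []
    for rank, (s, f) in enumerate(scored):
        if rank < critical_slots and s >= CRITICAL_FLOOR:
            tier = "Critical"                # all-hands, or take the service down
        elif s >= HIGH_FLOOR:
            tier = "High"
        else:
            tier = "Routine"
        out.append((f.name, s, tier))
    return out


# Constructed sample: the org's threat profile names one actor of interest.
THREAT_PROFILE = {"ACTOR-A"}
SAMPLE = [
    Finding("vpn-gateway-rce", 9.8, True, True, True, ["ACTOR-A"], 3),
    Finding("internal-db-priv-esc", 9.9, False, False, False, [], 3),
    Finding("public-web-xss", 6.2, True, False, True, [], 1),
    Finding("legacy-smb-exposure", 8.1, False, True, True, ["ACTOR-B"], 2),
    Finding("dev-lib-dos", 7.5, False, False, False, [], 1),
    Finding("mail-relay-auth-bypass", 8.8, True, False, False, ["ACTOR-A"], 2),
]

if __name__ == "__main__":
    for name, score, tier in triage(SAMPLE, THREAT_PROFILE, critical_slots=2):
        print(f"{tier:8} {score:5.1f}  {name}")
```

The cap is the point: with `critical_slots=2` only the top two findings that also clear the floor are labelled Critical, and everything else, however loud its CVSS, competes in the normal patch cycle. Raising the cap to the episode's "top ~5" is a one-argument change.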

Operationalizing VM: The "VM Tabletop"

A key insight from the episode is the application of Tabletop Exercises (TTX), usually reserved for Incident Response, to Vulnerability Management.

The Scenario: Instead of just having a policy that mandates "patch within 3 days," organizations should run exercises simulating a zero-day on a critical edge device (e.g., a VPN concentrator).

The Value: These exercises often reveal that the theoretical patching plan is impossible due to business uptime requirements or lack of rollback procedures.

Recommendation: Organizations should create "Playbooks" for VM similar to IR playbooks, ensuring IT owners know exactly how to patch or decommission a critical service under pressure.

AI and the Future of VM

The conversation addresses the role of Generative AI. Contrary to the optimism seen in other domains, Caleb suggests AI may initially make the VM landscape harder for defenders.

Defensive View: AI use cases for VM (prioritization, automation) are still nascent.

Offensive View: Threat actors are likely using AI to accelerate exploit development, reducing the time from disclosure to exploitation from days to minutes.

Conclusion: The "time to exploit" is shrinking rapidly due to automation and AI, while the "time to patch" remains stagnant or is worsening due to increasing asset complexity.

Timeline of Key Topics

Introduction and Host Banter: Tim and Anton introduce the guest, Caleb Hoch, and joke about the historical "un-excitement" associated with Vulnerability Management (VM).

State of the Union on VM: Caleb describes the current landscape, noting that while some transform, many organizations are stuck in "scan and report" cycles reminiscent of 2005.

Why VM Stagnates: Discussion on why VM falls behind other security areas; lack of "cool factor," under-resourcing, and the false security blanket of EDR tools.

Compensating Controls: Analysis of why "mitigations" (firewalls, etc.) often fail as a substitute for patching due to the difficulty of validating them at scale.

Authenticated vs. Unauthenticated Scanning: Exploration of why organizations still struggle to perform authenticated scans, citing fear of outages and lack of technical skill to verify scanner performance.

Prioritization Methodologies: Caleb outlines the Mandiant approach to prioritization, combining Threat Intelligence, Asset Exposure, and Business Context.

The "Shut It Down" Discussion: The rare but necessary recommendation to take a service offline entirely when risk outweighs business value.

Over-reliance on Threat Intel: Anton asks if focusing only on "active exploits" leaves organizations vulnerable to N-day exploits that haven't hit the news yet.

Human Factors and VM Tabletops: The concept of running Tabletop Exercises (TTX) for VM processes to prove that patching timelines are realistic before a crisis hits.

AI's Impact on VM: A look at how AI accelerates the adversary's ability to write exploits faster than defenders can adopt AI to fix them.

Closing Advice: Recommendations for automation, fitting VM into existing workflows, and using threat reports (like M-Trends) to build business cases for resources.
