Applying Vulnerability Management to Zero Trust: Insights from Fortra’s Tyler Reguly
Catch this episode on YouTube, Apple, Spotify, or Amazon. You can read the show notes here.
Every organization relies on some form of technology to run, and each tool you add increases the risk of vulnerabilities causing problems. If you don’t stay on top of patching, you make it easier for a bad actor to find their way into and around your network.
This week, we chat with Tyler Reguly, a senior manager of security research at Fortra, who shares insights from his 18 years in vulnerability management. Tyler discusses the importance of staying on top of patching to maintain a Zero Trust strategy and the differences between vulnerability management and patch management, and he emphasizes that the Common Vulnerability Scoring System (CVSS) measures severity, not risk.
We also briefly nerd out about the significance of groups like the Canadian Cyber Threat Exchange (CCTX) for knowledge sharing and collaboration in cybersecurity. And then, we wrap things up by exploring the efficacy of existing security policies and benchmarks, such as CIS and DISA STIGs, and the role of vendor relationships in maintaining effective security practices.
Key Takeaways
The Common Vulnerability Scoring System (CVSS) measures severity, not risk; a broader risk assessment methodology is necessary.
Prioritizing public-facing systems and user base risks is essential due to common exploitation methods like phishing.
Effective patch management requires vigilant testing to avoid false positives and unnoticed vulnerabilities.
Collective defense groups like the Canadian Cyber Threat Exchange (CCTX) enhance security through knowledge sharing and collaboration.
Security Configuration Management (SCM) and standards like CIS benchmarks are beneficial for enhancing security beyond just patching.
Building a robust Zero Trust program involves leveraging community insights, prioritizing critical patches, and continuously validating security measures.
Editor’s Note
Transparency note: Elliot now works at MSFT and will not discuss anything that takes place there or about the company. You can check out the fancy threat intel podcast for that.
The Importance of Patching in Zero Trust
To set the stage, we kicked things off by addressing a fundamental question: how critical is it to stay on top of patching in a Zero Trust strategy? Tyler offered his perspective, noting the surprising view held in some circles that Zero Trust could reduce the urgency of patching. He countered that, in his experience, patching remains a crucial element, because you have to operate under the assumption that a breach is inevitable. He elaborated on the necessity of knowing what is in your environment, prioritizing by risk, and knowing how to deal with the vulnerabilities you find.
Community Involvement: CCTX and Vulnerability Information Sharing
Tyler shared one of his enriching experiences with the Canadian Cyber Threat Exchange (CCTX). He highlighted the enthusiasm and commitment within the community towards making vulnerability management programs work. Tyler emphasized the advantage of seeing cybersecurity as a team sport through such communities where knowledge sharing and active participation significantly enhance the collective security posture.
Zero Trust Policy and Vulnerability Prioritization
Neal then led us into a brief rabbit hole, diving deeper into the nuances between traditional vulnerability management and Zero Trust policies. Tyler explained that Zero Trust implementations sit at varying degrees of maturity, and that the maturity level significantly affects the overall benefit. A key takeaway was the emphasis on prioritizing public-facing systems and the risks carried by the user base, since humans commonly fall for phishing attempts and other exploitation methods.
Security Configuration Management and Standards
The conversation then shifted to security configuration management (SCM) and standards like CIS (Center for Internet Security) benchmarks. Tyler highlighted the importance of SCM, noting that patching, while essential, is just one layer of the security stack. Implementing robust configuration policies can make systems more secure even with vulnerabilities, further complementing Zero Trust principles.
The Role of CVSS in Risk Prioritization
Tyler touched upon a core aspect: the Common Vulnerability Scoring System (CVSS) and its role in measuring vulnerability severity, not risk. He clarified common misconceptions about CVSS, advocating for its use as a severity indicator while emphasizing the necessity of a broader risk assessment methodology to truly gauge the impact on an organization's specific environment.
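The two points above, prioritizing public-facing systems and exposed users, and treating CVSS as a severity input rather than a risk score, are easiest to see side by side in code. The following Python is an added illustration written for these notes; it is not Fortra's tooling, nor a method Tyler describes, and the weighting factors in `risk_score` are an assumption chosen only to make the contrast visible. The hosts, CVE placeholders and scores are constructed sample data. Only `cvss_severity` reflects a real standard (the CVSS v3 qualitative rating bands).

```python
"""Severity is not risk: rank findings by CVSS base score combined with
environment context. Added example with assumed weights, not a standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                 # constructed placeholder, not a real advisory id
    cvss_base: float         # published CVSS base score (0.0-10.0): severity only
    internet_facing: bool    # reachable from the internet
    known_exploited: bool    # exploitation observed in the wild
    asset_criticality: int   # 1 (low) .. 3 (high), set by the asset owner
    user_workstation: bool   # endpoint a phished user would be sitting at


def cvss_severity(score: float) -> str:
    """CVSS v3 qualitative severity rating (the real bands, nothing more)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_score(f: Finding) -> float:
    """Hypothetical risk weighting (assumed for this example): start from
    severity, then scale by exposure, exploitation evidence and asset value."""
    score = f.cvss_base
    if f.internet_facing:
        score *= 1.5     # public-facing systems get attacked first
    if f.user_workstation:
        score *= 1.25    # phishing makes user endpoints reachable too
    if f.known_exploited:
        score *= 2.0     # evidence of real exploitation outweighs theory
    score *= {1: 0.5, 2: 1.0, 3: 1.5}[f.asset_criticality]
    return round(score, 2)


def prioritize(findings):
    """Highest contextual risk first; ties keep input order."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample data: the highest CVSS score sits on an isolated,
# low-value build server, while a High-rated bug on an exploited,
# internet-facing gateway is the one that should be patched first.
SAMPLE_FINDINGS = [
    Finding("build-03", "CVE-XXXX-0001", 9.8, False, False, 1, False),
    Finding("vpn-gw-01", "CVE-XXXX-0002", 7.2, True, True, 3, False),
    Finding("laptop-042", "CVE-XXXX-0003", 8.1, False, True, 2, True),
    Finding("db-int-07", "CVE-XXXX-0004", 9.1, False, False, 3, False),
]


def ranked_hosts(findings=SAMPLE_FINDINGS):
    """Hostnames in patch order, for callers that only need the list."""
    return [f.host for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.host:<12} {f.cve:<14} CVSS {f.cvss_base:>4} "
              f"({cvss_severity(f.cvss_base):<8}) risk {risk_score(f):>6}")
```

Run as a script, the table puts vpn-gw-01 first and build-03 last even though build-03 carries the only Critical CVSS rating; swapping in your own asset inventory for `SAMPLE_FINDINGS` is the point of the exercise, and the weights are where an organization's own risk methodology replaces the guesses used here.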
Vendor Trust and Vulnerability Management
Understanding the credibility and context of information from vendors is paramount. Tyler shared anecdotes illustrating both the pitfalls and benefits of relying on vendor-provided data. He stressed the importance of validating vendor claims, understanding the nuances of potential media hype, and trusting reputable vendors who provide clear, detailed, and immediate action plans for critical vulnerabilities.
False Positives and Patch Management
Toward the end, Tyler discussed the ongoing challenge of false positives in vulnerability detection tools and the critical need for effective patch management. He illustrated real-world scenarios where lapses in proper patching resulted in unnoticed vulnerabilities, reinforcing the message that patch management requires vigilant testing and verification beyond just automated updates.
Our conversation wrapped up with a light-hearted but insightful dialogue on the intersections of vendor management and supply chain risk, and on the personal perspective each of us brings to community-driven security initiatives. Tyler's contributions and insights undoubtedly highlighted the importance of proactive vulnerability management in shaping strong Zero Trust environments.
In essence, this episode underlined that building a robust Zero Trust framework isn't just about implementing technology but also leveraging community insights, prioritizing critical patches, and continuously validating security measures. Stay tuned for more deep dives with experts like Tyler who bring invaluable perspectives to the evolving world of Zero Trust.
Thank you for joining AZT, an independent series. For more detailed insights from our episodes, visit adoptingzerotrust.com and subscribe to our newsletter.