Video: APJ | Demo: Identify Vulnerable Assets and Prioritise Remediation | Duration: 1988s | Summary: APJ | Demo: Identify Vulnerable Assets and Prioritise Remediation | Chapters: Welcome and Introduction (20.494999s), Vulnerability Prioritization Challenges (75.659996s), Prioritizing Vulnerabilities Effectively (294.745s), Vulnerability Solution Approach (431.97498s), VIPER Dashboard Overview (670.47s)
Transcript for "APJ | Demo: Identify Vulnerable Assets and Prioritise Remediation": Hello, and welcome, everyone. And thank you for joining us at today's Armis demo. I am Antonio Querales, one of our campaign marketing managers at Armis, and I will be your host today. In this session, we will discuss Armis Centrix for vulnerability prioritization and remediation. But before we dig into our demo, I would like to cover some housekeeping items. This is a thirty minute demo session. This session is being recorded, and it will be available for you on demand. Please submit your questions in the chat, and we will address them at the end of the presentation. We have provided some additional resources for you on the topic. Please check them out after the webinar. With that, I would like to introduce our speaker, Terrence Davis, senior sales engineer at Armis. And now, Davis, I hand this off to you. Thank you. Thanks for having me. So we're talking about vulnerability prioritization and remediation. The short way to say that is, we call it VIPER. Okay? So what it really talks about, or what we're really trying to get to, is the fact that the things that are broken in the model that we currently have is that there's just millions and millions of CVSSs that are coming out, CVEs that are coming out, I should say, and that the CVSS scoring system is really broken. Right? There's really no true way of trying to prioritize correctly, because the fact is that you wanna prioritize vulnerabilities against exploits and not just by the fact that some arbitrary system scored it by a 10 or scored it by a five. If a five is exploitable, then that's probably as high as it needs to go. Right? It's a 10 at that point, but it's a system that's broken. The other problem that we have is, you know, we have this form of what we call modeling, which is called EPSS. And EPSS, what that does is, it's called the exploit prediction scoring system.
It was created by Kenna and a person by the name of Michael Roytman in conjunction with the Cyentia Institute. The problem with the way the EPSS scoring system worked is that the Cyentia Institute actually worked with Michael Roytman, who was a data scientist at Kenna, and created the scoring model, but then graded the scoring model, and they were both working together on this system. Right? The problem with modeling is exactly that. It is just a model of prediction, and it really doesn't look at the actual sense of where the system or actual data is coming from. Right? It doesn't look at any kind of research, or it doesn't go out to the dark web or the clear web and scrape that for information, for intelligence, trying to find out exactly what is happening within that environment to see if there's any kind of exploits or rootkits that are being built against a specific type of vulnerability. Right? And so, again, if you're just trying to model it, it's a guessing game. And even if you're forty, fifty, 60% accurate, you're still 40% inaccurate. Right? So modeling is not really gonna solve the problem that we have in trying to figure out what we need to prioritize. So what it really gets down to is we're trying to save you time. Right? If you prioritize against the vulnerabilities that are being exploited in the wild currently, and then you have an early warning system that can provide you additional information on vulnerabilities that we have done the research on, or have caught information in a honeypot to show you that this new exploit, or this new vulnerability, I should say, is going to be exploited in the next couple weeks or the next couple months or even ten months later down the road.
That is really what's gonna, you know, provide you the information that you need in order to cut the amount of time that you spend fixing vulnerabilities that don't matter, and prioritizing and fixing the ones that really do matter, you know, that are much more important. Right? So that's really where we're trying to get to when we talk about VIPER. So here's the new approach. Right? You get an alert, you get a vulnerability, but you wanna look at the things that are being exploited versus the things that are not being exploited. It could be a CVSS score 10, but here's the thing, CVSS scoring just really doesn't work anymore. It was created by NIST. And the idea behind that, taking those MITRE scores and associating them, doesn't take all of the information into play, because when the vulnerability first comes out, it may not have an exploit against it. So you give it a score of eight or you give it a score of five depending on the information that you have available at the time, but you never go back and create a new score once that exploit comes out. So that's not the real way to understand what's happening within your environment. And it's better if you look at how critical, number one, that vulnerability is on the assets that would be impacted in your business that are gonna make a difference. Right? So it doesn't take any of that information into consideration. So there's a lot of things that Armis can do where we look at the business impact. We look at how critical the CVE score is inside your environment, but also look at any kinda early warnings that might say, hey, this is a low CVE, but the CVSS score is gonna be wrong because, in the next couple months, there could be an exploit against that vulnerability.
And so we wanna also look at the assets that may be exposed by, you know, looking at the ones that are connected to the Internet versus the ones that already have compensating controls in place that you just can't even get to. So there's a little bit of play within how you prioritize vulnerabilities to make sure that you're looking at the ones that are truly vulnerable within your system and not the ones that are already protected behind multiple firewalls, or even because you micro-segmented, or you have them air gapped for that reason. So here's really the solution that we're talking about. We've got different pillars within the Centrix environment, and the Centrix platform gives you a lot of play within how everything flows from, say, from a s AMS all the way through to the end of actionable threat intelligence. But what's happening here is we're looking at vulnerability prioritization and remediation. And what that does is it takes all the information that we get from multiple different integrations, not only into Centrix and the Centrix platform, but also takes all that asset information and bundles it all together. And I'll show you that in just a minute inside the VIPER demo. But it takes that information, bundles it together, and instead of showing you all the problems that you have in your environment, it actually gives you all the solutions. And that's really what you need, is to figure out how am I gonna solve the problem, not just give me information on what the problem is. So how do we fill in those coverage gaps and consolidate those vulnerabilities? I'm gonna show you when we get into the tool in just a minute how that really happens. But what we do is look for a couple things. Number one, you need to know about all of the assets that you have in your environment.
So you have to have a true single source of truth within your environment that is accurate on all of the information on all of the assets, and then all of the ones that have some kind of business impact to them, but also all of those assets that are connected to the Internet. Number two, you need to look at the ability to understand how to assess those assets. Right? Are those truly assets? Are they code repositories? Are the vulnerabilities within those code repositories something that you need to worry about? Are they hardware vulnerabilities, software vulnerabilities? And then really eliminate the inefficiencies within your environment by looking at assets that may be part of a test bed, where why should I go fix the vulnerabilities that are part of a test bed when I have real vulnerabilities on devices that are impacted in my business? Right? So that's really what we're trying to do, is fill in the gaps. Let's look at the things that really matter within your environment, and then let's help you prioritize and remediate those that are in your environment. So in summary of everything I just kinda said, what we're trying to do is, number one, fill in those coverage gaps on those vulnerabilities. Let's look at the assets that truly matter, not the ones that don't matter within your environment. Let's look at the assets that are connected to the Internet, not the ones that aren't and have some kind of compensating control. Number two, let's enrich all that information and give you the vulnerabilities that have the assets that have the most business impact. Let's start there, and then let's start looking at the CVSS scores and all of the other information, like the exploitable vulnerabilities that you have that are being exploited in the wild right now.
And then let's manage, or let's prioritize, those vulnerabilities so we're fixing the right ones, and then remediate or mitigate or look at the compensating controls and accept the risk on all of those other vulnerabilities that you have in your environment. And then lastly, let's start to track the progress of how well our remediation teams are doing to remediate those vulnerabilities on those assets, because that's what's the most important. So what I wanna do real quick before I say thank you for everything, I wanna actually show you, get into the vulnerability information and prioritization system. And let me share that with you real quick. So hopefully everybody can see my screen. We're in the VIPER dashboard. What this gives us the ability to do is, number one, as you log in to VIPER, you're looking at the VIPER dashboard, but it's gonna show you all of the information that we have from critical findings, high findings, medium findings, low findings, but it also starts to show you what those findings are. Is that on an EC2 instance? Is it an actual hard coded hardware vulnerability that we need to go fix? And then looking at the most common factors, what this really does is give you a way of starting to understand your exposure and the impact of risk to that exposure. And this is what really your board is going to look at. They're gonna wanna see how well you're doing across the board on findings and then how well we're doing as far as remediating those findings over certain periods of time. So let me get into this real quick. I wanna show you real fast what the data flow looks like, because I think it's really important to understand the data flow, and then I'm gonna get into the findings. I know that's pretty small, so I'm gonna make that a little bit larger so that you can see it real quick. But what this is really looking at is pulling information, security findings.
And again, security findings meaning misconfigurations, EC2, code repository, weakness enumerations, common vulnerability enumerations, all of that information where you have a risk associated to an asset, and pulling those findings in. It also is going to pull that contextual data about that asset in so that you have a better understanding of those assets that are gonna have business impact versus those assets that may be in a test bed that you don't care about. Right? And then you're gonna pull information in from maybe Checkmarx and Black Duck and CrowdStrike and, you know, GitHub and Veracode, all of these different repositories of different types of information, pull that in and ingest it into the VIPER platform. The next thing we're gonna do is we're gonna normalize that. And what I mean by normalize that is to put it into a single language so that we can understand it, and then deduplicate all of that information. So when we started out with over 354 problems, we're down to a deduplicated 60,000 problems. Right? And then we're gonna add that contextual enrichment. Right? What is the asset? How is it gonna impact my business? And then reprioritize that by looking at labels. Is it connected to the Internet? Is it Internet facing? Or is it behind a firewall? And then take that information to reprioritize it and say, look, if it's behind a firewall, let's drop the score by 40 points. If it is connected to the Internet, let's raise the score by 40 points. And then lastly, what we're gonna do is take that and group that into fixes, as opposed to just saying, hey, you've got 60,000 deduplicated problems. Let's go ahead and show you, hey, now you've got 3,000 fixes. Let's send the fixes to those remediation teams, those business units that are responsible for the fixes.
And that way, you can get to work right away on trying to solve those fixes, as opposed to looking at the huge number of problems and saying, I don't even know where to start. And then we'll have the ability to automate that ownership. Right? Take that information and say, who's responsible for the fix of this information? And then send it actually to the ticketing system that they normally use. And what you'll see is, you know, somebody that's working on code repositories or EC2s is normally gonna work within Jira, but those people that are working in the IT department are probably gonna be working in either ServiceNow or Freshservice. So let's make sure we're ticketing in their environment. So let me show you what that really looks like from a finding standpoint so that we can understand what I'm talking about real quick. You can see all my findings here, and I can start circling through all these findings and looking at certain things. But as I jumped into the findings, one of the things that you'll notice is I can look at all findings, but I can actually look at different types of findings, for instance, too. So if I wanted to just look at the vulnerabilities and host vulnerabilities, I could click there, understand what those host vulnerabilities are looking at, and then take any one of those findings and open the drawer so I can read more about what that finding really is. Right? So you can see here that, under this finding as an overview, I can get an understanding of the description, where that information was coming from, whether it was deduped with other findings, for instance. I can see the original findings as they're associated to that first deduped finding. I can find out who the VIPER team owner is or the asset owner is. So the asset owner is normally going to be the person that's responsible for the fix on that device. Right? It's not gonna be the vulnerability management team.
It's gonna be the asset owner that's going to be fixing that. So I could say, hey, I wanna create the ticket, find out who that asset owner is, click on create that ticket, and then send him that information. There's a couple other things I wanna show you real quickly before I go up to the top again, and that's looking at the details. I can find out what the severity findings are, the category of the type of finding. Is it an OS update finding? What type of OS is it? How long has it been open from the first discovery? And how long do I have in my SLA? What are the affected hosts? And then you can see even some more information on the types of computers, the boundaries that are associated to it, the labels that we're pulling down, a lot of additional information. Also, you can see CVEs. You can see all the CVEs associated to that device, but you can see across the board here that we can even show you when it was an early warning from the standpoint of the Centrix platform. Also, if that exploit does exist and when it does exist, that's why you're gonna get that scoring of a 100. That's always gonna be higher. And then also some other additional info, as if it's added to the CISA well known exploit database, remotely exploitable, which is always something to worry about. Right? And then you can start looking here. There's a couple more that I'm not gonna go through, but I'm gonna start looking at what are the CVEs that this one fix is going to solve the problem on. You can see here that there's some additional info on the KB articles that are gonna have those fixes that you can go out and download. And then what is related to that, if there's anything that we already have information-wise that is related to this specific fix, and then what are the activities that are happening right now. And those activities, I can go in and start commenting on it and say, this is high business impact, and get somebody working on it.
Well, if I can spell, I can get somebody to work on it. Impact, and get somebody working on it right away so that they understand this is a high business impact. Let's get to work on this. So you can see that there's a lot of information that we get inside these drawers. Now real quickly, I just wanna show you that we have information on inventory. So if you wanted to look at Docker container images or something like that, we could go in and look at Docker container images as well. Those, again, are risky pieces of information, and then you have your remediation owners. What's nice about what VIPER does is it will look at some of those repositories like Okta or Active Directory and pull down information that can figure out, using AI, who's responsible for what kind of devices. Now, of course, you can go in there and manually add some of the information as well, but usually it can figure out who's responsible for a specific type of host or a specific type of patch, specific type of vulnerability, and be able to automate most of those processes. Now one thing I wanna show you real quick, because I know we're running out of time, is getting into the labels real quick. You can see that as we create these labels, these labels have the ability to start to be used for finding severity. And that means either raising the score or lowering the score based on the labels that we're getting in. We're pulling labels from all of those integrations that we have within VIPER. And then lastly, real quick, understanding that you can create campaigns. And what are campaigns? Campaigns are these ways of tracking specific types of groups of vulnerabilities.
So if you were looking at all the vulnerabilities related to Log4j, you could create a Log4j campaign and then start pushing that Log4j campaign so that your board members, the people that really care about how well we're getting things fixed, can monitor the fixing of those campaigns. So you can always create a campaign off of the findings page, or you can create a campaign right here just by clicking in and then starting to choose or filter through the findings. For the most part, that is basically working through VIPER Pro, but I wanted to leave us enough time to maybe check the chat real quick and see if there were any questions. And looking at the chat, let me see here. Yeah. I have a couple real quick coming in. And the first question is, isn't a list of CVEs prioritized by severity? And is that all we need? Well, let's face it. First and foremost, CVEs are prioritized by the MITRE score created by the National Vulnerability Database of CVSS. But the problem with CVSS is that they create those scores and then they never get changed after the fact. So you could have what I would call a CVE that has a low CVSS score, but then there's an exploit that gets created five, six, you know, ten months later, and they never change the score of that CVSS. So if that CVSS score started at six, that score is never gonna get changed. The second thing to think about from the standpoint of just looking at CVSS scores is that there are actual political nation states now that have been told that they are going to work on everything that's a CVSS score of seven or below, because they already know that in most cases everybody works on highs and criticals, because that's all the time they have, and they can't look at things that are lower than that. So if you're only fixing your highs and criticals, there's gonna be exploits against lower scored CVEs, and those are gonna become the problem.
Those are the ones that are gonna catch people off guard, and you're gonna get hacked and exploited by those lower CVSS scores. Next question. How can Armis help us automate vulnerability management? Great question, by the way. With VIPER Pro, as I showed you, some of the things that we can do, as we talked about, is, number one, we can start to understand automatically where these people are responsible and what they're responsible for, number one, so that as we start looking at the findings, whatever those findings are, and then we open the drawer on those findings, we can actually automate that process to create those tickets. So if we can automate the process of finding out who's responsible for the fix of a problem, and then we can automate the actual creation of the ticket, we can start that automation process right there all the way through pushing that ticket out to the responsible party that is responsible for the vulnerability and the patching of that vulnerability. So, yeah, we can start that automated process now. Is that gonna be perfect? No. It never is perfect, because there are always gonna be times where you don't wanna create vulnerabilities, or you don't wanna create automations against vulnerabilities, that might be on OT systems, for number one, or medical devices. Number two, you wanna kinda test those in an environment first before you automate that process. But it can certainly help you with the IT devices that have vulnerabilities and then move on from there. So, hopefully, that helps you understand what VIPER Pro can do for you inside the platform of everything that is Centrix. And I'd like to shoot it back to Antonio to close us out. Thank you, Terrence. It is now the end of the session, and we have received many questions. We will answer the rest of your questions via email. I want to thank everyone for joining us today. Thank you, Terrence, for your amazing presentation. For more information about Armis, please visit armis.com.
Have a great day. Thank you.
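The data flow the speaker walks through (ingest findings from several sources, normalize and deduplicate, enrich with asset labels, raise or lower the score by 40 points for Internet-facing or firewalled assets, score exploited CVEs at 100, skip test-bed assets, and group the result into fixes routed to each owner's ticketing system) as an added Python example. This is not Armis code or the VIPER product; the scanner names, asset names, owners, CVE ids and KB ids are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    source: str        # scanner or repository the finding came from (constructed)
    asset: str         # host or image the finding applies to (constructed)
    cve: str           # placeholder CVE id, not a real vulnerability
    base_score: float  # CVSS-style 0-10 score as reported by the source
    fix_id: str        # placeholder KB article / package version that closes the CVE


# Constructed sample feed: two scanners report the same CVE on the same host.
RAW_FINDINGS = [
    Finding("scanner_a", "web-01", "CVE-0000-0001", 5.0, "KB-PLACEHOLDER-1"),
    Finding("scanner_b", "web-01", "CVE-0000-0001", 5.3, "KB-PLACEHOLDER-1"),
    Finding("scanner_a", "web-01", "CVE-0000-0002", 9.8, "KB-PLACEHOLDER-1"),
    Finding("scanner_a", "db-01", "CVE-0000-0003", 7.5, "KB-PLACEHOLDER-2"),
    Finding("scanner_b", "lab-07", "CVE-0000-0002", 9.8, "KB-PLACEHOLDER-1"),
]

# Constructed asset context (labels and owners) standing in for platform enrichment.
ASSET_CONTEXT = {
    "web-01": {"internet_facing": True, "behind_firewall": False, "owner": "cloud-team", "ticketing": "jira"},
    "db-01": {"internet_facing": False, "behind_firewall": True, "owner": "it-ops", "ticketing": "servicenow"},
    "lab-07": {"internet_facing": False, "behind_firewall": True, "owner": "it-ops", "ticketing": "servicenow", "test_bed": True},
}

# Constructed threat context: CVEs with an exploit observed in the wild.
EXPLOITED_IN_WILD = {"CVE-0000-0001"}


def deduplicate(findings):
    """Normalise to one finding per (asset, CVE), keeping the highest reported base score."""
    merged = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key not in merged or f.base_score > merged[key].base_score:
            merged[key] = f
    return list(merged.values())


def reprioritise(finding, context, exploited):
    """Scale 0-10 to 0-100, apply the +/-40 label adjustments, and force 100 when exploited."""
    score = finding.base_score * 10
    ctx = context[finding.asset]
    if ctx["internet_facing"]:
        score += 40
    if ctx["behind_firewall"]:
        score -= 40
    if finding.cve in exploited:
        score = 100
    return max(0, min(100, score))


def group_into_fixes(findings, context, exploited):
    """Collapse scored findings into one fix per (owner, fix_id), routed to that owner's ticketing system."""
    fixes = defaultdict(lambda: {"cves": set(), "assets": set(), "priority": 0, "ticketing": None})
    for f in findings:
        ctx = context[f.asset]
        if ctx.get("test_bed"):
            continue  # test-bed assets are left out of remediation work
        fix = fixes[(ctx["owner"], f.fix_id)]
        fix["cves"].add(f.cve)
        fix["assets"].add(f.asset)
        fix["priority"] = max(fix["priority"], reprioritise(f, context, exploited))
        fix["ticketing"] = ctx["ticketing"]
    return dict(fixes)


def run_pipeline(raw=RAW_FINDINGS, context=ASSET_CONTEXT, exploited=EXPLOITED_IN_WILD):
    """Full flow: deduplicate, rescore with labels, group into owner-routed fixes."""
    return group_into_fixes(deduplicate(raw), context, exploited)
```

Five raw findings collapse to four deduplicated ones and then to two fixes: the Internet-facing host with the exploited CVE lands at priority 100 in Jira, the firewalled database host drops to 35 in ServiceNow, and the test-bed host produces no fix at all.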