eSummit

Vulnerability and Patch Management: Every day is a zero day

On-Demand Event

Earn up to 6.5 CPE credits by attending this virtual event.

ProxyLogon. Log4Shell. PrintNightmare – 2021 was the worst year ever for major vulnerabilities and exploits, and there’s no reason to believe the pace is slowing down. Rushed code development, third-party libraries, and a growing array of API bugs are overwhelming companies’ efforts to manage and patch vulnerabilities in their systems and devices. With that in mind, this eSummit will explore how companies can adjust their strategies for how they assess, identify, prioritize and resolve threats within their organizations. Topics include:

  • CyberRisk Alliance’s exclusive vulnerability and patch management research
  • Lessons on zero-day triage, learned from the biggest vulnerability incidents of the past year
  • Tips for establishing a fair and resourceful bug bounty and vulnerability disclosure program
  • Asset visibility, risk assessment & prioritization, compliance mandates, and other patching challenges

Agenda

Day 1

11:00 AM
Opening Keynote: Escaping vulnerability debt: How to unburden yourself from a backlog of bugs
Joseph Gothelf, Senior Director, Threat & Vulnerability Management, Wyndham Hotels & Resorts

Vulnerabilities have a way of piling up — and before you know it, you can be buried under an avalanche of bugs. Each of these flaws represents a certain amount of risk. But how much long-term risk are you willing to tolerate? What strategy should you apply to chisel away at this backlog? And what happens when vulnerable software is no longer supported? This session will aim to answer these and other pertinent questions for organizations looking to reduce their vulnerability debt.

11:30 AM
Insights from the 2022 ASM Report for Vulnerability Managers on their Attack Surface Management Journey
Abhishek “Abhi” Anbazhagan, Product Marketing Manager, Palo Alto Networks

The idea of attack surface management (ASM) is not new, but how organizations and vulnerability managers (VMs) view their attack surfaces should be updated. Traditionally, IT has looked at an organization’s attack surface from the inside out, asking questions like, “What are the assets that connect to the wider internet?” and “What are our mean times to detect and respond?”

VMs should be looking from the outside in, asking questions like, “How many unknown assets are connected to my network?” and “What is my mean time to inventory every asset that can put my organization at risk?”

Join this session to understand:
• Challenges with the traditional methods of asset inventory
• Non-zero-day vulnerabilities that don’t get headlines but are on every attacker’s path-of-least-resistance list
• Trends from a data analysis of 100+ organizations and their internet-connected exposures
• How to tackle security issues such as exposed remote access protocols and expired certificates

12:00 PM
The rise of RCE: why code execution is booming and how to fortify your defenses
Dan Murphy, Distinguished Architect, Invicti

Remote Code Execution (RCE) is a class of vulnerability that we’ve heard a lot about in the news recently. Many organizations are still feeling the aftershocks of Log4Shell’s exploit of Log4j. In fact, RCE does not seem to be going away. The latest Invicti research shows a 3-4x increase in Code Execution findings over the past three years. RCE is severe — an attacker can exfiltrate data, steal credentials, and forge database records. In this session, Invicti Security Distinguished Architect Dan Murphy will showcase the latest data around RCE and delve into techniques that even the largest organizations, with thousands of web assets, can use to safeguard their web applications from RCE.

12:30 PM
CRA BI study takeaways: Vulnerability management
Bill Brenner, VP Custom Content, CyberRiskAlliance

In July 2022, 200 security practitioners participated in a CRA BI study on vulnerability management. Join Bill Brenner, CRA VP of content strategy, and Dana Jackson, CRA VP of research, for a look at where security teams continue to struggle, which tools have proven most helpful, and where they will make investments in the coming year.

1:15 PM
Break

1:30 PM
Addressing cybersecurity challenges in open source software
Matt Jarvis, Senior Developer Advocate, Snyk
Jason Lane, Director of Product Marketing for Open Source

Open source software (OSS) has had a tremendous impact on the development and distribution of the software we depend on today. Through its collaborative and open way of both developing and sharing software components, OSS has served as a key engine for innovation and encouraged the widespread reuse and sharing of core software components.

Snyk partnered with The Linux Foundation to develop a report that focuses on OSS security perspectives and how to improve OSS security and sustainability. This session will discuss:
• How organizations are addressing and prioritizing their cybersecurity needs
• The most important ways to improve open source software security
• Who should be driving open source software security policies

2:00 PM
Remote browser isolation and what it means for your business
Krystal James, Sales Business Development Manager, Cisco/Umbrella
Eric Trolan, Technical Solution Specialist, Cisco/Umbrella
Chris Riviere, Technical Solution Specialist, Cisco/Umbrella

In today’s ever-changing remote work environment, the browser is where most of the work happens. Umbrella remote browser isolation (RBI) provides an added layer of protection against browser-based security threats for high-risk users. This makes it possible for users to visit risky web destinations safely. Join this Cisco Cloud Security specialists panel and learn how RBI:
• Moves the most dangerous part of browsing the internet away from the end user’s machine and into the cloud.
• Enables users to be productive and access the web destinations they need without negative impacts.
• Isolates web traffic between the user device and browser-based malware.

2:30 PM
Closing Keynote: The federal push for SBOMs: A first step toward better supply-chain vulnerability management
Allan Friedman, Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA)

Presidential Executive Order 14028 requires companies that sell software to the U.S. government to provide a Software Bill of Materials (SBOM), so that federal agencies will have the necessary supply-chain visibility to take action when a component is found to contain a coding vulnerability. And it’s only a matter of time before private industry organizations call for similar practices and protections from their supply-chain partners so they can also respond faster to exploitable bugs. In this session, Allan Friedman, Senior Advisor and Strategist with the Cybersecurity and Infrastructure Security Agency (CISA), will detail the benefits that SBOM practices will have on the vulnerability and patch management process and explain how the government’s efforts in this area will pave the way for more widespread adoption.

Day 2

11:00 AM
Opening Keynote: Conquering the pyramid of pain: Prioritizing vulnerabilities as a developer and an end user
Andy Ellis, Operating Partner, YL Ventures

The bugs never stop coming. New vulnerabilities constantly materialize, and it’s up to organizations to judge which issues need immediate attention and which fixes or patches can wait. That’s true whether you’re a developer creating various patches or an end user applying them across your organization. In this session, cybersecurity veteran Andy Ellis will detail the Severe Vulnerability assessment program he instituted at a major content delivery network and cloud services provider — and explain how this system is applicable to not only DevSecOps specialists, but also security personnel in the end-user community who are responsible for patch management.

11:30 AM
Hacking gamification: going from zero to privileged PWNED
Joseph Carson, Chief Security Scientist & Advisory CISO, Delinea

Staying up to date and learning hacking techniques is one of the best ways to know how to defend your organization from cyber threats. Hacking gamification is on the rise to help keep security professionals up to date on the latest exploits and vulnerabilities. This session is about helping you get started with hacking gamification to strengthen your security team. In this session Joseph Carson will choose two systems from Hack The Box and walk through each of them in detail, explaining each step along with recommendations on how to reduce the risks, going from initial enumeration and exploitation through abusing weak credentials to a full privileged compromise.

12:00 PM
Thought Leadership Panel: Patch me if you can: Fixing bugs in ICS & IoT environments where “keeping the lights on” is essential
Tim Chase, Director of EASE (the Energy Analytics Security Exchange), Global Resilience Federation
Christian Dameff, Medical Director of Cybersecurity, University of California San Diego
John Sheehy, SVP of Research & Strategy, IOActive

Patch management can be an especially precarious proposition when you’re operating in a work environment where machines and devices must constantly remain operational. Hospitals, factories and power plants are among the many examples of settings where security professionals need to “keep the lights on,” even as they strive to ensure that software and hardware are hardened against the latest vulnerabilities and exploits. In this panel session, a series of experts will look at the challenges of patching in ICS/OT/IoT environments, and strategies for balancing security with operational continuity.

12:45 PM
Break

1:00 PM
6 ways to accelerate time-to-remediation
Ravid Circus, Co-founder & CPO, Seemplicity

Even with the most talented security professionals deploying the best security scanners, businesses today experience stubbornly long time-to-remediation.

Why? The reality today is that, before any security findings can be fixed, security teams are often forced to play air traffic controller – deduplicating, sorting, and prioritizing findings coming in from multiple siloed tools, then routing and following up with developers all across the organization to make sure problems get fixed. This leads to the ultimate irony – security teams become the main bottleneck for remediation.

1:30 PM
Closing Keynote: Zero-day triage: Lessons learned from Log4Shell and other king-size exploits
Brian Gorenc, Senior Director of Research, Zero Day Initiative

It seems as if CISOs can’t even come up for air anymore, as one zero-day exploit immediately gives way to another and another. ProxyLogon, Log4Shell and PrintNightmare are just three examples of a bevy of vulnerability exploits that countless organizations have had to face down over the past year. This session will explore what the cybersecurity industry has learned during this latest barrage of threats, and ponder how infosec pros can continue to improve the practice of zero-day triage based on their recent triumphs and mistakes.

Please check back for updates to this agenda.
