May 25, 2022

We’ve spent the last two and a half years with rapidly rising cloud adoption. It was a rocket ship before that, but the COVID-19 pandemic has only accelerated it and caused everybody to scramble. 

We’re still trying to play catch up and get equivalent security treatments for people working remotely to the folks working in the office. Every client has concerns about their current exposure, which is why our guest on this episode of Virtual CISO is so important. 

Michelangelo Sidagni is the Chief Technology Officer at NopSec, and he was on this episode to talk to us all about: 

  • Why his firm is all in on Attack Surface Management, and how it’s different than your standard vulnerability management
  • How ASM fits into current vulnerability & configuration management strategies
  • Attack Path Analysis, what it is and what it isn’t
  • The NopSec client customer journey


Introduction (00:06):

You’re listening to the Virtual CISO Podcast, a frank discussion, providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.

John Verry (00:28):

Hey there, and welcome to yet another episode of the Virtual CISO Podcast. With you as always, your host, John Verry, and with me today, and I’ll try to get this name right, Michelangelo Sidagni. Hey, Michelangelo.

Michelangelo Sidagni (00:41):

Hey John, how’re you doing?

John Verry (00:43):

You’re Irish?

Michelangelo Sidagni (00:44):

No, I’m Italian. I got the joke though.

John Verry (00:47):

It took you a second.

Michelangelo Sidagni (00:47):

Yeah.

John Verry (00:52):

You’re off to a rough start, Michelangelo.

Michelangelo Sidagni (00:53):

Yeah, I know. I’m prepared.

John Verry (00:56):

Did you grow up in Italy, or did you grow up in the …

Michelangelo Sidagni (00:58):

Yeah.

John Verry (00:58):

Oh, you grew up in Italy?

Michelangelo Sidagni (00:58):

Yeah. In Italy, yeah.

John Verry (01:00):

Okay. Are there a lot of people named Michelangelo in Italy, and did you get made fun of as a kid? Because if you grew up in the US with the name Michelangelo, it probably would’ve been kind of a tough upbringing. You know what I mean?

Michelangelo Sidagni (01:11):

Yeah. Not many in Italy, neither. Yeah, I got made fun of. You always have to keep up with the expectation. That’s what I’m going to do here.

John Verry (01:22):

Oh, that’s a little bit hard. Michelangelo’s … I think the only person, he’s an amazing person out of history. My favorite person also happens to be Italian, it’s Leonardo da Vinci. I think da Vinci is the single most brilliant guy that’s ever walked the face of the earth. It’s good that you’re not named Leonardo, because I’d have a higher expectation than I do for Michelangelo.

Michelangelo Sidagni (01:42):

Do you want to know something funny? My son’s name is Leonardo.

John Verry (01:45):

Is it really? That’s a lot to live up to.

Michelangelo Sidagni (01:45):

Exactly.

John Verry (01:50):

All right. Let’s start easy. Tell us a little bit about who you are and what is it that you do every day.

Michelangelo Sidagni (01:59):

All right. I am the CTO and co-founder at NopSec. NopSec is a vulnerability risk management SaaS solution and service provider. The company started as a red teaming, penetration testing company, and then evolved naturally into a SaaS product, taking care of vulnerability risk management for companies, in an easy-to-use SaaS solution. We also continue to do vulnerability research and penetration testing, as we did since the beginning.

My background goes back to about 25 years. It’s kind of hard to say, but I got to that age, still doing penetration testing and vulnerability research, which is amazing. I started my career doing security audit, when penetration testing didn’t exist. We look at the hardening of operating system, as well as network security audit. Then, I evolved into red teaming and penetration testing.

John Verry (03:01):

Gotcha. Thank you. Before we get down to business, we always ask, what’s your drink of choice?

Michelangelo Sidagni (03:07):

My drink of choice is Aperol Spritz.

John Verry (03:12):

Apple Spritz? Okay.

Michelangelo Sidagni (03:13):

Not Apple, Aperol.

John Verry (03:15):

Oh Aperol. Oh. I like your style. I’m a Campari. I love the bitters.

Michelangelo Sidagni (03:22):

Yeah. Absolutely.

John Verry (03:23):

A lot of the drinks that I drink that I’ll drill, like a Negroni, right? That’s a nice Italian drink, where you’re blending the gin with the Campari. Aperol is what? Paper plane, which has Aperol in it. It’s a bourbon drink that I enjoy-

Michelangelo Sidagni (03:38):

Nice.

John Verry (03:38):

… with lemon.

Michelangelo Sidagni (03:41):

Nice.

John Verry (03:41):

Yeah, I’m also a fan.

Michelangelo Sidagni (03:43):

At the beginning of the night, I want to take it easy. First, I start with the Aperol Spritz. It’s like a blend between Prosecco, and a little bit on the lighter side.

John Verry (03:53):

Yeah, no. The other thing too, that you have the advantage of is, it is definitely a digestive, right?

Michelangelo Sidagni (03:53):

Right, exactly.

John Verry (03:59):

The nice thing, it really does settle a meal. I agree completely. All right. I was looking forward to our conversation, and the reason is, is that you think about what’s happened over the last two and a half years or so, we’ve got the pandemic, which we’d already had rapidly rising Cloud adoption. We had the pandemic, which moved us to a work from home in a real scramble. We’re still trying to play catch up and get equivalent security treatments for people working from remote as we do from people working in the office.

Many of our security treatments were centered there. Any client I talk to has a concern about their current exposure. One of the things that you guys promote that you do is a phrase, which I’m intrigued by, attack surface management. Would you be so kind as to define what you guys think of as being attack surface management?

Michelangelo Sidagni (04:52):

Yeah, exactly. It’s like a comprehensive term, that once you include the continuum of the old vulnerability management. Vulnerability management goes from asset inventory management to vulnerability assessment, to vulnerability prioritization, as well as remediation, as well as security testing. Could be manual, can be automatic security testing, but it is a continuum.

Some people, now there’s a buzz where it says inventory, we focus on inventory management. We want to look at the asset, at the dark web or the shadow IT, to discover what’s the asset they are exposed to the internet or the hidden internal network. We can find them, manage them, and find out if they’re vulnerable or not. Also, there’s the newer part of prioritized vulnerabilities.

I come from a world where the vulnerabilities are into the thousands, the hundreds of thousands actually, and that idea shifted into, it’s not enough finding all the vulnerabilities, we have to find those that matter the most to my network. Meaning, there are areas that are more important than others. The domain controllers are more important than a workstation. The PCI area is more important than any other area of the network. A prioritized vulnerability is key.

Attack surface management basically wants to try to unify them all in a holistic approach, meaning finding the asset, finding the vulnerabilities, but also most importantly, for an attacker, connecting the dots, meaning, it’s not enough to have a vulnerability instance, that to be exploitable, that to be under direct attack, but is it exploitable in my environment? If I’m an attacker and I hit that vulnerability, I can exploit it by … Can I get like a direct connect back shell to my attacker machine, so I can control that host and start moving laterally?

That’s very important to understand, because not all the vulnerabilities are created equal. Some are exploitable, but some can create a real problem for the defender.

John Verry (07:23):

Okay. Question for you, another phrase that you use, and I wonder if it’s just another way to say the same thing. I believe you use cyber threat and exposure management. Would you consider that to be an analog or equivalent of attack surface management?

Michelangelo Sidagni (07:36):

Yeah. Cyber threat and exposure management is definitely a part of it. It’s basically focused on the threat. When you define a vulnerability, a vulnerability is a state. It can be, stay there, idle or [inaudible 00:07:52] there for years, and nobody will touch it. Then, you have to have an exploit. Then, you have to have an actor taking that exploit, and take it basically a step further.

Threat and exposure management is really focused on the threat management and modeling. Attack surface management is more taking this cyber threat and exposure management, connected to the asset and the mediating controls, and prove through the threat modeling or attack simulation, that is indeed something that an attacker could indeed exploit, yeah.

John Verry (08:30):

I gotcha. An analog might be that cyber threat and exposure management is to information security, risk management, as to, which is the parent of something like attack surface management. Because they were looking, like you said, specifically at a portion of the environment. It’s a logical subset of that cyber threat and exposure management, correct?

Michelangelo Sidagni (08:51):

Yeah, correct. Perfectly.

John Verry (08:52):

Okay, cool. Question for you. There’s a strong analog, if you will, between attack surface management and vulnerability management. What about configuration management? You didn’t address that specifically. There is a very interesting and fine line sometimes between vulnerability and configuration management, because a bad configuration can be a vulnerability, but there are some instances of configuration management that are not vulnerability management.

Where does the attack surface management fit into, that attack surface management, vulnerability and configuration management?

Michelangelo Sidagni (09:26):

Attack surface management is basically the main umbrella that can take vulnerabilities as well as configuration. As you said, an exposed directory is not a vulnerability itself, it’s a misconfiguration of shares or a web server.

John Verry (09:44):

Right. An open S3 bucket is not a-

Michelangelo Sidagni (09:46):

Exactly.

John Verry (09:47):

It makes you vulnerable, but it’s not technically a vulnerability, because a vulnerability is a control … In a weird way, you could make an argument that an open S3 bucket is a control weakness, right?

Michelangelo Sidagni (09:55):

Exactly.

John Verry (09:57):

Yes, I would agree with you. It’s more of a configuration issue than it is a vulnerability issue.

Michelangelo Sidagni (10:01):

I’ll tell you more, because if you go into the Cloud world, as you talk about S3 bucket, AWS S3 bucket, every single real vulnerability of the environment is a-

John Verry (10:01):

True.

Michelangelo Sidagni (10:14):

… configuration issue or a lack of thereof. Meaning, you can literally define programmatically, how an AWS or Google environment, Cloud environment is defined.

John Verry (10:27):

Yeah. Infrastructure as a code, right? Yeah.

Michelangelo Sidagni (10:31):

Exactly. To complete the thought, you can think of vulnerability configuration management as more of a configuration issue or strategy, because going forward, infrastructure as a code, to me, the scanning or the vulnerability discovery will go away. What won’t go away is A, configuration management and B, attack surface management.

Because regardless, even if you force all the vulnerability to be patched at the, let’s say, container startup, there might be a path which is still exploitable. You understand that there will be a shift between, “Oh, I use the scanner and I scan this network to configure correctly, Cloud.”

John Verry (11:19):

Gotcha. Tell me a little bit about how NopSec works in this space. Because when I think of conventional vulnerability management, we’re a pen testing firm as well, we go back 18 years in pen testing, the old days of Nessus, when it was Renaud on the old mailing list exchange, and you were exchanging NASL scripts with him when it was free.

Michelangelo Sidagni (11:19):

I remember those days.

John Verry (11:47):

When it was free, and he was living in, I think France at the time. There was always a time difference, right?

Michelangelo Sidagni (11:52):

I lived in New York. Less terrible.

John Verry (11:56):

Now, he lives on a yacht, let’s be honest.

Michelangelo Sidagni (11:57):

Exactly. He left Renaud, by the way.

John Verry (12:01):

Oh, I know. Ron’s doing his own thing as well, Ron Gula. Tell me a little bit about, when I think of what you’re doing, are you gluing together these logical processes? Understanding what assets I have in my environment, understanding how they’re vulnerable using some type of active scanning or some type of audit, like a Nessus audit file type approach, where you’re an authenticated configuration scan, if you will. Are you benchmarking that against CIS benchmarks? Are you doing automated configuration pushes to fix stuff? Are you patching stuff?

Tell me what the NopSec, which pieces of this overarching process that NopSec-

Michelangelo Sidagni (12:42):

Absolutely-

John Verry (12:43):

… takes care of for me.

Michelangelo Sidagni (12:44):

Yeah. First of all, we’re not a scanner. We are a scanner partner, and we work with large enterprises, that maybe they have five different scanners for network, and three different scanners for web application. How do you put all these pieces together on the vulnerability assessment piece? Also, maybe they work with the other asset inventory manager, CMDB. We take the data from them as well.

Basically, we have a machine learning algorithm that takes all these pieces together, with the help of more than 30 threat intelligence feeds, calculate the probability that certain vulnerability will be used in a direct attack or into malware. Even though it is not used in malware, and targeted attack today.

This is one piece. The other one that completes the attack surface management is that we take basically environmental factors, such as network segmentation, as well as other compensating control, the use, for example, of the EDR, antivirus. We join them with vulnerabilities and misconfiguration to calculate all the attack paths.

It’s an algorithm that takes the risk of the vulnerability to be used, as well as all the environmental factor, and calculate the theoretical attack path that an attacker can take to actually exploit successfully, the vulnerabilities in the path. Obviously, those vulnerability there on the path, we prioritize them, for obvious reasons.

John Verry (14:37):

Okay. That’s interesting.

Michelangelo Sidagni (14:37):

I know that’s a lot.

John Verry (14:42):

No, it’s not what I expected. I’m trying to wrap my arms around it. I assumed that you were … What you’re really doing is you’re an intelligence engine, sitting on top of other sources of data, much the same way a SIEM is an intelligent engine sitting on top of other sources of data, that being log data. What you’re doing is you’re enriching this data through this additional threat information. What you’re doing is, and you’re consolidating and normalizing this data so that-

Michelangelo Sidagni (14:42):

Absolutely.

John Verry (15:10):

… it’s all in one single place. Rather than me running to my Nessus, my Tenable, running to my SPI Dynamics for my app scans, or Burp Suite, you’re integrating all of this data, unifying it, normalizing it, and then making it actionable. You’re applying intelligence to it and making it actionable.

Michelangelo Sidagni (15:31):

No, because I tell you more, John, talking with large enterprises, this is at the beginning when we started talking with the larger enterprises, it was really surprising to me. Today, basically their manual process, it looks like this. Basically, they take the vulnerability data from Qualys, from these hundreds of thousands of great vulnerabilities, that are found by this great tool, Tenable and Rapid7, they download it on a spreadsheet. Then, basically, they associate it with the value of the asset, which is all manual, that is gathered through [inaudible 00:16:10], some other source.

Then, they try to, through their various sources of threat intelligent, to basically try to prioritize which one should be fixed first, as opposed to fix them 100%.

John Verry (16:28):

Shouldn’t they just be using CVSS, right? Because CVSS does give you a measure of whether or not it actually is exploitable. Couldn’t they just use CVSS score? Why wouldn’t they?

Michelangelo Sidagni (16:39):

That’s a great question, by the way. CVSS score, I give you two statistics, of the 100% of all the CVEs published, about only 0.7 or 0.8% is actively exploited in any given time in the world. Basically, if you use the CVSS, even if it’s a 10, there are vulnerabilities that, 10 on the CVSS score scale, basically only 0.8% is basically a score.

John Verry (17:10):

I gotcha. Of the 10, you’re helping them prioritize which of the tens are actually currently being exploited?

Michelangelo Sidagni (17:16):

Right. On the other-

John Verry (17:18):

That makes a lot of sense.

Michelangelo Sidagni (17:18):

… end of the spectrum, there are actually medium vulnerability that, in the banking-

John Verry (17:18):

Are being exploited.

Michelangelo Sidagni (17:24):

Yeah, in the banking world, they’ll never be considered for patching. They’re actually exploited. For example, there are some SMB vulnerability, lack of SMB signing, that we use all the time in lateral movement, and is a medium vulnerability.

John Verry (17:41):

Right. Or, it’s stringing together multiple medium vulnerabilities-

Michelangelo Sidagni (17:41):

Exactly.

John Verry (17:45):

… in a stronger way. That’s the one that’s always that I look at is, because if you think about it, most organizations struggle. They get a vuln report, you deliver them, we deliver them, hundreds of things to clean up. What’s the first thing they do, any criticals? Okay. Good, no criticals. Highs, all right, let’s get rid of these. Mediums, we’ll probably accept those.

Michelangelo Sidagni (18:03):

Then to bring it back also, in terms of attack surface management and environmental control, if you have a very tight environment, in a strongly tight control and foul PCI environment, even if there are vulnerabilities in there, but they’re not … An attacker cannot get in that environment.

John Verry (18:22):

Right.

Michelangelo Sidagni (18:22):

Nearly impossible to exploit them. What’s the point of try to fix everything? “Oh, I fix all the 10.” The problem is, for organization even, the large one, it’s an operational strain. It’s an unattainable. It’s also a whack-a-mole.

John Verry (18:41):

It’s a never-ending process, right? Software’s flawed. That’s actually true. What’s interesting though, that ties into the other pieces of your solution, right? On the one side, we’ve got this idea of cyber threat understanding. That’ll tell us which things we can ignore, or which things have the lowest probability. That’s understanding your threat, understanding your threat, understanding risk effectively. Then, what was the last piece you said you did that I wanted to touch on?

Michelangelo Sidagni (19:10):

Oh, basically the environmental control, meaning each organization are different from one another. You can have the same vulnerabilities, but you’re very tight with highly, very segmented environment, firewall environment, with mitigating control EDR on every asset, even in that circumstances, even if you have vulnerabilities, they are highly exploitable. I think one aspect is the exploitability and threat. The other aspect is the environmental controls.

John Verry (19:42):

Okay. Then, in terms of, we enrich this data, we give someone more actionable, more focused things to act on. Do you play any part … I’m assuming you’re tracking, they’re using your system to … Or, you’re getting a new feed, that will tell you that their actions have been successful. Are you any part of that patching, changing configuration side as well? All right, talk about that?

Michelangelo Sidagni (20:10):

Yes. Basically, we’re not patch management. We partner with BigFix, other CCM. We integrate with the system saying, “Hey, if you want to patch this, prioritize a vulnerability, it’s basically a click of a button.”

John Verry (20:30):

Oh, that’s cool.

Michelangelo Sidagni (20:31):

Or, automatically, basically you can set up SLAs. When the SLA is, for certain vulnerability products, vulnerability is about to be met automatically. You can connect to this system and patch them. We connected with patch management, we connected with the SIEM and SAM, as well as, we connect with ITSM, such as a ServiceNow, Jira, a Remedy and so on.

We want to establish the entire workflow. As I said, John, at the very beginning, we made, I think, a wise decision to say, okay, we don’t want to recreate the wheel, we want to offer a service that basically put intelligence on the workflow, not recreate the vulnerability scanner. The vulnerability scanners are great. They do a great job. The problem is that, you’re overwhelmed with their result. It’s really harder to operationalize that flow.

John Verry (21:34):

Yeah. You’re glue.

Michelangelo Sidagni (21:35):

Yeah, exactly.

John Verry (21:36):

You’re basically … That’s nice, because if you think about it, one of the most longstanding problems that we’ve had in IT and information security is data silos. We’ve got the silo of, we’ve got our CMDB, we’ve got our network scanner, we’ve got our application scanner. We have our SIEM, and everything, all of these great sources of data, which don’t talk to each other very easily, and we’ve got to build data bridges and figure it out-

Michelangelo Sidagni (21:36):

Absolutely.

John Verry (22:04):

… what you’re doing is you’re bridging all those sources of the data. I had two questions for you. One, on the patch management, are you seeing that people are willing to do automated patch management, or in so many environments, everyone wants automated and then no one will turn it on, because they’re scared to death it’s going to break something. It’s really funny. IPS is a phenomenal technology. The old Okena StormWatch product was one of my favorite things. Then, they got bought by Cisco. Cisco Security Agent, I thought it was going to be the cat’s meow and the end of information security, because everything was fixed. You didn’t need to do anything.

Michelangelo Sidagni (22:40):

Right.

John Verry (22:40):

But no one will turn them on. No one will turn on IPS. Will they turn on the automated patch management, or …

Michelangelo Sidagni (22:47):

It depends, asset management and risk management. Asset management, what I mean is, wise organization, they turn on automatic patching, for example, for workstation. Workstation can [inaudible 00:23:02]

John Verry (23:02):

Okay. Desktops. Okay. I gotcha.

Michelangelo Sidagni (23:04):

Right. The servers, obviously there’s a compliance and change management to show. You have to test first, obviously a little bit more. I wouldn’t turn on automatic patching. Container is a moot point. Patching is built into the code of a container.

John Verry (23:26):

Exactly.

Michelangelo Sidagni (23:27):

Whenever, next time we launch, if it’s included in that Docker config, it will get patched.

John Verry (23:35):

Yeah. It’s a configuration file update.

Michelangelo Sidagni (23:37):

Yeah. Right. Exactly. Also, it depends on the risk management, because if you have a highly risky environment, I know organization, they do not care about breaking the hell out of their server, as long as they’re fully patched for security.

John Verry (23:55):

Yeah. Then, there’s some organizations that, we’re starting to see a little bit more the Chaos Monkey idea and they’re like, “Okay, if it breaks, it’s good to know that it’ll break.”

Michelangelo Sidagni (24:03):

Good to know, exactly.

John Verry (24:05):

We need to fix it anyway.

Michelangelo Sidagni (24:06):

Means, operational, you have a problem, because if it breaks, it’s not supposed to.

John Verry (24:11):

It’s going to break. Let’s let it break. If it does, we’ll figure out how to fix it, and then we’ll be more resilient going forward.

Michelangelo Sidagni (24:16):

Exactly.

John Verry (24:17):

Then, you mentioned that you also interface with SIEMs. I’m assuming that is to give the SIEM additional context, right? If I see what looks like a MITRE ATT&CK path heading towards a particular server, and it’s an attack against … It’s an Apache unicode exploit or something of that nature, I’ll be able to look to know whether or not that particular box is A, running Apache and B, is vulnerable to that particular exploit?

Michelangelo Sidagni (24:41):

Correct. In that sense, but also thinking, let’s say, a GRC or compliance system, CyberGRX or a third-party risk management like Security Scorecard. Basically, can give that extra layer of understanding, where these machines are and how they’re configured, whether they’re vulnerable, whether they have that attack path, as opposed to just saying, “Okay, you got this vulnerability, you got to patch it.” Why? That’s the question I ask the auditor. Okay, you’re telling me that I have to patch this machine because it has a CVSS score seven, but this machine is not reachable.

John Verry (25:27):

Yeah. It’s air gapped.

Michelangelo Sidagni (25:29):

Yeah.

John Verry (25:30):

Why? Right. Okay. Quick question for you though. That was the other piece that I remember before, that I couldn’t remember. Now I remember, the attack path analysis. Attack path analysis fascinates me. When you say attack path analysis, I don’t know if you’ve ever heard of a product, I don’t even know if they still exist, we haven’t used it in a long time, but it was a phenomenal product called RedSeal.

What they were able to do is, you’d put in all of your packet filtering configs for your entire network, and it could build what the network looked like off of the routing tables and the packet configuration. Then, what you could do is, then you would put in the vulnerability data, and then it would show you, you’d do a flood fill, and it would show you from where somebody might be able to get to that particular … What that path would be. Is that what you guys are … You’re doing as well?

Michelangelo Sidagni (26:13):

Yeah. Basically-

John Verry (26:13):

Wow.

Michelangelo Sidagni (26:18):

… the technology, obviously, is similar but different in the sense that, a lot of technology improved. We use machine learning, graph technology with machine learning. It calculates all the probability based on the exploitability and the routes. It got a little bit more sophisticated. You can render better threat scenarios with much more fidelity than before. Yes.

John Verry (26:47):

Gotcha. If this was in a network environment, a conventional network environment, would you need the router configs and the firewall configs to be able to do that?

Michelangelo Sidagni (26:58):

Oh yeah. We have taken those.

John Verry (26:58):

Okay. You’re doing the same-

Michelangelo Sidagni (27:01):

We have taken those. Yes.

John Verry (27:02):

All right. Cool. That’s fascinating. I’m glad I had you on, because I learned a lot more than I expected to. I thought you were just going to be a box in the corner and it’s like, “Why would I use that? I already have Nessus. Why would I use that? I already have ServiceNow.” Now I understand what you do.

What are the typical drivers to clients coming to NopSec and saying, “I need this”? Are there specific verticals? Are there specific company sizes? Are companies trying to deal with a particular regulation? What drives people to become a NopSec client?

Michelangelo Sidagni (27:32):

Yeah. Usually, it’s basically, there’re three drivers. Number one is lack of security expertise, or if they have the specific security expertise, they are overwhelmed by the number of vulnerabilities. That’s the number two driver. Sheer number of vulnerability, not being able to put together the right signal and sources, so they can decide what to patch first, because eventually, all the vulnerability will get patched. Let’s focus on the one that matter the most first for my environment.

Number three is compliance obviously. Especially for the financial … We are based in New York City. Especially for the financial and banking sector, they’re highly regulated, but not necessarily from the operational standpoint. They have the process to put all these pieces together. This is a one nice one-stop-shop, to put it all together.

John Verry (28:38):

Gotcha. Then, you mentioned the verticals. What about sizes? It was interesting. It sounds like you work with a lot of big companies, but you also mentioned companies that don’t have the expertise or bandwidth.

Michelangelo Sidagni (28:47):

Right.

John Verry (28:47):

When I think of companies that don’t have expertise or bandwidth, they tend to be small to medium-size businesses.

Michelangelo Sidagni (28:53):

Right.

John Verry (28:53):

Do you run the gamut? Is your stuff affordable for a 300-person company? Or, are you more Global 2000?

Michelangelo Sidagni (28:59):

I would say, John, we started with smaller company, but as we grow, we’re refining for small and large enterprises. That means that, since we rely on the data of vulnerability assessment tools, they already have to have that-

John Verry (29:21):

They have to already have that stuff. I gotcha. Yeah.

Michelangelo Sidagni (29:22):

Yeah. It’s quite an investment. For example, I already have a Qualys installation, a Tenable. The smaller, usually they use … We have a few legacy, smaller clients, but it’s not our main core.

John Verry (29:39):

Yeah, no, you’re right. Because what happens I guess, is the value prop goes up the more of those pieces that you’re providing intelligence to, right?

Michelangelo Sidagni (29:49):

Right.

John Verry (29:51):

If they have just the vulnerability scanner and an asset CMDB, all right, there’s a little bit of value. Then, you layer in adding in, like you said-

Michelangelo Sidagni (29:51):

Absolutely.

John Verry (30:00):

… a SIEM, a little bit more value. I gotcha.

Michelangelo Sidagni (30:03):

Yeah. The more they add to their security programs, such as a third-party risk management, like a CMDB, as you mentioned, but all other areas, more sophisticated, XDR and EDR, we can import those data, and it becomes even richer correlation and environment, to make decision.

John Verry (30:26):

Gotcha. Then, are CIS benchmarks in play for any of your clients? Is that something that you guys end up dealing with, or no?

Michelangelo Sidagni (30:33):

For the Cloud, yes. They’re usually … Or hardening, yes. I see CIS as more like a compliance benchmark. You can be having a CIS benchmark and still be vulnerable.

John Verry (30:51):

Of course.

Michelangelo Sidagni (30:51):

I think we really focus on those attack paths, as opposed to just, “Oh, you meet the standard, okay, therefore, you’re compliant and secure.” It’s a bit different than that.

John Verry (31:05):

Oh no, I agree completely. However, that being said, in way too many instances compliance has budget, security doesn’t.

Michelangelo Sidagni (31:13):

Yeah, that’s true.

John Verry (31:15):

If you’re able to have a compliance answer as part of a security solution, I tend to find those are the companies that end up getting purchased a little bit more often, because they can at least share the cost, or even sometimes, you’ll get the compliance people paying for [inaudible 00:31:28]

Michelangelo Sidagni (31:27):

One of the latest initiatives that we have been doing is actually matching the CVE with the MITRE ATT&CK framework techniques. Basically, people can understand, is this vulnerability related to what kind of exploitation? Privilege escalation, credential harvesting, or what they’re trying to do? Move laterally. That’s important, so even the defender can understand what kind of a framework they can put that misconfiguration or vulnerability in.

John Verry (32:07):

Yeah. Last week, I was in New York, and spoke at a New York League of Independent Bankers event. It was kind of cool, because I was on a panel with … It was a guy from the Federal Reserve Bank, there was a guy from the OCC, a guy from the FDIC, someone from the New York State Department of Finance, and one other person, I’m drawing a blank on who I’m missing. Anyway, one … FTSS, FDIC, anyway. A lot of the big agencies, but one of the big things, which is interesting and ties into what you’re doing is, you’ve seen their new cyber incident reporting requirements that they just dropped.

Yeah, I think with what you’re doing, if you can actually support that, that’s going to be another place where, especially in the financial services area, a tool like yours is going to provide a lot of value.

Michelangelo Sidagni (32:51):

That’s good to know.

John Verry (32:52):

Because the new reporting requirements are really difficult. Take a look at those. They’re really cool.

Michelangelo Sidagni (32:52):

Absolutely, good to know.

John Verry (32:58):

All right. Anything we missed?

Michelangelo Sidagni (32:59):

No, I think [inaudible 00:33:01] pretty comprehensive overview, definitely.

John Verry (33:03):

Cool. Excellent. All right. In fairness to Michelangelo, normally this is the part of the thing where I harass somebody and say, I hope you have a good answer, I gave you time to prepare. I screwed up and I did not give Michelangelo time to prepare. We’re going to see if he can think while he’s talking, because that’s about all he had the chance to do.

Can you think of an amazing or horrible CISO? Give me a fictional character or a real-world character if you want, that would make either an absolutely amazing or an absolutely horrible CISO, and why?

Michelangelo Sidagni (33:33):

That’s interesting. Off the top of my head, I would say probably Austin Powers would make an amazing CISO, because a CISO has to be creative, and every day is a new challenge, but also has to be a people person, and sort of a spy, because he has to be playing on the strategy, and know where to go next. At the same time, being entertaining. I think that’s a character I always love. I think the creativity as well, being strategic, and being a ladies’ guy, why not, makes it fun.

John Verry (34:23):

Is the natural corollary to this that Dr. Evil would be a horrible CISO?

Michelangelo Sidagni (34:28):

Dr. Evil, it’s …

John Verry (34:31):

I’m going to give you one billion reasons why he’d be horrible.

Michelangelo Sidagni (34:37):

Yeah, one billion … Yeah. Dr. Evil is interesting, because he’s the opposite of the successful part. I guess he’s too stuck on his super destructive weapons and being super evil, then he forgets to have fun, so to speak.

John Verry (34:55):

Yeah, and shark lasers are just never going to work. He doesn’t realize that water and diffraction with lasers is a problem.

Michelangelo Sidagni (35:03):

It is a problem. Also, the underwater hideout or something like that, it’s not-

John Verry (35:13):

It’s not going to work. All right. If somebody wants to get in contact with you, what’s the best way to do that?

Michelangelo Sidagni (35:20):

Ping me on social media, LinkedIn, send me an email at M-S-I-D-A-G-N-I, [email protected]. I’ll be more than happy to have a conversation about vulnerability management. Why not? Red teaming, whatever keeps you up at night.

John Verry (35:38):

Excellent. Michelangelo, this has been fun, man. Thank you.

Michelangelo Sidagni (35:41):

Thank you so much. Thank you for having me, John.

Introduction (35:47):

You’ve been listening to the Virtual CISO Podcast. As you probably figured out, we really enjoy information security. If there’s a question we haven’t yet answered, or you need some help, you can reach us at [email protected]. To ensure you never miss an episode, subscribe to the show in your favorite podcast player.

Until next time, let’s be careful out there.