How Claude Mythos Changes Vulnerability Management: From CVSS to Exploitability


Is your vulnerability management program ready for something like Claude Mythos? The old days of treating vulnerabilities as temporal events (like Heartbleed or Log4J) and patching them on a leisurely 30, 60, or 90-day cycle are officially over.

In this episode, Ashish sits down with Brad Hibbert, COO and Chief Strategy Officer at Brinqa. Brad explains how the release of Anthropic's Claude Mythos, an AI model capable of discovering vulnerabilities at machine speed without human intervention, has compressed the time-to-exploit from months down to mere seconds.

We discuss why the traditional assumption that "sophisticated attacks require sophisticated attackers" is no longer relevant, and why leaning solely on CVSS scores will drown your remediation teams in noise. We speak about how defenders must pivot from generic patching to focusing on true exploitability within their specific environments. Learn how AI can chain multiple "low severity" vulnerabilities (which were previously ignored 90% of the time) to gain root access, and why siloed AI security tools will lead to an expensive and ineffective game of "Whac-A-Mole".

Questions asked:
00:00 Introduction
02:30 Brad Hibbert's Background and Role at Brinqa
03:40 Heartbleed vs. Claude Mythos: Temporal vs. Persistent Threats
05:30 AI Weaponization: From Months to Seconds
06:50 Elevating the Threat Model Beyond CVSS
09:30 The Tsunami of Vulnerabilities and the Need for Exploitability
12:10 Bridging the Blind Spots in Exposure Management
15:10 Resolving Friction Between Security and Remediation Teams
21:00 Automating Remediation Without Losing Oversight
28:30 The Problem with Treating Every Vulnerability Individually
30:20 Why We Ignored 90% of Low Severity Vulnerabilities
32:30 Siloed AI and the Costly Game of "Whac-A-Mole"
35:30 Defining "Reasonable Security" in the AI Era
41:10 Quick Wins: Where to Start Uplifting Your Program

Brad Hibbert: [00:00:00] The wave hasn't hit us yet. MITRE starts to disclose those 30,000 plus vulnerabilities, you're, you're gonna see the, the kind of the wave hit. Your months went down to weeks and in some cases down to seconds before these things can be exploited. The assumptions that sophisticated attacks required sophisticated attackers has kind of gone away.

Brad Hibbert: Three medium vulnerabilities, th- leveraging privilege escalation could give them root access to a machine versus one, standalone critical CVE.

Ashish Rajan: 90% of the time, a lot of the lows were just simply ignored because like, "Hey, it's a low." Like, you know, y- you don't even talk about it. I don't know how many organizations have done this ever.

Ashish Rajan: Better to start today instead of waiting for Claude Mythos to become publicly available. Claude Mythos. Yes, I said those two words. In spite of all the marketing you would see on the internet about whether it's a great marketing exercise or the reality, but based on the conversations with a lot of people in the private programs of Claude Mythos, one thing is certain, that the volume of threats, exploits that we would see is definitely going to increase.

Ashish Rajan: It's already proven by some people who have been tracking the time it takes [00:01:00] for a discovery to happen all the way to exploit is reducing to just days now. And for this conversation, I had Brad Hibbert, the CSO at Brinqa, to talk about what does Claude Mythos means to your existing vulnerability management program.

Ashish Rajan: What does it look like from exploitability perspective? How much AI can be used, or what do you change about the program that AI continues to increase the volume of CVEs that we're gonna see across the board? One thing is certain, a lot of us do consider this as a this-changes-everything moment, especially with Claude Mythos, and especially as it's going to improve moving forward.

Ashish Rajan: Whether it's a cloud resource or applications that are hosted in cloud or AI workloads that's hosted in cloud, vulnerability management itself is evolving, and the way we used to wait 30, 60, 90 days based on the PCI requirement or another regulatory requirement we had is going to evolve and change very quickly.

Ashish Rajan: I hope you enjoy this conversation with Brad, and if you know someone who is working on vulnerability management, especially because of the announcement from Claude Mythos about the preview to a few people and what does that mean, [00:02:00] I would definitely share this episode with them as well. And as always, if you are here for a second or third time and have been enjoying Cloud Security Podcast episodes, I really appreciate if you take a quick second to drop in a follow, subscribe, whichever podcast platform you listen or watch this on.

Ashish Rajan: We're on Apple, Spotify, YouTube, LinkedIn. This episode has been brought to you in partnership with Brinqa. Thank you so much for sponsoring this episode. I hope you enjoy this episode with Brad, and I'll talk to you soon.

Brad Hibbert: Peace.

Ashish Rajan: Hello, and welcome to another episode of Cloud Security Podcast. I've got Brad with me.

Ashish Rajan: Hey, Brad, thanks for coming on the show.

Brad Hibbert: Good morning. Glad to be here. Thank you for having me.

Ashish Rajan: Maybe to kick things off, if you could share a bit about yourself just a 30-second version if you like.

Brad Hibbert: Yeah, sure. Brad Hibbert. So I've been in the security space for, you know, well over 30 years now started first on the, on the, on the client side, building defense, security defenses, and then moved into the vendor side, uh, at different, uh, different organizations through third party and privileged risk. And now I'm with Brinqa Software as their COO and chief strategy officer, uh, really helping organizations modernize and, and build out their exposure management a- and modern, modern exposure [00:03:00] management solutions to, uh, to take on today's threats.

Ashish Rajan: Awesome. Uh, I think maybe this is right in the pocket of the Claude Mythos thing that I wanna talk about today as well. So maybe to kind of, paint a few picture, when we were talking about this, we kind of mentioned Heartbleed was like a storm, whereas Mythos is like a climate change. And for people- Yeah

Ashish Rajan: who may not have been introduced to Claude Mythos, if you just wanna give a, like a short version of that and why is it different this time? 'Cause I'm sure many people would've been like, "Hey, you know, heard the word that Claude Mythos is changing everything." I'm sure people have gone through multiple versions of this changes everything when the internet happened.

Ashish Rajan: So how is it different now? So if you can, we can start there.

Brad Hibbert: Yeah. I mean, I- I, again, I've had lot, lots of CISO a- and, uh, just security engineer conversations over the last few weeks, and I guess the way I would frame it up is really, you know, if you think back through Heartbleed or maybe you know, Log4J's probably one that, that, that still gives people the sweats, right?

Brad Hibbert: So these, these things that happened in the past that, you know, and they... and of course they were [00:04:00] pretty high profile they got amplified by the media and so forth but those things were somewhat temporal. They were things that happened. They were typically they got, you know, the vulnerability of course.

Brad Hibbert: You, you have to, you have to get around that. You have to d- discover kind of where that impacts you quickly, uh, and then, and drive those to remediation very quickly, either through mitigating controls or the patches. But they were... They had a specific outcome, which was eliminate that specific vulnerability.

Brad Hibbert: So it was a temporal thing, caused a lot of activity and then, you know, k- it kind of had an end to it or a closing to it. I think why things are different with Mythos or AI, you know, 'cause other models are gonna be coming out as well is it's really changed the game, if you will, right?

Brad Hibbert: It's not just a, it's not a temporal thing, it's a persistent elevation of capability that the threat actors have, which is that they can discover uh, uh, vulnerabilities at, at machine speeds now. So... And I guess Mythos is a primary example of that. But not only that, but they can weaponize them much more quickly as well.

Brad Hibbert: So Mythos was, you know... where things would typically require, uh, manual intervention, like you find a vulnerability, you have to get some teams on [00:05:00] this and work on it until you can, till you can exploit it. Mythos does that automatically in the same tool, right? It's just there's no handoff, there's no human intervention.

Brad Hibbert: There's no, you know, eight hours a day. This thing can run 24 hours a day to, to, to exploit these vulnerabilities. And so your months went down to weeks, and in some cases down to seconds before these things can be exploited, right? And so that certainly has changed the game and, and to respond, defenders have to step up their game and- And I think those are what's driving a lot of the conversations I've had over the last few weeks, is, is kind of what, what is that response gonna look like?

Brad Hibbert: And, uh, and CISOs and, and security practitioners are being questioned, uh, on that specific, uh, specifically from the board and from their leadership on how they're gonna, how they're gonna respond.

Ashish Rajan: So does that mean my threat model, which I used to believe in... 'Cause I guess to what I was saying earlier, this changes everything and ma- many people may be skeptic to this.

Ashish Rajan: But is the idea that the threat model that we have built so far is no longer valid?

Brad Hibbert: Yeah, that's a great question. I, I think the threat model is valid, but I think it needs to be elevated, right? I think, I think there's, uh, some assumptions that, [00:06:00] that, that were taken when these, these programs were built. In some cases, they were built a number of years ago, right?

Brad Hibbert: And they continue to be tweaked and so on. But, but this is, is really a, a, kind of a level up that's required. I mean, the idea and the thoughts that y- you know, your, your, your organization only had to worry about, you know, sophisticated attacks required sophisticated attackers has kind of gone away.

Brad Hibbert: So, so I think the number of adversaries has certainly increased. So that that's something that, that you need to consider. You're gonna have a lot more, not just vulnerabilities, but, potential people trying to exploit those vulnerabilities. I think the other thing that... The more important thing is that I think a lot of these programs made the assumptions that they were gonna have time between when they found the vulnerability and when they had to remediate.

Brad Hibbert: Again, you know, if you have the 30, 60, 90-day cycle, "Hey, my PCI critic- critical vulnerabilities, they have to close those off in 30 days." Well, that, that timeframe's gonna get compressed. And, I think that's an issue. I think the other one, tying more back to the threat model, is that you can no longer just re- rely on the CVSS score anymore.

Brad Hibbert: It's a good guide, but you need to go further. And you're like, "Oh, well, I do go further. I use the [00:07:00] EPSS." Like, well, what's the chances of it's gonna be exploited? Well, if everything is exploited and everything's kind of ranked the same, you know, how do you provide better guidance to your team? And so again, I think you have to get the next level of calibration here with respect to prioritization and providing guidance to the remediation teams.

Ashish Rajan: Uh, to your point then, because, uh, I, I love how you frame this because, A, I guess we've established the fact that AI models moving forward, and so this one is just not Mythos, but moving forward, the potential for it to keep doing long-term attack chains is, uh, higher. It's not gonna go down anymore. We already established the fact that it's going longer.

Ashish Rajan: With-

Brad Hibbert: Yeah. And, and- ... with that in mind- ... and funny thing is, and, and that's the greatest, that's a great, uh, observation because the other assumption is it's not gonna get any faster. And models like Anthropic are only gonna continue to get better. So. That's right.

Ashish Rajan: Yeah. Yeah. I don't think they're going to, "Oh, we're gonna reduce the performance moving forward 'cause we don't like the performance anymore."

Ashish Rajan: I don't think anybody's- Yeah. Yeah ... gonna say that. So I guess just the reason why I bring that up is because, uh, a lot of people have [00:08:00] looked at this whole threat model, uh, of what their existing organization is. And to what you said, most people have a degree of, "Hey, my highest get resolved in 48 hours. My uh, out of a 30, 60, 90 day window to what you said about between high, low, medium, are we saying that the, the guidance that we have for exploitability, the CVEs of the world, is it, is...

Ashish Rajan: How do you even validate? 'Cause at this point in time, is an AI threat visible, and are we able to pick up on the fact that, hey, this is an AI threat, not my normal Ashish trying to be a script kiddie, trying to be an automated tool? Like, have we gotten to that point- Yeah ... where... Or is it more the fact that, hey, now we're gonna get a lot more CVEs, so we need a better way to filter out and not just be a ticketing system for lack of...

Ashish Rajan: this is obviously oversimplifying. No disrespect

Brad Hibbert: to that work. Yeah, yeah. No, it, it, it, it's great. I, I think that, Look, I think, I think a lot of the scanning tools that are out there have been and continue to use AI to, to help them find the vulnerabilities, and that's in code scans before they release software and so on, right?

Brad Hibbert: So I think that that [00:09:00] process has already started. So when you're getting your feeds from, you know, Qualys, Tenable, Rapid7, you know, you're not getting that it was detected by AI or not, but you're getting, you're getting that, that f- that the vulnerability exists, and you're getting the threat intelligence that, that goes around that.

Brad Hibbert: Now, I do think that the threat intelligence will be enriched by AI, and you might be able to tell if it's been enriched by AI, like Mythos will give you all sorts of additional how it came about, leveraging that. So I think, I think that will, will certainly be there. I think the biggest, the biggest change is, is going to be that there's gonna be more vulnerabilities.

Brad Hibbert: They're all being exploited much more quickly, and you're gonna get a f- your team's gonna get flooded with volume. And so really what it comes down to is how do you get to that next level of precision? And what we've been talking about with a lot of companies right now is you have to get down to exploitability.

Brad Hibbert: Like it, what that means is, like, uh, the exposure window in your environment. That exposure in your environment, how long has it been exploitable? Like, until you've removed, until you remove that risk from your environment. And to understand that, you have to understand the vulnerability, whether that's created [00:10:00] by, un- uncovered by Mythos or by my manual teams, is that, uh, exposure, is it valid in your environment?

Brad Hibbert: Like, taking into consideration all the things about your environment, not just your business context, right? Of course, that's, that's important, but your shielding technologies, your mitigating controls that you have, which can include things like your endpoint protection. You know, have you, have you partitioned your network in certain ways and segmented your network identity?

Brad Hibbert: You know, there's just so many different capabilities that your team has from a defense perspective. You have to take all that into consideration and understand what is actually exploitable in my environment right now, and that's difficult to do without using something like AI from a defense perspective.

Ashish Rajan: Yeah. I, I guess... And to your, uh, is... I'm glad you mentioned it because I imagine a lot of people are also thinking, "Hey, I have access to threat intelligence piece." What's required for someone to even go down the path of- Say, looking at exploitability, how, how do you even validate? 'Cause I mean, there's so much context as you kind of build this.

Ashish Rajan: Like, I think just because I say that, I don't know, my, uh, website is my AWS [00:11:00] S3 bucket, that's probably the most simplest one that people use on the internet, is open to the internet right now. People are, "Oh, exploitability in that context is my S3 bucket is open to the internet." But I imagine in enterprise it's a lot more complex than that, right?

Ashish Rajan: Is that something- It, it is ... like how do you validate an exploitability is what's while d- diving deep into?

Brad Hibbert: Yeah, and that, that's the hard part is how do you do this, and then how do you do it at scale? You know, if I understand that something is exploitable in your environment, and again, you have different layers, right?

Brad Hibbert: You have your code, you have your applications, you have, you mentioned your cloud environment.

Ashish Rajan: Yeah.

Brad Hibbert: You have your desktops, your servers, your infrastructure. So all these different areas, different remediation teams responsible for all of those things that could leverage different, you know, knobs and, and buttons to, to help you protect yourself.

Brad Hibbert: So how do you know at an instant, you know, if, if those things are, are exploitable or not right now? And again, that's where I think that the tooling has to pick up. And it's not about buying more discovery capability, right? You're, you're already getting all that information coming in, but how are you unifying that information to give you a more holistic picture, right?

Brad Hibbert: And creating a map, if you will, for all how all [00:12:00] these things connect. The exposure connects to your assets, connects to, to your identities, connects to your... You know, and, and also, you know, with the threat intelligence, you know, how are people exploiting this vulnerability? Are they going through certain ports?

Brad Hibbert: Is it a privileged escalation? Does it require a certain privilege? Like, you have to be able to tie all these things together at scale. And, and again, that's where I think that doing this with, with deterministic if this then that logic, it's too brittle. It doesn't work anymore. And where I really think organizations are gonna start to, and we're seeing it now, starting to leverage AI to help reason through all of this stuff and kinda, kinda tie these pieces together.

Brad Hibbert: And again, do that in a repeatable, uh, and predictable way.

Ashish Rajan: Is, is that the blind spot that we have today with the traditional operating model? I've... I mean, when I say traditional, I mean pre-AI and post-AI security models of how we have operated. Is that what the bl- oh, I'm curious if there are other blind spots that you've seen in the conversations you've had.

Brad Hibbert: Yeah. I think there's, there's two. Uh, one is getting that level of exploitability understanding during the early phases of the exposure life cycle. Like, you know, have discovery, [00:13:00] enrichment, then prioritization, and so there certainly has been a blind spot. You just... J- just not availability of, of, of a tool to help you do that, particularly when you have different uh, operating products or different security products operating in silos.

Brad Hibbert: It's difficult to get that holistic view of how everything connects together, right? So that's been a lack, a gap in visibility. The other gap in visibility is on the remediation side, which is, you know, if you can no longer wait 60, 90 days to, to patch something, you can't, you get the old model because it was very difficult to do. It would be you either patch it or you write an exception. Like, "Hey, I, I can't patch this right now because it's, it's crit- it's gonna impact the critical business application. It's, you know, it's the end of year." W- whatever the exception is, right?

Brad Hibbert: And that was it. Yeah. But I think from a mitigation perspective, they gotta get much more prescriptive. What can I do short term, what can I do long term to reduce that exposure window? So again, it's not about, eliminating or, "I deploy the patch in 30 days." It's I eliminated the exposure, made it inactive or inaccessible either by taking away the exploitability, taking [00:14:00] away the reachability, minimizing the blast radius.

Brad Hibbert: I did that in two days versus 10 days, right? And so the, the remediation teams have to get a lot more I think calibrated and prescriptive on these... on how they address these things in, in, in a more intelligent way as well. And, and so again, it's across the entire life cycle of, of exposure management from discovery to fix.

Brad Hibbert: And, and again, there's a number of capabilities that, that they can build up there and strengthen and as, as you invest in and modernize your program to do this.

Ashish Rajan: I, I'm curious to hear from you 'cause you must... you have been in this space for a while as well. Why have we not solved remediation? I feel like we've done s- we've done remediation almost, like, as long as security has existed.

Ashish Rajan: But somehow we still talk about it. Like, uh, has it changed because of AI? Is that just why it's tougher now or it's different now?

Brad Hibbert: Yeah. I mean, I think, I think from a remediation perspective, I think it's, it's a few things, right? I think I think... You know, I always come back to, you know, what's the outcome you're looking for from a, from a model perspective.

Brad Hibbert: And, and a lot of, like, people on the security team would say, "Well, the issue is because we don't own the remediation. We do [00:15:00] everything we can. We package it up. We help you get the prioritization pro- proper, then we pass it off to the remediation team." And, and again, I, I think if you have two teams that are, that are measured differently, one team's measured on how quickly they can identify and prioritize.

Brad Hibbert: The other team's, you know, measured on how quick a patch gets released. I think, I think that they're two different, they're two different measurements, right? So if you focus on the same outcome as a shared objective, which is reduce... what's the exploitability window and let's focus on reducing that.

Brad Hibbert: Out of that will follow a bunch of other decisions that your teams can align on. So I think that's one, one, one thing, right? 'Cause if you don't have that, that shared understanding of, of what you're trying to accomplish, then things get lost. I see a lot of organizations where, you know, you can add all this ex- you know, additional, like, next level prioritization capability about exploitability and, and, and so forth in the front end.

Brad Hibbert: But when you pass that to the remediation team, if they just cut all that off and just, you know, uh, cut off the business contacts, cut off this, and they just look at CVE or, or, or CVSS scores, then y- you gotta mis- you gotta mismanage [00:16:00] maybe in your handoff process, right? So- Yeah ... so I think that's a problem.

Brad Hibbert: And then, you know, the remediation teams are... again, you know, there, there are certain policies and processes that were put in place around change control- Like, I can't blow down a patch that I don't test if it's gonna impact, uh, uh, point of sale system or a production system or even, even, you know, take my trading floor offline.

Brad Hibbert: So there, there's some, some necessary things that the remediation team ha- has from a policies and procedures perspective, you know, that may need to be examined because i- if, if the risk of waiting to deploy is bigger than the risk of being, you know, of these, like, exploit, uh, of the- of these weaponized ex- vulnerabilities being in your environment for too long, then, then you need to change your policies and procedures to, to accelerate the remediation side.

Brad Hibbert: So- I think that- There's a number of other things, but I think those are some of the, some of the examples that I, I would start with.

Ashish Rajan: No, I, I love the, I love the direction you went down the path of, uh, also because, uh, you're absolutely right on two different objectives. And a lot of times I remember our team took the vulnerabilities to the developers or somewhere else.

Ashish Rajan: They, they just look at it as a [00:17:00] task. They don't look at it as, like, to what you said, we're trying to reduce our exposure. They... And because that's being directed as, "Hey, out of the 10,000 things you have to do as part of the sprint," uh, which is in- create a feature that makes money, uh, roll out a new software, all of that, and then there is this, uh, patch for CVE.

Ashish Rajan: And I think maybe to... You hit it on the nail because maybe that's where there's a lot of back and forth between security and-

Brad Hibbert: Yeah ...

Ashish Rajan: their development team just to justify why there should be time spent on this particular thing.

Brad Hibbert: Yeah, I, I've been in, in lots of, of organizations where the biggest, you know...

Brad Hibbert: It's the friction point between the teams, right? And, and, and both teams are trying to do the right thing. They're both trying to- Yeah ... work towards what their objective is. But if the remediation team gets a list, they wanna know why, you know, why is A ahead of B? Why is B ahead of C? And so, and so that's when you pass that information, if you have a shared objective and a shared understanding for how the security team is prioritizing, and an agreed upon approach, right?

Brad Hibbert: And whether that's, you [00:18:00] know, some sort of, algorithm you've come up with or whether that's, you know, some sort of AI reasoning, the logic that you've agreed on, that, then you have less of this, "Let me..." As a remediation team, that really that's the list. Let me export that to Excel. Let me compare that to my scanner or my, you know, my, my operational interface.

Brad Hibbert: And there's a lot of this manual validation that has to happen. And, and I do think that as the teams have a, a, a shared outcome and start understanding and, and, and sharing the, these policies and procedures and logic and, and, and explainability, and they start sharing these things, and they start building trust up between those teams, that slowdown, that friction point can start to go away.

Brad Hibbert: And so people can start to trust what they're being handed to them is the right thing. It- Mm-hmm ... it's helping them, uh, achieve their shared objective, so they can take action faster. And then again, once they know they can take action faster, of course there's going back and looking at all your policies and procedures and change control and things like that to make sure that they're, they've been, uh, calibrated for today's machine speed threats.

Ashish Rajan: Right. And do you find that in larger organizations, especially enterprises, what does this [00:19:00] even look like? 'Cause I, back to your point I... It feels like a lot of exercise, but it's mu- multiple, uh, applications. People have 600, 700 applications at any given enterprise. How does this even work at scale in terms of the whole...

Ashish Rajan: To your point, if the g- if you were to think of a goal for reducing the overall risk ex- risk exposure of the organization, how do you see this play out in larger enterprises who do it better?

Brad Hibbert: Yeah. And again, I, I, I think we're going through a period of change right now, right? And, and so I, I think that when I think about what, the conversations I've had with CISOs, they, they're asking the question, like, "What is everybody else doing right now?"

Brad Hibbert: Like, what's reasonable from a, from a, from a defense perspective? What's, what's expected of me as the market continues to shift? And so I would start again. I, I, I would say the ones that do it right will start with that shared objective across the teams. Like, the teams need to work together on, on, on that outcome of, of reducing the, the vulnerability that...

Brad Hibbert: or the exposure window. Like, how long was something exploitable in my environment? That should be the thing that you shrink and everyone should rally around, [00:20:00] right? So that, that would be the, the area I think that if I was gonna start a program today, that, that's the thing I would focus on.

Brad Hibbert: A- and is that, is that answering the question? The next thing I would focus on-

Ashish Rajan: Yeah. No, I was gonna say- ... is the

Brad Hibbert: process ... 'cause, uh,

Ashish Rajan: to your point, uh, would this work for the, uh... And going back to the AI thing, which was the Claude Mythos piece that we spoke about and AI models moving forward. In a way, in my mind, it ties to that as well because if, if we go back to what you said about the, the remediation challenge, the 30, 60, 90 days we have, and if the CVSS scores or CVE scores are g- starting to get a lot more, let's say, higher in volume at the o- And you can't just keep throwing the entire volume over to the development side or remediation side, go fix it.

Ashish Rajan: You fi- need to find a better way. And I think exposure definitely sounds like a good I guess, good angle to, uh, to at least double down on. I was just curious in terms of people who are building a program, they obviously... A lot of people already have a program, right? They've existed- Yeah ... for a while.

Ashish Rajan: How do you uplift an existing program? 'Cause a lot of people have [00:21:00] started thinking about, what does this look like in the AI world? What does it look like in a world where my CVSS score or my threat intelligence is gonna be a huge volume? Uh, w- what would that uplift look like, out of curiosity?

Brad Hibbert: Yeah, and I, I think that's where you have to start. Again, start with that shared understanding of risk and shared understanding of objective. But the next thing I would look at is the operating model. Like, before you look at, at any of the, of the technologies that you're gonna use, like what, what, like who owns the handoff between these different teams?

Brad Hibbert: What information are you gonna share between the teams that we both agree on? What actions can you actually, you know, automate, whether that be through deterministic automation or through, some autonomous automation, right? With reasoning with AI. And, and a lot of people think that, well, if you use automation, you're, you're, you don't have any oversight.

Brad Hibbert: But you do. Like if you... Really the oversight is in the policies and procedures that you craft together as a team, right? So if I'm saying that, y- because I think you're gonna have to automate more, not, not just on the front end o- of discovery and enrichment and prioritization. You're gonna have to automate more on the back end, which is, re- [00:22:00] reducing the exploitability of these things even before a patch is available.

Brad Hibbert: And so I think you have to start to, to, to really dig into at a fine grain perspective, what does that mean and, and what's acceptable in our environment? So I think you have to take a look at the, again from, from discovery to fix. Now, what is my policy at each of these stages and each of these stages of handoff, right?

Brad Hibbert: And I think that's something that, that needs to be uplifted and, and take a look at where automation and AI can certainly... I don't wanna say remove the human element, right? But have the human element focus on the outliers and more sophisticated, you know, escalations and things that, that actually require their expertise.

Brad Hibbert: So I think that's something that should be looked at and I think that, I think the days of doing this on a monthly basis are, are gone. I think you have to do... I think you have to... Your program has to run on a continuous basis. Con- continuously discovering, continuously reevaluating if it's exploitable in your environment based on the mitigating controls, the patch levels, you know, the changing business dynamics and those sorts of things.

Brad Hibbert: So it really becomes a living, breathing program, right? Policy-driven [00:23:00] program that you can operate at scale, right? And to your point on the integration, I, I think a lot of companies fall down here. You have to have tight integrations, and you have to make sure the program integrates with the interfaces and processes that those remediation teams are using today.

Brad Hibbert: So if they're using, you mentioned Jira or ServiceNow or whatever other, uh, uh, um, automated remediation tools they might be applying, like you have to integrate with those, right? And the simplest thing would be a ticketing system, but you have to make sure there are two-way integrations. So as those teams are performing their work, they're feeding back to you that they've done the work and they've verified that the fixes are done.

Brad Hibbert: Otherwise, there's too much manual emailing, chasing up and just, again, you start to have... your, your efficiency starts to fall out of the program. So I, I think those are, those are just some of the, some of the things I think that, uh, that organizations are looking for. But the biggest one I think today is the biggest, you know, short-term thing that CISOs need to do is they need to focus on ex- exploitability and explainability.

Brad Hibbert: And, uh, and if they can do that, that's the first, a good first step before they start to, to move down the, you know, kind [00:24:00] of that downstream work to the remediation team.

Ashish Rajan: I, I'm with you on the ex- at least the overall time window has to reduce considerably in terms of, uh, how quickly things can come back.

Ashish Rajan: 'Cause I almost feel like, I feel like the industry did try the remediation path and tried to improve it for a long time. I think cloud was the first example where a lot of people went, "Hey, I ha- I know the attack path, I should just be able to switch a button and, uh, remediate automatically." And to your point, it goes back to the whole...

Ashish Rajan: there's a sense of not having enough trust in automation, whether with AI or not with AI. And human approval then becomes like this bottleneck in between that, hey, I can't automatically say shut down an exploitable path because I need approval from three different people. That's my pol- that's my quote unquote policy.

Brad Hibbert: Yeah.

Ashish Rajan: Before I can make any changes in production, I need a three p- three people approval stage to go through before I can make that change. Uh, whatever you... Either three key management, how-however you wanna explain it. Do you feel like is there a lot more, [00:25:00] uh, now with AI and Mythos and everything else, is there a lot more... no, I won't say less skepticism, but acceptability for remediation being back on the table for, "Hey, okay, we should start auto-remediating if we can."

Ashish Rajan: And if that is the case, how does one, uh, say start validating that, hey, even though it was suggested by AI, I can still trust this? Or is there, is there a staged approach to it?

Brad Hibbert: Yeah. I, I think a, a staged approach is absolutely the right thing. I think the challenge in the past, like it's the same on, on, on the front end of, of doing prioritization.

Brad Hibbert: Like, you can have prioritization logic, you know, if this, then that. But without AI, that logic becomes extremely complicated over time. And if you talk to any companies and go through how they do risk scoring, you'd be like: Wow, this is like... this is crazy. Like, it's, it's so, it's so complicated 'cause they're trying to take every different nuance and outline and, and novel uh, situation into, into, into account.

Brad Hibbert: And when you do that, it becomes complicated to manage. Uh, nobody can understand it and, um, [00:26:00] and it becomes brittle as well because, you know, it starts to break as, as, as the environment changes. And so I think you saw the same thing on the remediation side. They try to automate things, and you can automate basic things, right?

Brad Hibbert: Like, y-you know, we've d- we've done some of that. But I think now with AI, w-with, with opinioning and you can actually tie things back like, here's a vulnerability. You know, here's how attackers are using it. Here's the recommended steps. Here's the technology you have that could implement these steps.

Brad Hibbert: Like, you have so much more processing capability that you can, that you can apply that I think getting finer grained on the remediation side is absolutely something that, that companies can do, but it's really hard. And then on an automation perspective, I do think you can automate a lot more. You know, as you go from the standard, you know, automating...

Brad Hibbert: Again, you can automate things that are simple, that have very minimal impact, that are reversible. That's great. But if it's not reversible and can have an impact, then you start to kinda get a little, a little, uh, queasy in your stomach, right? Like, should I, should I be able to automate these things?

Brad Hibbert: And so I think to your point, I think it's gonna start with, you know- A, trusting, trusting what the security team is telling you, which [00:27:00] is these are important. Here's the mitigations that we recommend. So I think that's the first step is the remediation team has to feel confident in the quality of, of those opinions that are coming across from the security team.

Brad Hibbert: Uh, and then they have to, you know, they have to build up trust as they start to automate these processes through reasoning and through AI. They will start, taking that 5% that they automate today, the 6%, the 10%, the 20%. But they're gonna do that over time. And as they, as they leverage the AI for the first few decisions, they'll probably want validations and checkpoints, right?

Brad Hibbert: And then they can make sure that it's working, validate it, and then they can start to have more comfort that they're doing the right things. But in all of this, when they're leveraging AI, of course, they have to make sure that they're tracking everything. They can explain why they prioritize, they can explain why they took the action, right, from an audit, an audit and governance perspective.

Brad Hibbert: But yeah, I do think that there's, there's gotta be trust between the teams, and there's gotta be trust in the actions that they're performing. And that's... Trust is gonna be a muscle that they have to, have to work on over time. And, um, so yeah, that, that's certainly, certainly something that, [00:28:00] uh, that I, that I see.

Ashish Rajan: And I guess to your point, tying that back to the unified goal of reducing the overall exposure of-

Brad Hibbert: Exactly.

Ashish Rajan: Yeah, 'cause-

Brad Hibbert: Exactly ...

Ashish Rajan: I'm curious, 'cause you know how you mentioned that CVSS is not gonna be relevant with the volume. Is it b- not going to be relevant as much because of the increased volume, or is it because it's producing a lot more lows?

Ashish Rajan: Like, where do you see the industry go with the CVSS scoring system?

Brad Hibbert: Uh, look, I think it's still a good base thing to, to, to, to have a look at, right? But ultimately, you know, you have to look at what's exploitable in your environment, right? And, and again I think CVSS tells you, you know, it has the confidential, can...

Brad Hibbert: You know, can you, can you get information? Can you change information? Can you take down availability? So it has the whole CIA aspect to, to how they determine the, the levels. But at the end of the day, y-you know, if you have, if you have 10,000 mediums and 5,000 highs, and tomorrow you have 20,000 mediums and 40,000 highs, y-you've got a big problem, right?

Brad Hibbert: So it, it... The volumes are certainly gonna [00:29:00] impact you. But- Yeah ... but really what it comes down to is out of those, you know, 40 or 50,000, and we have some customers that have hundreds of thousands because there's just so many assets and permutations. But now which ones are exploitable in your environment, right?

Brad Hibbert: And that's really what you have to focus on. So I think it's important, but you have to take into consideration I think the context of your environment and not just the business context, right? But the technology context as well. Is it reachable? Is it exploitable? And what's the blast radius in your environment?

Brad Hibbert: The other thing we haven't talked about is, which even takes the analysis to the next level, is you can't just look at it node by node. Because if you, if you saw a Mythos, what, what it did was it, it could chain together, multiple vulnerabilities. So three medium vulnerabilities, th- leveraging privilege escalation could give them root access to a machine versus one, you know, standalone critical CVE.

Brad Hibbert: And so now you've got to back up and take a look at, at it not from a node lens, but from a network path lens and attack chain lens. And so the co... And doing that, of course, is even more, you know, takes that complexity even to the next, to the next level, right? But that's kind of [00:30:00] how people are looking at things.

Brad Hibbert: It's not about individual CVEs, it's about how could they be leveraged together, right? And how are they exploitable together? And, and that's the, that's that exploitability context that I keep mentioning, right? And I don't think all programs are gonna be able to get to that lens day one.

Brad Hibbert: Uh, I think that's an incremental process, you know, starting with exploitability of, of individual nodes and so on, and building into this more graph, uh, attack path approach. But-

Ashish Rajan: Yeah ...

Brad Hibbert: but, uh, but again, you know, y- you can start to see that th- things like CVSS are good indicators, but, but again, not, it's not...

Brad Hibbert: the, the, the threshold or the bar has been raised and the teams have to evolve their programs to, to meet that.

Ashish Rajan: Oh, I, I think your, your, uh, example of yours, I think what you said about the CVE scores, 'cause the more you mentioned the low part being interconnected to build into something which is a privilege escalation, the first thought that came to mind was, oh gosh, there are so many low risks that we have just, quote unquote, "accepted" in organizations.

Ashish Rajan: Like I think 90% of the time, and I'm sure I'm not alone in this, when people who [00:31:00] are listening or watching this, it's like a lot of the lows were just simply ignored because like, hey, it's a low. Like, you know, you don't even talk about it because- There's so much volume. Yeah. Because- Yeah. And 100%, there's so much volume of low as well that you almost go, "That's not really a big problem.

Ashish Rajan: Let's focus on justifying why the developers need to solve the medium risk or high risk even, or even a critical risk for that matter."

Brad Hibbert: Yeah.

Ashish Rajan: The, all the attention was gi- always given to the critical high, followed by a medium, but we never really went down the path of interconnecting multiple lows into making it, oh, this together, if I zoom out and look at this, that is a privi- privilege escalation.

Ashish Rajan: I don't know how many organizations have done this ever.

Brad Hibbert: Very few, I think. And again, I alway- I always say start with the criticals and work your way down as you, as you expand your program. But again, it's very difficult to do.

Ashish Rajan: Yeah.

Brad Hibbert: Tying together all the different technologies that you have and the different stacks you have.

Brad Hibbert: You know, you have a node that might be running in, in, in the cloud [00:32:00] that might be running an application that you guys developed. So th- there's so many different, you know, remediation orders that, that could be here as well. Yeah.

Ashish Rajan: Yeah. For, yeah.

Brad Hibbert: But again, that's where, you know, fr- from my, from my perspective, I, I think the people are gonna...

Brad Hibbert: You know, if I take a look at Mythos and how I think the market's gonna react to this, I think, you know, uh, I, I think a lot of, uh, uh, of security vendors are gonna say, "We have the solution, it's AI." But then what you're gonna do is you have these siloed security products making siloed AI decisions.

Brad Hibbert: A-and really what organizations need is they need to bring all this information into a global exposure, you know, repository, so they can understand everything from a global perspective that they can use to, to drive those decisions, right? If, if I have a- an AI plugged into that, where everything's connected and I can see it all in one place then I'm making more holistic, you know, decisions that I c- that I can trust, right?

Brad Hibbert: So having that trusted data repository, I think it's gonna become critical. And I think, you know, I think what's gonna happen... And we saw this with, with, with VM w- uh, you know, VM sprawl, and we saw this with, uh, SAST sprawl. [00:33:00] I think you're gonna see the same thing with AI. Like, you know, I guess time will tell if I'm right or wrong on this, but I think you're gonna see people playing Whac-A-Mole, trying to leverage AI all over the place in these siloed approaches.

Brad Hibbert: And they're gonna realize after a while that they're getting, you know, they're getting limited decision-making because they have limited purview into the data, right? Yeah. So you're gonna make the best decision with the data that you have, but it's gonna be extremely costly as well. Because that's the other thing people ha- haven't ever really thought through, is what's the cost of elevating my program with all this AI processing, right?

Brad Hibbert: And so I think there's gonna be, you know, 18 months from now, a realization that, hey, we have to converge. We can't just have everything running independently, running AI independently. You have to converge and have a great data set that we can drive our decisions off of. And so, you know, many customers that we're talking to are trying to build that global exposure repository that has high integrity that the AI models can, can trust, so that when the AI models come out with these solutions, people can trust the outcomes. And so, a-again, I see-- I think that's gonna transition over the next couple years. But, but again, what comes around goes around. I, I, I see this with AI, I see this with, [00:34:00] virtual machines and images and, and certainly can see this with uh, with, with the SAAS. So you're probably seeing the same thing in your organization.

Ashish Rajan: Yeah. And I, I was gonna add to what you were saying as well, right?

Ashish Rajan: 'Cause I think every time someone raises this in our organization, a lot of people, uh, and, uh, all security people are to be blamed for this. We all sound like alarmists and, uh, the... For, for, for lack of a better word, we just basically paint a very scary picture for a lot of people. And I think a lot of people have come down to what's a reasonable security that people should aim for in an organization, right?

Ashish Rajan: Because to your point, if the volume of CVSS or CVEs is gonna increase, what... how does one approach the conversation of what's a reasonable security that most C- Yeah ... CISOs or practitioners can aim for that is, A, I guess I imagine to some extent, uh, helpful for audits, whether it's legal or liability or whatever it may be.

Ashish Rajan: What, what is something that you find is reasonable security? Uh, and obviously it's different for different organizations. I'm just... if you have some general thoughts on this. [00:35:00]

Brad Hibbert: Yeah, it's, it's a great question because as you mentioned, I think, you know, what's, what's reasonable changes with time. As we talk about like, 10 years ago or 20 years ago, quarterly scans of my PCI assets were reasonable, right?

Brad Hibbert: So that, that has certainly changed and, and, uh, you know, since the last time we spoke, uh, ma-many of the conversations that we've had with security teams where we're helping them modernize their, their programs ask the same question, which is like, "Hey, what is everybody else doing?" Because they, they wanna make sure that they're keeping pace with kinda what, what the expectations of the market is and, 'cause that's ev-eventually gonna be what the expectations of the auditor will be.

Brad Hibbert: And so, if I, if I have to think through, the next couple of years, I would say that the programs need to move away from, you know, weekly and, and even daily. They, they need to start getting continuous visibility into kinda what's going on in their environment, right? From an exposure perspective.

Brad Hibbert: That they need to rally around exploitability and the exposure window versus patch windows. I think that's gonna be something that's going to, to, to come up. I think teams are gonna have to, [00:36:00] to leverage AI to do that, both on the, the exploitability front, uh, as well as the remediation front.

Brad Hibbert: And they're gonna be expected that if you're leveraging AI, that they have the proper governance in pro- uh, in place, right? That they understand like, you know, what is the exposure? Uh, what is the fix that, that AI... And why, wh-why is AI recommending this fix, right?

Brad Hibbert: If I do, I recommend this fix, you know, what should the outcome be?

Brad Hibbert: And, uh, and, again, all of that explainable and, and, uh... And so I think these are just going to be uh, things that are expected out of these programs moving forward.

Ashish Rajan: Yeah. Would you... What about the board? 'Cause I think, uh, one, one of the reasons why I asked about reasonable security is also sometimes it's harder for CISOs or leaders to explain to the board for...

Ashish Rajan: 'Cause Claude Mythos, people either go-- people read, uh, the marketing around it, and it's suddenly it's like a doomsday prepping at that point in time for cybersecurity. How do you, you see people, uh, talk about this to the board, uh, where it doesn't sound very alarmist, for lack of better [00:37:00] word, uh, that, hey, this is...

Ashish Rajan: Like to what you said, this... It's a reasonable approach to go down the path of exploitability, a staged approach. We start with, uh, things that we know we can have accuracy assurance for and start adding more AI to it. What have you found, like how, how are people describing this to the wider organization or to the board on how they're approaching this for sec- or the, or to, to tackle the Claude Mythos and moving forward any new AI model that comes in?

Brad Hibbert: Yeah. Well, first I, I think there's some education that has to happen. Like we, we get a lot of questions even, even from some customers like with, with Mythos coming out, like, "Do I need security tools anymore? Do I just throw everything out?" A- a- and of course, the, the answer is well, no. I mean, when you think about the exposure program that you have today, you get, I mean, discovery, enrichment, you know, prioritization, pre-verification, remediation, post-verification, this whole process.

Brad Hibbert: The process is still valid. Now you just have to uplevel the process and invest in certain areas of that process to take it to the next level. So the focus to the board [00:38:00] is that, that you have a, a way to do this. You have a plan to get this done. It's gonna take you some time, but here's the recommendations and, and again, we've been talking about some of those recommendations that, that we've been kind of focusing on exploitability and, and so forth.

Brad Hibbert: And then I think you're gonna have to change the way that you report to the board, right? It's not about, it's not about closing off your criticals in 30 days to meet PCI compliance. It's about how exploitable, what's that exposure window and the exploitability, and how am I showing that go down?

Brad Hibbert: And how am I, you know, how am I breaking the barrier down between security and whatever the remediation teams are, whether that's cloud ops or dev ops or development or IT ops. How am I breaking those barriers down and working with these other teams to, to, to, um, you know, to kind of improve the overall resilience of the business, right?

Brad Hibbert: And again, from my perspective, in order to do that again, it's three levels, right? You have to have a, a solid data foundation, exposure, understanding of the environment so you can really kind of make those next level decisions, if you will. So you have to have a living, breathing repository of, of your [00:39:00] exposure uh, uh, s- surface.

Brad Hibbert: And then if you have that and you can have trust across, all the teams have trust in that, then you can build AI on top of that, on top of that trusted model. And if you can do that, then the AI can make these decisions faster that you can trust. And if, if you can... if AI is making decisions faster that you can trust, then you can take action faster.

Brad Hibbert: And if you can take action faster, then overall you're gonna, you're gonna, you're gonna elevate the resilience of the business. And so really it kind of comes down to that, right? That you, that you have a plan in place. It's gonna require some investment, right? As I say, you know, implementing AI comes with a cost.

Ashish Rajan: Yeah.

Brad Hibbert: And, uh, and, and so, there's gonna be some budget dollars that need to be allocated to, to, to make these investments. But, but... I mean, to strengthen your, your current exposure program. But it's achievable. It's just gonna take some focus and understanding for, kind of where, you know, kind of where your program needs to be stress tested and where you need to kind of elevate it, uh, across that, that life cycle.

Ashish Rajan: I think to what you said made me also think about the fact that, uh, maybe a lot of people may go down the path of exploitability, exposure management, [00:40:00] but you don't wanna boil the ocean from day one, right? Are there any easier wins that they can have on the board in terms of applications or the kind of applications that they should focus on in the beginning as they uplift the program?

Ashish Rajan: Uh, or 'cause to your, to your point, maybe volume's already high for CVEs and they may try and change the entire thing in- instead to what you were talking about earlier where you said, "Hey, if, if you were to start a vulnerability management program today or maybe even uplift one," are there any, uh, I guess quick for...

Ashish Rajan: Quick wins is probably a better word- Yeah ... at that point in time, uh, that people can aim for in terms of what's an easier task to do today? If there is one. I, I don't think anything is like a one-day period, but let's just say it's three months- Yeah ... one quarter period.

Brad Hibbert: No, I, I think, I think it's a great question.

Brad Hibbert: Uh, you know, when I, when I think about kind of where exposure management's going, I, I think of like a pyramid, and at the bottom of that pyramid you have risk-based vulnerability management where you're using the CVSS score and maybe some EPSS, you know, kind of telemetry, and that's giving you a base, you know, risk capability.

Brad Hibbert: And on top of [00:41:00] that you have, you know, you kind of have what, what CTEM's really been working towards, which is continuous threat, you know, exposure management, right? You're continuously looking at this stuff and you're looking at exploitability and those sorts of things. I think the need for CTEM, the timeline's been compressed where people were, we're gonna, we're gonna build out this top of the pyramid capability elevated on top of your, your risk-based vulnerability program.

Brad Hibbert: I, I think if people were planning to do that over the next 12 months, that timeline's been compressed, right? They realize that Mythos and stuff has kind of compressed that timeline. But, but you're right, if you're gonna build on the top of the pyramid, don't try to do everything across the whole asset stack, but focus on, you know, an application, a high-profile application that could have significant impact to the business, and maybe focus on your external attack surface first.

Brad Hibbert: So pick, pick your poison. Pick, pick the area that you think could have the biggest impact. Work the kinks out. Work on that, that shared responsibility, kind of what the shared measurements are gonna be. Work on the handoff points, have that shared understanding of risk and accountability. You know, show the model working and then expand from there.

Brad Hibbert: And I think, you know, that, that's certainly been the approach that we recommend and, and [00:42:00] then demonstrate, not that you're patching faster, right? Because patches can only come out so fast. But demonstrate that you're reducing risk faster, um, and the exposure window is, is collapsing, uh, on, on, on that, on those targeted assets that are within the scope of your program as you, as you continue to expand it. So...

Ashish Rajan: That's, I think that's my biggest takeaway from this episode is just the, the exposure window has to reduce dramatically.

Ashish Rajan: Uh, so that... and which ties into everything else. Your response needs to be quicker, detection needs to be quicker. There's like... Yeah, that, that hits the, hits the nail for a lot of things as well.

Brad Hibbert: And it's hard to do. It's hard to get all that- Yeah ... context pulled into one place, yeah.

Ashish Rajan: Yeah. I wish it was easy just to click a button and it would just happen. But, uh, yeah. Months of, months of work ahead for a lot of people as well. But at least it seems like to what you said, it is achievable, it just will take time. And maybe better to start today instead of waiting for Claude Mythos to become publicly available.

Ashish Rajan: So I think it's a good time for that conversation as well. Well, that's most of the conversation that I had. Where can people learn more about what you guys are doing at Brinqa, and how can they connect with you?

Brad Hibbert: My email, uh, [00:43:00] brad.hibbert@brinqa.com if people have questions directly.

Brad Hibbert: We have a lot of resources on our website about Mythos. We actually are coming out with a... The other thing we haven't talked about is that the wave hasn't hit us yet. You're right, like when Mythos starts to disclose those 30,000 plus vulnerabilities, you're, you're gonna see the, the kind of the wave hit.

Brad Hibbert: But we're already starting to see from those that are in the, in the program, and even outside the program that are leveraging AI to discover vulnerability, the vulnerability, like Patch Tuesday volumes, have continuously gone up, right? And then we're gonna, we're gonna continue to see those things go up.

Brad Hibbert: So we have some, some research on the website that can explain some of that. We have some top recommendations in our resource center. So if you just wanna learn more about kind of exposure management and, and some tips, then you can get that on our website at, uh, www.brinqa.com.

Ashish Rajan: I'll add that on the show notes as well.

Ashish Rajan: Thank you so much for your time. I really appreciate this. And, uh, looking forward to, well, maybe whenever Claude Mythos 2.0 comes out, hopefully we have, uh- ...

Brad Hibbert: solved our,

Ashish Rajan: uh, exploitability problems by then.

Brad Hibbert: Yeah. I'll have a lot of gray hair when that happens. But, uh, thank you so much for your time. No problem.

Brad Hibbert: Thanks everyone. Thanks for tuning in.

Ashish Rajan: See you. [00:44:00] Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by techriot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on cloudsecuritypodcast.tv, our website, or on social media platforms like YouTube, LinkedIn and Apple, Spotify.

Ashish Rajan: In case you are interested in learning about AI security as well, do check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you are after a newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast.

Ashish Rajan: You can check that out on cloudsecuritynewsletter.com. I'll see you next episode.

Peace.
