In this episode, Brad Hibbert (COO & Chief Strategy Officer at Brinqa) joins Ashish to explain why traditional risk-based vulnerability management (RBVM) is no longer enough in a cloud-first world. We explore the evolution from simple patch management to Exposure Management: a holistic approach that sits above your security tools to connect infrastructure, code, and cloud risks to actual business impact. Brad breaks down the critical difference between a "Risk Owner" (the service owner) and a "Remediation Owner" (the team fixing the bug) and why this distinction solves the "who fixes this?" problem. This conversation covers practical steps to uplift your VM program, how AI is helping prioritize the noise, and why compliance often just "proves activity" rather than reducing real risk. Whether you're drowning in Jira tickets or trying to automate remediation, this episode provides a roadmap for modernizing your security posture.
Questions asked:
00:00 Introduction
02:50 Who is Brad Hibbert? (Brinqa)
04:55 The Evolution: From Scanning Servers to Cloud Complexity
06:50 What is Risk-Based Vulnerability Management?
08:50 Risk Owners vs. Remediation Owners: Who Fixes What?
12:00 How AI is Changing Vulnerability Management
15:20 Defining Exposure Management: Moving Beyond the Tools
18:30 The Challenge of "Data Inconsistency" Between Tools
22:30 Readiness Check: Are You Ready for Exposure Management?
25:10 Automated Remediation: Is "Zero Tickets" Possible?
28:40 Compliance vs. Risk: Why "Activity" isn't "Impact"
31:30 Maturity Milestones for Exposure Management
36:50 Fun Questions: Golf, Turkish Kebabs & Friendships
Brad Hibbert: [00:00:00] It really wasn't about the tools. It was really about decision clarity and kind of moving 'em beyond the tools. The server team's not gonna know which one of these services is most important to the business, right? It would be the service owners would understand, am I willing to accept this risk?
Ashish Rajan: Who owns the fix as well? Like, I mean, it's great for me to find a vulnerability. But who's gonna patch the vulnerability was a big question.
Brad Hibbert: The team's really drowning in data. It's not, you don't have a telemetry, it's how do you kind of work through that data? I come to you as remediation owner, so you crack open a spreadsheet and start arguing that, that your data's different than my data.
Right? That happens a lot.
Ashish Rajan: There was this obsession with, uh, zero tickets or automated remediation. Is that even still possible or is too early?
Brad Hibbert: Compliance in many cases just proves activity. And, Hey, I closed my critical vulnerability in 21 days, but it's not tied to the actual risk.
Ashish Rajan: If you ever worked on vulnerability management, whether in cloud or data center, the same way I have, one thing was always clear, it was always a silo based approach.
We either talked to the cloud team for infrastructure problems, or you talk to the AppSec team for AppSec [00:01:00] vulnerabilities, and that used to be okay for a traditional world, but with cloud, containers and now with AI, that world has gotten a lot more complex. In this particular conversation, I had a chance to speak to Brad from Brinqa who spoke about how in the past 20 years, vulnerability management has evolved all the way from starting at vulnerability management to risk-based vulnerability management, and these days a lot more about exposure management because it's not enough for us to talk about the infrastructure app in its own silo, but also talking about the critical vulnerabilities that are there across the board.
Is that what security's supposed to be, keeping the critical assets secure? We spoke about how you can uplift your existing program to exposure management, how AI is impacting this particular field, and why exposure management is a better approach than the traditional risk-based vulnerability management program that we would have been following for years on end.
And I know for sure that used to have problems in terms of ownership. Who is the risk owner? Who is a remediation owner? Can I do automated remediation? All those questions are answered in this particular episode. And if you know someone [00:02:00] who's working on uplifting a vulnerability management program or looking at a vulnerability management program from scratch, definitely share this episode with them.
And if you have been watching or listening to episodes of Cloud Security Podcast and have been finding it valuable, I would really appreciate if you can take a quick second to hit the subscribe or follow, whether it's on Apple, Spotify, or on YouTube or LinkedIn. I really appreciate the support. It's free for you to do.
It takes only a second, but it means a lot when you support the work we do and help us reach more people by hitting the subscribe, follow button. Thank you so much for taking that one second, and I hope you enjoy this episode with Brad and I'll talk to you soon. Peace.
Hello and welcome to another episode of Cloud Security Podcast.
I've got Brad with me. Thank you for coming on the show, man.
Brad Hibbert: Yeah. Absolutely. Yeah. Thanks for having me. Excited.
Ashish Rajan: I'm excited for this conversation about vulnerability management because I, maybe before I jump into it, could you share a bit about yourself and where you are and what your journey has been?
Brad Hibbert: Sure. Yeah. I mean, uh, Brad Hibbert, so I've been in the, uh, the security space for 25, 30 years now. Started back in the day as more on the development side, the, the development in computer science and [00:03:00] business and, and university. Kind of went on the vendor side about, uh, 25 years ago and got into the, the security space about 20 years ago and wearing different hats.
So been everywhere, like, vulnerability management. I was doing that in 2010 where we had our own vulnerability scanner. Our own endpoint protection solution was kind of back in the day when vulnerabilities were, uh. We're, we're fresh and new and, and, uh, programs are just kind of getting started.
And then, uh, uh, you know, as, as the market started to mature and things like the cloud started to explode and the perimeter started to dissolve, I got interested in insider risk. And so I went over to privileged access management for a while. Building up those solutions, uh, and then went over to third-party risk.
So usually in, in the, in the, uh, in the role of, of product or, or corporate strategy and kind of building these solutions that working with customers. And, and I think over the course of that period, I, I kind of realized it really wasn't about the tools, right? It was really about decision clarity and, and kind of moving beyond the tools.
And that led me more towards exposure management as a discipline. And, and that's kind of what [00:04:00] I'm doing here at Brinqa. I'm the COO and Chief Strategy Officer for Brinqa. Uh, who, uh, we create, uh, enterprise-wide or enterprise-grade industrial strength exposure management decision layers and decision platforms for companies.
Ashish Rajan: Awesome. Yeah, because I think as you kind of said that, I was just like, oh yeah, 'cause I think a lot of people look at vulnerability management as just patch management. That's kind of where it starts and ends for a lot of people. And I'm sure it is still the case for a lot of companies. Um, you mentioned how it's kind of evolved with cloud coming into the picture and in such a containers and all of that.
It's kind of kept, kept kind of exploding at that point in time. Now we in this now we're, now we're in the world of AI as well. So
Brad Hibbert: Yeah.
Ashish Rajan: In how have you seen that change? 'cause I imagine. It's not that we don't care about patch management anymore. We still, that's still important. Right.
Brad Hibbert: That's great. Yeah, I mean, it certainly has changed.
I mean, the, the market's certainly evolved as I said, you know, 20 years ago we were dealing with large customers, as you mentioned. It was all about the servers and patching servers and, you know, they might have done a [00:05:00] scan once a quarter. To meet their compliance requirement. Then they moved it to monthly, right.
But the market certainly evolved quite a bit since then. Yeah. Still many of the same challenges. Just too much data, too many teams, you know, working in silos and those sorts of things. But I think that, you know, generally speaking, you're right, I, I think that the market shifted. I think that, you know, the cloud explosion, uh, certainly.
Today, assets are a lot more dynamic and interconnected than they were in the past. It's not just about a server, it's about the business services that server is supporting. And so a server could be supporting multiple services. Those services could be spread across multiple, processing units and storage units and those sorts of things.
So, so everything's more interconnected now than, than it's ever been in the past. And I think that with all of this explosion of assets and different layers of exposures. Certainly I think that, you know, context matters a lot more than it did in the past, right? It's not just about getting the raw findings, but it's figuring out kind of the, with the context of, of, of businesses, kind of what the focus your team's on to have the biggest impacts on, on risk reduction.
And [00:06:00] that, for that, I would say a lot more of it now is on prior kind of prioritization versus, versus discovery. Uh, which would, which I think it was more in, in, you know, 20 years ago.
Ashish Rajan: Interesting because I think you mentioned risk there. 'cause I was gonna say, most of the vulnerability management business units that I was managing or the teams that I was managing, a lot of the conversations always came around.
I mean, I guess risk was that, for lack of a better word, a stick that we were using, not the carrot to go, Hey, this is the high risk vulnerability. It needs to be patched within 24 hours, high, low, medium, however you want to take it. So maybe if you can start, 'cause maybe some people don't know what is risk-based vulnerability management and how it's different.
Brad Hibbert: Yeah. Sort of, uh, sort of risk-based vulnerability management and then kind of it's, yeah. So in its evolution into really into exposure management, I guess is kind of where it's at today. I think. I think as you mentioned, I think, you know, vulnerabilities are just weaknesses. So it could be weaknesses and, and, uh, and software could be configuration weaknesses and those sorts of things.
And as you mentioned, you know, I, I think a lot of people who they, they start their vulnerability [00:07:00] programs would start with something like infrastructure scanning. So they would, they would start with scanning their, their desktops and their servers and, and those sorts of things. And and then as you mentioned, you know, sort of the whole cloud came into to being, and that brought with it additional.
Types of, of, of, uh, of exposures, right? So now you had, uh, cloud management layers, you have containers. You have these environments that are much more software-defined and ephemeral. And, you know, you're trying to manage all of these things can have, it can have these, these vulnerabilities are like exposures, if you will.
And many of them are being managed by different tools, right? So different teams have different tools. You have code scanners. It finds like, you know, open source, you know, issues or issues within your code and application scanners. You have API scanners, you have, uh, you know, traditional vulnerability scanners and so forth.
You have scanners that can scan just the cloud environments. All these different tools being used, and they're really kind of siloed, showing you a partial view. And so, um, I think initially when you, you, you kind of started looking at these lists of, of [00:08:00] exposures. Certainly I think risk-based vulnerability management helped with that.
Uh, it improved by giving you some level of prioritization on this backlog of, of increasing exposures. But it was still very narrow. You're still looking at it from that view of that tool. Right. And I think that, you know, that that was the first kind of going from just raw list into, kind of risk-based vulnerability management and then exposure management kind of just.
Grew out of that, which is really how do you connect risk across all these different domains and all these different tools and look at it from a more holistic level. Yeah. And not look at it so much as, uh, reporting or prioritizing the risks, but really looking at it from what are the outcomes and how do you drive that, that risk out of the business.
Ashish Rajan: Interesting, because I was gonna say I'm, I'm glad you mentioned it's a natural evolution of it as well. 'cause initially, uh, one of the bigger challenges people had was. Who owns the fix as well. Like, I mean, it's great for me to find a vulnerability, but who's gonna patch the vulnerability was a big question.
So does exposure management kind of address that as well in terms of prioritization or where, where does that sit into [00:09:00] this picture of, uh, exposure management and risk based vulnerability management?
Brad Hibbert: Yeah, I think, I think it's changed. I think from a fixed perspective, teams are gonna have to go ultimately do the work.
I like to think of it in terms of who owns the risk. Then who applies? Who fixes it? Who's the remediation owner? And I think traditionally in the past you know, you would do a mapping of, you know, a server to a team mapping. So the risk on this server belongs to the server team as an example.
Yeah. But I really think it, you know, the way that things have evolved where, it's not just about the service, it's about the services, it's about the value that that the services are providing to the business. That you need to kind of, you kind of need to map two things. One is the service owner.
And so, for example, if a server has multiple applications or is supporting multiple services, right? One might be a service that, that that's, uh, uh, providing a service to your internal employees, right? It might also be providing support for a service that's providing, uh, a service to your customers, right?
The server team's not gonna know which one of these services is most important to the business, right? It would be the service owners that, that understand, that would understand, am I [00:10:00] willing to accept this risk? Or how do I want to, how do I want to take the next steps of addressing the risk? So there's, there's those that own the risk itself.
And then there's those that actually would go and perform the remediation. And so if I take a look at something like a service that service might be running on servers, might be in cloud containers. Running, uh, might be a custom code within your internal development teams, right?
So I own the risk as, as the service owner. But when, when exposures happen, that could impact my service. I have to mobilize those remediation teams to go fix it. And so those teams could be, if it's in the code, could be the code team. If it's in the cloud, it could be the cloud team, it's on the server.
It could be a server team to do a patch or make a configuration change. And so I would say that, the fixers are still similar to, to what they've been in the past, but exposure management is just a way to coordinate better prioritize based on, on, on the needs of the business and to coordinate the fixes across those different teams right, across those different stacks.
Ashish Rajan: And I guess it goes to your point, what you said earlier as well, because previously when the vulnerability management [00:11:00] days were a lot simpler, and I say simple with the asterisk, I'm sure it was complex for a lot of people. It used to be as simple as, I have a data center, I have some web servers that are facing the internet, which need to be patched.
The internal ones could be patched, not patched, depending on the risk that there was. But with the new workflow that we have in cloud where, I have internal services that are perhaps used by external people as well. We have APIs, containers, cloud
Brad Hibbert: identity.
Ashish Rajan: Yeah, yeah. I mean now AI as well. Actually, out of curiosity.
How is AI impacting vulnerability management? Is there an impact from it onto this particular space?
Brad Hibbert: Oh, oh, yeah, absolutely. I think, you know, as you, as you think about, uh, again, the telemetry that's coming in again, you have these more interconnected, more dynamic, more ephemeral, you know, assets that you're trying to protect, right?
So not just servers and, and, and, and workstations and so forth, and cloud workloads and APIs and containers and, and, uh, uh, identities and all these sorts of things. You're doing that across teams and there's, and plus threat intelligence that you want to [00:12:00] start pulling into the environment and additional telemetry and, you know, context coming in from your, for your assets, from, from your asset management solutions and so on.
So the team's really drowning in data, right? And, and it's not, you don't have a, you don't have the telemetry, you have a lot of data. It's how do you kind of work through that data, right? To make sure that you're focusing not just on, on exposures, but exposures that could impact your business.
Are those. Are those exposures in your environment? Are they reachable? Are they exploitable? If they are exploited, what's the blast radius? So there's a lot of data that you can use to help you kind of refine that prioritization and decisioning that you, that you need to do. And AI is certainly a great way to help you kind of do that.
AI can help you make the connections that as a human is difficult to make. So if you start to, to look at attacker behavior, to attack techniques to the, the way that they're, these exploits are being leveraged to what mitigating controls you have in place. And so there's just a number of, of different uh, data elements that could be tied together.
And the use of AI certainly helps you make those connections. Very quickly and allows you to, you know, the, [00:13:00] the challenge is, is that you have to trust the opinions that, that, that are, that these AI models are producing, right? Yeah. And, and so, uh, so for me, you know, I always tell people AI's great.
You know, automation's always great. It can speed things up. You want it to speed the right things up. So you want to make sure that, that your AI is based on a sound data foundation. So you're bringing all this information from all these different systems, right? Yeah. This exposure management kind of sits across, above the tools.
So you're bringing all this information in, you're normalizing that, uh, you have a shared understanding of, of, of risk, uh, and how you're, how you're measuring risk and, and prioritizing risk, you know, across the different teams. But ultimately when the, when the when your AI models start to work on that, on that data that you have high confidence in, then you can start to trust.
AI models, right, are making those decisions that you can trust and that that allows people to take action on those opinions or those decisions that the AI models are, are, are providing to you much more quickly if you don't, if you don't believe in the data, uh, if you if you're suspect over the opinions coming out of the ai.
And then you're not gonna take action based [00:14:00] on, on those outputs, right? And so I certainly think that, that it can help you surface what actually matters, uh, in the environment. But it has to do that in a way that's explainable and defensible. Uh, and if it does, and, and, uh, and it can do that across the teams, and it can build trust in that prioritization process much more quickly than you can do without, without the machinery in place.
Ashish Rajan: I, I guess, sounds like AI is making a positive impact if you can get it to a point where you can trust it. How, what was it before? Because obviously we spoke about the vulnerability management as it used to be before, where life was a lot simpler, then you move to the risk-based vulnerability management.
Now we are in this world of exposure management with a sprinkle of AI, complex workflows, complex environments. How is this all mapping together in how vulnerability management, let's just call it, what's the vulnerability management flow like today compared to what it used to be? 'cause you've been in this space for a long time.
How do you see it done differently now in the customers you're talking to? Is it like a, a a lot more [00:15:00] people using AI or is it more exposure management? Is the new way that you guys are seeing it's moving forward with helping prioritize these complex workflows? It's a, it's a majority use cases that you come across.
Brad Hibbert: Yeah, I, I certainly think exposure and management is on the rise. I think organizations are taking a step back. Um, they're realizing that they have too many tools. They have too many teams working in isolation. Uh, each team has their own understanding of, of prioritization and how it should work, right?
And so it's really not, not efficient and it's not effective. And so organizations are realizing they have to take a step back and look beyond the tools, right? And implement the program. That kind of kinda goes back to the. The people, processes and technology, right? And implement a shared understanding of risk across these teams to get alignment, to really focus on the outcomes, which is reducing, kind of reducing exposures that that can impact the business, which is typically tied to, to the business services.
And so we are seeing organizations really kind of, lean into this where they, they starting with [00:16:00] risk-based vulnerability management. And again, so that's just kind of taking your raw lists and you're starting to add some level of say, core grain level of context. Where you're bringing in some asset context and maybe some threat intelligence to help prioritize the risks.
But, but again, risk based is a good step, but it's, again, it's very siloed into, into those individual, teams and individual you know, platforms or tools that they're using. And so the next step is a layer above, above that risk based vulnerability management. You're kind of get that to that next level of diligence, it's not about, it's not about uh, how many vulnerabilities or critical vulnerabilities did you close that day? It's about how much risk did you take outta the organization, right? That, that could impact the business. And again, typically tied back to some sort of business services. And, um, and from that perspective, it's really about not just do you have an exposure in your environment, but again, it's getting to the next level.
Is it reachable in my environment? Is it exploitable? Again, what's the blast radius? So, that, that context to the next level and getting more laser focused and fine grain on focusing on really what could impact the business. Right. And it, it's shifting the [00:17:00] conversation from a risk-based vulnerability management, which is typically here's a prioritized report of exposures. To now I gotta go do something about it.
So it's a shift from reporting to remediation because exposure management is all about getting that prioritization done at a finer a finer level, but then mobilizing the, the orchestrate and orchestrating the, the remediation that needs to happen to, to remove that risk from the environment across the different teams.
Right. Does that make sense? Do you find
Ashish Rajan: that sorry, I'll let you finish your thought.
Brad Hibbert: Yeah, I just wanna make sure that, that, that makes sense. And, and, uh, any follow up questions there?
Ashish Rajan: Yeah, yeah, yeah. Uh, it does. I was also gonna say a lot of organizations also have multiple CMDBs, uh, asset inventories and sometimes unknown users as well.
There's no asset owner sometimes because a person moved on and there was no replacement, or the team name changed. I've been in organizations where I was part of, I don't know, some team name, which is a, everyone has an interesting team name for the development teams and everyone else. But suddenly people decide [00:18:00] that, Hey, is that no longer the team name?
It's gonna be another team name, but then what happens to the assets that are assigned to it? A lot of people may already have I don't wanna use the word spaghetti, but there's definitely a lot of processes are already implemented and they've been doing this for a long time. And risk based vulnerability management was that thing that they decided on because to what you said, it gives you a clear picture for, Hey, where's my.
What's my exposure to high risk vulnerability today? And how many of them are actually exposed? Moving from that kind of approach to exposure management, I'm curious, what do you see as some of the challenges that people come across?
Brad Hibbert: Yeah, it's, it's a bit of a, it's a bit of a mind shake, and you think about exposure management, it's sitting above the tools, right?
So the tools can change over time. You know, you might get different scanners and different application scanners and you know, as you mentioned, your CMDBs may change. You may have multiple CMDBs. So the, so exposure management sits on top of that, and it curates and normalizes all of that, all of that telemetry, if you [00:19:00] will, to give you, uh, really a program that, that, that's, that has longevity in it, right? So all these things are changing, but your program continues to operate effectively and efficiently. But to your point, I mean, the challenge is, is it's a mindset. It's really a mind shift change, right? People are moving from tools.
And above the tools to think about exposures more, more broadly, you know, across the business services. And, and one of the biggest, uh, challenges that we have are, as you mentioned, it's, it's the data inconsistencies. This is what my tool says. Your tool says something different.
So when you're making a risk-based decision. Which tool do we believe in? And, and so that certainly, that certainly comes up and that's kinda one of the things that we need to do when we work with companies looking to, to evolve their programs into, into more exposure management is like, how do you define risk?
Let's have one prioritization strategy across, know, across the, the program and get the teams to, to agree to that ahead of time. And so I think that's one is, is just, which you, what you don't wanna do in a, in a, in an exposure management program is I, I come up [00:20:00] with this great list of things I need to get done, but then I, I come to you that as the remediation owner and I say, Hey, can you go fix this?
And you crack open a spreadsheet and start arguing that your data's different than my data. Right? That happens a lot. And so I think having that shared, you know, understanding of risk and how you're gonna calculate risk is critical. And then, uh, having explainability on why, you know, you're, your, your, your you feel that your data has given you the best decisioning capability that you can, is pretty important.
And then having that shared ownership of risk is also critical. I mean, if you're a server guy looking at the server vulnerabilities. You're gonna, you're gonna look at them one way, but if your server is running multiple services and I'm, I'm the service owner, I might be telling you to do things a little bit differently, right?
And so there's a show, shared ownership, kind of over that, over that over that model. But clearly I own the risk. I'm, I'm the risk owner. You're the remediation owner in that, in that particular case. So I think that that's an issue. I think the other issue that comes up, you mentioned it earlier, is trust.
As you're collecting all this [00:21:00] telemetry, even when you have a shared understanding of the data model and how you're going to how you're gonna prioritize, the risks in, in your environment or what algorithms you're gonna apply and so forth, or what AI you're gonna apply, it's when you start coming out with, uh, the outputs of those decisions, right?
Like you having opinions coming out of your risk models or coming out of your AI models. Like how do you trust that? And, you know, how do you as a server team, trust that what I'm telling you and how you wanna mobilize your teams, I is the right thing to do and is the most optimal thing to do to reduce risk, uh, you know, across the business.
And so I would say that, you know, the lack of trust in how you're doing the scoring, the lack of trust in the ai. Again, the more transparent you can be the, the, the stronger the, the, the more trustworthy or the higher level of confidence you have in that data layer. These are all things that go towards, you know, establishing, you know, a good foundation of trust.
Right. And I think that that certainly, that certainly helps out quite a bit. And I think the other one is, you know, uh, you know, organizations try to do too much. I think don't try to, to start your [00:22:00] exposure management program. They're going after all your infrastructure, all your applications, you know, all your code repository.
Just, you know, start small and kind of show success and kind of grow from there. So
Ashish Rajan: is there like a readiness check that people should have before they start the exposure management journey? Sounds like, obviously clearly you've seen this quite often based on what you're sharing, I'm curious, is there like a, obviously every, each one of us would like to believe that we have the best program, but we all know all the bandage bandages that we have put in across, over the years, uh, as well. Is there, and in my mind, is there a minimum standard or a readiness criteria that you think people should consider before they go down the path of moving from, say, a risk-based approach to an exposure management approach?
Brad Hibbert: Yeah, we certainly have a methodology that we've been implementing successfully for a number of years. And again, I think a lot of it is beyond just the technology. It's not about the telemetry. It's not about finding the exposures. It's about, you know, what do you [00:23:00] do with these exposures?
How do you prioritize? How do you mobilize the troops, if you will, to take the most impactful action? I think a lot of that just comes down to: there has to be executive commitment at the top layer that exposure management is a discipline that an organization wants to embrace.
And I think from that perspective, there has to be a shared responsibility across the different teams. They have to have a shared understanding of risk across the different teams. In many cases, I would say there needs to be a shared incentive program, so they're all working towards the same goal across the different teams.
If different teams are incented in different ways ("Hey, I gotta close vulnerabilities faster," you know, based on CVSS), if different teams are being mobilized in different ways today, that could create friction and conflict, right? So I think it's gotta start at that higher level, and then you have to have that shared understanding of risk.
You have to have a shared and agreed escalation path for risk. You have to have a clear decision authority for who owns the risk versus who's [00:24:00] gonna remediate the risk. And then I think you also have to have dedicated resources. In most of the programs that we've seen, just to drive the accountability and the movement across the different teams and coordinate the activities across the teams,
it does require some resourcing and some investment. And so I think exposure management itself can't be looked at as sort of a side project. People have to be serious. It's a different discipline around security to help drive more and derive more value out of the investments you've made in those existing tools.
But we have a more technical and tactical methodology that we follow as well, with respect to connectors and normalization of data. But at a high level, those are some of, I think, the more important things.
Ashish Rajan: As you were saying this, the first thing that came to mind was, I remember the first vulnerability management team that I was working with.
There was an obsession with zero tickets or automated remediation, especially when we started in cloud, because at that point in time a lot of CNAPP providers or CSPM providers back then were talking about automated remediation as the answer to vulnerability management, [00:25:00] especially in the cloud context.
How does this work, and how much truth is there in doing that with exposure management? Or is that a parallel path that people should follow? Or does that come under exposure management? Where do you see automated remediation? Is that still possible, or is it too early?
Brad Hibbert: Yeah, I think it's still possible. When I take a look at the market from an exposure management evolution perspective, I think the first sort of wave of exposure management was really about data orchestration.
It was really about taking all of those feeds, and as you mentioned, you could have multiple CMDBs and multiple scanners and multiple threat intelligence feeds and so forth.
So it's taking that information and normalizing it in a way that people could do something with it. And I would say that was more data orchestration. I think where we're at today is really more decision orchestration, where people want the exposure management solutions to have opinionated interfaces, right?
To tell you: based on our modeling and based on the [00:26:00] AI models, this is what you should do and here's why you should do it across the different teams; that would have the biggest impact on risk reduction. So it went from data orchestration to decision orchestration. And to your point, I think the next point would really be around action orchestration or remediation orchestration.
Right. And I still think that some of that can be done today. There's a lot of automated remediation companies that will do that: we'll take some telemetry and, based on some modeling, we'll go and do some fixes. I think really what it comes down to is, how much do you want to trust the models that are telling you to do the fixes?
If you don't trust the model to have your teams go do things in configuration and patches and so on, you certainly don't wanna have that automatically happening without your teams' involvement. So I think it will evolve. I think that automation works well for known patterns. Like if it's a simple fix or configuration change, or something you've done in the past where the AI can look back and see previous behavior and say, "Hey, I have a 90% confidence that this is the right thing to do."
And so I think if you put some golden rules or golden images or guardrails in [00:27:00] place, you can start to automate some of those kind of known patterns. But if it's a risky change, if it's something where it could have an impact on a critical service (we were talking about those services earlier),
like if it's a customer-facing service or something like that, or
Ashish Rajan: yeah.
Brad Hibbert: Or it could have significant damage in some way, then you may not automate it a hundred percent. You still might want a human in the loop, where you can automate everything, but a human has to click the button.
But I do think that's where the market's kind of moving towards: autonomous remediation. And I think that exposure management really kind of balances that speed and control, right? Where you wanna be very prescriptive on what you're fixing.
Ashish Rajan: Mm-hmm.
Brad Hibbert: You wanna get to that next level of prescription over what you've done with risk-based vulnerability management, right? So again, is it exploitable? Is it reachable? What's the blast radius? You want your remediations to be more prescriptive as well.
So what is the minimum amount of effort that you can do, or the least impactful [00:28:00] remediation, for this particular exposure that I have? And as long as you're getting that level of prescription, you're removing the risk of, or minimizing the risk of, impact; then you can start to automate those things more and more over time.
And I do think that's where the market's gonna continue to move towards.
Ashish Rajan: Interesting, 'cause I was gonna also say a lot of the organizations are compliance driven. You mentioned the organizations are evolving as well as they approach this, moving from data to decision.
Now we've collected data for a long time. Now we are automating decisions, hopefully then moving on to automated remediation. In terms of companies that are driving vulnerability management through the stick of compliance, especially in the regulated bodies, which a lot of enterprises are,
if they see, "I have a PCI critical in 30 days," how does exposure management work in this particular case, where you're still able to show demonstrably that you are reducing risk quarter by quarter? 'Cause as a CISO, that's what I care about. [00:29:00] I mean, I want my team to be able to report back so I can report to the board that, hey, yep, it's all under control.
But I still need some budgets. That's a different story. But
Brad Hibbert: yeah.
Ashish Rajan: How does exposure management work in that kind of environment where it's more compliance led?
Brad Hibbert: Yeah, that's a great question. And it goes back to what I mentioned: like 20 years ago when people would scan, they'd scan on a quarterly basis, and as you mentioned, for PCI, I have to close my critical vulnerabilities in 30 days, right?
And so again, things have evolved past then, and compliance tends to drag behind kind of the realities of what CISOs are facing today. But I would say that compliance in many cases just proves activity. So, as you mentioned, hey, I closed my critical vulnerability in 21 days or 18 days, right?
So you're proving that there's activity, but it's not tied to the actual risk that you're taking out of the environment. And so I think that when you think about it, compliance proves activity; exposure management, I think, proves impact: risk reduction in the environment.
So you tie it back to, again, I removed this much risk from this particular [00:30:00] business service, as opposed to, "Hey, I cleared my critical vulnerabilities off my servers." So it's a different way to look at risk. And I would say you're kind of moving from SLA adherence, to your PCI example, more towards exposure reduction, and exposures that will
and can have a significant impact on the business. So they're exploitable, they're reachable, all those sorts of things. And to your point, though, I think it's not just looking at a number; it's showing that quarter-over-quarter improvement as well. Like, here's my critical business services and I've reduced
my risk or my exposures to these services month over month in a very methodical way. So I think that's the difference. One's kind of focused on outcomes and impact,
Ashish Rajan: Yeah.
Brad Hibbert: where one's kind of more focused on, I don't wanna say checking the box, but demonstrating that the prescribed activity has been performed.
Ashish Rajan: So, I imagine most enterprises already have a vulnerability management program. They either have a risk-based vulnerability management program, or they have some kind of tooling like a CMDB, which is [00:31:00] just some kind of tag to say if it's vulnerable or not.
For people who are already running a program for vulnerability management in their organization and looking to transition over to uplifting it in the new year with exposure management, what are some of the maturity milestones that you can throw out as examples for, "Hey, this is level one, this is level two"?
Are there any examples that you can share that people can use as metrics? Maybe they're even collecting data today; they just don't know that they were so close to exposure management. So are there any maturity levels that come to mind that people can look at themselves for?
Are they even ready for exposure management? And if they are, these are steps you can probably look at as milestones.
Brad Hibbert: Yeah, I think there's two points to that. As you mentioned, I think risk-based vulnerability management's a great foundation to build exposure management on top of, to move beyond the tooling.
And I think that, as people move to exposure management, I [00:32:00] think the one thing people get worried about is, are they gonna have to give up all that domain knowledge they built into all those tools?
Ashish Rajan: Yeah.
Brad Hibbert: Because again, a lot of these teams have been doing this for a long time and they're rather good at kind of prioritizing things within their
The process is already defined as well. Everyone's using it. Exactly. So they're already doing things their way. And so I think, as you look to embrace something like exposure management, you don't wanna lose that domain knowledge, right? So if there's domain knowledge, you wanna make sure that you can retain as much as you can. So again, exposure management kind of sits above the tools,
kind of works across and normalizes and then curates those insights from across those different teams. And so if there's knowledge that those different teams have that's important to the business, you wanna make sure that you keep that. So again, you wanna make sure that you can pull that in.
If there's processes that are static and not really viable in today's kind of dynamic world, then you might wanna retire some of those decision-making workflows, and just make sure that they're [00:33:00] robust enough and sustainable enough
for a more modern decisioning process. Milestones is difficult. I would say that if organizations are gonna start with exposure management, I guess the one thing would be, don't try to boil the ocean. First understand, and get that shared understanding of risk across the different teams,
Like what's important to the business.
Ashish Rajan: Yep.
Brad Hibbert: And you're never gonna start with perfect data or perfect systems. But pick an area of the business that you want to evolve beyond risk-based vulnerability management, an area where risks are visible, where they're painful in the organization today.
So that could be a certain set of services. Maybe it's one service or two services that you want to focus on getting that next level of prescription. Maybe it's your external attack surface, whatever the area is within your organization. Focus on that first. Anything that has external exposure, critical applications, the crown jewels.
So focus on a couple of those things and then focus [00:34:00] on the decisions. Don't focus on the scope of the program. So just kind of make sure you dig in, get to that next level of prioritization that takes into consideration the different constituents in the program.
And then show that you have success. We have many customers of ours that have dozens of different applications that they've brought into the program, but they started with. And then once they showed some value and showed how they're making better decisions that better aligned to the business itself,
then they expanded, once they've proven that the model was working. Okay.
Ashish Rajan: So go for the friendlies, because to your point, it's not just a change in the tooling or introducing a new tool, but you're also changing the way ownership is done, the responsibility; to what you mentioned, the remediation owner versus the risk owner.
This is an organizational change as well, in a way. So you probably want some friendlies in the beginning to start the program going, so you can show some points on the screen to go, "Oh yeah, this actually works. Now we can start scaling it out across the entire [00:35:00] organization."
Brad Hibbert: That's right. And demonstrate that you've actually reduced impactful risk to the business, right?
In a meaningful way. And again, I go back to making sure that if you're gonna be doing it, some milestones would be making sure you do your preparatory work. So as I mentioned, we bring on a number of organizations that start with more of the infrastructure, maybe their external attack surface,
and then very quickly want to start pivoting more to critical services like business services or applications,
where they're cranking out code every day to support these different applications that their businesses rely on. But every one of those development teams does things differently.
They use Jira differently. They manage tickets differently. And so I would say one of the things you want to make sure is that you can accommodate that as you onboard those teams. You wanna force them to some sort of corporate way of doing things, and everyone has to use the standard workflow.
Certainly that helps, but you wanna make sure that you can accommodate those teams. If [00:36:00] they want to see tickets by technology, that's fine. If they want to see tickets bundled by sprint, because that aligns to how they do their coding, you wanna make sure you can accommodate those teams to reduce the friction where possible, and kind of make sure that you remove the friction points of them embracing the program, I guess, as much as you can, right?
We're not changing all of their day-to-day workflows and tasks. So we've got customers who use 20 different flavors of Jira, and we can accommodate that with our products. So we're not asking them all to change the way they develop code, but we're showing them where in their code they should fix exposures, by using a broader, more business-aligned prioritization model that's explainable and defendable.
Ashish Rajan: Awesome. Thank you so much for that. Those are all the technical questions I had. I've got three fun questions for you as well. It shouldn't take that long. The first one is, what do you spend most time on when you're not trying to solve the exposure management problems of the world?
Brad Hibbert: Oh, well, yeah, I take on another challenge I've had for the last [00:37:00] 30 years.
It's just trying to learn how to golf. I'm getting a little older now. That's the
Ashish Rajan: handicap.
Brad Hibbert: Yeah. I have a handicap, but it's not something I'm gonna share online today. Oh, fair.
Ashish Rajan: Second question. What is something that you're proud of that is not on your social media?
Brad Hibbert: Something I'm proud of? I think, over the last number of years, I've really got to work with some great people, and
I think that we've really established some good programs and some good defenses in a lot of the big companies around the world that are still being used today. So I'm pretty proud of that, and I'm pretty proud of the fact that the people I've worked with, I continue to work with over the last 20 years.
I think the security industry is very tight. A lot of great people in the industry, and I think I've built up a lot of friendships, both personal and professional friendships, that have lasted a couple of decades. So I'm pretty happy about that.
Ashish Rajan: That's awesome, man. And final question: what's your favorite cuisine or restaurant that you can share with us? [00:38:00]
Brad Hibbert: I know the new one here is called a Turkish kebab house. I'm up in Ottawa, Canada, so it's been my go-to place now for the last few months.
Ashish Rajan: Kebab, you can never go wrong with kebab. I'll definitely agree on that as well.
I mean, those are all the questions I had. Where can people connect with you to know more about Brinqa, the work you guys do, and maybe connect with you as well on talking further about what we spoke about?
Brad Hibbert: Yeah. So, again, we didn't talk too much about the background of exposure management in general,
what we do as a company. If you're interested in exposure management or you wanna evolve your program to that next level, where you're looking beyond the tools and trying to get more focus and outcomes versus prioritized lists of things to fix, you can get more information from www.brinqa.com.
Or you can fire me an email at bradhibbert@brinqa.com as well.
Ashish Rajan: I'll put your information and your LinkedIn link, as well as the Brinqa website, in the show notes for people to follow up. But thank you so much for tuning in, and thank you everyone for tuning into the episode as well.
Thanks, Brad. Thanks everyone. Thank you for [00:39:00] listening or watching this episode of Cloud Security Podcast. This was brought to you by Tech riot.io. If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security Podcast TV, our website, or on social media platforms like YouTube, LinkedIn, and Apple, Spotify.
In case you are interested in learning about AI security as well, check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify, Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security. Finally, if you're after a newsletter that just gives you top news and insight from all the experts we talk to at Cloud Security Podcast,
you can check that out on cloudsecuritynewsletter.com. I'll see you in the next episode. Peace.