So, we'll take another look on the same theme we saw with EPR, moving towards more innovative capabilities, including that in. Our next speaker will be taking a look at Modern Vulnerability Management and actually a Paradigm Shift towards Exposure Risk Management. So let's welcome our next speaker to the stage.
So first of all, I don't know why the slides haven't been updated, so apologies if you were expecting Stefan. My colleague had a family emergency, unfortunately, yesterday and had to rush. My name is Mihai Butu, I am handling our channel and marketing across EMEA.
I've been with the company for pretty much about two and a half years and about 20-21 years in cybersecurity in various roles, product management, product marketing, vendor management, pre-sales up to strategic partnerships and overall go-to-market. Have worked in small organizations, have worked in larger ones up to the level of Vodafone and Microsoft, and also some startup and scale-ups in this space and not only.
And have pretty much seen it all, up to the level where probably about maybe 15 or 16 years ago, I got for the first time certified on Qualys Vulnerability Scanner, in the good old days where you're trying to preach cloud solutions in the cyberspace, which was quite a challenge. It still is in some areas, I guess, today, but back then it was really, really a challenge to actually convince people to rely on something that was cloud-based.
Now the reason that I've started with this slide is because we can't talk about modernizing vulnerability management if we don't look a little bit back and try and understand how things were done in the old days, right? About 10, 8, 10, 12 years ago, the focus was very much on infrastructure. You are relying on one tool that would help you uncover vulnerabilities. It was a basic scanning. And then you had a very small number of vulnerabilities as well. You had a fairly small number of assets as well.
And then there wasn't really an urgency for solution because the threats associated to it were not that big either. Also there was the security guy or girl that would handle all that kind of stuff. It was pretty much one person doing the job, or maybe it was just the IT department. So not as evolved as today for sure. And usually in the good examples, there was a patch applied to it. And that was it. Pretty simple, right?
Now, moving forward to today's landscape, it's completely different. So we're looking at different attack surfaces, very specialized solution to address each and every type of asset and each and every bit of your attack surface. You're looking at correlation between those. You're looking at links in the chain of attacks. You're looking at exploits, weaponizing vulnerabilities, and so on. And it's becoming really, really complex. It's becoming complex in addressing it. It's becoming complex in actually having a holistic view.
It's becoming complex in communicating with various asset owners or departments or stakeholders as well. In some cases, some of the assets owners have nothing to do with the security. So you need to try and speak their language. And you need to provide them all the proper tools to do their job on their bit, although you are the one responsible for it, if that makes sense.
And then when it comes to resolutions, different types of resolutions, starting from the standard kind of patching, through changes in configuration, through maybe changes in code, and many other options, and a very, very kind of manual way of reporting or tracking progress on that. So why am I sharing all this with you? So first of all, if you are part of different teams and not necessarily directly responsible for this process, to understand how big of a challenge it is. On the other hand, you might spot things that maybe you haven't considered.
Like an incarceration, when you're actually doing a proper risk assessment or cyber risk management program. So there is 100% a real challenge. And the challenge is not just on owners. It's on executives as well. It's on practitioners. It starts with the practitioner pretty much, where they need to work in a very kind of manual way. They need to work with different tools in a siloed approach. They tend to have an absolute overload in terms of data and vulnerabilities that they need to manage. And prioritization is pretty much done without a context.
So if you think about what the real end goal of a vulnerability management program is, it's always to actually reduce risk in order to improve your security posture. It's not acknowledging vulnerabilities. That's just the absolute basic steps. Then if you look at executives, it's really impossible to actually monitor and measure across the board.
Again, very siloed approach without dependencies between those elements. It's hard to communicate risk as well, because there is a lot of acronyms, a lot of very technical terms. And if you want to report back to board level and so on, you need to make it very simple, very clear why some actions need to be done or some investment needs to be taken. And also pretty much very reduced visibility as well. Now we're looking at remediation owners as well. Remediation owners, in most of the cases, is actually not their primary focus or work.
If it's IT, they will be focusing on keeping the lights on, making things run, and keeping the business going. They're not focusing on security. It might be an application developer, not necessarily his main or her main focus. There is very limited insight into remediation best practices. They don't have the luxury, they don't have the skill necessarily to actually do a lot of deep dive analysis and do investigations, which is the best option, why is that the best option, how do I apply that option to actually remove those vulnerabilities in my environment or in my own assets.
And then they tend to get a lot of duplicate kind of communications from various areas of the business or from various tools, which creates even more confusion. So all in all, all these challenges are creating what we call cyber risk debt.
You're always going to be behind if you don't tackle it in the right way, with the right processes, with the right frameworks, if you don't have a unified view across your entire estate at an organization level, if you don't use the same metrics to actually measure risk, and if you don't have the tools, processes to empower people to actually remediate at scale and exactly what they need to as well. So a couple of things. I'm going to stop here just to share some numbers. Scary numbers, I got just one good news for you, tomorrow is Friday.
I don't have any other in regards to these numbers at least, but reality is that about two thirds of enterprises have a backlog of more than 100,000 vulnerabilities. Going back to the idea, yeah, they do invest. They actually invest quite a lot. The larger the organizations, the more subject to regulations and compliance with certain standards and so on, the more they will invest in tools, but those tools actually are creating additional workload. It's good to invest in tools. It's even better to actually make the most out of those tools.
There is also research and a quote that I've always found very, very useful from a couple of years ago, two years or so from the Ponemon Institute, and they were stating that although more and more time is spent on detecting vulnerabilities, on even remediating vulnerabilities, there is no real improvement in reducing the risk of an attack. Why? Pretty simple, because they're not focusing in the right place. It's nearly impossible when you have hundreds of thousands in some cases of different assets and an asset can be anything.
Traditionally, we look at an asset as a server or maybe an endpoint or a network device, but now it goes beyond that. It goes into code. It goes into applications, websites, cloud resources, and so everything is considered more or less an asset if it can be, you know, if it drives, if it brings value, and if being impacted actually stops delivering that value or even worse.
So that's the reason I wanted to share a few of these percentages with everyone, real numbers, and again, a real challenge across the board, hence why we consider that there is a need for a complete shift from what used to be called vulnerability management or even cyber risk management into full exposure risk management.
The reason why it's exposure risk management is because it is across the board, because you need to look at risk not purely from a vulnerability management or from a vulnerability point of view, but you actually need to look at it in the context of what's the threat associated to it. Is it a real threat? Is it a concentrated one? Is it something that is targeting my own industry, for example, very specific? When it's targeting it or when it's been weaponized or, you know, when you have an exploitable vulnerability, is it on an asset that I care much about?
Maybe it's a test dummy environment with absolutely no confidential information, which is completely isolated from the rest of the network somehow, it's behind a firewall, it's got some controls. And then I have exactly the same server with very similar, if not exactly the same applications that are exposed into the public domain. And then it's got information, critical information, confidential information, and it might impact me and my business, including brand damage and so on.
So you need to look at it from all those different angles, not just from what's my vulnerability or what's my CVSS score. So what does that mean? One approach, very siloed, one-dimensional approach versus having a fully integrated way to look at risk and consider it, including dependencies between different assets, covering all attack surfaces, regardless if we talk about public cloud, if we talk about infrastructure, if we talk about applications and so on, a very consolidated and correlated approach.
And then when you talk about processes, usually, unfortunately, it's still very manual and very, very time consuming and mostly critically or focused on the criticality, not necessarily of the asset, but rather of the vulnerability. But then again, criticality being given purely by a technical score. So it's just not good enough. It's basically stating there might be an issue or there is an issue there, but nobody else here is looking at it. So if it's nobody looking at it, should I really focus my efforts there or maybe spend some time somewhere else?
Versus from a process perspective, having, again, an integrated and as much as automated approach rather than manual, having a prioritization based on actual risk, taking into consideration business context and potential business impact as well, and also pretty much an end-to-end process that can be easily tracked and measured from the time you discover up to the time when you apply the remediation. And reporting-wise, again, very often we still see people exporting, importing into Excel, trying to do a lot of pivot tables and likes and so on.
And some maybe more happy places, they will have a Power BI that will help with that. But again, very manual, very prone to human error, and very prone to mistakes, and very time consuming, whilst with a targeted approach, then you'll have all that. First of all, you have a very clean, complete and clean data set with deduplicated data as well and automated end-to-end with something that you can easily plug into and have a real-time reporting without the need to spend hours or days and a lot of resources that you still are not sure how accurate it is.
So, very simple, five easy steps on what is required. First of all, a way to consolidate all asset and risk data. That means that it might be the case that you need to pull in asset data from different sources, not just one. It might be the case that you need to pull risk data from various tools as well, and then have it in one place because you would be missing on the bigger picture if there is a truncated approach. Then, enriching all that initial data, you need to be able to spot which are the most targeted and which are the biggest threats to such vulnerabilities and areas of risk.
You need to be able to look at it from a business impact perspective. Is this targeting my crown jewel? If that happens, what risk should I assign to it? And that will help you actually achieve a specific level of prioritization where you can actually manage the workload.
So, instead of focusing on everything that you have, you can take that down by 85 to 90%. Obviously, there's a lot of, and it's a wide conversation around risk management and risk acceptance versus risk mitigation and risk outsourcing and so on and so forth. But at least you have a really good starting point and you know where to focus, which will provide the biggest positive impact. The fourth step is actually collaborating with remediation owners.
That means that you should be able, first of all, to provide data that is trustworthy, that is up to date, that is useful to them, and to communicate it to them in a very simple way that can also be tracked back and maybe apply some SLAs and so on to make everyone's life easier. Basically, just telling them, you know what, you don't need to know what a CVE is even, or what that vulnerability is. All you need to know is that this asset, according to this analysis, has a vulnerability, has this kind of threat associated to it.
By the way, that asset is one of the most important assets in our organization, is driving business. We consider it to be critical. From all those reasons, here are some options for you that you just need to deploy or need to change some configuration to remediate. Very simple, simple language, simple language communication towards them. And last but not least, going back not only to regulations and compliance, which is super, super relevant, to be able to put together those kind of proofs or reports that you're actually doing the right things.
And in the light of all the latest regulation, I think it's becoming even more relevant to be able to report that, but also to actually track how you are performing. Has my security posture actually improved? Where am I doing a good job? Is there a specific team, for example, a specific department, a specific geography, whatever you want to call it, and however you want to group those kind of assets that you're managing, is that more performing better or worse? Maybe I need to do some additional work in terms of trainings, in terms of best practice sharing.
Maybe I do need some additional resources, but I can actually build that justification with real numbers, with real data on why I need those kind of resources. So very quickly, because I don't want to turn this into a sales speech, you can join me and we can show you what we do at Vulcan. What we've developed is basically a platform, a SaaS-based platform, where through our pre-built connectors, we provide about 100 plus integrations into most of the tools that you're used to work, and pretty much we can bring data from any kind of security tool and platform.
And we import that in what we call our exposure data lake. It's a huge data lake play where we do the normalization of the data, where we do the clustering, where we do the merging and deduplication, so that, for example, if you have a server that sits in a public cloud environment, you get the information from the public cloud environment here normally. And then you have a Qualys or Tenable that is scanning it, you have some information here. And then you have a CrowdStrike or SentinelOne or Tanium that is scanning it, and you have some information here.
We bring all that together, assign it to one asset unique, and then we provide much more visibility and more accurate data. Once we do all that and deduplicate and structure the data, then we enrich it with threat intelligence. Being open source, we plug it directly into the platform to highlight whether there are some specific threats associated to the vulnerability, or it can be complemented with commercial feeds like Mandiant or Recorded Future and so on.
And also, we look at it based on the metadata and tags that exist in all different systems or you might have into your asset management tools to define the criticality of the assets. So there can be some rules that you can basically apply to say, if it meets this criteria, very similarly as you do into a SIEM tool, for example, then increase the criticality to this level. And that will allow the first bit around prioritization. Then we do integration into ticketing tools to orchestrate all that remediation process end-to-end and assign it automatically through playbooks to the right asset owners.
Again, very simple rules. Whenever it meets that criteria, please assign it to that individual, give him or her an SLA, track it, report back, and share all the relevant information so they can actually do their job.
And the last big bit is reporting, where you can basically do either a snapshot of where you are and all the different areas of your vulnerability management program, or you can do even historical analysis and trending and see exactly how things are performing to make even more strategic decisions around resources and tools and everything else, including some very specific compliance reports. We've recently built one that would serve the purpose.
I'm carefully choosing my words because I think there's no silver bullet for anything that's either DORA or NIST and so on, but at least it serves the purpose to get you a step closer in terms of what you need to be able to report pretty much very quickly to a regulatory body. And then various use cases, for sure, because, again, this is a data lake play. This is a very smart way to bring data, to correlate it, to enrich it, and to pretty much improve the processes and the workflow. And for us, guys, the limit where we stop in terms of use cases. Last slide, I promise.
What you can expect, I would say the very left side of this slide is generic to my previous conversation. What can you expect from moving to an exposure risk management approach rather than a standard?
Well, you have a unified attack surface view, visibility across the board, you take away a lot of the noise that you shouldn't be focusing your time on, and then it helps you basically improve the risk mitigation and better collaborate with all the asset owners. That's one of our big, big challenges in this space. And then you'll see some examples of some of the things that our customers have achieved, including a reduction in mean time to remediate of about 75%. And I think I'm off by 20 seconds or so. So apologies for that. Any questions? Yeah. First of all, a big thank you.