Well, good afternoon or good morning, ladies and gentlemen, welcome to another KuppingerCole webinar. My name is Alexei Balaganski. I am a Senior Analyst at KuppingerCole. And today I am joined by Aviram Jenik, who is a co-founder and CEO at Beyond Security. The topic for today is "Vulnerability Assessment 2.0: Improving Accuracy and Reducing Costs with Behavioral Analysis". Before we begin, and also to let more people who are still a little bit late join, a few words about KuppingerCole. So KuppingerCole is an analyst company. We are based in Europe, in Germany.
We have an international team all around the world. Our three primary areas of activity are enterprise IT research, advisory and events, events like this webinar and other webinars, as well as the largest European conference around identity and cloud topics, the European Identity and Cloud Conference, which usually takes place in Munich every May. And next time we are going to have our 10th anniversary. So besides the usual tightly packed program, we have a lot of surprises up our sleeve. So you are very welcome to come and visit us in Munich next May. Before we begin, some guidelines.
So you are all muted centrally. You don't have to worry about it; we control this feature. We will make a recording of this webinar and publish it as a podcast on our website, at the latest tomorrow. We'll also send each one of you an email with the link as soon as it's available. We will have a Q&A, the questions-and-answers section, at the end of this presentation, but please submit your questions early using the questions tool of the GoToWebinar control panel. We'll pick them up, read them aloud and answer them at the end of this webinar. So here is our agenda. We'll have three parts.
First I will be talking about a general overview of which security challenges current enterprises are facing in this turbulent and extremely quickly evolving digital environment, and about the new emergent technologies that help address those security challenges. Then I will switch over to Aviram, who will provide a deeper insight into the new technology of vulnerability scanning based on behavior analysis. And as I said, at the end there will be a Q&A session. Now, without further ado, let's start.
If you have ever attended an earlier KuppingerCole webinar, you have probably heard the term my colleagues like to use a lot, the computing troika. A troika is a Russian carriage with three horses pulling in the same direction. And these three horses are cloud computing, mobile computing and social computing. Together they have made a profound change in the current information and business environment in which our modern companies, modern businesses have to operate. So everything is now connected.
Our companies have to maintain a lot of new ways of communication with their partners, customers and employees. They have to support connectivity with mobile devices, which their employees and their customers are using all the time. And they have to access and manage their information, which is no longer stored somewhere on premise, but in the cloud. And most recently they have to support all these smart devices, or things, which play an increasing role in modern information technology. This has led to the emergence of another new term, which my colleagues like to use a lot.
The new ABC: Agile Business, Connected. Agility has now become the most important asset, the most important quality of a company. Without agility, without business agility, companies can no longer adapt quickly enough to the ever-changing requirements and demands from the customers. So innovation is now increasingly driven by business demands, and IT has to implement those. They have to support what businesses need, and they can no longer decide whether they have enough resources or enough time to implement it. They just have to deliver.
And as I said, the computing troika has opened up a huge number of new business models, but this has also stretched the scope of information security extremely thin, and IT security has to keep up. You know, here in Germany the term Industry 4.0 is extremely popular right now, talking about the next industrial revolution.
However, I myself prefer another term, Skynet 1.0. This is where we are going to end up if we do not care about information security.
Now, as I said, our digital environment is ever changing, and the threat environment, the threat landscape, is also ever changing. Since more and more data is being stored digitally, there are more incentives for hackers, spies and other rogue entities out there to break into networks illegally. The perimeter is pretty much eroding, since more and more data is no longer stored on premise but somewhere in the cloud, and the data is accessed from somewhere, from mobile devices. The number of attack surfaces is growing extremely quickly.
The number of actors which are out there hunting for our data is also growing. You can see some of them, just a small, simple selection, on the screen. And of course, with this ever-growing threat landscape, traditional security tools just cannot keep up anymore. The number of hacking tools and exploits and other types of malware is simply growing much faster than any class of security tools. Now, we've probably heard a lot about data breaches. They are happening so often that people are just growing bored about it: oh yeah, another company has been breached. So it's just boring.
And apparently researchers say that we have already reached the peak, the plateau, of the number of breaches. So apparently they won't happen more often. They won't grow in size anymore.
However, what we do know is that the damage, the direct damage of lost information as well as collateral damage such as reputation, legal costs and so on, will be growing. We definitely know that. On this slide you can see a few examples of the recent high-scale breaches covered a lot in the press. And whereas the eBay breach, which happened almost two years ago with a huge number of user accounts stolen, was somehow downplayed, and I mean, the actual reputation damage for eBay was not that large.
However, when you look at more recent examples like Sony Pictures, the data they have lost was so much more sensitive that the reputation damage has been huge. And the latest example, the notorious Ashley Madison hack, where over 30 million customer information records and all the internal communications and all the databases, literally everything, has been stolen and then made public on the internet, has shown that the damage can be huge. And in fact, we now have the first confirmed case of a human victim of a data breach.
Now, experts have been talking about it so much, but it happened in a totally unexpected way. And yet it happened. So we now know that it's not just your money. It's not just your reputation. It can actually be your life that is at stake.
All this has led to a profound paradigm shift in information security. Since there is no longer a perimeter to protect, the traditional security tools are simply not able to keep up. They leave too many gaps. And the attacks as well have become much more sophisticated. The so-called advanced persistent threats are things that individual tools like firewalls or antiviruses can no longer stop. And of course they can no longer stop attacks which happen from the inside, like phishing, malicious insiders, administrators misusing their privileges and so on.
Now the new idea is no longer to protect the perimeter, but to defend internal resources, whether it be individual hosts, services, databases and so on, or even each piece of information, each document, each file, has its own perimeter. So the assumption is: we have already lost. The hackers are already in. So all we have to do is to detect them as quickly as possible to prevent further damage. And the key here is to know as much as possible about what's going on in your network: where are your assets, where are your users, where is your sensitive information.
All this has led to the technology which is called SIEM. So basically the idea is that you have a centralized security center within your company, a huge cockpit of hundreds, if not thousands, of sensors delivering you constant flows of information about what's going on in your network, and you have a dedicated team of security experts trying to react to that never-ending flow of security incidents, which of course is only possible up to a certain scale. Only the largest companies have enough resources to even operate such security centers.
Before we go on, I would like to make this distinction between proactive and reactive security. Okay, the terms are a little bit vague; I have found a lot of conflicting definitions for them, but in essence, reactive tools are the ones which try to prevent something which has already happened.
You know, like an antivirus starting to block a virus which is already on your computer, or a web application firewall. They are designed to stop known threats. And we know that these tools have been failing. On the other hand, we have proactive security tools. Unfortunately they do not get as much coverage in either the technical or the general press recently, because they are not as glamorous.
You know, if you allow me an analogy, we can hear a lot of news about new types of cancer vaccines or new types of magic drugs to fight diseases. But you do not hear a lot about exciting developments in the area of general fitness. Whereas if you just exercise, you don't get sick at all and you don't need all those drugs and vaccines.
However, it's not as glamorous. There isn't much going on. I have listed the three most important proactive measures which are currently used within information security. These are, of course, data encryption: this is your last line of defense, because even if the hackers are already in, even if they have stolen your data, they still cannot do anything with it before they break the encryption. There is, of course, code analysis, making your applications essentially free of vulnerabilities; that's its ideal purpose. And vulnerability management, which is the actual topic of today's webinar.
But before we go on talking about vulnerability management, I would like to make a quick introduction to this real-time security intelligence technology. Yes, it is a reactive measure, but it indicates quite nicely what the current trends within the reactive security tools are: to replace huge, expensive and complicated SIEM solutions with a new generation of tools. And here I have listed the most important criteria of this SIEM 2.0, if you wish. Now, they have to be real-time or near real-time, to be able to detect and remediate problems as soon as possible. They have to be able to correlate threat information from various sources, both real-time and historical, and to combine it with intelligence from other companies, thus detecting multiple security occurrences as a single whole event. They have to provide a small number of clearly actionable alarms instead of a huge flat list of alarms that something has happened, because even the best expert teams just cannot keep up with a vast number of alerts.
A lot of them are actually false positives, so there have to be a small number of alarms. And each alarm has to be assigned a clearly defined risk level. And they have to be automated, because current security tools still involve too much manual labor, combining data from different tools or working with huge sheets of paper, you know, to analyze the results. So it has to be automated so that even non-experts, even business people, can use it and make decisions.
Of course, the key underlying technology for this is big data analytics. We have heard a lot; there is a lot of exciting development here, both from large vendors and small startups. These are still mostly specialized tools solving narrow areas, fulfilling narrow tasks within information security, like detecting network anomalies or analyzing endpoints. So universal tools are still, you know, a question of future development, but still we hear a lot of new, we see a lot of new developments here in the reactive half of the security tools. But what are the developments which can be comparable to this revolution, to the change within the proactive tools, within the vulnerability tools? The first thing about vulnerability management is that it has been around for two decades. It has long lost all this flair of a new, exciting technology.
There are a lot of vendors in this market offering very similar products. Nearly the most important criterion where they have been competing with each other is who produces the longest and the most detailed vulnerability report. Quantity always comes before quality. There are too many false positives in those reports. So naturally the customers who have even bothered to buy them or to deploy those tools are unable to keep up. They cannot use them properly.
They have no resources to run these vulnerability scans often enough, and they have not enough brains to actually understand what exactly is happening, which vulnerabilities have to be fixed first and which are not as important. And of course, there are nearly no organizations that have enough budget to fix all of them. So they just, you know, go into denial: forget it, we just don't have enough resources to fix all the vulnerabilities, so let's just run this vulnerability scan once every six months because our compliance auditor requires that, and this is it.
And of course we analysts expect this to change as well. We expect to see some new, exciting developments, some new technologies powering this new generation of vulnerability management tools too. And here is the list of criteria which we at KuppingerCole see as the defining criteria for this new generation of vulnerability management tools. So it has to be easy and automated in initial deployment and setup as well as in daily usage.
It has to provide a managed cloud-based service as an option, which is especially important for smaller companies which do not have enough resources to maintain their own security team. They have to combine all those different tools under one unified administration console. They have to provide as few false positives as possible, which is probably the biggest complaint about the current generation of tools. Just like real-time security intelligence, they have to provide a small, manageable number of results.
And these results have to have a clear assigned score, so that the team knows where to start, which vulnerabilities have to be fixed as soon as possible and which can wait. It has to be business process oriented, so it has to be manageable by business people without high IT skills. And it has to provide a high level of automation and integration with existing security infrastructures. And of course, the question is: is there any such development?
And we have Aviram Jenik from Beyond Security, who believes there is, and he's going to talk about their own technology of vulnerability scanning, which is based on behavior analysis and which we believe addresses at least the majority of the criteria which I have listed. So now I am switching over to Aviram.
Thank you, Alexei, and thank you for the introduction. And I think most people that are listening would completely agree with your analysis.
I will try to bring in the vulnerability management angle of things and cover a little bit of what you said, which I completely agree with, and maybe speak also about the more technical parts of how that solution that you've described, that future vulnerability management 2.0, would look like. Just a little bit about Beyond Security: we developed an automated scanning appliance, a hardware- and software-based solution. What's a little different about our vulnerability assessment, vulnerability management engine is the behavioral analysis vulnerability scanning, which I'll discuss.
And the result is a very, very, very small false positive rate, less than 0.01%. So we're talking about a tiny fraction of a percent of false positives, which is, I think, the key point. The result is continuous network, server, data, application security. So we test on all the levels. Basically what we claim is: if there's a security hole on any device on your network, it is our job to find it. If we cannot find it, then we didn't do our job correctly. So sometimes we're asked, what is the scope of the scanning?
Well, the answer is the scope is everything. If there is a security hole anywhere on your network that a hacker can use to break in, then it should be our job to tell you where it is.
It's all in the scope. I don't believe in saying we will do everything until this point, and from this point on that's someone else's responsibility. That's not how we work.
It's a complete scan solution. We also operate SecuriTeam.com. Some of you may be familiar with it. It's a pretty big web security portal. It's free. We get contributions from all over the world. You can check it out. SecuriTeam.com is basically our knowledge base for vulnerabilities. And just to complete the picture: Beyond Security is privately held, we're profitable, we're growing organically. We're not a dot-com company backed by a lot of venture money. We're just people who really love what we're doing. We love security and we love providing good security solutions. And I think we've been lucky to have customers that appreciate us and help us grow.
So I want to talk a little bit about the whole idea of managing and reducing risks. So a lot of you might be familiar with statements from analysts like Gartner, who will say something like what you're seeing here, about how implementing a good vulnerability management program will really help you fix a lot of the security problems. So I think we all agree with this statement. The only problem is this is theory. So in theory, if you could establish, implement a good vulnerability management program, then you'd be doing well, but here's the actual reality.
So in reality, and excuse me for using this language, but your vulnerability management sucks. You're probably not doing vulnerability assessment, vulnerability management in a way that you're happy with.
And again, Alexei pretty much covered all the reasons why. I'm going to try and focus on a couple of examples and then show you how, why we think, where we see it differently or how we solved it. So the first, and I think pretty big, problem is: what is it that you don't know? So there's a really complicated, and I think a little funny, statement by Donald Rumsfeld back in the day, where he said, well, there are knowns that we know, and there are knowns that we don't know, and there are unknowns that we don't know.
And what this whole thing tries to say is: what you don't know is what makes you very vulnerable. And what you don't know is, of course, both the vulnerabilities, your weak points, and the parts you don't cover in the network. So what if you had a vulnerability management solution that could actually cover all of your network, that could tell you which areas of your network are vulnerable and which are not vulnerable, or which are more vulnerable, so you know what to focus on?
What if we could say specifically which servers really need the fixes, not theoretically, but which really have problems, and how to fix them? What if you could see some trend analysis? So in most cases our goal is not to reach a hundred percent.
I tell this to customers a lot: don't try to reach the point where you're 100% secure, and I don't even want to argue if that point even exists, but it makes no difference. What you want to do is you want to be more secure tomorrow than you are today. If you do that, you're doing great. And then if next week you're better than this week, then you're doing wonderfully. So what if you could see just this simple analysis of how you are doing, not compared to this absolute goal of being perfectly secure, okay,
but compared to yourself last week, last month, last year? What if you could see what you're not scanning? Again, it's those unknown unknowns, like Donald Rumsfeld says. So you're not scanning some servers. Those are your blind spots. What's happening there? What are you not covering? And then confirm all these issues. So everything here should be concrete, solid: what are you scanning, what are you not scanning, what problems are there. And it has to be real. It cannot be theoretically what might you be vulnerable to, because that means nothing.
Theoretically, we're all going to die, right? So what is it that we're vulnerable to right now? And what is it that we can fix? So, confirming those issues. And I'll talk about the behavioral checks in a little while. And this is just a tiny example. You should expect a pretty clear dashboard like this, saying: here are my networks, or my locations, or my servers, and which ones are compliant with whatever standard I need to be, and when were they last scanned, which is also important, because if I last scanned them, as you can see here, eight years ago, then what good is the result?
And if I scanned them one week ago, then obviously it's a little bit better. And then some quick actions that I can take, like seeing the list of vulnerabilities and starting scans. Here is a little more detailed view, if you want to dive in and get some more information. So this will tell you all your different locations, all your different servers. Alexei talked a lot about prioritization. So we think prioritization is very, very important. You can see the score from zero to a hundred, so you can start with the weakest points, which networks have the lowest score.
You can see the trend. Trend is another really important indicator. It tells you which networks dropped since the last scan that you did. So you can either decide to focus on your weak points, or you can decide to focus on the points, or the parts, that became weak, that were better and have now deteriorated, so bring them back up. And you can drill down into any point in this to look at the technical details and the fixes.
Now, other than the very broad view that I showed you, which I think is very, very important to get an understanding of what's happening in your network, there's another problem, which is a little more specific and a little more technical. And I call that the Patch-22 problem. Just for an example: two weeks ago we had Patch Tuesday. Microsoft released 15 security bulletins. Five of those bulletins were critical.
Now, Microsoft, as you know, they don't like to scare their customers. So when Microsoft says critical, you'd better believe it's critical. So we have five potential... If you have any Microsoft technology on your network of any kind, then you potentially have five critical vulnerabilities. All of them allow attackers to get into those devices.
Now, most of those patches actually require a restart, and most of them will have side effects, which means it's not that easy to deploy those 15 patches just like that, even if you were just to deploy the five critical ones. And of course, this is only for Microsoft. I haven't mentioned all the other vendors, and there are a lot of them, and most of them release out-of-band patches.
So that thing can happen once a week. And then there's nothing special about August.
In fact, as you know, August is vacation month. So it might have been even slower than usual. So this is sort of a ceremony that we have every month, when there are a dozen or more security bulletins by each vendor. A lot of them are critical.
You know, it's a big deal. Now, if you decide not to patch, let's say you ignore those bulletins, then you will fall out of compliance. If you need to be compliant with almost any, as I said, modern compliance regime, you will just fall out of compliance, because you will have vulnerabilities. And then you're exposing yourself to an attack, or just a random worm, because they all exploit known vulnerabilities. And like I said, there are five potential critical vulnerabilities on your network right now,
if you haven't patched since August 15. So you have to patch. Now, I've got some good news. I'm not here to scare you; I'm here to try and help you solve the problem. So out of those 15 patches, you probably just need two. That's what our research shows: on average, you need between 10 and 15% of the patches that are actually available. So you probably just need two patches out of those 15. So it's not so bad. Of course, the bad news is you don't know which two.
So you either patch all of the 15 and suffer the side effects and the downtime and the restart, or you roll the dice and hope that you're not going to be vulnerable to these. But what if you could know exactly? What if you could have the scanner tell you, not you asking the scanner, but have the scanner tell you: hey, there is a new security hole and it's critical, it's high risk, and it's on this server, and here's what you need to do to fix it.
Because one of the little ironies of the whole vulnerability management program is: once you know for sure what the problem is, the solution is really easy. The solution is a click away. You click on it, you download the patch, or you connect it to your patch management solution, and it's done. So what if you could have the scanner tell you, notify you: hey, you've got a new problem and it's critical, and here's the patch, and please fix it? Then you wouldn't be sitting here wondering about those 15 security bulletins by Microsoft, because you'd already have been patched.
And what if we could scale it? What if we could say something like this: here are the top 30 remediations, or fixes, that if you deploy around your network will fix 92% of vulnerabilities. Now, these numbers aren't made up, and they're not cherry-picked. It's often like this. It's often a very small number of fixes that will fix 80, 90% of everything on your network. And if you don't have time to apply 30 patches, and I totally sympathize with you, then just apply the first one.
See the first thing here, the first vulnerability. This report is sorted by importance, by priority, basically. So what we're saying is, if you want to do just one thing today, or maybe this week, or this month, apply that first patch, apply that MS08-067, because it's going to fix 10 vulnerabilities in your network across those affected hosts that you've got here. And that's going to be the biggest positive impact on your security. So if you want to do just one thing, that's absolutely fine. Just do that one thing.
And then next time you want to do something, take the second problem and upgrade your Apache, because that's the second most serious thing you have. And then take it step by step: fix one, and then move on to the other. And then once you get to those 30, and it might take you a day or a week or a year, then you'd know that you've fixed...
Actually, if you get to that point where you fix 92% of your vulnerabilities, then my hat is off to you. What I would probably say is that you have too much free time on your hands, because you should be doing other things. But if you've fixed 60, 70, 80% of your problems, you're in great shape. And if you've done something, if you're more secure today than you were last month, then I would say you're good enough. You're good to go.
So this is what you should be demanding from your vulnerability management solution: a prioritized list that says not "here are the 1000 items that need to be patched or else we're all going to die because the apocalypse is upon us", but exactly the opposite. Here's a list of things, here's the list of items that you do, and then if you only do one thing, here's the one thing that you should do. That's the real, actual, practical way to do vulnerability assessment, vulnerability management. Now there are a few other things you should expect your vulnerability management solution to do.
And this is what you'll get with our AVDS solution. Be more reactive: so if today you are used to scanning for a security problem, it should be the other way around. It should be scanning all the time, and then it should notify you if there's a new issue, or you should be searching the report for a certain issue. If you hear about Heartbleed in the news, your scanner should already tell you if you're vulnerable to Heartbleed or not. You shouldn't be going out there and scanning; that's the scanner's job.
You should be out there patching the system if you're vulnerable, or opening a bottle of champagne because you know that you're not vulnerable, but the scanning part should happen automatically and in the background. And false positives: I completely agree with Alexei that false positives are probably the biggest problem with vulnerability assessment. My lawyers won't allow me to write zero false positives, so I'm going to put this little asterisk, but I think 0.01% is pretty close to zero.
The chances of you seeing a false positive in our report are very, very small. And if you do see one, please call us, because we want to fix it right away. You should not have false positives. It's not your job to confirm if every vulnerability is true or not.
That's why you bought a vulnerability management solution. The scanner should do that for you. And of course, integration is critical. Vulnerability management, or assessment, is a part of everything else that you are already doing. And you should have quick integration with SIEMs, pen testing tools, ticketing, everything else that's out there. We integrate very well with those. And then also the business-oriented view is important: grouping servers, asset tagging, seeing reports according to business functions. That's all a very important part of the solution.
Now I need to say a word about the secret sauce, behavioral scanning. The way we do that is a little different from other scanners: we don't actually rely on the version information. So instead of saying your server is version XYZ and therefore it's vulnerable to all these things, we'll actually confirm that the server is vulnerable. This is done in a non-intrusive way.
We're not gonna execute a payload, and we're not gonna have any negative effect on the server, but we will confirm that the vulnerability is there, not in a hundred percent of the cases, but in most of our tests that's how it will be done. So our goal is to tell you that we think the vulnerability is there because we confirmed that it's there. You don't have to go and chase ghosts. So behavioral scanning immediately increases accuracy. There's no trade-off, so there's not gonna be false negatives either. And then it's very safe to use.
Of course, the solution works on the internal network and on the external network. You can see both in an integrated screen, you can download reports, you can drill down for more information. And to wrap up, this is why we're so good at what we do. We've been doing this for quite a while. So our automatic vulnerability detection system is based on 15 years of R&D, and we've compiled more than 10,000 attack scripts. Those attack scripts are what do the behavioral checks. And we cover just about every vulnerability that's out there.
So if it's a known vulnerability, again, it'll be our job to find it. And if we don't, then we messed up. And if we told you about a vulnerability that's not there, we probably messed up even more, because we're giving you twice the work to do. So accuracy is incredibly important for us. We're using our own proprietary technology. We've developed a technology that scans all levels: network, database, application. It's a full solution, all developed internally by us. And you can check out security.com
if you're curious about our background. Now, in the 1980s there was a very famous commercial in the US which was called the Pepsi challenge, where Pepsi tried to show that they're as good as Coke. So I'm gonna try and do the same with you. I'm gonna say: don't take my word for any of that. Try us out. Here's what you should expect: very, very low false positives, close to zero; that we can scan your network and we can scale to any size; that we will check everything.
So if you have a vulnerability on any layer, and if it can be used for an attack, then we'll detect it. That it's completely automated; there's nothing manual about it. It will replace the manual pen test that you might be doing now, and it's gonna be at a lower cost. It'll give you a report you can actually do something with, and it'll make you compliant.
Now, if any of these don't work out for you, and that's the Pepsi challenge, just say, "Hey, that's not what your sales said on the webinar," and send it back. And if you want, call me and I'll apologize, or just send it back, because it should do all of these things.
This is our aim. We wanna sell you something that you can actually use and work with, and that'll help you do your job better. And we'll meet everything that I'm telling you that we will do. We're fairly active in Europe. Here are some of our customers in the area. You can see some of them are quite big, some of them are a little smaller.
We're happy to work with small customers, medium customers, very large customers, anyone who needs vulnerability management or needs to find vulnerabilities on the network and fix them. We wanna talk to you. And as I said, it's true for internal scanning, external scanning and anything in between. I'll take questions now and I'll just leave this slide open so you have our contact information, and, Alexei, maybe that'll be a good time to open the floor for questions.
Well, thank you very much, Avira. I will leave your slide on screen for a couple of minutes so that people can write down your contact information, and then I will switch back to myself and we will start answering questions. So please submit your questions using the questions tool, and don't hesitate: if we do not have enough time to answer them, we will definitely come back to you by email or something like that. And actually I have the first question, which I find almost existential in nature.
So basically, a vulnerability assessment tool makes a lot of work for my IT department but doesn't actually add any security itself. So why is it better than just, you know, installing another firewall or another tool which actually does something to protect my information?
Okay. You're right, it is an existential question. Okay.
There's two answers to this question. I'll give you the practical answer, and then I'll give you an answer that you can use to convince a CFO or someone who's not technical. Okay.
On what matters. So from the technical perspective, right now you have security holes in your network. You have them right now with your firewalls, with your IDS, with all the other things. I think we all know that. The question is what are they and how can you fix them? So this is where vulnerability management comes in, and management is something that you have to do at some point; you are doing it today.
Obviously you're either paying someone to do a penetration test for you, or you're running some kind of tool on your own, because otherwise you wouldn't have installed the firewall in the first place, right? You've installed it because you have vulnerabilities and you deal with the vulnerabilities somehow. So the question becomes, how can you do that in a really efficient way, not by hiring someone once a year and paying them a lot, and not by running the tool manually? And the way to do that, you saw on one of the slides.
If you haven't checked your network since August 15, you potentially have, and you do have if you have any Microsoft technologies (and you must have, because you just logged into GoToMeeting, which only works on Windows), then you may or may not have those 15 vulnerabilities. So how do you know if you have them or not? You have to use some kind of vulnerability assessment. So from a technical perspective, there's just no replacement for vulnerability assessment. From a more, let's say, CFO point of view, or a budget point of view,
I will argue the opposite. I will say that the firewall that you have is actually the one that's not necessarily doing anything. How can you know what the firewall is actually blocking?
In fact, you probably have security vendors banging on your door every day, right? And telling you that you have this vulnerability and that vulnerability, and you have to buy the solution or else you have a problem. But how do you know you have the problem that they're talking about, and how do you know they solve your real problem?
Well, the answer is this. With vulnerability assessment, you can finally say: if I buy a firewall, I'm going to mitigate all those 61 high risks that I have in my organization. It could be a firewall, it could be an application firewall, it could be the new technology of 2016, but that's the way to measure it. And what you need to tell your CFO is: I finally have a tool for you that tells you what my security is, how it looks, and is it getting better or is it getting worse? And you can see that trend over there on that little arrow.
And the key is this: what you're doing today is you have a certain security budget and you're using it, but you don't know where it goes. And you don't know if you're more secure today than you were last year. You don't know. You just know that you are maybe spending more money or that you have more technologies, but you don't really know where you stand. And then you don't know how far you need to go. This is what vulnerability assessment tries to tell you.
So, in my opinion, vulnerability assessment is the foundation on which you should implement other tools, because it will tell you where your weak points really are, what it is that you need to do. And then you can measure those solutions and see if they really get you to that space. Because let's remember, our job is making networks more secure. It's not installing security solutions, right? That's the means to an end.
So I hope that answered the question, Alexei.
Okay, great. So let me switch back to my screen, just a second. And I already have the next question for you. So isn't a false negative actually more important than a false positive? So which measures do you have to ensure that you do not miss vulnerabilities that should be detected?
Okay, so I'll first tell you my opinion, which is not necessarily, you know, the universal truth, but it is my opinion. So in my opinion, no, a false negative is not more important than a false positive. And my opinion is based on just our experience with customers. You probably have some vulnerabilities today on your network, which means as an attacker, I can break in.
Now, if you have X vulnerabilities or X plus one, that doesn't matter to an attacker. I can break in with X and I can break in with X plus one. So finding that extra vulnerability, in my opinion, is not the most important thing.
The reverse is not true for false positives. If you have a false positive on the report, here's what's gonna happen. Number one, whoever is responsible for that server is now gonna stop fixing vulnerabilities, because now they have a case against you. You're gonna tell them next time they have a problem, and they're gonna remind you of that false positive they had two years ago, and therefore they're not gonna patch everything else. And I've actually seen that happen.
Now, even if it's not from the outside, even if it's from you: let's say you find a false positive in a report, and then a little bit after that the scanner tells you there's a critical vulnerability all across your network. Are you gonna jump and fix it immediately? You're not, right? You're gonna think about it. You're gonna confirm that it's there, because your belief in your scanner now is not that high. It's the boy-who-cried-wolf syndrome.
Now, if you cannot trust your scanner, then false negatives fall out of the equation, because it doesn't matter what the scanner is reporting; you're not gonna trust it anyway, you're gonna confirm it, which again screws the whole process of vulnerability management. So in my opinion, for an effective, I mean, in a perfect world, yes, finding false negatives is critical. In the world we live in now, which is not perfect, where networks have vulnerabilities,
I think false positives right now are the number one biggest problem that scanners have and should be dealt with. Once we fix that, we'll go back to false negatives.
Now, with that said, again, that's my opinion. I don't think I'm allowed to use that as an excuse. So if our scanner didn't find a vulnerability and that vulnerability is there, then that's a big deal. Then you should also, if you wanna add that to the Pepsi challenge, you are welcome to. We should find all the vulnerabilities that are there. We should not have false negatives, and false negatives are a problem because we wanna be a comprehensive scanner. Okay.
But again, if you're asking my opinion which is worse, I think for the real world, I think more of you are not doing vulnerability assessment because of false positives than the number of people who are not doing it because of false negatives. And that concerns me, because you are missing out on a really critical tool that can secure your network, and you're doing it because of deficiencies in other scanners, and that's the false positives.
Okay. Sounds reasonable to me.
And I would actually like to add from my side as well: a false negative in this case is actually not something that really exists, because, you know, if the whole number of vulnerabilities were finite, then there would be such a thing as a false negative. But in fact there are a lot of vulnerabilities which have not yet been discovered at all. I think that's a good point. So of course you do not rely just on your vulnerability scanner for your whole security infrastructure. You also have to use other tools as well. Okay. Next question.
Have you considered liabilities for customers affected by missed vulnerabilities?
That's, I think that's a really, really interesting topic. We have considered it.
We are considering it. I think this is something that will be more involved in the near future. I think that it's pretty inevitable, because what we all sometimes forget, and I'm including myself, is we are all so passionate about security and we're forgetting that for all the businesses
you all work in, the goal, your goal is not security. Your goal is whatever the business is doing. So security is an enabler for the task that you should be doing. It's not the goal by itself.
And again, we often forget that. So I think liability insurance is one great way to do it, where you would say: I'm gonna take the risk of an attack happening, and if it does, then I will get compensated by an insurance company. I think there's two really complicated problems to first solve. Number one is how do we measure the cost?
So what is the real cost here, and what happens when an attack actually happens? I'm sure there'll be an answer for it, but I don't know what the answer is. And number two is the standards, and that's actually coming along nicely. So you have standards like PCI and CIS, and right now it's mostly a stick. They're mostly telling you if you are not compliant, you're gonna be in big trouble. But I think very soon it's gonna be a carrot as well.
And they're gonna say, if you are PCI compliant and your credit card details are stolen, then Visa and MasterCard will forgive you because you did try your best. So today it's almost true. They're not gonna forgive you, but you're gonna be in a much, much better situation than if you're not PCI compliant.
And I certainly see that gradually going to other fields as well. So I would love to see liability insurance based on vulnerability assessment.
We are actually engaging in that. It's not in the very near future, but I expect that to happen.
Okay, great. And another question is coming. Let me just rephrase it from my point of view a little bit. You have talked about assigning risk scores to vulnerabilities. So who decides on those scores? Do you have kind of your own internal risk model, or do you support more than one risk model for different use cases, or can the customer assign their own, have their own say on what's more important?
That's a great question, actually.
So the answer is all three, and I'll explain what I mean. I'll do it in reverse order. Some customers that we talk to have a very clear security policy and they know exactly what the risks are and where they are, and they know which assets are more important than others, and what a critical problem is and what's not a critical problem. And that's great. If you have done that thought process, then we will allow you to adjust vulnerabilities according to business rules, according to assets; we will allow you to modify the severity of
vulnerabilities, because if you've done that thinking process, then we're gonna say, yes, you are absolutely right, because you are in the best position to know what's good for your own business. There's a second case as well. So going back, some of our customers say, we have not done that thinking process ourselves, or we're not going to because it's too complicated, but we do want to stick to compliance or to industry standards. So for those we will say, yes, we have CVE, CVSS; we have all the relevant scores for you.
So you can see everything according to those scores; we'll have all the compliance templates. So if you wanna go against CIS, PCI, every other compliance template, you're welcome to do that. And that's again a good solution, because you're probably doing it for business reasons, and as I said, business is the driving factor here. But there's also a third, and that's the first case that you said. You may say, we haven't done that process of thinking what's exactly right for us, and we don't necessarily wanna follow an industry standard. So, Beyond Security, what do you think?
So I would say we're really happy you asked, because we happen to have our own opinion on what's critical. So we have our own rating system, which is three levels, high, medium, low, and it takes into account things like how easy is it to exploit? If it's really easy to exploit, that's something you should fix quickly. If it's really hard to exploit, even if the result is full control over the system, but we know it's very hard to do, then it's not as important. How easy is it to deploy the patch?
Again, if it's really easy to fix, we'd say please fix it quickly. If it's really hard to fix, we'd say, you know what, wait with it a little bit. So we'll tell you which ones are critical, the high risks; that's gonna be like the 10% of the problems that should be dealt with quickly. And then which are the medium risks and which are the low risks, which we think that if you never, ever fix, you'll still be okay. And that's our opinion. It's a little bit based on CVSS,
and it's a little bit based on our secret recipe, and a little bit on our experience, and a little bit on customer feedback. So you could use one of those things: you can use our high, medium and low.
And just, if you're satisfied with our opinion or trust us, you can just stick with an industry standard, which is great. And you can customize the whole rating system completely, which again I think is phenomenal, because it means you've done your thinking, you know what's good for you, and we'll say, yes, exactly. So all three systems are available for you. And I think all three are great.
Okay, great. Here comes another question. So how does your scanner detect zero-day vulnerabilities?
Okay, so that depends on the definition of zero day. So like Alexei said, there are some vulnerabilities that we don't know about, in which case we cannot detect them. By the way, we have another tool for finding unknown vulnerabilities, which I'll be happy to talk about separately. So send me an email if you're curious about unknown vulnerabilities, but this tool, the vulnerability assessment and management, focuses on problems that can be solved, which means known issues. So if by zero day you mean a problem that was just released, then our tests update within 24 hours.
So if you scan daily, and if the problem that you're talking about was discovered or released in the last 24 hours, or often even shorter than that, then we should already be scanning for it and telling you if you're vulnerable or not. So if your definition of zero day is something that was just published, then yes, we cover that by just quick updates to the system.
And if you are talking about vulnerabilities that are not yet known, that are out there, then we should have a separate discussion about that, but it's not gonna be covered by the assessment solution I'm showing here.
Okay, fine. And we really have time for one last question, and it's a really tricky one. So how does Beyond Security, well, I see, how does your solution differ from other products from other vendors like IBM or in Porwal?
Great.
So I love this question, because I've got a really simple answer. Instead of showing you by PowerPoint, why don't you try and see? I think you're not happy, if you've seen those solutions or if you have one, I think you're not happy with it because of all the reasons we said. And I think if you run our system side by side, you'll see the difference.
And then, you know what, if you don't see the difference, send it back and say, I'm happy. And then you'll at least know that you've made the right choice for your organization. So rather than telling you a lot of long stories about how great we are, I'll just ask you to take the Pepsi challenge. Just like Pepsi said, you know, taste Coke, taste Pepsi, tell us which is better, I'm asking you to do the same: try that other solution that you have or that you're evaluating, try the solution by Beyond Security, just try us out, and then see which seems better.
If we cannot show you the value, then everything that I'm gonna say now is a waste of both of our time, right? Okay.
Well, that sounds reasonable too. And we have just reached the top of the hour, so I can only say thank you, IRA, for a really interesting and quite deep presentation, and thanks to all the attendees for being with us and for submitting such interesting questions. I hope to see you in one of our next webinars. On our website you will always find the latest information about our future events and the recent research items we publish regularly. So thank you very much. Have a nice day.