CC13: Dr. CVE Love, or how I learned to stop worrying and love vuln management
Author: CactusCon
Uploaded: 2025-05-09
Views: 121
Description:
Ben “From KC” Webb explains why most vuln‑management data is junk—and shows a repeatable process to extract real security value.
Executive dashboards love CVE counts; defenders usually hate them. In this CactusCon 13 talk, Ben Webb (Recon InfoSec) dissects the pain points of enterprise vulnerability management and presents a pragmatic framework that ignores 80 % of low‑value data.
Highlights include:
Seven Precepts every program must accept—starting with “scanner output is mostly garbage” and ending with “you’ll never be finished.”
A four‑phase Process: gather inventories, rescore findings with external threat intel, re‑score again by business context (e.g., subnet or function), then combine the data together
The Point: focus on out‑of‑patch‑cycle systems, widespread mis‑configs, and orphaned assets—then measure progress using moving‑average KPIs instead of raw CVE totals.
Sample metrics (exception counts, SLA breaches, unknown assets) that spark management support rather than fatigue.
Whether you manage 100 servers or 100 000, you’ll leave with concrete steps—and talking points—to reduce toil while raising security value.
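The four-phase process and the moving-average KPIs sketched in the description, worked through as an added Python example (not code from the talk or from Recon InfoSec). The inventory, findings, threat-intel set, subnet weights and KPI series are all constructed sample values, and the CVE ids are placeholders.

```python
# Added example: toy vuln-management rescoring pipeline following the talk's
# four phases (inventory -> threat-intel rescore -> context rescore -> combine),
# then filtering patch-cycle/no-fix items and trending a KPI with a moving
# average. Every input below is constructed sample data, not real findings.

# Phase 1: asset inventory with patch cadence (constructed). patch_days=None
# marks an orphaned asset that no regular patch cycle will ever touch.
INVENTORY = {
    "web01":  {"subnet": "dmz",      "function": "public-web", "patch_days": 30},
    "db01":   {"subnet": "internal", "function": "database",   "patch_days": 30},
    "kiosk7": {"subnet": "branch",   "function": "kiosk",      "patch_days": None},
}
# Raw scanner output (constructed). CVE ids are placeholders, not real CVEs.
FINDINGS = [
    {"host": "web01",  "cve": "CVE-0000-0001", "cvss": 9.8, "fix": "patch"},
    {"host": "db01",   "cve": "CVE-0000-0002", "cvss": 7.5, "fix": "patch"},
    {"host": "kiosk7", "cve": "CVE-0000-0003", "cvss": 5.0, "fix": "config"},
    {"host": "web01",  "cve": "CVE-0000-0004", "cvss": 6.1, "fix": "none"},
    {"host": "db01",   "cve": "CVE-0000-0005", "cvss": 4.0, "fix": "config"},
]
# Phase 2 input: external threat intel, e.g. a "known exploited" list (constructed).
EXPLOITED = {"CVE-0000-0003"}
# Phase 3 input: business-context weights by subnet (hypothetical values).
SUBNET_WEIGHT = {"dmz": 1.5, "internal": 1.0, "branch": 0.8}


def rescore(finding):
    """Phases 2-4: weight the scanner score by intel, then by context, then combine."""
    host = INVENTORY[finding["host"]]
    intel = 2.0 if finding["cve"] in EXPLOITED else 0.5       # phase 2: threat intel
    context = SUBNET_WEIGHT.get(host["subnet"], 1.0)           # phase 3: environment
    return round(finding["cvss"] * intel * context, 2)         # phase 4: combined score


def prioritize(findings):
    """Drop items the normal patch cycle will fix and items with no fix; rank the rest."""
    kept = []
    for f in findings:
        host = INVENTORY[f["host"]]
        in_patch_cycle = host["patch_days"] is not None and f["fix"] == "patch"
        if in_patch_cycle or f["fix"] == "none":
            continue  # noise for this program: handled by routine ops or unfixable
        kept.append({**f, "score": rescore(f)})
    return sorted(kept, key=lambda f: f["score"], reverse=True)


def moving_average(series, window=3):
    """KPI trend (e.g. weekly SLA-breach counts) as a trailing moving average."""
    return [round(sum(series[i - window + 1:i + 1]) / window, 2)
            for i in range(window - 1, len(series))]
```

What survives the filter is exactly the out-of-cycle work the talk says to focus on: the orphaned kiosk with an exploited config flaw ranks first, the routine patch items vanish from the queue.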
00:00 Introduction & session housekeeping
01:04 Why “Dr. CVE Love”? Title explained
01:42 Speaker background – Ben “From KC” Webb
02:52 Talk roadmap: Precepts, Process, Point
03:39 Precept 1 – Vulnerability data is terrible
05:31 Precept 2 – Prioritization pitfalls
06:58 Precept 3 – Most CVEs are noise
07:56 Precept 4 – You’ll never ‘win’ vuln‑management
08:50 Precept 5 – Vulnerability data is not a good measure of success
09:25 Precept 6 – Ops discipline before vuln‑management
10:20 Precept 7 – Safely ignore 80 % of findings
10:41 Process 1 – Gather inventories & patch cadences
11:29 Process 2 – Rescore the data with threat‑intel services
12:17 Process 3 – Rescore again with environmental context
13:24 Process 4 – Combine the data together
14:08 Filter out patch‑cycle & non‑fix items
15:19 The Point – Identify high‑impact fixes
17:24 KPIs & moving‑average metrics that matter
20:47 Conclusions – Value over vanity numbers
22:13 Closing thanks & community invites
#VulnerabilityManagement
#CactusCon
#CVE
#RiskMetrics
#CyberSecurity