Q: How do you determine which security vulnerabilities to address first? What factors influence your decision-making process?
Obinna Eze: One way our team determines what security vulnerabilities to address first is through triaging.
During this process, we leverage threat intel, asset, and business context to prioritize vulnerabilities that will have a high impact and ultimately lead to risk reduction. In effect, our decision is influenced by business needs and security requirements.
Q: Can you describe a situation where you collaborated with other departments to resolve a significant security vulnerability? What steps did you take to ensure the solution was effectively implemented?
Obinna Eze: In general, my focus is always on risk reduction. I separate reality from the noise, and there is a lot of noise when it comes to vulnerability management.
To be effective in doing this, I ensure that I provide full service to my customers (various business units).
Some of the steps taken include assembling the list of affected assets (asset inventory), reviewing threat intel (exploitability, exploit PoC availability, ease of exploitation), performing a triage, and researching workarounds and fixes where possible so that they come in handy when I reach out to affected teams.
In some cases, I perform a lot of handholding, especially when working with less technical teams or business units.
Q: What are your main considerations when selecting tools for vulnerability scanning? How regularly do you reassess your choice of tools?
Obinna Eze: It’s hard to make a switch. I always keep this at the back of my mind.
Experience has shown me that it is important to get this right the first time. But generally, my focus is on integrability, extensibility, and reporting.
A tool that is extensible will always win over tools that are packaged as complete. No tool is complete, but they should be able to work well with other tools. Granular reporting through tagging is always desirable.
Q: How does your role in vulnerability assessment fit into the wider incident response framework of your organization? Could you provide an example of how this alignment has helped manage a security issue?
Obinna Eze: Vulnerability assessment is a proactive engagement.
However, there is a lot of overlap with incident response. For example, my team is closer to the assets and can easily provide the needed data, threats, and vulnerabilities associated with any asset.
This comes in handy during the detection and analysis phases.
Q: In an ever-changing cybersecurity landscape, how do you stay informed about new vulnerabilities and threats? Can you discuss how a recent update in your field impacted your work approach?
Obinna Eze: Subscriptions to threat intel providers, hackers’ forums, and mailing lists have been most beneficial.
Rapid prototyping or a fail-fast approach to innovation has led to shorter asset lifecycles. These ephemeral assets, powered by Infrastructure as Code (IaC) and what I call extreme DevOps, account for about 40 percent of a typical organization’s assets. As a result, most vulnerability reports are already obsolete by the time they make it to the asset owners.
This calls for a new approach to vulnerability management. Traditional patch management will be a thing of the past in this paradigm. My guess is that these days, it is easier to rebuild and redeploy workloads.
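The triage described in the second answer (asset inventory, threat intel on exploitability and PoC availability, business context) and the ephemeral-asset point in the last answer can be put together in one small scorer. The following is an added illustration written for this page, not the interviewee's tooling; the weights, the field names, the 14-day staleness window and the CVE identifiers in the sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    asset_id: str
    owner: str             # business unit that receives the outreach
    criticality: int       # 1 (low) .. 5 (crown jewel): business context
    internet_facing: bool  # exposure
    ephemeral: bool        # IaC-managed workload: rebuilt, not patched


@dataclass(frozen=True)
class Finding:
    asset_id: str
    cve: str               # sample ids below are placeholders, not real CVEs
    cvss: float            # 0.0 .. 10.0 scanner base score
    observed: datetime     # when the scanner last saw the finding


@dataclass(frozen=True)
class Intel:
    exploited_in_wild: bool
    public_poc: bool
    ease: int              # 1 (hard) .. 3 (trivial): assumed intel field


def score(finding: Finding, asset: Asset, intel: Intel) -> float:
    """Higher means fix sooner. The multipliers are illustrative assumptions."""
    s = finding.cvss
    if intel.exploited_in_wild:
        s *= 2.0
    elif intel.public_poc:
        s *= 1.5
    s *= 1.0 + 0.25 * (intel.ease - 1)   # ease 1 -> x1.0, 2 -> x1.25, 3 -> x1.5
    s *= 1.5 if asset.internet_facing else 1.0
    s *= asset.criticality / 3.0         # criticality 5 -> x1.67, 1 -> x0.33
    return round(s, 2)


def triage(findings, inventory, intel_feed, now, max_age=timedelta(days=14)):
    """Return (ranked, dropped).

    ranked:  findings that still matter, highest score first, each with the
             remediation route (rebuild for ephemeral assets, patch otherwise).
    dropped: obsolete findings: the asset is gone from the inventory, or the
             observation is older than max_age and must be rescanned first.
    """
    ranked, dropped = [], []
    no_intel = Intel(exploited_in_wild=False, public_poc=False, ease=1)
    for f in findings:
        asset = inventory.get(f.asset_id)
        if asset is None:
            dropped.append((f, "asset no longer in inventory"))
            continue
        if now - f.observed > max_age:
            dropped.append((f, "observation older than max_age"))
            continue
        intel = intel_feed.get(f.cve, no_intel)
        ranked.append({
            "cve": f.cve,
            "asset": f.asset_id,
            "owner": asset.owner,
            "score": score(f, asset, intel),
            "action": "rebuild" if asset.ephemeral else "patch",
        })
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, dropped


def run_example():
    """Constructed sample data; every id and value here is made up."""
    now = datetime(2024, 1, 15)
    inventory = {
        "web-01": Asset("web-01", "ecommerce", 5, True, False),
        "build-07": Asset("build-07", "platform", 3, False, True),
        "hr-db": Asset("hr-db", "hr", 4, False, False),
    }
    intel_feed = {
        "CVE-0000-0001": Intel(exploited_in_wild=True, public_poc=True, ease=3),
        "CVE-0000-0002": Intel(exploited_in_wild=False, public_poc=True, ease=2),
    }
    findings = [
        Finding("hr-db", "CVE-0000-0003", 9.8, now - timedelta(days=1)),    # top CVSS, no intel
        Finding("web-01", "CVE-0000-0001", 7.5, now - timedelta(days=2)),   # lower CVSS, exploited
        Finding("build-07", "CVE-0000-0002", 8.1, now - timedelta(days=3)), # ephemeral asset
        Finding("web-01", "CVE-0000-0002", 8.1, now - timedelta(days=30)),  # stale observation
        Finding("batch-42", "CVE-0000-0001", 7.5, now - timedelta(days=1)), # asset retired
    ]
    return triage(findings, inventory, intel_feed, now)


if __name__ == "__main__":
    ranked, dropped = run_example()
    for r in ranked:
        print(f'{r["score"]:>6}  {r["action"]:<7} {r["asset"]:<9} {r["cve"]}  -> {r["owner"]}')
    for f, reason in dropped:
        print(f"dropped {f.asset_id} {f.cve}: {reason}")
```

In the sample run the actively exploited CVSS 7.5 finding on the internet-facing asset outranks the CVSS 9.8 finding with no intel, which is the "reality versus noise" point: raw severity alone would have ordered them the other way. The two obsolete findings never reach an asset owner, and the ephemeral build host is routed to a rebuild rather than a patch ticket.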