VM Practitioner Workshop

CVE Masters Workshop: Shift from Threat to Risk-based VM

Tuesday, August 13, 2024
12 pm CT - 6 pm CT

15 spots only

CVE Workshop for Vulnerability Practitioners

Join our workshop to elevate your skills and become a distinguished leader in vulnerability management and cyber risk.

In this workshop, we’ll teach you how leading security teams build their vulnerability management programs. We’ll also use real-world data to demonstrate the pros and cons of various approaches to vulnerability prioritization, such as CVSS, EPSS, and SSVC. 

Bonus: Exclusive tips on metrics for executive reporting.

Agenda 

Welcome / Introductions

  • Introducing attendees and instructors 
  • Understanding attendees' objectives for this workshop
  • Discussing the agenda, setting an action plan

Defining, Quantifying & Measuring Cyber Risk

  • Value, challenges and limitations of CVSS and EPSS
  • Quantification, the holy grail empowering unification and decision-making
  • Do we need a new risk scoring system and why?
  • Balbix risk framework and scoring system

Building the RBVM Program

  • Unified visibility across the enterprise - CAASM & SBOM
  • Risk-based prioritization at the scale and speed of today’s attacks

Hands-on workshop

  • Learn how to implement RBVM
  • How to get started  

Case Studies & Wrap-Up

  • Examples/use-cases of a risk-based approach
  • Challenges they faced and how they overcame them

Post-workshop Activity

  • Practice your swing mechanics at our range clinic
  • Enjoy light bites and beverages on the course

Key takeaways 

  • Learn how modern security teams prioritize vulnerabilities effectively 
  • Understand the limitations of CVSS and EPSS.
  • Discover how incorporating threats, controls, and business context impacts prioritization.
  • Learn to use metrics that will demonstrate your program’s success to executives.
  • Understand how to map vulnerabilities to TTPs

Workshop Overview

Your vulnerability management dashboard currently shows thousands of open vulnerabilities. As a security leader, you are likely overwhelmed and perhaps a bit exhausted from creating tickets for your IT team to patch these critical vulnerabilities. However, the cycle doesn’t end, as new vulnerabilities emerge daily. One of the key findings of the 2024 Verizon DBIR report was that vulnerability exploitation as a key step to initiate a data breach has increased 300% YoY. This requires a laser-focused approach to prioritize vulnerabilities that truly matter (and cause significant operational and business impact) while disregarding the rest.

Each traditional vulnerability prioritization framework, whether CVSS, EPSS, or another, has its shortcomings. CVSS lacks exploitability context, while EPSS lacks asset/business context.

In this workshop, we will present a modern approach to vulnerability management that considers key aspects such as severity, threats, mitigating controls, asset exposure, and business context. We will also share effective but often overlooked metrics that successful vulnerability management teams use to demonstrate their program success to executives.

You will gain a comprehensive understanding of the current approaches for vulnerability management, along with their pros and cons. We will discuss the tactics, techniques, and procedures (TTPs) that attackers use, leading to a steep rise in vulnerability exploitation.

We will cover vulnerability management approaches for infrastructure, applications and containers and introduce an approach that unifies them. Finally, we will feature a leading organization that implemented a risk-based approach to vulnerability management. This success has helped reduce security risks, improve insurance coverage and lower premiums.

The workshop includes a hands-on component, and we expect to conduct group work to help you apply the workshop concepts in a lab environment. We will provide new ways to visualize vulnerability data and build dashboards on metrics that you can take away and implement in your environment.

Hosted By

Dragos Josanu
Sr. Director, Solutions Architecture, Balbix

Dragos has 25 years of experience developing complex IT and cybersecurity solutions while working for Qualys, Mandiant, FireEye, Cisco, and HP. At Balbix, he guides organizations to quantify cyber risk across all their security tools, helping them prioritize, remediate, and inform decisions to reduce business risk efficiently. He has a BSc, MSc, and PhD in IT and cybersecurity.

Ferenc Spala
Director, Solutions Architecture, Balbix

Cybersecurity professional with 17+ years of experience designing and implementing security solutions for complex environments and breaking into secured environments as an ethical hacker. At Balbix, he's in a pivotal role working with engineering, product management, and customer success to ensure product excellence and customer satisfaction.

Location

Cowboys Golf Club
1600 Fairway Dr.
Grapevine, TX 76050
Legends Range Room

Cowboys Golf Club is distinguished as the first and only NFL-themed golf club in the world, and one of the region's only all-inclusive world-class resort golf properties.
