Vulnerability Management
  • July 12, 2022
  • Scott Kuffer

Risky Biz Soap Box: Running a global vulnerability management program

Nucleus Cofounder Scott Kuffer demos Nucleus and discusses enterprise vulnerability management on Risky Biz Soap Box.

Listen to the podcast here.

Risky Biz Soap Box: Running a global vulnerability management program Transcript

Patrick Gray:
Hey, everyone. Welcome to this special soapbox edition of The Risky Business Podcast. My name’s Patrick Gray. For those of you who don’t know, these soapbox podcasts are wholly sponsored. That means anyone you hear in one of these podcasts is paid to be here. Today’s soapbox is brought to you by Nucleus Security. Nucleus makes a platform that ingests vulnerability scan information from all of your vuln-scanning tech, so that you can normalize that information and then do stuff like assign different vulnerabilities to different teams for them to manage and remediate.

Patrick Gray:
You can send these ones to infrastructure, send these ones to your app teams, send everything up and down this particular stack to this department, that sort of thing. And yeah, if you want to see Nucleus in action, I have recorded a demo of it with Scott Kuffer, our guest today, and it is on our YouTube product demos page. I link through to it in the show notes for this podcast.

Patrick Gray:
And of course our guest today is, as I mentioned, Scott Kuffer, who is the co-founder of Nucleus. And the topic is running a vulnerability management program for a very large enterprise. The ins and outs of all of that, and how that’s changing. It’s very interesting stuff. I will drop you in here where I ask Scott the first question. I hope you enjoy this conversation.

Patrick Gray:
All right. So Scott, why don’t we talk about the ins and outs, the complexities, the perils of managing a large-volume program. And now, when we talk about a large-volume program, we’re talking big company. Global. Divisions in 20 countries, hundreds of thousands of staff, that sort of thing. I’d imagine, probably people who aren’t familiar with super companies like that, super, mega enterprises, would think that everything’s uniform. There’s a standard operating environment across everywhere. And it’s all singing, all dancing. That’s not really how those places tend to work, is it?

Scott Kuffer:
No, that’s absolutely right, Patrick. It’s actually funny, because it’s something that we realized we haven’t talked much publicly about before. And there doesn’t seem to be a lot of material out there about how to manage processes, especially in the vulnerability management space, in really large environments. Which are just, by definition, extremely complex.

Scott Kuffer:
And we start to see that easy things become very difficult at scale when you’re just trying to do very simple things, like figure out if you even have a vulnerability, much less how to fix it, and to triage it, and all of the processes where everything needs to work together.

Scott Kuffer:
And honestly, I don’t know any enterprise that has a uniform standard process across anything, especially within security or different vulnerability management aspects. I mean, we’re even just looking at multiple different business units that don’t even use the same tools. And there’s always these 10-year-long projects just to standardize on the same vulnerability scanner. And then you go make an acquisition and all of a sudden…

Patrick Gray:
Yeah, that goes out the window because they’re using something else. And it’s embedded in there like a tumor, basically.

Scott Kuffer:
Exactly. It’s been there since 1999. They’ve got a whole bunch of folks just out there doing things. Sometimes they’re delivering reports to somebody’s desk. It’s a whole thing.

Scott Kuffer:
And then you have to change an entire process. And I think the old adage is, it’s hard to steer an aircraft carrier. Well these companies, especially on a global scale, are like trying to change an entire fleet of aircraft carriers at the same time.

Patrick Gray:
Yeah, I was just, yeah. That’s what came to mind, is like trying to steer 10 in a storm.

Patrick Gray:
So how have companies traditionally tried to wrangle this issue, right? Because, it’s funny. Because I’ve known you since the start of your business. And when you started off, you were thinking very much along the lines of typical enterprise. Not Megacorps, just typical enterprise with a bit of a mix of technology. And we can help them sort of deal with that.

Patrick Gray:
And then where you’ve actually wound up doing quite a lot of your business is in these absolutely gigantic corporations, which are much bigger than the types of organizations that you were initially intending to help.

Patrick Gray:
But ignoring your technology piece of it, how is this problem typically managed by these extremely large orgs? Do they typically sort of deputize people in the regions to manage programs locally? Do they have any sort of, is there any sort of uniform guidance that comes from corporate HQ? What does it typically look like?

Scott Kuffer:
The short answer is that it’s all over the place. So you actually see, traditionally, one of three different models. The first model that we see be pretty successful, sometimes depending on the organization and a whole bunch of political stuff going on in these giant enterprises, is a global services team.

Scott Kuffer:
So what they’ll do is they’ll almost create a managed service provider inside of the organization, and they’ll consolidate all of their cyber security services capabilities into one place. And then all of the business units will essentially contract to this internal team that essentially is just serving as an internal services provider.

Scott Kuffer:
And so depending on your organizational layout, that can be successful, because you might have certain directors that all roll up to one global security team. And you get some benefits to that. But the problem is that you’re trying to build a one-size-fits-all approach at that point.

Scott Kuffer:
And so how you’re operating in Asia is most of the time completely different than how you’re operating in Europe, how you’re operating in North America, and then even within different regions.

Patrick Gray:
Yeah, and it seems crazy to have a centralized team at an American HQ that has an Asia division for Asia, and it’s not in Asia.

Scott Kuffer:
Exactly.

Patrick Gray:
It just seems that’s where it starts getting a bit screwy.

Scott Kuffer:
Exactly. And so most organizations start there. And then they decide, oh, this is actually not working. So what we need to do is, we need to enable and democratize the entire process. So we’re going to start farming out and delegating essentially the responsibility for all of these different processes to different teams. And then what ends up happening is that you lose a ton of visibility. Because…

Patrick Gray:
I was just, yeah.

Scott Kuffer:
So it’s kind of a…

Patrick Gray:
You got no insight into what’s happening. And then you ask them to provide reports, but you don’t really know if the reports are any good. Or if they’re just telling you what you want to hear. And yeah.

Scott Kuffer:
Exactly. So it becomes very difficult just to manage the complexity. Of just, again, being able to say, Hey, do we even have this vulnerability? What does our patch cycle look like? And then having to aggregate that across a whole bunch of different business units.

Scott Kuffer:
So those tend to be the two models that we see most commonly. And then the third model is somewhere in between, right? Where you have essentially an oversight layer. And this is where it kind of gives me a little bit of PTSD flashback to federal government, right? Where you’ve got this bureaucratic layer that is meant to essentially quote-unquote, “manage” the process. And then they essentially farm it out and enable different individual offices around different regions.

Scott Kuffer:
And so you have somewhat of the challenges in-between the top level overall management of the overall process, and then some of the challenges of the visibility aspect. And they’re trying to bridge the gap in between the two. And then when you start talking about that, and how do you even make that decision, is very difficult.

Scott Kuffer:
And we have organizations that we work with that have tried all three of those in the scope of 10 years. And you know, there’s a lot of expertise that’s missing because it just hasn’t really been done before in these super corporations, if you will.

Patrick Gray:
Yeah. So what’s the recipe for success in doing that? Is there one, or it’s just kind of luck of the draw? Because I’d imagine a little bit of both, really.

Scott Kuffer:
Yeah. Honestly, I hate to be the bearer of bad news at this point, but there are not many corporations or organizations in general that have been super successful with widespread vulnerability management deployment. And, which is funny. I was talking to a CISO the other day. And he basically said vulnerability management has become the dirty little secret of cyber security, specifically in these big organizations.

Scott Kuffer:
And there hasn’t been a whole lot of visibility into the overall process. And that’s why everybody’s like, Hey, here’s our scan results. And they try to Jedi mind trick their way through the compliance audit of, we’re fine. Nothing to see here. Right? And so…

Patrick Gray:
That’s kind of what I was saying about people just saying what they think the people above them want to hear. Right? Because there is a bit of that sort of thing.

Patrick Gray:
Well, which when you’re in a position where you can’t really give them what they’re demanding, that’s always going to be your result. Right? You can’t just tell people, do something impossible and tell me you’ve done it. They’ll just say, yeah, okay. We did it. Cool.

Scott Kuffer:
Exactly, yeah. Here are the numbers, here’s our PowerPoint slide. And it’s starting to not work anymore to do that. That’s been something we’ve seen historically. Where we’ve even worked with customers that say, hey, we can’t change the metrics we’re using. Because if the metrics and the numbers change that much, even just from the ability to monitor, we don’t know what the impact that is going to have on the board. Right? The board might come back and get really upset, or make some drastic decisions, and they don’t even know what they’re trying to do.

Scott Kuffer:
And especially when they start thinking about business context, and how do we … If I’m a chairman of the board of a giant organization and somebody brings vulnerability management metrics to me, it’s like, what does that mean? And how do you translate that into a real business process? Especially in a global setting.

Scott Kuffer:
So it’s one of those things where we haven’t seen a lot of success there, but we see appetite for success. And that’s something that I think is changing. We’re starting to see a tide, that’s kind of an undercurrent in the market and the industry, where everybody is trying to essentially figure it out. Because now we’re starting to see vulnerabilities being one of the top initial breach points into an enterprise. So it’s no longer phishing. So that’s their shout out to the Proofpoints of the world, and the Novafors and whatnot.

Patrick Gray:
Yeah. Well, I mean, that high-impact stuff is mostly on the edge devices and stuff, right? So that’s what’s distorting those numbers. But even if they’re not the number one, even if they’re not the number five, you’ve still got to patch.

Scott Kuffer:
Exactly.

Patrick Gray:
You’ve still got to patch your stuff. Because if people stop patching, they will become number one pretty quick. But let’s talk a little bit about how that reporting flow has traditionally worked. Because I’d imagine it would mean a binder full of Nessus, Qualys, Netsparker and whatever scan results. Yeah, just sort of stuffed into a binder and sent up the chain.

Patrick Gray:
Which isn’t the easiest thing to interpret, but it’s better than what we used to have. That’s one thing where the scanners have got better, is their reporting is actually pretty good now. But only for the results from its own scan output. If that makes sense.

Scott Kuffer:
Exactly. And the processes that we’re starting to see organizations build do actually reflect that, right? The increase in the productivity of the scanning tools. But what’s happening now is that we’ve got cloud scanners, and CSPM, and Wiz, and Lacework and all of those that now we’re trying to manage. And we’ve got all the AppSec stuff that you’re trying to build in an agile environment.

Scott Kuffer:
And so now we’re seeing the vulnerability management is starting to become responsible for managing not just network security vulnerabilities and patching, but essentially somebody needs to manage all of it. Right? Because the board and the CISO is not asking about, hey, what’s our network vulnerabilities? They just want to know, hey, where are we at risk for all of our vulnerabilities? And how do we actually make decisions to invest in the right places to fix those?

Scott Kuffer:
And so that reporting structure is we’re starting to see, we started to see this shift about five years ago, where everybody was now dumping all of this data into SQL databases and data lakes. Because data lakes and data warehouses were the new hotness at the time, right?

Patrick Gray:
Yeah, yeah.

Scott Kuffer:
And so everybody’s trying to use Snowflake, and then they realize, well, that’s awesome, but now we don’t have the ability to execute and remediate and take action on it. So now we need this blend of, well, we need to be able to manage the data, and we need to be able to report on the data. And we need to be able to do that at scale across our entire environment.

Scott Kuffer:
And if the CISO asks me, do we have a vulnerability? I want to be able to answer that question without having to go ask 17 other people, and then have them go ask 17 more other people, and more people until you get down to all the individual tools. It just becomes a nightmare really, really quickly when you boil it down.

Scott Kuffer:
But that being said, I think the big kind of takeaway here is that we’re starting to see organizations shift, and wanting to invest in this type of change in their infrastructure. Because the cultures are starting to shift as well, where risk and vulnerabilities are actually starting to go hand in hand. Whereas vulnerability scanning was sort of the, hey, we’re doing our scanning, we’re fine. But that’s starting to shift.

Patrick Gray:
Yeah, yeah, yeah, yeah, yeah. No, that’s exactly it, right? Are you using Nessus, yes, no? Tick, move on. Right? Let’s go get coffee.

Patrick Gray:
And then I think it’s, yeah, it really is that realization that, especially now that everybody’s developing apps, I think that’s another big thing that’s changed. Is that you can’t just rely on scanners that are looking for known CVEs, right?

Patrick Gray:
You’ve got to look for dodgy input fields in your own applications, and SQLi, and all of that sort of stuff. So you’ve got your stuff like Snyk and I think Netsparker was one I mentioned before. And yeah, just all of that different stuff. And as you mentioned, the CSPM. Which for those not familiar with the acronym is Cloud Security Posture Management.

Patrick Gray:
So that’s, yeah. Yeah. There’s a lot of different stuff in the mix now. Do you think that’s what sort of spurred people on to need that change?

Scott Kuffer:
I think so. Right? There’s always been this concept called vulnerability sprawl, which is just vulnerabilities everywhere. But when it was all kind of contained in a single part of your tech stack, it was not that big of a deal. Right?

Scott Kuffer:
It’s hey, we’ve got a few million vulnerabilities, but they’re all kind of just over there, so we can go get them. But then as you start seeing that as organizations get more complex, we’re starting to see even the differences like, hey, there’s SAST scanners or whatever, we’re scanning and have product security for all of our apps that make us money, and that’s one team. And then we have our corporate AppSec team. That’s responsible for the apps that don’t make us money. It’s just our internally developed apps. And they’re totally different processes owned by different people. And they have completely different workflows and tool sets as well.

Patrick Gray:
It’s almost like this is a problem that’s quite contemporary, right? Because we have seen this big pivot to a lot more in-house developed stuff. And yeah, we just maybe didn’t foresee that this was going to turn into something that was going to greatly complicate our vuln management efforts.

Scott Kuffer:
Absolutely. And I think the biggest takeaway at this point is that we just need to go faster, right? Our vuln management processes that they’re kind of working, but they’re very manual. And they just, they just need to go faster. Because our IT infrastructure changes all the time, and we need to be able to provision and manage the process as quickly as possible.

Scott Kuffer:
And I think what we’re starting to see as well is, a lot of organizations are having a hard time actually hiring for this. Because there are a lot of folks out there who are really great at running Qualys scans, and being really great at going into the Qualys console or whatever, and generating the reports, and understanding that type of data.

Scott Kuffer:
But when you start looking at, well, how do we join data across all of the different parts of our stack so we figure out what to do, and prioritize, and triage, and analyze all of that data at scale? We’re starting to see a need for those types of skills. And a lot of our clients, and just in the industry, we’re seeing that it’s really hard to scale a team across a global infrastructure.

Patrick Gray:
Yeah. Yeah. So a major bank, well, here, would have a cert with a couple of people in it. And now that’s a much bigger job, I think, is kind of what you’re getting at. Right?

Scott Kuffer:
Totally, yeah. It’s like, who do we hire? Who can we hire? And assuming that there aren’t that many vulnerability management experts in the world, how do we build those? And how do we take people internally, and turn them into that? And we’ve actually started to see those same challenges internally at Nucleus, right? Because we’re trying to become the vulnerability management experts that help define these very complex processes and environments.

Scott Kuffer:
And as we’ve grown super rapidly, it’s a similar challenge to what we’re facing. How do we train an entire cohort of people, who know just bits and pieces about vulnerability management, to be specialists across the entire stack and the entire process?

Scott Kuffer:
And that’s a real challenge. I mean, even just looking at the industry as a whole, there’s not a lot of educational courses out there about how to do vulnerability management correctly. I think there’s only one SANS course that was written by a couple dudes that we know. And then there’s one by a woman named Dr. Nikki Robinson who works at IBM, and she put together a great course. But they all kind of touch different pieces. There’s just not a lot of standardization. And everybody’s just trying to figure it out.

Patrick Gray:
Well, I think that gluing this all together was a nice-to-have previously, and now it’s kind of a must-have for most orgs. I think that’s a big part of it.

Patrick Gray:
Let me ask you this. Now, obviously the reason we’re talking about all this is because you make tooling, which is designed to sort of solve a lot of these problems, or at least help people to wrangle them. You’ve gone into some very large organizations and helped build some of this reporting that gives them insight. When you turn on something like your software, when you turn on something like Nucleus and it starts populating data into a central place, what is the one thing that tends to pop up most in terms of, oh God, we’ve got to fix that. Right?

Patrick Gray:
Because all of a sudden you’re shining a light on the whole org and it’s vuln posture. Where are the horror shows? Where do they typically turn up?

Scott Kuffer:
So this is actually a great question. Because mostly it ends up with the patch management team’s reporting, is where the biggest issues arise. Because patch management teams are reporting against kind of the patches that they’re running. And so they’ll deliver that to the CISO, or to whoever it is that’s monitoring that. And say, hey, we had 98% success rate on our patching for the month. Our SLAs were all hit, we’re good to go. And then you start looking…

Patrick Gray:
And then you start looking at the scan results, and it ain’t necessarily so.

Scott Kuffer:
Exactly. And it can be simple, simple fixes, right? Where, hey, we’re not uninstalling old versions of the software. So actually, we’re just accumulating new vulnerabilities over time with new sets of the same software. And so the patch report will say one thing.

Patrick Gray:
Well, Adam Boileau actually has a rule for it, it’s Boileau’s Rule, which is the security of an organization is inversely proportional to the number of Java versions on their Unix servers. Right?

Scott Kuffer:
Oh, is that a law? Is that written down somewhere?

Patrick Gray:
Yeah. This was from a post he wrote for our blog years ago, but it’s, yeah. It’s basically Boileau’s Law, which is the, yeah, the security of an organization is inversely proportional to the number of concurrent Java versions running on its Unix boxes.

Scott Kuffer:
Honestly, that’s pretty on brand for middle.

Patrick Gray:
Yeah. But it holds true, right?

Scott Kuffer:
It does, yeah. And you just extrapolate that out to all of the different vendors that you’re using in a global enterprise, and now you’ve got a little bit of a dumpster fire on your hands.

Patrick Gray:
Yeah, yeah, yeah. So that is interesting. Although I mean, you guys don’t really touch the patch management side, right? Like you’re not trying to automate patching and all of that. So even if you know your patches aren’t sticking, well, I guess that’s it, isn’t it? The first step here is knowing that you have a problem, as they say.

Scott Kuffer:
Yeah, that’s part of it. I think another big part, and something that becomes really important at scale, is just prioritization. How do you actually figure out what you want to fix? And define it. Being able to define that, so it’s just every vulnerability from every scanning tool is being treated equally in your overall process.

Scott Kuffer:
Because when you’re a giant global enterprise, you’re looking at 50 to 500 million vulnerabilities that you just have open at any given time. And so when you’re looking across that many, it’s just impossible to fix all of those, right? You maybe can fix 5%, maybe 10% if you’re really investing heavily.

Scott Kuffer:
So being able to just define what you want to fix, and then just getting that information to the patch management teams. Right? Because the patch management teams are great. They’re doing their job, they want to be successful as well. But they don’t actually have the information. And quite frankly, they don’t care about vulnerabilities. They care about running their patches and…

Patrick Gray:
They care about hitting their SLAs, right?

Scott Kuffer:
Exactly. And so if we can abstract the vulnerabilities themselves away from the patch. And just say, hey, run this patch. It came from the security team. And by the way, it’s high priority. And just roll it out with your next patch cycle that you’re doing. Or hey, this is really bad. We actually need to roll it out now. They tend to do it, right? So you don’t need to encourage people with sticks and throwing stones. You just kind of need to get them the information so they can do the job.

Patrick Gray:
Need to provide them with the information where you can say, from a position of authority, this is important.

Scott Kuffer:
Exactly. Because the worst thing you can do, and one of the biggest problems we see, is bad data. Or stale data. Where you go and you give something to a remediator and they say, oh, this isn’t valid anymore. Because either the system’s no longer there, or the vulnerability is just not, it’s just a false positive.

Scott Kuffer:
So that filter that you have to apply to large volume sets of data is very important. And it gets overlooked oftentimes by some of these vulnerability assessors because they’re just like, well, we need … This looks really bad. We need to ship it to somebody. But it’s like, well, who do we even ship it to? Has it been triaged appropriately? And then how do we manage that triage process at scale without thousands of people just poring through giant volumes of data? Because that’s no good either. Then you’re in the same position you were in with SIEMs 10 years ago.

Patrick Gray:
Yeah. So I mean, you’re not the only company that’s making tools that are designed to solve this problem, or at least make a dent on it. But why don’t you talk us through what some of the other tooling has looked like, right? From a concept standpoint.

Patrick Gray:
Because I think everyone who makes tooling in this space has a slightly different approach. What are some of the other approaches that you saw before you founded Nucleus, to try to help people deal with this?

Patrick Gray:
Because it is, I mean, I remember stuff 20 years ago. I think it was, what were they? Trusted sec or whatever. I can’t, BeSecure. They went through about 10 different names and wound up being bought by Verizon. But even they had some sort of vulnerability inventory management kind of stuff back then that was useful for its time. It obviously wouldn’t work in a modern context, but yeah. Why don’t you walk us through some of the approaches from vendors in trying to tackle this?

Scott Kuffer:
Yeah, sure. And actually that’s a great point, right? When you look at our market in this space, I mean, you look at even, I hate to bring them up, but like you look at a Gartner and they don’t know what to do with all the tools in our space. They kind of just throw us in with the Nexuses.

Patrick Gray:
Gartner don’t know what to do with an awful lot of stuff, right? They just don’t.

Scott Kuffer:
They don’t. But that’s the interesting thing. So we get thrown in with a whole bunch of other just kind of stuff, right? That are all trying to solve at a top level, quote-unquote, “vulnerability management.” And so what we see is that are there, we do sometimes some similar types of things, but then very quickly they deviate based on what they’re actually trying to solve.

Scott Kuffer:
And there’s so many issues to solve in this area that, I mean, it’s no surprise that we’re all focusing on different stuff based on our experience. Right? I mean, some folks are really plugged into the CI/CD pipeline. And they’re like, well, that sucks. We want to be able to shift left and just orchestrate scanners in the pipeline. And that’s a great use case, right? But it’s a similar concept of what they’re trying to do.

Scott Kuffer:
But what we’re seeing just as a couple examples, prioritization was a big thing, right? You may have heard the term risk-based vulnerability management. That’s been around for about five years, six years now. That was one approach, right?

Scott Kuffer:
Which is, hey, our biggest problem is prioritization. Let’s just solve that, and then we’ll figure everything else out later.

Patrick Gray:
I mean, that was what CVSS was designed to do, but it doesn’t give you the full picture, right? Like a CVSS 10 on a box no one touches that’s buried deep in your network, that’s one thing. But maybe a CVSS 8.5 on a border device, much more critical, right?

Patrick Gray:
So it always comes back to that thing of, it depends. Trying to prioritize is actually not as straightforward as understanding whether or not a bug is severe or not. I mean, it might even be exploited in the wild, but by an APT crew that has no interest in owning you, so it’s very low risk. Well, not very low risk, but you know what I mean.

Patrick Gray:
So yeah, there’s a lot to weigh up there, isn’t there? In calculating what is actually important to you.

Scott Kuffer:
Exactly. And that’s definitely a big challenge, right? That is a big core, fundamental problem with this type part of the industry and those workflows. But it’s not the only problem, right? So if you look at some of the other tools out there, they just focused on prioritization.

Scott Kuffer:
Because again, that’s a big, hairy problem that is not as super straightforward. But it kind of ignored the fundamental kind of process piece, right? And so we sort of fit in this fun little middle section. Where it’s like, Hey, we actually want to overlay the entire process. And there’s ninety-seven, a hundred and fifty different processes that you have to be able to kind of trigger and manage across your vulnerability management stack.

Scott Kuffer:
Because for example, your GRC team cares about vulnerabilities because they have to do their exception management. Your patch management team cares about it. Your dev teams care about it, your product owners care about it. Your CEO, your CISO. Maybe not the CEO, but your CISO cares about that kind of thing.

Scott Kuffer:
And so we took the approach of saying, well, let’s build a tool that’s great for the analysts, who just have to do this process over, and over, and over again. And just be able to do it at scale. Because we’re essentially, quite frankly, we have all of these vulnerability analysts, which are being paid $150,000 to $200,000 a year to just fill out spreadsheets and keep data up to date. And it’s just like a total waste of everybody’s time when we could start…

Patrick Gray:
It’s a waste of human endeavor as I would say, yeah.

Scott Kuffer:
Yeah, exactly.

Patrick Gray:
I mean, and that’s why you created, yeah, Nucleus. Which is a pretty ambitious thing. Because the idea is, all of those people log into the … Now we’ve done a demo, a video demo of the product, which is going out on YouTube around the same time as this podcast. So I’ll link to it from the show description.

Patrick Gray:
One thing that you mentioned, which I found really interesting, is that one of your customers … You have, what, 500 or 600 daily users for just that customer? Of people logging into your stuff.

Patrick Gray:
And I think what makes that particularly interesting to me, right, is that this isn’t designed to be a tool that you log into once a month and it spits out a report. This is designed to be the master console. So your CISO, she might log into it and use it right down to the vuln analyst, to the developer, to the whatever, right? Of course it’s going to have some rough edges, Scott. We all know that, when you’re trying to build something like this from scratch. But that’s the vision, isn’t it, to actually create a place where all of this data lives?

Scott Kuffer:
Exactly. And that was something that, when we started, we were trying to quote-unquote “democratize vulnerability management.” And we sort of had this idea and hypothesis in our head that, hey, there are organizations that if they’re medium, they’re not going to have vulnerability analysts where they can go in and just manage the data, day-to-day.

Scott Kuffer:
And so we just assumed, hey, if we build all this automation that’s going to be great, right? It’ll be an easy sell. We don’t even need sales people, right?

Scott Kuffer:
And then very quickly, our very first prospect, and our very first customer were a Fortune 500 company. And they basically came in and said, hey, all of our analysts are working out of a spreadsheet and we don’t want them to do that anymore. We would like them to have an updated list of all of the data, and to just work out of this one place with everything kept up to date. And I want their managing directors. If she wants to log in, if the CISO wants to log in and review it, pull whatever data they want at every layer of the tech stack and every layer of the organization, we want that. We want that right now.

Patrick Gray:
Yeah. And that was great, that was great. And then you had to build it.

Scott Kuffer:
Then we had to build it, right. We were like, yes. Give us a few months, we’ll be right back. Right?

Patrick Gray:
Yeah, yeah. And that’s the thing, right? Because once you’ve brought all of this, you take in all of the vuln scan data, put it in one place. I mean, that’s half of it. We spoke about this yesterday, that’s half of it.

Patrick Gray:
And then from there, it’s just feature requests, right? From your customers, and that’s what’s guided your development. And it’s not like, you know how you get these EDR tools and stuff with feature sprawl, and they just wind up really unruly. The whole point of your thing is to have a ton of features for everybody, to allow you to slice and dice and have workflows and whatever. But I mean even walking through the demo it’s clear that this tool, it’s a powerful tool, but you’re going to have to spend some time with it to learn how it works.

Scott Kuffer:
For sure. And that’s easy to overlook when you built it, to be able to say I … To me it’s just, I could do it with my eyes closed, right? But as you definitely get to these onboarding sessions and you realize that, hey, every big enterprise is doing things a little bit differently. And so they want to be able to slice their data just a tad bit kind of off kilter from everybody else.

Scott Kuffer:
And we have this larger vision for the product, right? We have all of these items that we want to build, that we know from our experience … And that’s actually the cool thing, right? We’re working with all these big corporations, and some of the best of the business. And they’re helping synthesize all of that data across a whole bunch of different verticals. Pharmaceutical, logistics, energy, government, just manufacturing.

Scott Kuffer:
And we’re able to take all this data, and build this as a bigger movement than just, hey, we’re a couple guys that had an idea. And that’s probably been the coolest part of this entire journey, is just getting to work with essentially all of these high-level folks that are honestly just as, way smarter than any of us.

Patrick Gray:
Well, you get some interesting insights out of the data that you aggregate too. And I mean, you’ve got an on-prem version, but it’s mostly a cloud service, right? As is the story for everybody else.

Patrick Gray:
I remember just recently doing an interview with HD Moore about Rumble. And that was funny, actually. Because he said that in the holiday seasons in the US, people go out and buy the latest internet-connected doohickey. And then of course he sees it in Rumble as an unknown device, and has to figure out what it is.

Patrick Gray:
And quite often he’s like, ah, that’s actually a cool doohickey. And then he like adds one to his cart and buys it. Right? So that’s the way he’s actionable intelligence there for Rumble. But I’d imagine you’d get some real insights into the types of things that different verticals struggle with.

Patrick Gray:
I mean, I don’t know. It’s going to be some good blog posts. I don’t know if it’s earth shattering and going to change the world, but it would be interesting.

Scott Kuffer:
Oh yeah. It’s super interesting. Maybe not as interesting as the newest Roomba. HD, please let me know. Amazon’s finding new ways to target you.

Patrick Gray:
So you’ve been doing this a few years now, are you noticing that there are more players entering the space, or other vendors that are trying to create stuff that’s similar? Are you, do you have competitors now where you see something they’re doing and you’re like, oh, that’s a good idea. And you’re learning from them. I guess what I’m asking is, is this, are we going to see more tools and tooling designed to do this sort of thing, do you think?

Scott Kuffer:
We are, actually. It’s funny because a year ago we used to laugh and say, hey, there’s not really anybody else that kind of is trying to emulate us. And then now we laugh because basically every week some new company basically just copies and pastes our messaging from our website, and puts it up. And you could even tell that it’s almost a direct carbon copy.

Scott Kuffer:
And then sometimes they will take screenshots, and they’ll basically just change the colors and things. And say, oh we do the same type of thing. So we totally expect that to happen, and it’s going to continue to happen. But I would say the thing that we…

Patrick Gray:
Yeah, but I’m not talking about them. I’m talking about the ones that you worried about. Not the ones that the ones that … The ones that you worry about, not the ones that you don’t worry about.

Scott Kuffer:
Yeah. There are. I mean obviously there are other tools out there that are competing as well. I think that where we sort of see a lot of our competitive moat is actually the complexity of environments is really hard to emulate if you haven’t worked there before.

Scott Kuffer:
And so, because we come from DoD and we worked, essentially built this tool with the idea of just giant enterprise, giant organization, most of the other tools that we see start to have a lot more kind of utility in the small to medium business market, where we originally thought we were going to have a bunch of success.

Scott Kuffer:
And whereas we start to really specialize in those big, complex, big, hairy problems is kind of where we do it.

Patrick Gray:
But I mean, you did start off thinking sort of medium enterprise, right?

Scott Kuffer:
We did, yeah.

Patrick Gray:
That is where you did think. But then you wound up going, okay, we’ll do the giant org thing.

Scott Kuffer:
Yeah, absolutely. And that absolutely, I mean, that’s definitely going to happen. Right? And we totally expect that to be a thing. I mean, and honestly I think it’s more just proof that this is something that people care about now, which is great.

Scott Kuffer:
I mean, honestly, anything to move the industry forward from the 1995, we’ve got one open source scanning tool and we’re good to go, needs to change. And so honestly, we view this sometimes in less competitively, and more collaborative, right? Is, hey, what can we do to work together to just educate people that this is a problem, and here’s how we can solve it? Right? There’s always going to be two, three players, big players in the space ultimately. And that’s where you want to end up anyway. Right? So it’s just a kind of a matter of, can we get the market there?

Patrick Gray:
I mean, I think it’s a little bit a failure of the Tenables of the world. Those big vuln-scanning companies that just have rivers of revenue from selling scans. The fact that they don’t tend to be properly serious about allowing other scan tools into their fancy consoles and stuff. It’s just the nature of the beast, right? You don’t want to be giving a leg up to the competition. And that’s kind of how we wound up requiring other vendors to come in and actually interpret the data that they out.

Scott Kuffer:
Right. And I mean, it makes sense. Because if you think about it, Qualys doesn’t want to give their data to Tenable. Because now Qualys is no longer the console that is being used for the management of the vulnerability data in their console. And it’s like there’s this jockeying to be the iPhone for the vulnerability data. And it’s really hard just to imagine that, oh, hey, Tenable and Qualys are going to pay each other money to build integrations, and be able to do that across an entire market.

Scott Kuffer:
When there’s a lot of great reasons to do so, but it’s just really, it’s really difficult. And especially to have special … If you think about even just companies like that, most scanning tools start out specializing in one type of scanning. And they’re really great at that one type of scanning. But it’s like, oh, well now you want me to think about cloud? Well, I’m just going to go try to acquire people.

Patrick Gray:
Yeah, and that’s cloud covered. Right? And it’ll be one approach, it’ll be one thing. Yeah. No, and it’ll never be properly comprehensive. It’ll work nicely out of the box though, right? That’s the advantage, and that’ll be enough for some. But it’s not going to be enough for some of these mega companies.

Scott Kuffer:
Absolutely. Right? And there’s so many different use cases. Even just looking at hardware and firmware vulnerability scanning and management, your requirements are so different. Where it’s like, hey, we can use this special, specialized scanner. And we have to. Because we have to provide specific types of reports to specific regulatory bodies.

Scott Kuffer:
But pre-compilation of code, post-compilation of code, and then actually scanning the hardware before we ship it. Right? And so just very specific use cases. You’re just, it’s unrealistic to expect one vendor to be able to do everything. And I mean, we see every year at RSA, there’s like 30 new scanning tools that pop up. And there’s reasons for that. Is that there’s opportunity.

Patrick Gray:
There’s always a gap, right? Yeah, yeah, yeah, yeah, yeah. Yeah.

Patrick Gray:
All right. Scott Kuffer, thank you so much for joining us on the old soapbox to have a bit of a chat about the excitement of running a global vulnerability program for a huge company with a zillion different scan tools. Very interesting stuff, my friend. And of course people can check out the demo that Scott and I recorded on our YouTube channel. I will drop a link into the show notes for this podcast episode. Thank you again, Scott. And we’ll talk to you soon.

Scott Kuffer:
Thanks again, Patrick. Always fun.