Hardening your Moving Environment: Accelerating Detection & Remediation to Build Cyber Resiliency
NewRocket · Jun 20, 2022 · video
Good afternoon, everyone, and welcome to today's session on Hardening Your Moving Environment: Accelerating Detection and Remediation to Build Cyber Resiliency. Just a few housekeeping notes before we get started today. This webinar is going to be recorded and will be sent out to all the participants afterwards. All attendees will be muted at the beginning of the session. We invite you to ask questions, but please use the Q&A box on the bottom right-hand side of your screen and not the chat box; the chat box is a bit harder to follow for Q&A, so if you put all your Q&A in the Q&A box, we'll be sure to ask the companies the questions at the end of the event. And if you have any questions about the presentation, ServiceNow or NewRocket, please contact Kirk Hogan, who is our NewRocket contact for this event; his contact information is on the screen, or I can provide it after the event. At this point in time I'd like to pass the presentation over to the U.S. Embassy's Deputy Senior Commercial Officer, John Fleming, for welcoming remarks.

Thank you, Tracy. Good afternoon and welcome virtually to today's information session. As Tracy mentioned, my name is John Fleming and I'm the U.S. Department of Commerce's Deputy Senior Commercial Officer at the U.S. Embassy in Ottawa. The bilateral relationship between the United States and Canada is one of the world's closest and most extensive. This is reflected in the high volume of trade and investment, as well as the way our two countries work closely together on multiple levels: politically, culturally, militarily and economically. In February of last year, President Biden and Prime Minister Trudeau launched the Roadmap for a Renewed U.S.-Canada Partnership, which provides a platform for increasing trade and investment, combating climate change, recovering from the pandemic and tackling other priority global issues together. The U.S. Department of Commerce's U.S. Commercial Service in Canada is supporting these lofty goals by assisting U.S. companies to build and strengthen relationships with Canadian government officials and business partners. One of the ways in which we foster these trade relationships is by developing programs such as this one to introduce Canadians to unique U.S. strategies and solutions that can enhance and support global IT security. Today's event was organized by Tracy. Tracy Ford is our commercial specialist and the Commerce Department lead for IT in Canada. If you have any questions or wish to speak to someone about sourcing U.S. products or solutions, please connect with Tracy.

Now, with those general comments, let's turn the focus to today's program. Vulnerabilities no longer exist only in your data center; they are on the move within all your mobile devices, creating endless opportunities for digital attack. So how do you secure your moving targets and ultimately build a trusted relationship between your IT and SecOps teams that will create future operational resiliency? In today's session we'll hear from ServiceNow and NewRocket about how to harden your moving environment by accelerating detection and remediation to build cyber resiliency. ServiceNow delivers digital workflows that create great experiences and unlock productivity. The Now Platform provides a smarter way to workflow across industries, and ServiceNow is leading the way to a new era of employee and customer experiences. NewRocket delivers meaningful experiences and extraordinary results with ServiceNow. They are the ecosystem leaders in customer and field service implementations, risk and resilience, and human experience design, and one of only two companies worldwide to be awarded all four ServiceNow workflow badges and a lead achievement that recognizes certifications across the entire ServiceNow platform. We have an exciting and talented group of panelists today representing both companies. I would like to introduce Claudius Malinowski, who is a security solutions specialist at ServiceNow and brings 20 years of experience in various technologies across integrated risk management, cybersecurity solutions and robotic automation. He spent several years working with the Canadian federal and provincial governments, as well as various other Canadian organizations, supporting their strategic and tactical transformation initiatives across security operations. Claudius, I invite you to take main stage and start today's event.

Thank you very much, and thank you, John, for the very warm welcome. I'd first like to just take a moment and thank the U.S. Department of Commerce and the U.S. Commercial Service in Canada for hosting us today. It's an absolute honor that we get to spend the next hour with you folks to dive into a really top-of-mind discussion around hardening your moving environment. Now, John, you've already done a great job of introducing me; I'm the national security solutions lead at ServiceNow Canada. But before we jump into the content, I'd just like to give an opportunity for my co-hosts to introduce themselves as well. So first, over to you, Dale.

Thanks very much, Claudius, and thank you, John, for the great introduction. Really excited to be here with all of you for the next 50 minutes or so. I am the global IT asset management practice leader at NewRocket, and I'm very eager to help make connections between hardening your moving environment and being able to answer three very basic questions about your IT asset management estate, and that is: what assets do you have, where are they located, and who's using them? Because that in and of itself will accelerate detection and really support your cybersecurity objectives. And I will now pass it on to Kirk.

Thanks, Dale. Kirk Hogan. I run the global technology area for NewRocket, covering off the ServiceNow platform. My experiences for the last 25 years have been mostly in systems design and implementation, both tactical and strategic, most recently, for the last, say, 15 to 17, around building up SOCs and NOCs, and
anything to do with security technology. I'm actually obsessed with how it all plugs together and fits, so the last five to seven years I've been spending in innovation, trying to find new ways to push the boundaries. So I'm excited about today's talk, because it all matters; there's not one thing in particular. I think what we know in the title of the event is actually trying to deliver three messages in one. I think about the moving environment: it underpins what's really happened to all of us for the last two years. It was happening before the pandemic, but no kidding, everybody went home, and all of the assets with them. All of this provided a real challenge, and people scrambled and did yeoman's work trying to maintain sort of an understanding about what, where, and who's using what. What we want to talk about today, I think, is having more of a purposeful approach: if we could go back and redesign what we have, what would we have done differently? The hardening part is really about, I think, doing the responsible things in the right order, because, you know, we talk about hardening that environment; I think what we're really saying is, do we believe that we can continue to deliver trusted products and services, whether they be non-profit, governmental, private, to the people that consume those, so that we can get their trust and maintain their trust? And I think that the other panelists maybe have a different view on the same challenge, but we have a different perspective on this for sure.

I'll jump in. In terms of IT asset management, your IT asset estate has really been beginning to evolve over the past number of years, and as Kirk mentioned, especially when COVID hit and your IT asset estate became distributed and remote, we really started to see that realm of responsibility expand. And now we're talking more and more not only about the traditional asset classes that are being managed through IT asset management programs, things like your hardware, be that physical or virtual, your software, your network gear, your mobile devices, but we're starting to talk more and more about the Internet of Things, we're dealing with bring-your-own devices, and one of the messages that, or pardon me, one of the asset categories that is really starting to take center stage is operational technology devices. And these are things like the hardware and software that traditionally controlled contained machines, so equipment, printing presses and the like. What has happened over the past number of years is that operational technology is now becoming networked. So if everybody thinks about those great smart TVs that we have and the network-connected thermostats and even your appliances at home, these are services that have been added on to networks where they used to be very contained. They've now joined your traditional IT asset estate and have access to your network, and so that foundational data that you have been tracking as part of your IT asset estate is now including these other pieces of hardware and software, and with that expansion your attack surface, your vulnerabilities, are also expanding. And I'm not sure, Claudius, if you have any perspective that you'd like to add to this.

Yeah, I mean, it all starts with, we've heard this before, you can't protect what you can't see, right? So that visibility theme across your entire digital infrastructure is critical, right? But equally important, not only identifying your asset information but understanding what type of data and information, really what sort of business criticality, does this asset have in my environment, so that, of course, we can make the appropriate risk-based decisions around those assets as well, right? In order for us to be able to trust our data, we need to understand how do we keep that data healthy and trustworthy, how do we populate the data, for example in the CMDB here, in a way that makes the most sense. And really we start to think about themes like automation, right? Bringing that in in an automated way allows us to ensure we've got relevant and refreshed data that's, you know, context-aware, right? I wanted to kind of share some of those insights, but Kirk, any other thoughts or inputs on that?

Oh, I think there's one last thing, and that is around visibility. We think that we've got a good view about what we have, and I think most organizations do. What happens, though, in a mobile or a dynamic environment is things join and exit the environment all the time, so it's important that that visibility flexes with what is coming and going, because you may understand that new things are coming out of your environment, but what about the things that you're not expecting that look like the things that you're expecting? So I think the fidelity of what your information is around that estate matters. And we did introduce the term attack surface on purpose, and I just want to draw specific attention to that, because I think a lot of organizations talk about what does the business need in order to deliver those products and services. Well, technology supports processes, but if we don't understand necessarily where those things are in their life cycle, we don't know how to connect them back, we don't understand their priority, we don't understand their importance. So it isn't just about the IT estate; it's about its role within our delivery.

Yeah, I want to have one more comment here. You know, the title of this talk track, or this discussion, Hardening Your Moving Environment: that moving environment piece I think is so important, right? Because when you think about some of the statistics that are out there, depending on which study you read, I was seeing things like, on average, employees have 3.2 devices, right, and on average we see about 17% of those employees having movement in, in change of role, right? When you start thinking about movers, joiners, leavers, some sort of change to
that employee's privileges and rights and access, it's ever-changing, it's constant, it's moving, right? Things are always shuffling around. So kind of keeping up with that life cycle, the asset life cycle, you've really got to look at things like automation. It could be a tall order as you start looking across all of these honeycombs and all of the different components to, you know, visibility and asset information. Okay, and Dale, any other thoughts before we kind of move on to some of the next statistics and things?

I don't think so. I think we can move on to the next slide. Thank you.

Okay, excellent. So I want to share some insights on what we're seeing, you know, as we start looking at the digital attack surface expanding. Right here, Dale, I talked about in a previous slide all of this convergence of, you know, IT, OT, IoT; all of these assets are growing, right? So this digital attack surface is expanding, and when you look at some of the information here on this screen, things like digital transformation were already in motion, right? But McKinsey did a study not long ago that said that the pandemic had actually accelerated that digital transformation process by seven years. So what that meant is a lot of businesses were suddenly forced to adapt to this transformation at somewhat of an unnatural pace, right? What that also meant is they are often moving workloads, services and infrastructure to the cloud, right, to kind of help with easing some of that, you know, that capacity and the growth that's needed really in these scenarios. And then you look across that center statistic: suddenly a ton of employees are working from home, they're working remotely. That also created new hurdles that we were dealing with, so security teams are suddenly trying to protect things that they cannot control, like employees' home networks, right? That of course poses a tremendous visibility challenge to security leaders to keep track of things like, you know, assets in those environments. And then on the right-hand side, in purple here, you could see, you know, many businesses were also increasing their connection to third parties. That could be your vendors, that could be your customers, and of course that's going to give you some benefits, things like ease of access to sharing information, which is great, but that also means we're introducing additional risks and exposures that way as well to your sensitive data. Now, interestingly enough, Forrester conducted a study that showed that 51% of respondents said that their organizations were not actually assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential information, right? So that introduces potential risks and exposures.

So then at the bottom here you see, you know, our teams on the security side, they have a daunting task ahead of them. They're looking for where are those exposures, those vulnerabilities, across a bunch of different, you know, flavors of vulnerabilities, right? You've got your IT infrastructure, which could be in the cloud, it could be on premise, it could be a hybrid environment. Then you've got vulnerabilities in the sense of misconfigurations, right? Those are exposures. We don't want to be leaving things like default usernames and passwords, or ports opened, and things like that; those are access points for threat actors to, of course, take advantage of. So we're looking for misconfigurations, or configuration compliance. Then we're talking about application vulnerabilities. These could be commercially available off-the-shelf applications, or they could be your in-house developed applications, so now we're starting to look at vulnerabilities in applications, things like, you know, static or dynamic application security testing vulnerabilities. And then there's penetration testing vulnerabilities as well, whether you're doing that through some sort of machine tooling or whether you are performing that, you know, with a human resource who's looking for access points into your environment. But all of these vulnerabilities need to be looked at and tracked, and of course those vulnerabilities exist on some sort of asset or infrastructure component in your environment. Having to start now saying where do we start, where do we prioritize, what do we action first can certainly be a daunting task if you don't understand the business context of that asset as well, right? Kirk, what are your thoughts on, you know, these areas here that are up on the screen?

So my first thought is actually the title of the slide, and I just want to put in square brackets: is expanding and contracting, to my previous point about the, you know, dynamic nature of the environment. It isn't about the fact that you don't know it is expanding or contracting; it's about getting those frequent updates so that you can trust the fact that you know. It's about comparing your awareness with your expectations, and I think that's the challenge, because the volume is only getting bigger. When we all left to go home for that, you know, two-week period, two weeks ago, or two years ago, we all thought we'd be back and it wouldn't be a challenge, but there were a lot of organizations that had to figure out in a hurry how to move not just their digital assets but also their processes in order to manage those. So this is not just a technology problem and a technology solution; this is a people, process, technology challenge. And as far as, you know, the visibility into the remote employee network, I'd ask everybody on the line to ask themselves, do you have any one IT asset from any of your previous employers? And I'm going to guess that at least one of you is going to say yes, because they didn't track when you left that organization and they didn't request it back. That just proves, you know, our appreciation for what the true value of life cycle management could actually be to our environment. So if we aren't
sure when it's leaving, then we probably aren't necessarily knowing when things are joining. Not that you may not have a network access control solution or a DLP solution, something that recognizes it, but do we have the processes that plug into those alerts and awarenesses in order to update what we think is our total visibility? And it's not going to be perfect, but what we want to do is we want to get it as good as we can. You know, we just want to be responsible and to be able to demonstrate due diligence. As far as misconfigured assets, so, I mean, you talk about vulnerabilities, Claudius. Vulnerabilities, yes, we look for things that are known signatures, etc., but if we think about it, it's got a good version of a software, but it's this one bit that's been set, and, you know, I'll use a swear word, Log4j, I mean, that was a test for all of us to understand. Okay, it's a configuration; the software itself was not flawed, but we need to be able to go out and understand that. So everybody scrambled to understand that. So if we take a leap forward: if we had total visibility of our environment, including what sort of application stack is sitting on our IT assets, perhaps we could have gotten a lot further down the field, because everybody had that exercise, and it went from days to weeks to, maybe some are still exploring that challenge. But the whole idea is the next time you run into it, so when Log5j, to make something up, comes out, what have we learned from that last event? What things would be the best time spent? And that's some of the discussion that we want to continue to have for the rest of the time. Dale?

Yeah, and I wanted to really add on to the point that you made. In addition to looking at how your business processes are functioning, even at the strategic level, speaking about the governance and standards that you want to implement, because the rules of the game changed, and so organizations need to look at their asset standards and at the currency of their technology. They need to look at the governance, things like patching. So misconfigured software assets aren't the whole picture. From an IT asset management perspective, there's also the issue of currency, and how many legacy versions of Microsoft Office are you sustaining in your environment because there are not proper standards and governance around the decommissioning of legacy versions? Because those legacy versions of software that, I would say, proliferate in many organizations are a really potent vulnerability that should be managed. And so we really go from people, process, technology all the way up to strategic governance and standards. I think that's probably a good point to launch.

Absolutely, Dale. In fact, I was going to, you know, double-click into that some. Managing your software assets, your applications, across your entire infrastructure is critically important when you get into those scenarios that are end of life and end of support, right? That means we're not getting those frequent software patches and updates to the end-of-life and end-of-support applications, because, you know, that's just the life, right? Those things are not perpetual. So what that means is, if you're dealing with applications in your environment that meet that criteria, that means you've got stale software that is probably going through some sort of vulnerability exposure, and threat actors know this. They actually, you know, I saw some statistics that say it's easier to go after those medium-risk vulnerabilities on those legacy software applications, because no one's really looking there, right? And there's no patches that are available either, right? So those kind of dormant scenarios sometimes pose the biggest threats.

Yeah, I want to talk about, what we're talking about is assets. So, Dale, you talked about introducing different categories of assets. You know, we're focused on IT, but it comes in different forms. One of the biggest risks right now is API risk. So the fact is, if you can't understand necessarily what systems are connecting to what other systems and model those, that is something you can talk about: you know, create some sort of an intangible object that you can then identify the risk for, and then what your mitigation strategies are. That's another important thing. So it isn't all just about maybe automated discovery; it's also those things you know about and that you can model. I just want to note, about the older things, that I'm looking at a real-time dashboard and the number one vulnerability I'm looking at is a CVE with a 21 or 2010 date. And for those that, you know, watch the news, and I know everybody on this line is in the security game, but, you know, the hacker that took North Korea offline would not state which vulnerability they used to take it offline, but they stated that it was ancient. So regulators will typically give you a bit more leeway on the zero-day attacks, because who saw those coming? But when you have something of vintage 2010, it's a little bit hard to explain why we didn't address that. And you're right, Claudius, I think there's a misconception that if we go after the things that are risk-rated higher, by the way, you know, the NVD risk rating is not a risk score, it is a risk rating, and if we use this, and a lot of people do, you may be looking at the wrong things first. So I really think it's important to bring in some of that enriched perspective of what your environment is, and sometimes that is not something you discover, but it's something you know.

Absolutely. So let's move on to this slide. I thought it was interesting to share some of these statistics. It actually was compiled from a few sources: ESG Research, Check Point Software, Edgescan and Ponemon. And we'll get into kind of what each of these mean, but when we talk about seeing the threats is not enough, what we're saying here is, you know, oftentimes as an organization we do a pretty good job of
bringing in some sort of automation, a tool to discover our vulnerabilities, right? So what that means is we're able to find our, what I'm going to say, problem statement, right? So we've got a vulnerability or an exposure here, but the challenge is, having found that, how do we understand and where do we start on that solution statement, right? In other words, what actions do we now need to take to address this problem statement which we have just found, right? So these stats that I want to share are quite interesting. On the left-hand side, where it starts off with the 61%: a lot of organizations are saying it's really difficult to prioritize where to take the right actions on those threats and vulnerabilities that have the biggest impact on reducing that risk exposure in my environment. And then when you double-click into that, you see another statistic that says that most organizations, 57 percent, don't always know which assets are business critical. That goes back to the idea of where are our assets, what sort of information does that house, right, what sort of information is processed on that asset, and how critical is that to my business? Those scenarios are likely the ones you want to bump up the risk on, or bring more attention to and action first, right? So without knowing which assets are critical, and also, I'm going to say, without having a centralized source of truth, getting out of kind of data silos of, you know, security manages and tracks assets this way and IT does it this way, we need to centralize that view and give the right visibility so that we're working from the same source of information. Now, in the middle here, some really interesting stats as well, which is that most organizations, right, almost 9 out of 10 organizations, were saying, yeah, we have experienced threat actors attempting to exploit known vulnerabilities in our environment. The challenge is that those that actually were victims of a breach say that they were actually breached due to an unpatched and known vulnerability where a patch was available. So in other words, we know we have a vulnerability, we've discovered it, we know there's a patch, we just didn't get around to it quickly enough, right? We were breached, right? So really interesting stats there. And then on the right-hand side, what I also found quite interesting is on average it takes over two months to mitigate our most critical and high-risk vulnerabilities in our environment, right? Oftentimes that's plenty of dwell time for a threat actor to do a lot of damage, and especially if it's a critical or high, that means we know they are the most, you know, riskiest threats in our environments, and we should be, you know, tightening down that mean time to resolution as quickly as possible. But yet the reality is it's taking us about 68 days on average, based on that study. And then a lot of organizations are saying that is because we are at a disadvantage, because we're trying to handle this process manually, right? We're using spreadsheets, we've got some data silos where we keep information here or here, so of course, naturally, it's going to take a long time to try to get the right information to the right people at the right time. It's not a technology problem; it's a people, process and technology problem, as Kirk said. So, Kirk, let me ask you, is there any stat on here that quite jumps out at you or that you're surprised to see?

Yeah, I could talk to each of them, but you did that. But I do want to focus in on the 87 percent. So it's about the existing vulnerability, but if we dig into the types of vulnerabilities, yes, there's a lot of organizations that are seeing those attempts. If you look at the different parameters around the CVE: the skill level, you know, whether the exploit exists in the wild or not, so some of these need local, you know, credentials, some are remote. So by looking at those three attributes within the vulnerability, that can really help you prioritize what it is, because, as you said, if the goal is to reduce the MTTR, you can't do it all at once. You've got finite resources. So fair enough, then how do we get better? And if you understand the probability, then within those numbers now it gives us a strategy, one of, you know, n strategies, to apply to what do we do first, now what do we prioritize. I will quickly focus on the mission critical, the 57 percent, because I also believe that whether you have a system in place or not, everybody on this line has probably been called into a meeting, or some sort of, you know, called onto the carpet, to ask, okay, so what are we doing with our most critical service? Whether you're an e-commerce, whether it's a site serving the citizens of your country, it is something that if it failed, you would no longer cease to matter, and that is really what you need to focus on. So whether it's the list on the back of a napkin or whether you're doing formal risk management around which ones are, start somewhere, because I would challenge you that your math is better until somebody comes along with better math. So always start, and you will evolve, but you have to start somewhere. Dale, any final thoughts on this one?

Yes, actually, the discussion that Kirk was having around identifying and prioritizing your business critical systems is really relevant, and it's one of the foundations of an asset management program or a management system, in that we need to be in regular communication and we need to engage stakeholders like our lines of business, because, just like your vulnerabilities, you can't possibly manage every single asset that you have in your environment, and so you need to know not only how vulnerable they are but how business critical they are. And that's certainly a way that a well-managed and structured IT asset management program can begin those discussions, and you can really leverage the business processes and the prioritization exercise, pardon me,
that your IT asset management team may have started, and often have gotten to the end of, to be able to identify those and make that quick napkin list and marry those up. And so it also speaks to your point, Claudius, about being able to communicate across teams and breaking down those silos. So, you know, leverage, work together, and break down those information silos.

That was spot on. In fact, this slide echoes exactly what you were just talking about then. So, you know, why are we seeing kind of such lag in some, you know, mean time to respond and remediate, outside of the parameters and targets we have? And, you know, why is it taking so long to, you know, communicate and try to collaborate and get things done in our organization? And this kind of depicts a visual image of why that is. So collaboration's a bit messy, right? And the more complex, the messier it is in our environment; you know, that's the enemy of security. On the left-hand side here you see the security team; on the right-hand side here you see the IT team, at least that's how it's depicted. It may be, you know, your vulnerability management team and your IT remediation team, or it could be any, you know, business name here. But the general concept here is we've got a team, typically in the security domain, that's responsible for identifying those threats and exposures, right? Where's my problem statement? Where are these vulnerabilities, these exposures and threats in my environment? We need to validate: are they real, are they false positives, are these the same thing, do we action these, or is this just noise? And then lastly, they're trying to prioritize, to say we believe these are the most critical, let's kind of tackle them in this order. The challenge is we're dealing with a tremendous amount of alerts, right? Some organizations have thousands, hundreds of thousands, and some of our largest customers have millions of vulnerabilities across their entire infrastructure. So a tremendous amount of alerts, really hard to map that to the right business context, right? Or there's a lack of business context, and we're trying to do this manually, right? And there's data and information available in different silos and domains that we're trying to glue together.

On the right-hand side, the IT operations team typically says, okay, we ingest the data from the security team, and we need to organize ourselves in a way where we're organizing the right tasks to the right people. So we're dealing with workflow management, which could mean, are we patching, are we deferring the patch, is this a false positive, is this an emergency patch, right? We could have different outcomes based on what it is we need to do, and we're trying to remediate that as quickly and efficiently as possible. But of course the IT teams, their challenges: a tremendous amount of asks with ridiculous expectations sometimes, and the data you just gave me is unreliable, I can't really trust this, it doesn't actually match what we're seeing. This center that says remediation gap, in this red dotted line here, says we're trying to communicate through things like email, spreadsheets, you know, Teams chats, calls, emails. So we're working in our silos and we're adding another element of a silo, a manual process, to try to stitch things together to keep the wheels moving on the truck, right? Now, threat actors know this, right? They don't care about your business silos. In fact, they take advantage of that dwell time, because they know they've got a bit of a head start, and a dwell time in which they know, you know, no one's really going to be able to get ahead of this as quickly as we're seeing things, right? What we're seeing means, hey, we've got a backlog of threats and vulnerabilities and alerts we're addressing. It's a real challenge trying to communicate across these silos. We're dealing with things manually. It's really hard to prioritize. There's a lack of transparency in the sense of who's doing what, have we remediated that, how far in progress are we in terms of that task or that effort, are we hitting our targets, are we missing our targets? And then lastly, if you're in a regulated domain, you may inadvertently be dealing with some regulatory exposures of missing some commitments there as well. Kirk, what are your thoughts on this one here? Or do you feel like things like hiring more resources would resolve this issue?

No, you know, throwing more people at this problem, they just couldn't keep up with the volume and velocity, because you'd have to continue to hire more and more people as this expanded. I think, as much as you've drawn the remediation gap, going back to the title of this talk today, you know, about accelerating detection and response, or remediation, I think active, governed response is perhaps the way to do it, and that's how we find economies of scale. And an example might be, if you wanted to, and you talked about the different responses, I'll call those the outcomes, I'll call those responses, because if you're going to defer something, okay, you want to defer it, but the scanners don't let you track the governance around deferrals. The spreadsheet may allow you to do that, but now you need to keep multiple versions of the spreadsheet, because you have literally millions of responses coming out with each scan. So how do you govern that responsibly? So we need to apply this aggregation layer so you can apply this accountability and governance to it. On the remediation side, if we want to silence an alert, like, we're aware of this vulnerability, we're aware that it attacks this area of the environment, but everything we have in that technology stack is actually in an air-gapped environment, so we're not going to address that; if you want to have that exception tracked so you've got a complete view of your risk and remediation debt, because that's really what we want to understand at any one point in time, as much as the visibility of the attack surface, we want to understand that. What is
the state of our response on that same surface that active governance is critical but we need to apply economies and scale you cannot work at the granular level of vulnerability you cannot work necessarily even at the volume at the granule level of an i.t asset we need to start a group and take group actions against these things and it all starts i believe with the life cycle of something coming online so that we understand what it is and we haven't really talked about who's using it yet because it may be a critical asset but based on the who is using it and where the asset is today the dynamic environment so it isn't that it's coming on and off network it's also where the acid is we're all we're starting to fly around the world again but we did that before so as that asset moves its threat environment changes so we need to have this dynamic but an active governance spot on gail any final thoughts on this yeah uh two things i first and foremost adding adding human resources to be looking at this problem i actually see that as an exercise in going past the law of diminishing returns because what adding more people does as you can see in this diagram is it actually adds complexity to your communication networks it uh it opens up other uh possibilities for information to be missed or not transferred to the right people and so where i always like to hone in on on these sorts of discussions is the bottom right bullet under challenges which is that's solving for unreliable data and by putting efforts into solving that data reliability and accessibility issue i think that's where organizations are going to be able to truly make strides forward in terms of their ability to govern and activate response in a more timely manner if you can get that data into the hands of the right people at the right time and you know it's correct you can mitigate a lot of a lot of the impact and and really shorten the dwell time i in i i almost compare it to um the colonial pipeline breach 
versus the accenture data breach which happened at roughly the same time and your ability to mitigate and respond to that was weeks to hours and it was because i accenture had a really good reliable data set that so they could only shut down what needed to be addressed because they could pinpoint where their issues were going to be all great points and just to circle back on that dale you said some interesting things earlier around more people i also more complexity and and by that i think about okay instead of having three people logged into this excel spreadsheet now we have six people logged into this excel spreadsheet but if we don't have things like a common view of assets and understanding criticality maybe those six people are working on the wrong things right so if we don't have a common view of assets where where things are slipping through the cracks because we're working on manual spreadsheets emails and and working in data silos and then when you think about the inside and oversight across the entire vulnerability management life cycle if you don't have an easy way to track which vulnerabilities are patched where where are we you know trending on track with our targets versus missing where our critical vulnerabilities when you can't have that visibility from a reporting kpi metrics perspective really what you're leading to is that what i'm what i'm going to call a security patching paradox right hiring more people without fixing those fundamental pieces means we're probably just tripping over each other a little you know a little more right that sort of thing so before you move on one more point and that's right we haven't really uh said anything about prioritization yes we can depend on the the cve attributes of something being found by a scanner that's good what is better is going to the cvss 3.1 model where we think about temporal environmental scores because now we bring in context what is probably best in class today is enriching it with threat 
intelligence because what was important yesterday at four o'clock could have changed overnight with the geopolitical situation the way it is uh president biden on monday said uh you will see an increase in cyber attacks so for that was based on you know the us intelligence they won't say what specifically but businesses have been warned that you know things are happening so the the prioritization using threat intelligence i think is critical because i have many clients that are doing this and i have some clients that luckily have a hundred thousand vulnerabilities that they're dealing with i have clients that have five million so it is really really important no matter what scale you're working on that you try to apply the best of those methods that you can because it will help you focus your limited resources so that is the counterpoint to you or do we add more people yeah spot on kirk in fact just to add one more layer to that right enriching it with that exploitability factor of risk is important right first of all is it exploitable right and what's that exploit behavior right that also helps us understand um you know do we bump up that priority or can we bump it down right and again on the asset criticality the type of information that's there that also matters so there's a number of risk elements that we need to look at to really have that confidence that we're making the right business decisions at the right time let's move on to this one in fact dale i'll ask you to kind of kick off this because there's really both elements here we've been talking about vulnerabilities we've been talking about it asset management as well but let's uh let's jump into the itp's the assets okay thanks claudius i and i one of the points i made earlier was about it asset management systems so the word itams in the title is not a typo it's very intentional i so an i.t asset management system is really that business framework uh that governance that uh that strategic process uh set 
that you are using to guide all of the it systems and supports that are going to be governing your i.t asset management your security and risk vulnerability management your hr systems your your customer service systems one of the i one of the key links uh between uh solving for the vulnerability challenges that we're talking about today in an i.t asset management system is uh what we have here on the left which is a capability maturity model uh for it asset management systems and and you'll see down at the bottom uh it begins with trustworthy data and so we've talked a lot about knowing what not only what your asset estate looks like but what your vulnerabilities are and having a current comprehensive and consistent data around that to be able to provide and and that links very closely the need for visibility in in that vulnerability landscape as as an it asset management system matures you're able to start leveraging integrated systems and and again start feeding into that prioritization activity and be able to start uh focusing your at your efforts more deliberately and then finally uh claudius you've spoken a lot today about the need to automate uh your your response uh again it's speeding your ability to respond and mitigate damage and and that's really an optimization level uh but i think if you take one thing away from from this entire slide uh it's the need to focus on establishing trustworthy data and getting eyes on the important vulnerabilities asset classes uh and and really your attack surface so that you can really start to manage it and and build your maturity from there and it goes back to a comment that that kirk made earlier on you need to start and uh you know it's not going to be perfect from day one but starting there with trustworthy data is is where um where i would begin absolutely so i'll add a couple of comments here automation certainly a theme we've talked about today and we mean automation in terms of discovering assets discovering 
vulnerabilities and threats but we also mean automation in a collaboration so automated and intelligent workflows to remediate these threats right when you think about a vulnerability management program it's a team sport it's not just one person or one team it's usually it usually goes across multiple teams so how do we get the right information to the right team at the right time with automated workflow management automated uh notification automated slas and and the the information at the fingertips knowing exactly how critical this is and the exact actions we need to take immediately right that automated prioritization is also something that's pretty important um in a way that we're looking at all the right elements right all the different risk factors and that we are prioritizing the work that is best suited for our business right not not everybody's going to have the exact same way you prioritize risk you need that ability to kind of configure and control in your environment how we prioritize risk and of course the visibility is is multifaceted across not only your assets not on your vulnerabilities but who's doing what right that insight and oversight and the understanding of our program through those kpis on how we're doing as a security united organization that we can also articulate the data up to like the you know sea levels the board of directors right it it cyber security matters uh up the entire uh chain of command if you will it's a it's a top of mind issue and without the right data it's really hard to have that conversation at the highest levels of the organization kirk any final thoughts on this i want to i want to share a favorite quote by peter drecker there's nothing so useless as doing that which had never been done at all and i think that speaks to level two and level three of this this visual and uh i'm it drives me absolutely nuts when i hear about wanting to automate the system and i get that that is a an outcome that you want to get to i 
think what we really want to say once you have level one is in level two and three what we're trying to find are good candidates that is a responsible pragmatic approach that will get you to the end goal to take any other you know way through that journey is i'm going to say irresponsible because there are things that provide massive value that are that should be automated but we first need to test whether it's effective and then back to trustworthy trustworthy isn't just about the data trustworthy is about the outcome of applying a business rule a business practice a response treatment because the the holy grail of this is actually being allowed to say i don't need a human to do this i need a system to do this by the way i have more work for the humans to do no don't go away because it is about prioritization not just of the program and the vulnerabilities but also about what we do first i won't layer anymore i think you've both covered it off very well excellent we are down in the final few minutes uh tracy i'm going to ask you to kind of open it up to see if there's any questions that have come in and we'd be happy with yourself yes so we have received a few that came in directly through me to me through the chat uh specifically uh privately so i would ask you all if you have any questions for the group please put them in the q a box not the chat box it's easier for me to follow them in the q a box but i did manage to write down the ones from the chat box so we'll start with those um how can we maximize the value of an associate an organization in terms of the it asset life cycle so that's a really big question i and i and i will go back and it it really sounds like a broken record response perhaps but bringing that value across the life cycle is really about those those three questions that i that i brought up at the top of the the webinar uh if you focus on understanding what assets you have where they are and who's using them and begin when the decision is 
made to bring an asset into the organization and really make sure it follows all the way through deployment operations and especially deprecation decommissioning and the exit from the organization i would say that that's probably the area of the life cycle that gets the least amount of attention and it's going to provide some of the greatest benefits to your security and vulnerability response great anyone else that we're good on that one okay second question how can we enable productivity without compromising reliability i would imagine that is a cr well the question wasn't specific whether it's i.t vulnerability or the entire thing but maybe kirk i'm going to ask if if you know from your experiences you've dealt with a lot of customers across all maturity scales if you will what are your thoughts around that one so product productivity versus reliability um well i i i think we have to come down to prioritization uh sorry um tracy could you just reread the question again sure how can we enable productivity without compromising reliability okay yeah yeah it is it is about prioritization because um if you have finite resources we need to understand what do we work on first the other thing is um economies of scale so if we have say a similar vulnerability uh that can be applied to multiple assets that's an absolute you know productivity gain um but we're not we're not sacrificing reliability because we are confidence in the response uh the other thing is uh if we were to enrich uh some of this with threat intelligence a lot of that threat intelligence comes with mitigating plans so that increases our reliability because it really it increases our confidence in that response so we're not asking specialists you know god bless them within our organization but we're also looking at industry research to fortify our response i think those two actions alone will give you a tremendous productivity boost without sacrificing okay so question number three how do we choose it 
asset management software and maybe that's too big for the the little time that we have left but dale do you have any quick thoughts on that one how do you choose its management software well i i do i and and where i really think uh it's important i you have to understand that it asset management is really a business problem masquerading as an i.t issue and so whatever solution you're looking for you should make sure that it integrates with other systems that you're able to expand and i work seamlessly with other with other aspects of your business so with your procurement team with your operations team with your customer support teams and that for me is probably the biggest decision point we i know we're at the top of the hour actually we're just one minute past we started it a few minutes after so i'll just ask this one last question we have started implementing a cmdb what level of maturity do we need before starting to trust it for our vulnerability program don't wait for a level of maturity that is high start i i just can't harp on that point more sorry if anybody else is going to answer but i feel very passionately about the fact that if you wait for a certain level of maturity you will never start and i've seen some clients that are paralyzed and they just can't go and through a lot of i'm going to say painful conversation we've you know encouraged them to start and they look back and they say that was the right decision so i'd say if you even have a cnb absolutely go if you don't have the cneb talk to somebody who can help you get one up but you can run those programs in parallel agile versus waterfall approach right we got to be agile in this nature and you know we're we're building a car we're driving the car you know things things evolve and mature as as we go through this process in general yeah great so we have no further questions in the question and answer box at this time oops i lied some one just came in here let me the association of security with 
privacy and itc go together so you talk about the cyber resiliency but what about the privacy kirk do you want to take a first crack at that one or yeah so uh so privacy is about understanding what information uh would be i can say classified as pii um so it is important that whatever i'm gonna say process or solution you land on it can i'm going to say enforce and respect those rules again it's not about all information it's about some information so and again privacy is about you know having control over the use of information whereas confidentiality is about the protection of information that's more general in nature so i see privacy as a subset of everything we're talking about but absolutely it has to be part of the solution so it's a set of rules it's a set of logic uh and it really does become down to you know tracking uh permission consent etc perfect so that's great so we are actually at five minutes after the hour now so i think we'll need to close off in respect of everybody's time but again i want to remind you if you have any questions about the us commercial service please contact me tracy ford and if you have any questions about the presentation servicenow or new rocket please contact kirk hogan whose contact information is listed on the screen right now i'd like to thank both servicenow and new rocket for being our speakers today we hope you enjoyed the presentation and uh and if and any follow-up can be done with the companies thank you very much have a good day
https://www.youtube.com/watch?v=nPhxK-wAFjA