In this episode, host Ashish Rajan speaks about the changing landscape of vulnerability management with Amit Sheps from Ionix. Together, they explore the concept of Continuous Threat Exposure Management (CTEM) introduced by Gartner and why it's reshaping traditional vulnerability management practices. They discuss the shift from patch management to exposure management and the role of AI and automation in dealing with the growing number of vulnerabilities.
Questions asked:
00:00 Introduction
01:54 A bit about Amit
03:03 What is CTEM?
05:57 The need for continuous vulnerability management
07:38 Approaching Vulnerability Management in Cloud
10:00 Best Practice for Vulnerability Management
13:29 Moving from Vulnerability Management to Exposure Management
18:56 Vulnerability Management as part of Cybersecurity Program
22:06 Who’s responsible for Threat Exposure Management?
25:20 The Fun Section
Ashish Rajan: [00:00:00] Are we currently exposed for any potential vulnerability in cloud as well?
Amit Sheps: Definitely. I think the world is merging. I think that what we can see is that vulnerability management evolves into something else. We can see that movement in the market for many use the word AI to solve it.
Ashish Rajan: If CSPM was the acronym that you thought was enough for cloud, we have a new one. It's called CTEM, or Continuous Threat Exposure Management. Don't worry. It's not as complicated as you might think. Fortunately, I had a conversation with Amit Sheps from Ionix, who came and spoke about what CTEM is and why there is a need for us to question how we do vulnerability management. Yes, that's right. We're talking about vulnerability management and the new evolution that it's going through, as per Gartner and many people who are questioning the need for us to just use vulnerability management as a way to do patch management.
And I empathize with people who have always traditionally, in an on-premises world, done patch management as vulnerability management, perhaps. This is definitely the next evolution of what patch management or vulnerability management should be, where we live in a world where we're not just dealing with virtual [00:01:00] machines.
We're dealing with platform as a service. We're dealing with SaaS services. We're dealing with AI. So what does it look like? And I think, why is there a need to evolve vulnerability management? All that in this conversation with Amit Sheps from Ionix. If you know someone who works in vulnerability management on premises, or is trying to see what they should consider for vulnerability management in 2025, I would definitely recommend sharing this episode with them.
If you have been watching or listening to our episodes on Apple, Spotify, YouTube and LinkedIn for some time, I would really appreciate it if you can drop a subscribe on any of these platforms, or even all of these platforms, because it also helps us know that you are enjoying what we're creating as well. So I appreciate all the support.
I hope you enjoy this episode with Amit, and I will talk to you soon. Peace. Welcome to another episode of Cloud Security Podcast. Today I have Amit Sheps with me, and today we're talking about vulnerability management. I'm excited to unravel these things because, let's just say, I've heard a few terms when I was talking to Amit.
And I want to be able to explain that to people. But before I get into it, Amit, would you be able to share a bit about yourself and your professional journey so far?
Amit Sheps: I started as a [00:02:00] support engineer in the beginning. I was actually in the telecom domain. So it was actually in all of those white rooms, these big halls with floating floors and stuff.
And yeah, support is difficult. So the next step was pre-sales. So I was a sales engineer for a few years. And there is always an interchange, or you come to a decision point of what to do from pre-sales, whether you're becoming a salesperson or a product manager. I became a product manager.
And after a few iterations, I actually left the telco and joined the cybersecurity arena. The first role was in an OT company called CyberX, which was acquired by a small company named Microsoft. I mean, if we are talking about cloud, so this is actually being in the cloud, and from Microsoft I moved to Aqua Security, which is actually a cloud native security company.
And now I'm with Ionix, which is doing ASM.
Ashish Rajan: [00:03:00] Awesome. Thank you for sharing that because clearly you've worked in the cloud space for a long time. And another thing that has been in the industry for a long time has been vulnerability management. But I was reading through and even through our conversation, you were referring to something called CTEM or Continuous Threat Exposure Management.
What is that?
Amit Sheps: CTEM is a new approach which was introduced by Gartner. Yet another new abbreviation in our landscape. It was in 2022. And I think the need for this approach was because vulnerability management didn't have any changes. And we can see the growing number of vulnerabilities. We can see the growing number of domains, and therefore Gartner came up with something new.
CTEM is actually built from five steps. Surprisingly, they are quite similar to existing frameworks, but I will talk about the things that actually distinguish it from the existing ones. So the first step, surprisingly, is scoping. Understand what you want to protect, or try to scope a perimeter, or even a logical perimeter, since we are in the cloud [00:04:00] era.
Second one, discovery. This is the inventory part, where we actually need to understand what we are protecting and what the assets are which are within this perimeter. And then prioritization. So we would like to prioritize or optimize our efforts in the way that we're actually addressing the most risky issues.
And here come the two new, so to say, steps. By the way, these three steps, according to the system, are called diagnose, in which you are diagnosing the problem. The second stage is the action. So now you're being active, going to the active side. So first you want to validate. So the first step is validation, in which what you are validating is that the vulnerability is actually exploitable, is actually something that imposes a new risk, or imposes an actual risk to your environment, which creates a new layer of data, because [00:05:00] we know that today, basically, you are prioritizing vulnerabilities based on the data that you have, which is mostly internal. It can refer to identity. It can refer to passwords or roles and stuff, but you don't know if the vulnerability can actually be exploited, and can be exploited from outside.
Once you validate it and you actually know that this is a risky vulnerability or a risky issue, instead of remediation, they call it mobilization. So you will move this issue. You will mobilize it into the place, into the people, into the department which is actually responsible for fixing these issues. So it's not only remediating, because I think, because of new challenges or new architectures, you can see that one of the challenges is actually who should fix it. To whom should I send this issue? Now that I identify it's a risk, who should fix it?
Ashish Rajan: Interesting. Cause to what you said, the [00:06:00] diagnosis part, the first three steps, sound very similar to what all of us have been doing for a long time. I would probably even challenge that the last two are also similar to what most people do as well. I don't think we were ever the ones who were solving a vulnerability.
We were just letting people know what vulnerability we need to solve. How different is this to how traditionally vulnerability management has been approached? Cause I guess, why was there a need for a special one now, making it a continuous one?
Amit Sheps: I think that the main challenge is, first, they wanted to apply it to many domains.
So now you actually need to think of how you're actually creating a framework and actually trying to apply it in any kind of domain. So they have a few vulnerability management domains, whether it's on the exposure or manufacturing or cloud and stuff. And I think the validation up until now, CSPM or any other tools cannot actually validate if it's a vulnerability which can be exploited in your environment.
You might have something in your environment which is, we are going back to, again, new kill [00:07:00] chains or new attack paths that have been built. So in the past there was mail, and you needed to actually infiltrate into the organization in order to get to the line. Today you have an exposed asset in the cloud, and that's it.
If you don't know what's in there, so it's okay, it's exposed. Or maybe it's a website, maybe it's your own application. That's fine. But you need to make sure that the vulnerabilities which are popping up over there, you need to take into consideration that these are exposed vulnerabilities.
And this is the first place that you want to handle, rather than an unexposed production environment that has this specific vulnerability.
Ashish Rajan: This is fascinating for me also because we're coming towards the tail end of 2024. A lot of cybersecurity leaders are now planning for what they should be focusing on for 2025 onwards.
A lot of the leaders are in the vulnerability management space. That's what they look after, and they take care of that. Now, to what you said, sometimes the CSPM they might be using may not be the one that can help them validate [00:08:00] that, hey, is this really exploitable or is this not. So for people who are coming from traditional vulnerability management.
And I know, as I talk to a lot of people, a lot of people are going into cloud in 2024, 2025; they're planning for it. What are the different ways they should approach vulnerability management as they plan their strategy for 2025? Like, what are some of the challenges that are in the traditional vulnerability management space that perhaps don't apply to cloud, or should be applied differently to cloud?
Amit Sheps: If you work in the traditional way. So let's assume that you continue. And I won't use all my marketing phrases of solving all problems. No, the problems stay the same, and you still need your CSPM, mainly because of compliance. Vulnerability management still should be there. However, because of growing use of open source, because of growing use of cloud,
and multi-cloud in some cases, the growing number of vulnerabilities is enormous. I don't know. I will give you [00:09:00] a trivia question. Do you know, from 2024 only, if we go into the NVD database, do you know how many vulnerabilities are open as of today?
Ashish Rajan: No, I have no idea. 10,000? Maybe 30,000. 30,000.
Amit Sheps: 37,000, and 18,000 are waiting for re-evaluation. So they are open, but, so it's a huge number of vulnerabilities. CSPMs are important, but in the beginning, when you had a CSPM, it was enough to take a bunch of vulnerabilities and actually prioritize them and get a reasonable list to actually start working on.
Now you will have a long list of vulnerabilities with a long list of prioritized ones.
Ashish Rajan: Oh, and someone has to triage that to figure out, of these 10,000 priorities, which one is the priority that I need to work on today?
Amit Sheps: And let's assume that you have 10,000. So now you will have, best case scenario, 1,000. Good luck prioritizing
1,000. 1,000
Ashish Rajan: Vulnerabilities. Yeah. [00:10:00] Yeah. What is the best practice then? Cause that's your point. If vulnerability management is becoming that complex, and everyone, to your point about the five steps, they were like, hey, identify, get the inventory, prioritization, validation, all of that.
So what is the best practice for vulnerability management and maybe assessment as well, that people should consider today in the new world of cloud and multi cloud that we live in, and maybe even hybrid cloud that we live in now.
Amit Sheps: So I'll give you our, we just launched a new feature which is about to help. I don't know if it's the best practice, but we launched an integration.
We just launched an integration of our product into CSPMs, which means that we can actually take CSPM findings, evaluate them based on your own findings, based on your clouds, whether it's public or hybrid, and provide an additional layer of exposure. So we are bringing the exposure world into the CSPM.
And now we can actually reclassify each finding and say, okay, you have [00:11:00] something critical. You have a critical finding by the CSPM. However, it's not exposed by any means. So in order to reach it, I need to actually go around your firewall and do things which are very complicated. So basically it's not exploited.
By the way, maybe there is no APSS fault. So this is one thing. On the other way around, in some cases, you might have vulnerabilities which are exposed. This is where we will tell you, treat them immediately, because these vulnerabilities are exposed. So we are bringing that exposure, that new world of exposure, to the CSPM, allowing cloud security practitioners to actually gain benefit and reprioritize based on not what is, I call it, theoretical risk.
Theoretical risk versus actual danger.
Ashish Rajan: So mapping vulnerabilities to the inventory that you have found out. And I guess, because to what you're saying, CSPM by itself is just not enough for you to have enough data [00:12:00] to make an assessment that, hey, is this vulnerable? Is that where the additional context and stuff comes in as well?
Amit Sheps: Exactly. So CSPM is, so to say, from inside out. You are going from the cloud, and all the assessments that you are doing are internal. You don't have the attacker view, and we are bringing the attacker view into the picture.
Ashish Rajan: All right. Okay. So I guess to summarize, the best practice probably is, I guess, A) to what you said, you probably need the CSPM for compliance and other things anyway, but it's an inside-out view. The reason for the whole CTEM and the way of looking at vulnerability management in a different way is so that you are able to use the CSPM data to enrich the information that you have. That's the inside out. But you have the threat exposure part to identify what some of the exploitable vulnerabilities are that you are looking at. You combine that to make an assessment, for out of the 10,000 priorities you have, which thousand or which hundred I should be putting importance on.
Amit Sheps: Exactly. And by the way, our product actually does [00:13:00] validation tests, so we won't exploit it. We can make the first steps, let's call it unintrusive or something, which is very basic, actually, to make sure that it can be exploited. So it's actually a validated vulnerability that is a risk in the wild, so to say.
And you are vulnerable. So you're not vulnerable, you're exposed. So when you have the vulnerabilities, you are vulnerable theoretically, as I said. When we validate that this is actual, you're exposed. So it's actual risk.
Ashish Rajan: I think when we were talking, you also mentioned something along the lines of moving from vulnerability management to exposure management.
What's that about then? I guess it sounds like, to your point, we need the CSPM data to enrich the information. So are we saying the way we have done vulnerability management on premises, now that we move into a cloud, multi-cloud, hybrid world, why is there a need for us to move or shift our viewpoint from, or we're not doing vulnerability management,
we're doing exposure management?
Amit Sheps: I think it's a combination of both. And again, you won't hear me saying you don't need vulnerability management. [00:14:00] I think vulnerability management is the first line of visibility. But I think there are, let's call it, two parameters that have been changed. One is cloud stuff.
Everything is moving. So you need those vulnerabilities and you need that exposure in order to understand exactly what is exposed. You are also not providing the service. So that's also something. In the past, you had a vulnerability. Now you need to actually understand which part of the organization you are exposing.
We need the vulnerabilities for compliance. And again, there is something around that, and there is something that we need to take care of. But I think the second thing that was changed is that applications are now being designed differently. So now, I won't say everything is an application, but I think when you are launching a SaaS application on cloud, it will have a web interface, and in some cases I heard conversations with our customers talking about exposure of URLs, talking about [00:15:00] exposure of their, so to say, digital footprint.
So for instance, how many websites you have, or how many URLs you're handling. What is all the connectivity between them, how they are connected. So this is, I think, another layer of security that people need to be aware of. And it's not incident response. It's not pure vulnerabilities.
It's somewhere between misconfiguration, but it's there. It should be treated. Because again, if your DNS, for instance, your DNS name, was hacked or used, your website will not be available. Which is again, it's not that you're being hacked, but your service is not available; you're losing money.
Ashish Rajan: So I think you mentioned that as a best practice, you should still have CSPM.
You should still have vulnerability management. It's just, are we saying that the viewpoint should be different? So instead of looking at everything, what we've been traditionally taught in cybersecurity, that, hey, vulnerability management solves all vulnerabilities, what we are saying is, CSPM does your [00:16:00] compliance and inside-out view.
But the exposure management view is more like, hey, where am I exposed? And how do I prioritize that? Is that what the whole CTEM and continuous attack surface management, all that, is?
Amit Sheps: It's like positioning. How am I positioned in the network? Which parts of my organization are exposed outside?
Whether it's physical assets, whether it's URLs, whether it's domain names, all of these, whether it's a physical footprint or a digital footprint, which is out there, and I need to make sure that it's being handled properly, risk-wise.
Ashish Rajan: Yeah, because I think that also, because you're almost asking people to, hey, instead of trying to say this is a cloud problem, hybrid cloud problem or multi-cloud problem, because exposure is one word that kind of looks at everything.
That's why you mentioned the data center, the network, the DNS and everything else. And as a vulnerability management person who may traditionally, a lot of organizations have gone down the path of saying vulnerability management is literally just patch management. Make sure your operating system is patched.
And that's, like, [00:17:00] it used to be the end of it. But here we are asking people that, hey, if you have a vulnerability management team in the cloud or hybrid cloud or multi-cloud world, there's a lot more. I don't know if I'm overstepping by saying that good vulnerability management, switching the view to exposure management, could be a great way to identify, are we currently exposed for any potential vulnerability in cloud as well?
Amit Sheps: Definitely. I think the world is merging. I think that what we can see is that vulnerability management evolves into something else. We can see the movement in the market for many, I will use the word AI to solve it, at the end of the day, before we are using sophisticated models of AI in order to solve that problem.
I think there is an understanding that it's a new problem. Okay. The number of vulnerabilities cannot and doesn't allow us to actually stay as things have been until today. Now we need something different. And I think that the first step is the exposure, and that exposure brings you another level of prioritization.
If I want to [00:18:00] use, or if I want to avoid that name, prioritization, because again, it's very vulnerability, so to say, so it allows you to focus on where the risk is. Again, I'll give you some marketing stuff. We changed the word vulnerability into exploitability. Exploitability is basically a vulnerability, a validated vulnerability, which can be exploited.
So now let's assume that you're working with exploitabilities. So this is the list that you need to prioritize. So you are not reprioritizing vulnerabilities again and again. Yeah. You are working with exploitabilities, which is again an evolution of vulnerability management: taking vulnerabilities, identifying them with CSPM, giving them the right classification in the cloud.
You can actually work with, as I said, the real risk, the imminent risk, rather than the theoretical vulnerabilities that are being published daily, basically.
Ashish Rajan: Yeah. So I guess this is probably for the people who see a lot of a wall of red as [00:19:00] alerts on their screens and don't know where to start or where to go from there as well.
Are we saying that, if there is a leader listening or watching this who's planning the 2025 cybersecurity strategy, I think in the previous statement you called out, and to summarize, changing the viewpoint from vulnerability management to exposure management across the entire organization is probably a better way to look at it, if someone is thinking over the 2025 cybersecurity program, hey, what should I be, or how should I be, approaching vulnerability management?
And after hearing this conversation, they're like, oh, okay, I do have a CSPM, I also have vulnerability management software that gives me all the patching services, but I still seem to have a lot of the vulnerabilities that I need to, or still have a lot of vulnerabilities to work on.
Do you find that in this world of exposure management, where as a CISO or as a cybersecurity leader you're responsible to protect everything irrespective of cloud or no cloud, AI as well, I just throw it in there as well, what's a good way to approach vulnerability management? Cause I guess it's a very well-defined function, and most people would be questioning, [00:20:00] like, why is there a change needed?
And I think we've put some points across for it. In a cybersecurity strategy context, how do you see vulnerability management being included? Does it have to be, cause if it's everything, does that mean vulnerability managers are also distributed across everything, like your cloud people, your application security people, or does it still continue to be its own function?
Amit Sheps: I think when, again, my opinion, when CTEM or the Continuous Threat Management was designed, the context is vulnerability management, but not AppSec, but not supply chain. Okay.
Ashish Rajan: So not exposing that to that.
Amit Sheps: And I think it's a different challenge over there. I think supply chain security and code security are different processes.
Therefore you have DevSecOps rather than the usual security guys, security operations. And I think there are different complexities over there. One of the things that I recognize is that, and you were there, you saw it as well, is that [00:21:00] every two, three years we have a new technology and a wave of tools to secure it.
And those waves probably will continue. And I think, with them, you will have a wave of vulnerabilities, a wave of zero days, a wave of risks that will be associated with this. And again, we are not trying to solve everything, but I think we are providing a unique view with the system of how to handle vulnerabilities.
If you know where you are exposed, it's much more risky, rather than the things which are very hard to exploit, or in some cases, as I explained, there are vulnerabilities that cannot be exploited in the first week they are published. So there is no exploit. And now I need to chase something again. And one number, I think, that is not changing is the number of security professionals in the organization.
And again, there is a growing scope of risk, growing scope of environments, technologies that you need to [00:22:00] support, and your staff is not necessarily growing. So you need to find the things that will make you more efficient.
Ashish Rajan: And I guess, talking about a team as well, who do you see as the people responsible in the organization for threat exposure management?
Is it a SOC team, or is there a vulnerability management team?
Amit Sheps: So in general, it's pure vulnerability management. It depends on the size of the organization. One thing that you can see is that if this is a larger enterprise, then the problems that will be associated with exposure are being handled and questioned, such as, what happens if I'm a huge enterprise and I have subsidiaries?
So in some cases, how do I monitor the attack surface? This is tricky, because imagine that tomorrow Cloud Security Podcast becomes a huge enterprise and you have branches all over the world. But IT for AWS, for instance, is being maintained only in the US branch. And if you have Azure for any reason, then you need [00:23:00] to approach the UK branch.
So how do you work out all these issues? So this is one. And in some cases, the SOC guys want to be informed. So let me know if there is a risky asset, because if I see incidents which are related to this asset, then I want to bring the bells earlier.
Ashish Rajan: Yeah. And I guess, do you find that with exposure management?
Cause I think the theme so far seems to be that we're definitely looking at exposure management, vulnerability management. It's like, this is the next evolution of vulnerability management, essentially, what we're trying to get to. And that's what Gartner is trying to get to as well. Are we saying also that people who are probably in the space of vulnerability management, always looking at patch management and, hey, I'm already in the cloud space or I'm looking at virtual machines,
it sounds like the scope of that is also expanding, with DNS and everything else that's in the picture. Yeah. That's where the whole continuous threat exposure management, to me, sounds like it's exposure across the entire environment of the organization, not just, hey, I'm only [00:24:00] focusing on virtual machines in my cloud environment.
Amit Sheps: We started with a phrase which called you don't know what you don't know.
Ashish Rajan: Yeah.
Amit Sheps: Yeah. So now, I think the boundaries of an organization are undefined. In the past, as we said, you could claim that your perimeter is your boundary. But now the boundaries lie somewhere across the clouds and stuff.
So patch management alone would not help.
Ashish Rajan: Yeah. Cause I think that's probably the one message that I would like people to walk away with as well, because I think vulnerability management traditionally has been looked at as, hey, they do patch management. That's pretty much what the function is,
in some or more organizations. But now what we're saying is that with the growing usage of cloud, multi-cloud and other services, to what you said as well, the network perimeter is basically non-existent sometimes, because you could be publicly exposed on one side, not even using virtual machines anymore.
What happens at that point in time? PaaS services.
Amit Sheps: What we actually can show is that in some cases you might have issues on your [00:25:00] AWS which will impact your Azure, because you're multi-cloud. You can find an attack path that will start in one cloud and end up in another cloud, again, because of your issues, internal vulnerabilities.
Ashish Rajan: So yeah, it can happen. Yeah. Wow. It's definitely interesting to have people challenge the way they look at vulnerability management as they go into 2025, though. That's most of the technical questions I had. I've got three fun questions for you as well, so people get to know a bit more about you as well.
The first one being, what do you spend most time on when you're not trying to question the current approach to vulnerability management?
Amit Sheps: I'm running. I did three marathons. Oh, wow. Okay. Yeah, so I'm out on the streets, so you'll find me in the streets running, probably.
Ashish Rajan: Oh wow, I was gonna say, what was the last marathon you did? But was there one recent that you did?
Amit Sheps: No, but there was a famous one. I did Berlin. Oh, Berlin. Oh, wow.
Ashish Rajan: Okay. Cause that's one of the, that's the same as the one in Boston, same in London. That's one of the big ones, right?
Amit Sheps: Yeah. Yeah. I think it is the biggest one in Europe. And I think it's the flattest one, which is important [00:26:00] when you're on a marathon.
Ashish Rajan: Yeah. Yeah. Yeah. Second question. What is something that you're proud of that is not on your social media?
Amit Sheps: My daughter,
Ashish Rajan: Probably share this with her as well. Final question, what's your favorite cuisine or restaurant that you can share with us?
Amit Sheps: I like ice cream. Ice cream or
Ashish Rajan: gelato?
Amit Sheps: Gelato is the upgrade of ice cream, so I would go for gelato, definitely.
Ashish Rajan: So you're more gelato. Perfect. That's a great answer. And I'm the same as well, man. I think the gelato hits you differently. Where can people find you on the internet? I know you've written a few blogs on this as well. I can link them in the show notes. Where can people find and connect with you, just to know more about CTEM and how vulnerability management needs to be questioned differently? Where can people find you on the internet?
Amit Sheps: I am available on LinkedIn, and I'm sure we can provide my email as well. It's just amitsheps@ionix.com. Simple as that.
Ashish Rajan: Oh, awesome. I'll put your LinkedIn URL in the show notes as well. But dude, thank you so much for coming in and talking to us about vulnerability management and how it's actually going through the evolution.
[00:27:00] And the next evolution, CTEM, another acronym that we're going to probably learn over the coming few months and years. We'll talk about it, yeah, probably it's going to stick around for some time. CSPM, we're still talking about it after six, seven years. I think CTEM is going to be another one as well.
One of those. Thanks so much for your time, man. I really appreciate this.
Amit Sheps: Thanks for having me.
Ashish Rajan: Thank you for listening or watching this episode of Cloud Security Podcast. We have been running for the past five years, so I'm sure we haven't covered everything cloud security yet. And if there's a particular cloud security topic that we can cover for you in an interview format on Cloud Security Podcast, or make a training video or tutorials on Cloud Security Bootcamp, definitely reach out to us at info at cloudsecuritypodcast.tv. By the way, if you're interested in AI and cybersecurity, as many cybersecurity leaders are, you might be interested in our sister podcast called AI Cybersecurity Podcast, which I run with former CSO of Robinhood, Caleb Sima, where we talk about everything AI and cybersecurity: how organizations can deal with cybersecurity on AI systems, AI platforms, whatever AI has to bring next as the evolution of [00:28:00] ChatGPT and everything else continues.
If you have any other suggestions, definitely drop them at info at cloudsecuritypodcast.tv. I'll drop that in the description and the show notes as well so you can reach out to us easily. Otherwise, I will see you in the next episode. Peace.