The reality is that vulnerability management is mostly about catching up. You find out about vulnerabilities and then rush to patch them based on priority. If we’re already building out zero trust architecture to secure systems we know to be by default vulnerable, why are we still messing around with vulnerability management?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Howard Holton, COO, GigaOm. Joining us is our sponsored guest, Rob Allen, chief product officer at ThreatLocker.
Huge thanks to our sponsor, ThreatLocker

Full Transcript
Intro
0:00.000
[David Spark] Is it possible to have a secure software environment without traditional vulnerability management? Could you actually avoid VM by applying zero trust principles?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series and we have a guest co-host for this episode. Very excited to have him on board, a friend of the show, as we like to say. It is Howard Holton, chief operating officer, COO, over at GigaOm. Howard, say hello to the audience.
[Howard Holton] Hello, audience. I’m so happy to be here. I love being referred to as a friend of the show, David.
[David Spark] You are a friend of the show.
[Rob Allen] I’m kind of jealous that I haven’t been referred to – well, maybe you will – but I haven’t been referred to as a friend of the show.
[David Spark] You are also a friend of the show. We like having you on.
[Rob Allen] Am I? Ah, I’m touched.
[David Spark] That, by the way, is Rob Allen, who piped in a little early. I was going to introduce him later, and I will later because he’s with our sponsor. That would be ThreatLocker, zero trust endpoint protection platform. And Rob, by the way, is the chief product officer over at ThreatLocker. Rob, say hello to the audience.
[Rob Allen] Hello, audience. You didn’t refer to me as a friend of the show, David.
[David Spark] You are a friend.
[Rob Allen] You told me I was a friend of the show.
[David Spark] You are a friend. We like you as a friend of the show.
[Howard Holton] But just a friend. We just like you as a friend.
[David Spark] Yes, we do only like you as a friend.
[Laughter]
[David Spark] Howard, by the way, thank you for clarifying that. It’s not a friend with benefits of the show, I will say that.
[Laughter]
[Rob Allen] Perish the thought. Perish the thought.
[David Spark] All right. Can I get to our topic at hand, which, by the way…
[Rob Allen] You can try.
[David Spark] Yeah, we’re going to try to get [Inaudible 00:01:44] at hand. The reality is that vulnerability management is mostly about catching up. And nobody says, and I haven’t heard it, and you tell me, nobody says, “Ah, our vulnerability management program is perfect. We’re all caught up. We feel good about how we’re handling vulnerabilities.” Nobody says that.
So, you often find out about vulnerabilities and then there’s a rush to patch them based on priority, and then that becomes a whole industry in itself. So, if we’re already building out our zero trust architecture to secure systems we know to be by default vulnerable, why are we still messing around with vulnerability management?
I’m going to ask you first, Howard. Why do you think we’re still messing with it if we’re trying to build out a zero trust program?
[Howard Holton] I mean, I don’t think they’re mutually exclusive.
[David Spark] Okay.
[Howard Holton] The reality is vulnerability management and patching is one layer in the Swiss cheese of layered defense. It would be great if we could say, “I fully trust all the other layers and I no longer need to worry about this layer,” because no one’s ever caught up. Everyone’s always behind.
And I burn a lot of political capital with vulnerability management because vulnerability management is not a zero disruption layer.
[David Spark] So, that is a good point. All right, Rob, we’re going to bring you in. I know you want to talk about this topic. You are passionate about this because I know that zero trust and ThreatLocker are intertwined. So, we’re going to jump into this. Are you for it, Rob? Yes?
[Rob Allen] Absolutely, David. Born ready.
Is anyone happy with this solution?
3:13.822
[David Spark] Dustin Sachs, who’s with CyberRisk Collaborative, said, “Traditional vulnerability management is inherently reactive and ineffective at eliminating risk, making it more about mitigating exploitability than truly managing vulnerabilities. A more secure approach definitely integrates zero trust principles, strong software engineering practices, and runtime security controls to assume compromise and contain threats rather than relying solely on patching after the fact.” This is kind of a theme right there.
And let me also mention Martin Rivera Neuhaus of Enstal Technologies, who said, “Zero trust should be first and foremost effectively enforced at the network layer with need to access specific applications allowed for specific users, allowed based on active directory/MFA authentication. It’s hard to remediate vulnerabilities, but it’s not hard to lock down who has potential access to exploit those vulnerabilities.” So, both Martin and Dustin here, Howard, are saying, yeah, you got to start with zero trust and that vulnerability management is just harder than doing zero trust.
What do you think?
[Howard Holton] Ooh, no, I think there’s a little bit of a false dichotomy there. Vulnerability management is not hard from a technical standpoint. It’s hard from a bureaucratic political standpoint, I would say, far more than it is from a technical standpoint.
[David Spark] Yes. You mentioned that, and I would agree with that. Yes.
[Howard Holton] Zero trust is way harder from a technical standpoint. We’ve had network segmentation for, well, forever. We’ve had VLANs for 100 years at this point, in IT years, and no one really completed VLANs to a level high enough to do anything but restrict broadcast domains. We’ve had network segmentation for a very long time, and it’s only recently that the orchestration tools and management tools have become good enough that I would say that’s reasonable for a large network to do.
But we’ve been doing vulnerability management patching – that’s really what we’re talking about, we’re talking about vulnerability management – for a very long time. It’s not complete by any means, but I don’t think these things are mutually exclusive. I think, again, I think this is one layer that is in your stack, and if you can get to full zero trust, that is absolutely the best place to be.
That is absolutely the target. That is absolutely the goal. But in order to do that, there are definitely tools that can help. I’m sure we’re about to hear about one as soon as the guest on the show stops biting his tongue.
[David Spark] [Laughter]
[Howard Holton] But ultimately, there is still a little bit of a challenge there. I don’t think one replaces the other completely in any way. I think they complement each other fairly well.
[David Spark] All right. So, I’m throwing this to you, Rob. So, there’s two theories here. One is… And again, this is more, I guess, a thought exercise because you did make a good point that this is just layered defense, Howard. But from the thought exercise, could you successfully have a security program without a vulnerability management program if you were doing zero trust well?
And B, if not, where do these two coincide in a happy way? And can your, I guess, VM program maybe lower itself? Not be so hot, as it seems like the number one reason people are sort of managing risk? What do you think, Rob?
[Rob Allen] Well, without putting too fine a point on it, I think from vulnerability management perspective or patching perspective, I mean, you have to assume that the software that you’re using right now is full of holes because the software that you use right now is full of holes. I mean, all you have to look at is your average patch Tuesday and see how many things Microsoft patched, how many CVEs are dealt with.
I mean, I’m talking to you on Chrome right now. I have absolutely zero doubts that the version of Chrome that I’m running now is full of holes.
[David Spark] Yeah. It’s like taxes. It’s an inevitability. It’s going to come out. [Laughter]
[Rob Allen] Correct. It is. It’s just a question of whether or not those vulnerabilities are known and being exploited at any given time.
[David Spark] Right.
[Rob Allen] So, work on that assumption. It comes back to the idea of, broadly speaking, assume breach. So, assume a breach is inevitable or has already occurred. Assume the software you’re using is full of holes. And it’s just a question of when and where that’s going to be exploited. That does lead you quite nicely into the concept of zero trust, which is that you have to assume a breach is inevitable.
I mean, it is one of the tenets of zero trust is to assume a breach is inevitable and act accordingly. Assume that the software you’re using right now is vulnerable and act accordingly. And the act accordingly is basically where zero trust comes into it. So, if I’m using a vulnerable version of Chrome right now, so assume it’s going to be exploited.
Well, what’s the next thing that will typically happen if a vulnerability is exploited? Nine times out of ten, it’s something is going to try and run. If you block that something from running by default, then you don’t really need to worry about the vulnerability as much.
[David Spark] That, I think, is really kind of the crux of what we’re trying to get at is if you’re blocking the thing from running, the slew of vulnerabilities attached to it don’t become a problem.
[Rob Allen] Absolutely, 100%. It comes back, like there’s a much bigger question about the amount of software that is in use in a lot of organizations and whether or not all that software is actually required. Do we need five different PDF viewers to be running? Probably not. Can we not standardize on one?
Again, the amount of software that a lot of organizations run effectively increases the amount of potential vulnerabilities that are out there exponentially. So, if you can limit, standardize on what is being used, then you’re going to reduce the number of vulnerabilities and you’re going to have less to worry about.
But aside from that, you have to assume that those vulnerabilities are present, whether they’re known about before and whether they’re being exploited currently, and as I said, act accordingly.
I mean, again, the other thing, if it isn’t something running as a result of a vulnerability, obviously, remote code execution is probably the biggest and most scary one for most people, but again, if you’re blocking code from running by default, it’s not going to be able to run. It could be that an attacker is going to try and leverage something like PowerShell or going to use a built-in “living off the land” type thing.
So, again, if you can control those applications, those things, the reality is it’s going to be less of an issue if a vulnerability is exploited.
What else are we missing?
9:17.792
[David Spark] Arnel Manalo of Convergent DS said, “In a larger, highly regulated enterprise, you better have very well-documented compensating controls and a well-versed compliance team to deal with external auditors when they ask you, ‘Do you perform vulnerability scans on your code?’” Okay, so this becomes a compliance issue.
And Duane Gran of Converge Technology Solutions Corp said, “Vulnerability management is a winning move when it does two things well – prioritizes the stuff that matters, and two, B, includes configuration management. I’m a big fan for zero trust, but I think if you approach vuln management with a mindset of doing the 5% that matters, you can eliminate a lot of risk.”
And Steve Wingate of CyberGuard Advisors said, “Skipping traditional vulnerability management means you’ll need a strong security setup, which can be more complex and resource heavy. Vulnerability management helps you find and fix known risks in an organized way. Without it, you’ll have to rely more on threat intelligence, behavioral analysis, and incident response to keep your system safe.” I’m getting the sense from all these comments that the vulnerability management program can not go so deep, and like what Duane said, if it can prioritize and give configuration management, you really just need to do the top 5% of stuff.
What do you think, Howard?
[Howard Holton] I think people do rely too much on vulnerability management. And I think Rob made a really, really, really good point, which is ultimately, you can only patch the vulnerabilities you know about. You can only patch the vulnerabilities that you’re aware of. So, there is no point at which vulnerability management will be complete in and of itself.
There are, I don’t know, 3,500 or so CVEs released every year. That’s 10 a day. If you’ve got five PDF viewers, if your tech stack that should be 50 is 500 things or 250 things or 150 things, you’re tripling the amount of things you have to protect right out of the box. And the reality is, if you approach all of this from the perspective of a hack absolutely unequivocally will happen if it hasn’t already, you will absolutely be attacked constantly forever and ever and ever until somebody finds a way in, then reducing the blast radius and disable by default and restrict by default has to be the way that you approach these things.
The politics of the situation notwithstanding, I don’t think that there’s a single solution that does solve all this. But yeah, without a doubt, right, if you know what is vulnerable, if you know what you have external, and you lock all this stuff down and reduce that blast radius, that is by far the best thing that you’re going to get to.
I do think we’re beating around the bush a little bit, which is to say, we’re constantly underfunded and we’re constantly under pressure by the business to not interrupt anything at any cause. I’m willing to bet that even the things that shouldn’t cause a tremendous amount of risk, like Chrome being updated, if you go through an organization of 5,000 people, you’re going to find 4,880 of them that haven’t restarted Chrome to update to the latest version, right?
Like there’s basics here that we’re not even doing.
[Rob Allen] What about my 500 tabs?
[Howard Holton] You only have 500 tabs open, Rob?
[Rob Allen] I don’t have 500 tabs. I am very, very, very careful about my tabs. I’ve got one tab open right now.
[David Spark] That’s good.
[Howard Holton] Did you just wake up five minutes ago?
[Laughter]
[Rob Allen] I’m a big believer in tab cleanliness and hygiene.
[David Spark] He’s very tab clean. He looks like Mr. Tab Clean too, for that matter.
[Laughter]
[David Spark] For those of you just listening, Rob is a bald man with a very impressive beard. Let’s get to the subject at hand. These comments here are all saying you can do this, meaning go very zero trust heavy with less vulnerability management, but you need to keep other things in mind here. Like you need to keep compliance issues in line.
You still need to do VM, assuming it’s prioritizing configuring correctly, and then you can sort of narrow to the top 5%. And then with Steve mentioning, well, other things need to come into play like threat intelligence, behavioral analysis. So, as you said, certain problems go away as your zero trust program emboldens itself.
Yes, Rob?
[Rob Allen] I wouldn’t say they go away, but they certainly reduce. One of the comments there is absolutely true, which is you should prioritize. And there are certain things that, yes, you should patch, but realistically, is it dangerous? Is it that exploitable? Is it probable that this thing is going to be exploited?
And if it is, then what’s the worst that could happen? Whereas something that is, “Oh, my God, this is really bad. This needs to be patched yesterday,” should take priority. So, yeah, the absolutely common sense can be applied to these things, and people should prioritize the most important, the most dangerous, the most weaponizable things that need to be patched.
So, that makes absolute sense. Again, it does still come back to if you tie this in with controls, and I know one of the other comments mentioned controls. And fundamentally, that’s what we’re talking about here. Like, it’s the controls over things being able to run. It’s the controls over what things can do.
So, if you do combine a sensible patching program with controls, then you’re going to be in a much better place.
[Howard Holton] I couldn’t agree with that more. If you have the controls in place, then the panic and the timing around MTTR for vulnerability management basically goes away. You can get around to it in a reasonable amount of time, and none of that panic continues to exist. But I do think they have to work in concert, I do think they have to work in pairs, and it requires a lot of maturity within your cybersecurity operation to maintain that level of predictability and prescriptibility.
[Rob Allen] I’ll give you a really quick example. One of my favorite examples of this over the last couple of years was PrintNightmare. For those that don’t know, it was a vulnerability in the print spooler on pretty much every version of Windows, that when exploited could be used to effectively drop a DLL on a remote system and execute it.
So, it’s remote code execution through the print spooler. I saw that being exploited in both an environment without ThreatLocker running and an environment with ThreatLocker running. And when it was tried to run or when it was exploited in an environment with ThreatLocker running, you could see the DLL getting dropped on the system.
You could see the DLL trying to run, and you could see the DLL getting blocked because default deny. So, it’s just a really, really good example of, well, look, the vulnerability is there. We’re waiting for Microsoft to push out a patch. But in the meantime, what’s the worst that can happen if it gets exploited?
And as I said, in that particular case, it was nothing.
Sponsor – ThreatLocker
15:45.964
[David Spark] Who’s our sponsor this week? It’s ThreatLocker, and ThreatLocker continues to be an awesome sponsor of the CISO Series. So, as we all know, zero-day exploits and supply chain attacks keep all of us up at night. Nobody likes them. You don’t have to worry that much anymore, really. You can actually harden your security, what we’ve been talking about today, with ThreatLocker.
So, imagine this. You’re taking a proactive, deny-by-default approach to cybersecurity, blocking every action, process, and user, unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance.
That did come up.
So, onboarding an operation is fully supported by their U.S.-based support team. You can stop the exploitation of trusted applications within your organization to keep you running efficiently and secure, protected from ransomware. That’s a big thing. You’ve got apps you trust, but the bad guys like to take advantage of that trust to make things nasty.
So, worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. You can learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization. Just go to their website. Visit ThreatLocker.com.
What’s the issue here?
17:13.464
[David Spark] Nikolay Chernavsky said, “Prevention implies either knowledge of the exploit or a comprehensive understanding of the software’s normal behavior. If we assume vulnerability, we admit to lacking this crucial knowledge. Zero trust, in this context, attempts to protect against both the unknown functionality and the unknown malicious code.” Really good point.
“But can we credibly claim prevention when the very nature of the threat is unknown, as zero trust suggests?”
Mauricio Ortiz of Merck said, “Any software will never be 100% secure and would constantly need to be patched or upgraded to the latest version.” What you said, Rob. “Most organizations cannot keep up with that. The zero trust model assumes that threats can come from both inside and outside the network and therefore no user or device is trusted by default or should have free range to everything.
However, having exploitable vulnerabilities could weaken or break the zero trust model.” I want to double down on what Mauricio says here, pretty much echoing what you have said, Rob, throughout the show. But his last line, “Exploitable vulnerabilities could weaken or break the zero trust model.” Give us some examples of that.
Where can that happen?
[Rob Allen] Examples, I mean, as I said, I mentioned remote code execution. That’s clearly something that will be stopped or blocked. There are situations, there are things, there are exploitable vulnerabilities where, for example, I mean, some of the backup software vulnerabilities of late, you could create a user on a server by exploiting a vulnerability.
Again, that’s not great, and that’s something that you really don’t want to be able to happen. So, obviously, patching a vulnerability like that is really important because again, being able to create users is not a good thing. But if you do, and to some extent that is going to weaken your zero trust model, but then, okay, a user’s been created.
I mean, the fact is if they’re able to exploit a vulnerability on something like a backup server, they’re probably in already.
And to the point that the other person made, you have to assume threats are coming from both outside and inside the network. So, they’re already in at that point. So them being able to create a user, is it really that serious an issue? Well, you don’t want it to be able to happen. It’s not ideal. But the fact is, okay, so I’ve created a user on that server.
I can now log into it. Can I run ransomware? No. Can I exfiltrate data? No. Can I do all the things that I want to do as an attacker? Realistically, probably not. So, absolutely. Having exploitable vulnerabilities, particularly serious and dangerous ones, is not a good state to be in, and you should absolutely try and patch those vulnerabilities and exploitable problems.
But again, combining it with a set of controls fundamentally with zero trust, two things combined, they basically help each other. They leave you in a better place.
[David Spark] What do you think, Howard, about where the exploitable vulnerabilities are in a well-honed zero trust model?
[Howard Holton] I mean, they’re everywhere. Like, the whole point of this is none of this is actually secure. You still, even within zero trust, even if your zero trust is perfect, you still have to assume compromise. You still have to assume attackers are in and have compromised some piece of the network.
So, they’re still everywhere. That’s why you can’t disregard or discard vulnerability management. I mean, it has its own inherent issues, but so does every layer within your security framework. It’s why you always have layers in your security framework. If zero trust was perfect, you could just have one layer, but it’s not.
So, you still have to maintain these layers. However, what zero trust allows you to do is be far more reasonable with all of the layers.
[David Spark] I think that is the theme. I think we’ve been dancing around that very theme right there. Zero trust allows you to be more reasonable because imagine, you don’t have a zero trust model. Your vulnerability management program is on fire, and you’ve got political nightmares, don’t you, Howard?
[Howard Holton] I mean, for sure. It’s also impossible to keep up with. Like I said before, you have 4,800 people. I mean, even if you remove the political nightmares, the second you remove the political nightmares, now you have human barriers. I don’t have enough people to patch all the things that need to be patched to reduce my vulnerabilities to zero.
Then I have time problems. So, even if I had an infinite number of people every 24 hours, every 24 hours there’s more vulnerabilities. So, what do I get? I get five minutes of perfection in an absolute utopia system. Then I do a single M&A and oh, look, I’ve got 243,000 more vulnerabilities [Laughter] that just showed up because we did an M&A.
I don’t think there’s a world in which vulnerability management could be solved. So, then the best layer that you could ever add is zero trust.
What’s most important?
22:09.179
[David Spark] Mike Gibson of Rapid7 said, “I feel the real evolution we’ll see is a shift towards exposure management and a more proactive, continuous approach that goes beyond traditional vulnerability management. Zero trust doesn’t address the full spectrum of exposures that attackers exploit, such as misconfigurations, identity risks, attack paths, and shadow IT.
Exposure management brings context-driven risk prioritization, aligning security efforts with real-world attack scenarios rather than just patching vulnerabilities or enforcing strict access controls.” I think, Rob, you would disagree with some of the things that Mike Gibson claims about zero trust. Yes?
[Rob Allen] You’re going to be shocked to hear this, David, but I do. I do.
[David Spark] [Laughter] All right. Your thoughts?
[Rob Allen] Well, look, I mean, the likes of shadow IT is exactly what applying zero trust principles will take care of. It’s what it stops. I mean, it stops somebody from having 15 Chrome extensions, including Chinese coupon clippers in their browser. It stops people from having remote access tools running on their machine that can be used or utilized.
It stops me from having WinRAR on my computer, which fundamentally has all of the characteristics of ransomware because it can encrypt data, it can transmit data, and it can delete data. And if you’re an attacker, that’s all you need. Whereas, again, applying zero trust principles, denying by default, blocking everything that isn’t specifically allowed, is exactly what’s going to solve that problem.
And again, is exposure management going to say, “Hey, WinRAR is on this computer, and WinRAR can be utilized by attackers”? Is exposure management going to say, “Well, I can see Rclone is sitting on the server over there”? Rclone is very commonly used for exfiltrating data. Reality is probably not. So, again, if you just stop all of those things from being able to run, i.e., zero trust, then you’ve…
I’m not going to say you’ve solved the problem because again, none of these are problems that can be 100% solved. I mean, first of all, again, you can’t just go out and buy zero trust. You can’t say, “Hey, this product is zero trust.”
[David Spark] By the way, that was the early day marketing that was done often that you could buy zero trust. People have wised up.
[Rob Allen] Zero trust is a journey, not a destination.
[David Spark] All right, Howard, you’re getting the last word on this. Your thoughts?
[Howard Holton] I think it would be hard to rewrite Mike’s quote so that I could disagree with it even more than I do. I really disagree with it. And I don’t disagree that exposure management has value and has a place, but it has a place, and that place does not at all replace zero trust. Not even a little bit, not even slightly, because in order to replace zero trust, what you have to say is exposure management is perfect.
It’s not perfect, right? It is another layer. Is it better than vulnerability management? Yes, probably, but it does not replace zero trust. And to Rob’s point, zero trust starts as a philosophy. It is not a product. It is not a suite of products. There are products that conform to zero trust principles that follow the zero trust philosophy.
However, they are also part of the solution and not the entire solution.
[David Spark] A perfect comment to end this discussion.
Closing
25:22.049
[David Spark] Now, I’m going to take you first, Rob, since you’re the guest. I would like you to tell me which quote of all these quotes was your favorite and why?
[Rob Allen] I have to say it was the very first one, which is Dr. Dustin Sachs, who said, “Traditional vulnerability management is inherently reactive and ineffective at eliminating risk.” And I think that’s absolutely true.
[David Spark] Good point. Good point. Howard, your favorite quote and why?
[Howard Holton] Oh, I’m so happy. I’m so happy because it’s not the same one as Rob’s. I like Nikolay Chernavsky’s.
[David Spark] Yes.
[Howard Holton] “Prevention implies either knowledge of the exploit or a comprehensive understanding of the software’s normal behavior.” I absolutely love that quote. I’m not a big one for making T-shirts, but if I was to make a cyber T-shirt, that one would definitely be on there.
[David Spark] All right. Good job, Nikolay. And good job, Dustin, as well. All right. Well, that brings us to the very end of the show. I want to thank both Rob and Howard for being my guests today. And also, Rob, your company, ThreatLocker, for sponsoring yet another fantastic episode of the CISO Series.
Remember, everybody, if you want to get help in building out your Zero Trust program, you need to go check out what they’re doing over at ThreatLocker. Remember, ThreatLocker.com. And I’m going to actually quote you, Rob. ThreatLocker is never not hiring, correct? Did I get that right?
[Rob Allen] ThreatLocker is rarely not hiring.
[David Spark] Rarely not hiring. Okay.
[Rob Allen] Okay. No, realistically, it’s never not hiring.
[David Spark] It’s never not hiring. So, if you would like to work with a phenomenal team, they have a job board on their site, so go check it out. Any other last words you’d like to say, Rob, about this topic or anything else?
[Rob Allen] Well, funnily enough, since we’ve, well, okay, we haven’t spent the entire conversation giving out about patch management or saying patch management isn’t a necessity. We have a patch management solution. ThreatLocker reintroduced it at Zero Trust World. So, we also do patch management. So, we do recognize and realize and accept that patch management is important.
And so, it is something we now offer as well, much more in depth than a lot of other ones, basically because we’re only interested in the actual files, the actual hashes, the shards of things that are running. We’re not looking at registry keys. We can see stuff that’s sitting in downloads folders that is out of date and needs patching.
So, yeah, we are in agreement that patching is important, but again, it’s patching as part of a bigger picture. It’s not the be all and end all.
[David Spark] Excellent. I’m glad you mentioned that because that definitely had to do with today’s conversation. So, if you’re looking for a zero trust solution, one that will help you towards that goal, since it’s a journey, not a destination, and you’d like some help with patch management, why not check out what they’re doing over at ThreatLocker?
Remember, ThreatLocker.com. Huge thanks to Rob, huge thanks to Howard, huge thanks to ThreatLocker, and thanks to you, our audience. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.






