Patch ALL teh things we constantly tell CISOs and CIOs.
Thing is, let's be honest with each other right? we can't and this graph is telling.
Patching is a pain, we get it and we do need to revolutionise the approach. Two years ago, @LargeCardinal wrote a phenomenal paper
Thing is, let's be honest with each other right? we can't and this graph is telling.
Patching is a pain, we get it and we do need to revolutionise the approach. Two years ago, @LargeCardinal wrote a phenomenal paper
where, in essence, the idea was to prioritize patches by expressing the connectivity of various vulnerabilities on a network with a QUBO and then solving this with quantum annealing.
Now working with Mark often has me saying 'dafuq you saying bruv?'arxiv.org/pdf/2211.13740
Now working with Mark often has me saying 'dafuq you saying bruv?'arxiv.org/pdf/2211.13740
but once he's put down his markers and explained it to me like the child I am, it made sense.
A QUBO problem involves finding values for binary variables (i.e., variables that can only be 0 or 1).
A QUBO problem involves finding values for binary variables (i.e., variables that can only be 0 or 1).
You can think of this as 1 if vulnerability is to be patched in the current cycle or 0 otherwise. We cannot patch all, let's be honest with each other here, but what we can do is apply some logic to it, like:
Impact of vulnerabilities: Some vulnerabilities might have a more significant impact if exploited. Take a SSL VPN here, the border gateway device. This is a 'patch y0 shit now, done it yet??'
Dependency factors: Some systems or applications might depend on others, so patching one might reduce the risk or necessity of patching another immediately.
Patching costs and risks: Including the cost or potential disruption caused by patching (e.g., system downtime)
The paper is deep, as you'd expect from Dr Carney, but it has logic to it and the use of vulnerability graphs to help ascertain what to patch, based on the above
The paper is deep, as you'd expect from Dr Carney, but it has logic to it and the use of vulnerability graphs to help ascertain what to patch, based on the above
and by employing a QUBO approach to the problem of vulnerability patching, an organization can systematically analyze and prioritize patches in a manner that accounts for the complex interdependencies
between system components, leading to a more secure and efficient patch management process.
I didn't say it was easy but the graph showing how badly we are doing it now, kinda tells me we need to rethink our approaches to patching.
I didn't say it was easy but the graph showing how badly we are doing it now, kinda tells me we need to rethink our approaches to patching.
Still 60% for 47% of vulnerabilities not patched, this isn't ideal at all.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
