With the help of new exposure management capabilities now available in Sevco's next-generation asset intelligence platform, CISOs gain quantifiable insights to manage remediation programs, highlighting where efforts are working and where they aren't.
Last month, Sevco unveiled new capabilities in the Sevco platform to help manage and remediate risks for a new asset class – software vulnerabilities (think CVEs) and environmental vulnerabilities (think missing security tools, EOL systems, and IT hygiene issues). Sevco’s exposure management capabilities centralize known and surface previously unknown vulnerabilities in one place, prioritize the most critical issues across the environment (based on technical severity and nearly unlimited business context derived from Sevco’s asset intelligence), automate the remediation to fix priority issues and validate that remediation efforts are completed. With the help of these new capabilities in the Sevco platform, CISOs gain quantifiable insights to manage remediation programs, highlighting where efforts are working and where they aren't.
Why does this matter: The systems that typically track and report CVEs, don’t report on vulnerabilities in categories such as cloud, identity, system misconfigurations, and more. Those have to be uncovered from data found within different (typically siloed) tools. This visibility issue has caused CISOs to drown in vulnerabilities without the ability to identify the ones that present the highest risk to an organization. With asset intelligence as the foundation, the Sevco platform’s exposure management capabilities help CISOs and security teams solve this challenge by proactively prioritizing, automating, and validating the remediation of all types of exposures, including software and environmental vulnerabilities. Additionally, the Sevco platform validates the successful completion of vulnerability remediation when it’s observed on the asset itself, not just when a ticket is closed. This enables Sevco to highlight actionable metrics that allow CISOs to see what’s working and what’s not working in their remediation programs and break down cross-department silos that can cause visibility issues in the first place.
How does it work: Sevco's approach to vulnerability prioritization differs from existing tools because the Sevco platform integrates with existing security tools to aggregate, correlate, and deduplicate the data in those sources to surface important context and assess the risk and business impact for each asset. With this knowledge, Sevco can automatically detect and proactively alert an organization’s security team to vulnerabilities in their environment, including software vulnerabilities (CVEs), missing or misconfigured security controls (security gaps), and IT hygiene issues (unpatched devices and shadow IT). Additionally, Sevco helps to prioritize the CVEs, missing endpoint agents, and other IT hygiene vulnerabilities so our customers are always working on the highest risk issues first based on their specific business needs. Sevco's remediation management workflow helps to reduce risk dramatically with automation, key integrations that allow for collaboration and visibility across IT and security teams, and validation that remediation happened -- no matter the ticket status. Additionally, Sevco provides reports on remediation metrics that arm CISOs with the knowledge needed to understand the utilization of specific IT and security teams.
Learn more about Sevco: https://itspm.ag/sevco250d8e
Note: This story contains promotional content. Learn more.
Guest: J.J. Guy, CEO and Co-Founder, Sevco
On LinkedIn | https://www.linkedin.com/in/jjguy/
On Twitter | https://x.com/jjguy?lang=en
Resources
State of the Cybersecurity Attack Surface (June 2024 Report): https://itspm.ag/sevco-l9bl
Learn more and catch more stories from Sevco: https://www.itspmagazine.com/directory/sevco
View all of our OWASP AppSec Global Lisbon 2024 coverage: https://www.itspmagazine.com/owasp-global-2024-lisbon-application-security-event-coverage-in-portugal
Learn more about 7 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs
Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/
Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up
Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story
Sevco Sets a New Standard for Vulnerability Risk Prioritization with the Launch of New Exposure Management Capabilities | 7 Minutes on ITSPmagazine | A Sevco Brand Story with J.J. Guy
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Here we are. We're ready for another seven minutes on ITSP magazine with a new short brand story. Today I'm joined by JJ Guy, CEO and co founder at Sevco, the asset intelligence company, delivering enterprise wide visibility and prioritization across all classes of vulnerability by automating, validating, and tracking vulnerability remediation to drive more proactive security for its enterprise customers.
There we are. JJ, welcome to the show. Thanks, Sean. Happy to be here. And, uh, I'm glad, glad to have you on. I'm excited to hear about, uh, what you and the SEVCO team have built. Uh, traditional systems typically track some vulnerabilities, CVS and things like that, but leave a bunch of stuff uncovered, which, leaves them exposed.
And I know the term exposure management is something that you hear quite a bit. So kind of frame the picture of, for us about what. You're hearing from customers .
J.J. Guy: Yeah, I mean, that, uh, 20 years ago, [00:01:00] when we, um, they say first started vulnerability assessment programs and build in our vulnerability management programs, uh, the definition of vulnerability was CVE.
Um, software vulnerability. Then you had a vulnerability assessment platform that reported that back. Well, there's a couple things that have changed in the industry since then. Um, I mean, you've got, um, the increased complexity of enterprise networks, the degradation of the enterprise perimeter, the adoption of sass, the shift to cloud infrastructure, mobile devices.
Um, and all of that is creating a whole lot more complexity and the way our networks are built and managed when compared to, say, the days of 20 years ago, where you had an enterprise network, a firewall, a whole bunch of devices that never left the physical location of your devices or your, um, your, your, um, uh, buildings, um, that, uh, has given rise to a whole slew of different kinds of Vulnerabilities.
Um, and we got a whole bunch of different [00:02:00] platforms these days reporting those. I mean, that external attack service management, the cyber asset attack service management, cloud security, posture management, data security, blah, blah, blah, blah, blah. And all of those are specialized platforms to study your existing infrastructure and help surface some of the, um, Vulnerabilities, for lack of a better word, right alongside the rest of the software vulnerabilities that the vulnerability assessment products are still producing.
Um, that's in addition to the challenge that it used to be. We had just one vulnerability assessment platform reporting software vulnerabilities and like these days because of that explosion and complexity and all the infrastructure like folks have half a dozen. So now the vulnerability management teams in any given enterprise have got a dozen or more different platforms, all reporting different kinds of vulnerabilities, half of them CVEs and software vulnerabilities that are overlapping in complex ways nobody can tease out.
And then [00:03:00] all the rest of these other classes of vulnerabilities that folks have to pay attention to. And working through all of that is a huge amount of manual toil.
Sean Martin: Yep, overwhelming. Just the CVEs alone is enough. So how does that impact, uh, remediation?
J.J. Guy: Yeah. I mean, there's a huge amount of complexity there. It starts with. Which one of those problems is the most important? Um, the, uh, which one of those is the most critical? Like in the world of CVEs, at least, we've started to talk about vulnerability prioritization, risk based vulnerability management, you know, et cetera, et cetera, et cetera.
Go down the list. Um, but because there's been such an increase in the volume of CVEs, it's outstripped our ability to patch all of them. Um, the, uh, so organizations have to decide where to start. And then at the same time, you've got to. Compare those. Where do you spend your time? You've got all these vulnerabilities reported by your external tax service management players, chasm the players like us, and a limited [00:04:00] number of resources to go fix and address those issues.
It's made prioritization that much more important
Sean Martin: Talking a bit about validating the results and actually measuring the results.
J.J. Guy: So that's part of what, uh, Sevco is focused on. Um, the, uh, but one of the high, the things we highlight in our, um, as part of our traditional asset intelligence platform is the deployment of your various endpoint agents.
Yeah, there's three key ones at every enterprise, your vulnerability assessment agent, the your, Your patch management agent, um, the, uh, and then your endpoint security agent that makes sure you have visibility into the traditional software vulnerabilities from any given source that you have the tool chain in place to be able to fix those.
And then three inevitably, when you miss one, you've got some insurance policy to make sure the inch point security agents going to block it. Well, our numbers show that, um, in general, every one of those end point agents is under deployed, missing on 20 percent of the machines is supposed to be on. Um, the, uh, [00:05:00] like, listen, it doesn't matter how many times your vulnerability analyst.
Opens a ticket with ServiceNow to go patch a given CVE. If the patch management agent is not present, nothing is getting patched. And if your team is spending more time patching CVEs and turning the crank on a list of software vulnerabilities, then you are making sure that the, um, tools to see those vulnerabilities and actually fix those vulnerabilities are in place.
Well, like, You need to reassess your priorities
Sean Martin: and let's speak to the, uh, the CISOs now, what, um, customers of yours, what, what are they telling you they're finding the greatest benefit from ,
J.J. Guy: oh man, like I can give you, um, anecdotes for days. Um, the, uh, I mean, let's see, just last week we had an, uh, like, uh, um, an enterprise with like 10, 000 employees.
Um, the, uh, they had spent, um, the, uh, uh, over a million dollars. on outsourced consultants, um, over the course of two [00:06:00] years with two failed projects trying to get ServiceNow to do this. Um, the, uh, then they found us, um, and, uh, we were done in a week, including pushing all that data into ServiceNow for a substantially lower cost.
And, like, there's another client, um, the, uh, whose vulnerability assessment platform was reporting hundreds of thousands of vulnerabilities, and they were deep into researching vulnerability prioritization platforms to go figure out how to chip away at that. But after deploying Sevco, they realized that all of those bones came from just a few hundred machines in one particular remote business unit that were all in life.
They didn't have a vulnerability management problem. They had an end of life operating system problem with this one business unit, and it changed their entire focus. And that insight was not possible without joining the vulnerability data with a robust asset data. Thanks to SEBCO.
Sean Martin: And, uh, with that, that is seven minutes here on ITSP magazine. . JJ, thanks for sharing your story.
J.J. Guy: Sure. And [00:07:00] thank you.