
Why Can't We All Just Get Along? Bridging the Gap in Vulnerability Prioritization Standards 

FIRST

Yotam Perkal (Rezilion, IL)
Yotam Perkal leads the vulnerability research team at Rezilion, focusing on vulnerability validation, mitigation, and remediation. Prior to Rezilion, Yotam held several roles in PayPal's Security organization, dealing with vulnerability management, threat intelligence, and insider threat. Additionally, Yotam takes part in several OpenSSF working groups around open-source security and several CISA work streams around SBOM and VEX, and is a member of the PyCon Israel organizing committee. Yotam is passionate about the intersection of cyber security and machine learning, whether using ML to help solve cyber security challenges or exploring the challenges of securing AI/ML applications.
---
In the dynamic realm of vulnerability management, the proliferation of standards and frameworks like CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System), and VISS (Vulnerability Information and Severity Score) often leads to confusion, fragmentation, and inconsistency. This talk explores the underlying tensions between these standards, particularly in the context of vulnerability prioritization.
Our journey begins with an exploration of each framework, highlighting their unique methodologies, strengths, and limitations. Then, we will center our discussion around the Strategic Stakeholder-Specific Vulnerability Categorization (SSVC), a framework that can act as a unifying bridge in this fragmented landscape. We will dissect how SSVC's adaptable and stakeholder-specific approach can harmonize these varying standards, providing a more cohesive and comprehensive vulnerability management strategy.
Key aspects of this talk include:
- A comparative analysis of CVSS, EPSS, and VISS, underscoring their operational divergences and impacts on cybersecurity decision-making.
- An in-depth exploration of SSVC's methodology, focusing on its flexible decision trees that accommodate diverse stakeholder needs and environmental contexts.
- A proposed roadmap for organizations looking to synergize these frameworks effectively, leveraging SSVC's adaptability.
In conclusion, this talk aims not just to highlight the challenges posed by the diversity of standards in vulnerability management but to offer a pragmatic and unifying solution through SSVC, paving the way for a more harmonized and effective approach to vulnerability prioritization and management in the cybersecurity domain.
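The stakeholder-specific idea behind SSVC is easiest to see in code: the same CVSS score can land on different decisions once exploitation evidence (EPSS, known-exploited status) and the deployer's own context (exposure, mission impact) enter the tree. The following is an added illustration, not material from the talk and not the official CERT/CC SSVC deployer tree: the decision-point and outcome names follow SSVC, but the branching rules, the EPSS threshold, the CVSS-to-impact buckets and the placeholder CVE identifiers are assumptions made for this example.

```python
"""Illustrative SSVC-style decision tree fed by CVSS, EPSS and deployment context.

Added example, not the speaker's material and not the official CERT/CC SSVC tree:
the decision points and outcome names follow SSVC, but the branching rules and the
EPSS/CVSS thresholds below are simplifying assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Exploitation(Enum):       # SSVC "Exploitation" decision point
    NONE = 0
    POC = 1
    ACTIVE = 2


class Exposure(Enum):           # SSVC "System Exposure" decision point
    SMALL = 0
    CONTROLLED = 1
    OPEN = 2


class Impact(Enum):             # used for both technical and mission impact
    LOW = 0
    MEDIUM = 1
    HIGH = 2


class Decision(Enum):           # SSVC deployer outcomes, ordered by urgency
    TRACK = 0
    TRACK_STAR = 1
    ATTEND = 2
    ACT = 3


@dataclass
class Finding:
    cve_id: str             # placeholder identifiers in the sample data below
    cvss_base: float        # CVSS base score, 0.0-10.0
    epss: float             # EPSS probability of exploitation, 0.0-1.0
    known_exploited: bool   # e.g. listed in a known-exploited-vulnerabilities catalog
    exposure: Exposure      # how reachable the affected system is (deployer context)
    mission_impact: Impact  # what a compromise would mean to this organization


EPSS_POC_THRESHOLD = 0.10  # assumption: at or above this, treat exploitation as "PoC"


def exploitation(f: Finding) -> Exploitation:
    """Map exploitation evidence (catalog listing, EPSS) to the SSVC decision point."""
    if f.known_exploited:
        return Exploitation.ACTIVE
    if f.epss >= EPSS_POC_THRESHOLD:
        return Exploitation.POC
    return Exploitation.NONE


def technical_impact(f: Finding) -> Impact:
    """Assumption: bucket the CVSS base score as a proxy for technical impact."""
    if f.cvss_base >= 9.0:
        return Impact.HIGH
    if f.cvss_base >= 7.0:
        return Impact.MEDIUM
    return Impact.LOW


def decide(f: Finding) -> Decision:
    """Simplified deployer tree: the worse of technical and mission impact,
    combined with exploitation status and exposure, selects an outcome."""
    ex = exploitation(f)
    impact = max(technical_impact(f), f.mission_impact, key=lambda i: i.value)
    if ex is Exploitation.ACTIVE:
        if f.exposure is Exposure.OPEN or impact is Impact.HIGH:
            return Decision.ACT
        return Decision.ATTEND
    if ex is Exploitation.POC:
        if impact is Impact.HIGH and f.exposure is not Exposure.SMALL:
            return Decision.ATTEND
        if impact is Impact.HIGH or f.exposure is Exposure.OPEN:
            return Decision.TRACK_STAR
        return Decision.TRACK
    # no evidence of exploitation yet
    if impact is Impact.HIGH and f.exposure is Exposure.OPEN:
        return Decision.TRACK_STAR
    return Decision.TRACK


def prioritize(findings):
    """Order findings most urgent first: SSVC outcome, then EPSS, then CVSS."""
    return sorted(findings,
                  key=lambda f: (decide(f).value, f.epss, f.cvss_base),
                  reverse=True)


# Constructed sample data with placeholder CVE identifiers.
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, 0.02, False, Exposure.SMALL, Impact.LOW),
    Finding("CVE-XXXX-0002", 9.8, 0.02, False, Exposure.OPEN, Impact.HIGH),
    Finding("CVE-XXXX-0003", 6.5, 0.91, True, Exposure.CONTROLLED, Impact.MEDIUM),
    Finding("CVE-XXXX-0004", 7.5, 0.45, False, Exposure.OPEN, Impact.HIGH),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.cve_id}: CVSS {f.cvss_base} EPSS {f.epss:.2f} -> {decide(f).name}")
```

Run as a script, the two CVSS 9.8 findings come out as Track and Track* because nothing indicates exploitation and only one of them is openly exposed, while the CVSS 6.5 finding that is actively exploited ranks first. Sorting by CVSS alone would have inverted that order, which is the gap the talk's comparison of CVSS, EPSS and SSVC is about; an organization adopting this pattern would replace the assumed thresholds and branches with its own stakeholder-specific tree.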

Published: 8 May 2024
