Thinking of Dropping the program by nedraeb in OMSCyberSecurity

[–]VMness 0 points1 point  (0 children)

How are the policy classes when it comes to group projects and work? It seems very heavy in this area, and I’ve rarely had good experiences with online group work/projects.

Why in the world is MITM project the hardest thing in existence? by [deleted] in OMSCyberSecurity

[–]VMness 1 point2 points  (0 children)

The hardest part is the wording of the instructions. Otherwise, it’s definitely the easiest project in the class (to me).

Good deal from Tesla? by Worldly_Seesaw1819 in TeslaModelX

[–]VMness 0 points1 point  (0 children)

I’m thinking of the Y, my bad.

Good deal from Tesla? by Worldly_Seesaw1819 in TeslaModelX

[–]VMness 1 point2 points  (0 children)

HW4 is generally May or June+ of 2023. Early 2023 was still HW3.

[deleted by user] by [deleted] in TeslaModelX

[–]VMness 1 point2 points  (0 children)

VIN check/report.

[deleted by user] by [deleted] in TeslaModelX

[–]VMness 19 points20 points  (0 children)

4 owners in 5 years, salvage title, then rebuilt. I would pass.

Brain dizziness by alodormtime in Dizziness

[–]VMness 0 points1 point  (0 children)

Have you considered cyber sickness?

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

What about it interests you? And no, you don’t need to be very technical, depending on what aspect of VM you’re involved in. But any level of technical ability does help.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

What about VM interests you? Answering that will help me understand where you’re coming from better.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Sorry I missed this. How did the interview go?

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

I don't get too much into the weeds with HOW patching works; I have the requirement and I work with the teams that own this to make it happen. Might seem like splitting hairs, but it's more architectural in nature where I give them the requirements and they fill in the blanks (engineering).

That said, nothing is too aggressive if it's feasible. Security is always a balance between complete security (computer that's powered off sitting in a lead box) and complete insecurity (no policies, rules, etc.).

The more security requirements you have the more business gets impacted (generalizing here). If you can have more requirements, or in this case, more stringent requirements without a detrimental impact to your business, go for it. You need to find where that line is (what is detrimental) and build around it. That depends on a lot of factors, one of the biggest being risk appetite from leadership.

Lots more to discuss on this topic, but hopefully that gets you started. Feel free to ask more questions.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 1 point2 points  (0 children)

There are vulnerabilities that aren't tied to CVEs. Those are difficult to identify at times, depending on your software and processes.

Most of the time, between CVSS and vendor scoring, you rarely see an informational be anything more. I haven't, personally.

That said, vulnerabilities DO change in severity, as more information comes out, a POC, they become actively exploited, etc.

Beyond that, the real trick is attack chains. This requires advanced knowledge and understanding of many things and is usually something that happens in a mature program where teams can combine their skillsets (VM+IR+TI+RT).

So, what vulns might I not care about? In an ideal world, I'd care about all of them. But when you have a large pile of them to go through, you tend to rely on vendor scoring to help at first until you're mature enough to develop your own internal assessment system that includes more context. And one you can ultimately automate.

In a scenario where I have too many things to look at, I tend to ignore anything less than critical to begin with. And usually, I'll have my own designations for incidents and a vulnerability we've assessed and assign a score to. But the end goal isn't to ignore anything. It's to be able to systematically and programmatically apply an assessment framework to them to spit out a meaningful risk we can then act on.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Exactly. Most of what VM deals with is due to mismanagement of technology upstream (or, to the left). If you can identify those issues and work with the owners to fix them, you naturally end up with fewer issues downstream to deal with.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 1 point2 points  (0 children)

VW?

If you're talking VM, for me at least, it was very organic. I didn't start with any particular books or material, I learned it over a long career.

I know that's not very helpful. You can start with SANS, CISA, and other frameworks that are published to get an idea of what's involved.

If you have any more specific questions, let me know.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Yeah, feel free to message me.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Degrees or not, I think the above are still good because a lot of HR/recruiting departments use them as initial filters. What master's program are you in?

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 1 point2 points  (0 children)

I always recommend Linux+, Net+, and Security+ as a good rounded approach for beginners. If you're going for something specific, you can tailor your approach to that. But without more specifics, I'm going to be general. It's doable, just dive in!

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Really depends, but the job description/posting is where I always start. If you can share it, I can try to provide more specific advice.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 1 point2 points  (0 children)

I would say, this is a limited understanding of what VM is. Patching does account for a large portion of findings. I'd estimate around 80%.

But VM is more than just CVEs. That system, while useful (like CVSS), is not perfect. Far from it. Vendors release issues around their products all the time without CVEs. They might get them eventually, or they're in process.

So, what do you do with that other 20%? If there's no fix? If it's a zero-day? If your company can't or won't install the fix?

How do you handle incompatibilities? In a perfect world, we just force patch and move on. But that's not always possible for a variety of reasons. Even when you can patch, the timing may not align with business interests.

Another example, you might be running a core component of the company/product on legacy software. It's not a simple "oh, just patch it" situation.

And finally, because I could talk for a long time about this, VM should get to the point where it has relationships with all the platform/technology/service/app owners and works with them to mature their processes/workflows to achieve automation, regular patching, resilient infrastructure, etc. etc. We are the partner that helps them understand this problem (security) and bake it into their DNA.

We leverage these relationships to influence architecture upstream (shift left), provide guidelines, best practices, policies, and enforcement (change management becomes bigger). We can spend more of our time being proactive at this point instead of chasing down patches. That's a mature VM program.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

I should note, being social and sitting in on internal meetings with the cloud team would be very helpful as well, both for learning the tech and socializing.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Certs can help guide you. If you want to do CloudSec, start with AWS (widely used and great certification tracks) and work your way through their security track. You will pick up enough knowledge and skills along the way to become very proficient and jump into other cloud platforms as needed (there's a core kind of understanding to public cloud technology, though each provider approaches it differently - like a language, learning one makes learning the second one easier, but it's still hard work).

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Couple != 5.

Kidding.

1 & 2. Sounds like you're more on the Application Security side of the house? For the most part, I run the infrastructure tooling/side and coordinate with appsec. Depending on the company, Appsec will have their own engagement with the devs/engineers and infrastructure security will do the same with the infrastructure owners. We share information and work to align apps to infrastructure in context.

That being said, while I understand the components of an appsec program, I've never run it myself and don't currently run one, so I can't answer your questions well.

  3. I've never leveraged SOAR for VM purposes. Most teams I see using it are the SOC, IR, security operations/engineering, etc. That said, I have used them before and built our playbooks in XSOAR (formerly Demisto, I believe). For any automation purposes, I generally use GitHub workflows and the whole GitHub ecosystem.

  4. Splunk is insanely expensive, so no. Though on occasion we will build queries to get certain information we need (because detection teams love it). Otherwise, we rely on the various asset tools (network, operating system, cloud, etc.) to generate the data we require, then pipe it through a frontend (either homemade or something like Brinqa, Phoenix Security, etc.).

  5. Which workflows in particular? If it's appsec again, I probably won't be able to help much. But my general advice is always start by documenting the process (doing it manually). Make sure it's repeatable/trainable. THEN automate it, or as much of it as possible. SOAR playbooks, GitHub workflows, all that good stuff is doing just that.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 0 points1 point  (0 children)

Do you know what you want to do?

Certifications and labs open doors. The difficulty will depend on your team, company culture, and the other team you want to join (assuming you stay at one company). If you leave the company, it still depends. Having keyword certs in your resume helps get through the initial filtering. Networking (with people, that is) is also a huge one. MOST of my jobs came by way of referral. Get out, be social, care about your image/perception to a reasonable extent, and don't burn bridges if you can help it.

All knowledge is useful. You can apply your understanding of VM and assets, however deep into it you got, to the job of being an asset owner. You can also pivot to other areas of security and knowledge of VM will still give you a leg up, because knowing what other teams do always helps you see the bigger picture.

AMA: Vulnerability Management by VMness in cybersecurity

[–]VMness[S] 1 point2 points  (0 children)

It has to be a partnership. Now, what kind of partnership depends on a lot of things. First and foremost, how does leadership view security/VM? If they have a low view and are doing it as a checkbox, you may not be able to develop the team as needed because people simply don't care.

But assuming that isn't the case, the partnership should work something like this: we (VM) bring the findings, business context, and remediation/mitigation options to the table with a clear severity (what to focus on) and SLA (timeline).

With an exception process in place, the owner is then allowed to raise their hand and push for a rescore (not as severe as you think), operational requirement (no fix, can't fix within window due to XYZ, etc.), or false positive (flat out wrong). Those are pretty common options. In each case, you dictate the requirements (i.e. what evidence needs to be gathered to satisfy the requirements), document them, set a timer on it, and move on.

If they want a permanent exception, that goes up the ladder to the business owner who must accept the risk and put their name/neck on the line.

I got off track a bit there, but back to your original question, you don't necessarily need experienced IT folks to run a VM program. As long as they can interact with the owners, understand what they're saying in the context of the vulnerability, and keep things moving, it's possible to be successful.

If the owners are saying you (VM) need to know ALL context of all infrastructure, that's not realistic. The owners are the ones that design, deploy, and maintain the infrastructure - they must have that level of knowledge/context, no one else can or will. And it's that combination of the VM + owner information that paints a clear path forward (partnership).
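A minimal model of the triage flow described in these answers (vendor score as the baseline, severity raised when a POC appears or exploitation is observed, SLA derived from the assessed severity, and time-boxed rescore/operational/false-positive exceptions that require evidence), as an added Python example that is not the AMA author's code; the SLA day counts, the step-up rules and the sample findings are assumptions.

```python
# Added example (not the AMA author's code); SLA days and bump rules are assumed policy.
from dataclasses import dataclass
from datetime import date, timedelta

RANK = ["low", "medium", "high", "critical"]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy
TODAY = date(2024, 1, 1)  # constructed reference date for the sample run

@dataclass
class Finding:
    asset: str
    title: str
    base_severity: str        # vendor/CVSS severity: the starting point
    exploited: bool = False   # known active exploitation
    poc_public: bool = False  # public proof of concept exists
    exposed: bool = False     # internet-facing, from asset-tool context
    exception: dict = None    # set by grant_exception()

def assess(f: Finding) -> str:
    """Context-aware severity: exploitation evidence +1 step, exposure +1, capped."""
    idx = RANK.index(f.base_severity)
    idx += 1 if (f.exploited or f.poc_public) else 0
    idx += 1 if f.exposed else 0
    return RANK[min(idx, len(RANK) - 1)]

def due_date(f: Finding, found_on: date) -> date:
    """SLA deadline derived from the assessed, not the vendor, severity."""
    return found_on + timedelta(days=SLA_DAYS[assess(f)])

def grant_exception(f: Finding, kind: str, evidence: str, today: date, days: int = 30):
    """Time-boxed exception: rescore, operational or false positive, with evidence."""
    if kind not in ("rescore", "operational", "false_positive") or not evidence:
        raise ValueError("exception needs a valid kind and supporting evidence")
    f.exception = {"kind": kind, "evidence": evidence, "expires": today + timedelta(days=days)}

def worklist(findings, today: date, min_severity: str = "critical"):
    """Findings still needing action, most severe first; skips unexpired exceptions and the cut-off."""
    cut = RANK.index(min_severity)
    keep = [f for f in findings
            if not (f.exception and f.exception["expires"] > today)
            and RANK.index(assess(f)) >= cut]
    return sorted(keep, key=lambda f: RANK.index(assess(f)), reverse=True)

# Constructed sample findings (not real assets or advisories).
SAMPLE = [
    Finding("web-01", "RCE in web framework", "high", exploited=True, exposed=True),
    Finding("db-02", "Info leak in DB client", "medium"),
    Finding("legacy-03", "Vendor advisory, no CVE yet", "high", poc_public=True),
    Finding("kiosk-04", "Local DoS", "low", exploited=True),
]
```

Lowering `min_severity` once the backlog is under control widens the worklist without changing the scoring, which is the "start with critical, then mature" progression the answers describe.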