By (author)s: Michael Roytman, Ed Bellis

Copyright: 2022
Pages: 265
ISBN: 9781630819385

Our Price: $129.00
Our Price: $96.00


This book comprehensively covers the principles of Risk-based vulnerability management (RBVM) – one of the most challenging tasks in cybersecurity -- from the foundational mathematical models to building your own decision engine to identify, mitigate, and eventually forecast the vulnerabilities that pose the greatest threat to your organization. You will learn: how to structure data pipelines in security and derive and measure value from them; where to procure open-source data to better your organization’s pipeline and how to structure it; how to build a predictive model using vulnerability data; how to measure the return on investment a model in security can yield; which organizational structures and policies work best, and how to use data science to detect when they are not working in security; and ways to manage organizational change around data science implementation.


You’ll also be shown real-world examples of how to mature an RBVM program and will understand how to prioritize remediation efforts based on which vulnerabilities pose the greatest risk to your organization. The book presents a fresh approach, rooted in risk management, and taking advantage of rich data and machine learning, helping you focus more on what matters and ultimately make your organization more secure with a system commensurate to the scale of the threat.


This is a timely and much-needed book for security managers and practitioners who need to evaluate their organizations and plan future projects and change. Students of cybersecurity will also find this a valuable introduction on how to use their skills in the enterprise workplace to drive change.

Table Of Contents

Chapter 1 - The State of the Vulnerability Landscape

1.1 The security canon: Fundamental cybersecurity terminology
1.2 Security metrics: The new guard


Chapter 2 - Data Science to Define Risk

2.1 Risk management history and challenges
2.1.1 The birth of operations research
2.1.2 The scale of cybersecurity
2.1.3 Origins of the risk-based approach to vulnerability management


Chapter 3 - Decision Support: Tapping Mathematical Models and Machine Learning

3.1 Mathematical modelling
3.1.1 Mathematical scale
3.1.1 Statistics
3.1.2 Game theory Stochastic processes OODA loops
3.1.3 Machine learning for cybersecurity Supervised models Unsupervised models


Chapter 4 - How to Build a Decision Engine to Forecast Risk

4.1 The Data
4.1.1 Definitions vs. instances
4.1.2 Vulnerability data Vulnerability assessment SAST/DAST
4.1.3 Threat intel sources
4.1.4 Asset discovery and categorization (CMDB)
4.1.5 Data validation ETL
4.2 Building a logistic regression model
4.2.1 Data sources and feature engineering Feature engineering Interpretation of features
4.2.2 Testing model performance Calibration plot Simplicity vs performance
4.2.3 Implementing in production Data preparation Application of the model Converting log odds to probability
4.2.4 Communicating the results
4.3 Designing a neural network
4.3.1 Preparing the data
4.3.2 Developing a neural network model Neural network architecture
4.3.3 Hyper-parameter exploration and evaluation
4.3.4 Scoring Score scaling Volume scaling Combining scores Comparison to existing scoring model
4.3.5 Future work


Chapter 5 - Measuring Performance

5.1 Risk vs performance
5.2 What makes a metric “good”?
5.2.1 7 characteristics of good metrics
5.2.2 Evaluating metrics using the 7 criteria
5.2.3 More considerations for good metrics
5.3 Remediation metrics
5.3.1 Mean-time-tos
5.3.2 Remediation volume and velocity
5.3.3 R values and average remediation rates
5.4 Why does performance matter?
5.5 Measuring what matters
5.5.1 Coverage and efficiency Optimizing the tradeoff between coverage and efficiency with predictive models Coverage and efficiency in the real world
5.5.2 Velocity and capacity How much does capacity cost? The power law of capacity
5.5.3 Vulnerability debt The move to the cloud Paying down security debt
5.5.4 Remediation SLAs


Chapter 6 - Building a System for Scale

6.1 Considerations before you build
6.1.1 Asset management assessment
6.1.2 Where your organization is going
6.1.3 Other tools as constraints
6.2 On-premise vs. cloud
6.3 Processing considerations
6.3.1 Speed of decisions and alerts
6.3.2 SOC volume
6.4 Database architecture
6.4.1 Assets change faster than decisions
6.4.2 Real-time risk measurement Vulnerability forecasts Batch where acceptable
6.5 Search capabilities
6.5.1 Who is searching? Risk hunting vs. threat hunting Reporting as a service
6.6 Role-based access controls (RBAC)


Chapter 7 - Aligning Internal Process and Teams

7.1 The shift to a risk-based approach
7.1.1 Common goals and key risk measurements
7.1.2 Case study: More granular risk scores for better prioritization The importance of culture in adopting RBVM
7.2 Driving down risk
7.2.1 Aligning teams with your goals
7.2.2 The importance of executive buy-in
7.2.3 Reporting new metrics
7.2.4 Gamification
7.3 SLA adherence
7.3.1 High-risk vs. low-risk vulnerabilities
7.3.2 When to implement or revise SLAs
7.3.3 What to include in your SLA
7.4 Shifting from security-centric to IT self-service
7.4.1 How to approach change management
7.4.2 Enabling distributed decision-making
7.4.3 Signs of self-service maturity
7.5 Steady state workflow
7.5.1 The limits of remediation capacity
7.5.2 Media-boosted vulnerabilities
7.5.3 Exception handling
7.6 The importance of process and teams


Chapter 8 - Real World Examples

8.1 A word from the real world by Will LaRiccia
8.1.1 Vulnerability discovery
8.1.2 Vulnerability assessment and prioritization
8.1.3 Vulnerability communication
8.1.4 Vulnerability remediation
8.1.5 What success looks like


Chapter 9 - The Future of Modern VM

9.1 Steps toward a predictive response to risk
9.1.1 Passive data collection
9.2 Forecasting vulnerability exploitation with EPSS
9.3 Support from intelligent awareness
9.4 The rise of extended detection and response (XDR)
9.5 The other side of the coin: Remediation
9.6 The wicked problem of security advances


  • Michael Roytman
  • Ed Bellis