Vulnerability remediation isn’t just about patching - it’s about staying ahead of cyber threats before they become breaches. With attack surfaces expanding and zero-day exploits on the rise, organisations must take a proactive approach.

Tales From the CyberLab: Episode 9

Remediating Security Vulnerabilities Explained

with Moty Cohen, Director EMEA at Vicarius

Are your vulnerabilities leaving you exposed? 🔎 

With cyber criminals racing to exploit weaknesses faster than ever, effective vulnerability management is critical. But patching alone isn’t enough – organisations need a smarter, more proactive approach to stay ahead.

Moty Cohen, Director of EMEA at Vicarius, joins Adam Gleeson to break down…

✔️ Why vulnerability remediation can no longer be a manual process
✔️ How cyber criminals weaponise CVEs within minutes of discovery
✔️ The growing risk of zero-day threats & why patching isn’t enough
✔️ How automation & AI are reshaping vulnerability remediation
✔️ The most common vulnerability management mistakes

Listen on Spotify

Meet Our Guest

Moty Cohen
Director, EMEA at Vicarius

Moty Cohen is the Director of EMEA at Vicarius, bringing nearly four years of expertise in vulnerability management and cyber security solutions.

With a background in business development, cyber security, and legal affairs, Moty has worked across global markets, helping organisations enhance their security posture through proactive risk mitigation.

His unique career path – from law to cyber security leadership – gives him a strategic perspective on managing vulnerabilities in an evolving threat landscape.

Episode Transcript

Adam Gleeson
Hello and welcome to the latest episode of Tales from the CyberLab. Today we’re going to be talking about vulnerability management and remediation. And with me I have Moty Cohen over from Vicarius – and you are the Director of EMEA, I believe?

Moty Cohen
That’s true.

Adam Gleeson
If you’d just like to introduce yourself, tell us a little bit about who you are, where you’ve come from.

Moty Cohen
Yeah, sure, sure, sure. So I’m Moty Cohen, I’m handling or managing the EMEA region within Vicarius. I’ve been doing this for the last four years. Before that, I had different roles among the high-tech technology industry and before that I was actually a lawyer for a few years, commercial lawyer, anti-trust, M&A’s, so on. So I made a big shift and I’m very happy for that.

Adam Gleeson
Okay, so we’ll start off by, let’s just set the scene a little bit and we’ll talk about what vulnerabilities are, what vulnerability management is and what remediation is all about. So first of all, let’s talk about what vulnerabilities are. So what are these things called vulnerabilities?

Moty Cohen
Yeah, so these things, they are kind of weakness or flaws in software and those weakness of flaws, they’re calling those potential exploiters to try to utilise those weaknesses. It’s like gaps in the software.

Adam Gleeson
So this is, yeah, they’re kind of like gaps or oversight in the software, but that allows someone to do something to that software that then exposes a security vulnerability.

Moty Cohen
Yeah, exactly. By the way, not only security, it can be also bugs or performance issues that those holes can invite, but in this case, we’ll focus on those security.

Adam Gleeson
Absolutely.

Moty Cohen
And definitely when you have this kind of hole, it’s kind of a race. If who will find this hole first, the vendor or maybe the good people, if you can say, or those, sorry, cyber criminals or potential attackers that will try to take it.

Adam Gleeson
And I think that’s probably a good point, but at that point, when a cyber attacker or a criminal has uncovered one of these things, that’s what we would then call a zero day threat, isn’t it? Because the bad guys know about it before any of the good guys have had chance to actually start to try and bolster their defences. So meaning that this threat that’s out in the wild is now something that no one else knows about. So potentially the bad guys have got the upper hand in that sort of instance.

Moty Cohen
Exactly.

Adam Gleeson
Ok. So zero-day is something that you may have heard – I just thought it was worth mentioning that.

Moty Cohen
By the way, zero day without getting too much into that, this is exactly the reason why today patch management is not enough. If you really want to close the holes, patch management is enough for those CVE’s (Critical Vulnerabilities) for the known vulnerability.

Adam Gleeson
So problems that are known about.

Moty Cohen
And we can talk further, maybe a little bit about it.

Adam Gleeson
Cool. Alright, so we’ve talked about vulnerabilities. What is vulnerability management? So I’m guessing that that is then the process by which we manage these vulnerabilities and we gain insight into them and stuff like that.

Moty Cohen
Yeah, exactly. In the past when you have few vulnerabilities every week maybe and so on, so maybe you can manage it manually and meaning by management meaning to be aware of the vulnerability and to analyse if it can be really be exploitable in your environment or not, and then decide what you want to do with it today. Vulnerability management, the numbers are just soaring.

Adam Gleeson
Well, it comes out constantly. I mean software changes with, there’s so many different software vendors out there now, each one of them are going to release updates at some point.

Moty Cohen
Yeah, I can give you my benchmark. When I joined Vicarius four years ago, we had, I mean the NVD had in their database one 140,000 CVE’s, what is the number today? After four years it’s around 280,000 – almost double! And within that, including all of those that we patched, that was patched. So just imagine the pace is just increasing significantly. And today you must have combination of methodologies and tools in order to manage those vulnerabilities. First of all, be aware of it, identify those vulnerabilities, analyse whether they are really important to you or can be exploitable in your environment. And finally of course, and I think this is maybe the most important part, remediate or at least compensate for the risk.

Adam Gleeson
And that brings us onto the next point. So what is remediation? Because people can be forgiven for thinking that remediation is just, oh, instal a patch, but there’s often a lot more to it than that, isn’t there?

Moty Cohen
You touched in a very, very important point. Still today, patch management, I think, comprise of 70 to 80% of the remediation that when you talk about CVE’s, obviously having said that – patch is not enough, you have first of all those zero day vulnerabilities. They’re not known. You need somehow to try to be aware of those and when you are aware of those, try to close potential holes.

Adam Gleeson
It’s the race, isn’t it, to get that hole patched, or at least covered up so that it’s not as exposed as it was.

Moty Cohen
And furthermore, you have other types of vulnerabilities that patch would not do it on their case. Sometimes you just, in many cases you need to do configuration adjustments to the software and those vendors are letting you know that you need to do it. And maybe also what do you need to do? But you must be talking about management. You must manage this and you must apply it and you must have a good tool to apply it and to apply it in an automatic manner.

Adam Gleeson
So already I can see that keeping track of the vulnerabilities is difficult, so many of them. But then actually remediating ’em and managing them, keeping visibility of them because there’s lots of vulnerabilities out there. But as you touched upon, it might be the case that we don’t need to apply half of them or something because they’re not security or they don’t directly impact the strength of our cyber security posture. But then with the remediation as well, you add all of these three things together and that’s a huge amount of work just to manage that day to day, isn’t it?

Moty Cohen
Yes. And you touched the right points. Why? Because you talk now about the three main phases of this entire cycle. We call it, when I’m speaking about vulnerability, I’m talking about the vulnerability journey inside the company, since the moment it was first identified or should be identified and in between, analyse whether it’s important or not important, sorry for keep it very high level and eventually decide what to do and do it not only highlight it but actually do it. When you talk about each one of those phases, because of the numbers, because of the hectic work that the IT teams and the cyber teams has today, each one of them is very complex, intense, and with so many details. But when you talk about this journey together, things are starting to make more sense. And this is exactly what I’m thinking, that the right approach should be the consolidated approach, the holistic approach, not just letting the cyber team see where are the vulnerability and analyse them. And then we’ve done our share, this is not our problem anymore. We shifted to the IT team to remediate it. No, take an holistic view from the first beginning of the cycle.

Adam Gleeson
I think this is a good, so one of the things we’re kind of venturing onto stuff that I wanted to come onto next, but traditionally how we call it vulnerability management and remediation, I’ve heard it referred to a lot of different ways, vulnerability management, patch management. I think patch management is probably what it was known as because the big thing was about deploy the patches.

Moty Cohen
Yeah, still, still, still.

Adam Gleeson
And that didn’t really necessarily, and that was really about we would use a patch management solution like WSUS for example, being the Microsoft one, which is the one that most people will be familiar with. Okay, so we’ve talked about what vulnerabilities are and we’ve talked about what remediation is, so what does that actually look like as a real world solution? So typically, historically, that means that we’ve essentially got two different software solutions that we’re going to have to work with. One to go and find the vulnerabilities and then one to deploy the software to do some of the remediation, assuming that you can do that via deploying software. But these things wouldn’t talk to each other. So the patches, you wouldn’t do a scan and say, right, for these 10 critical vulnerabilities deployed just those patches, you have to go through and pick the patches, don’t you? So that in itself is going to be extremely time consuming and I think one of the things that you mentioned before, and with anything with cyber security, when vulnerabilities are involved, time is a critical factor and certainly in larger organisations where we’ve got one person who’s monitoring the system and then the other people who might be responsible for the patch management and what have you, that can then introduce delays, can’t it? Because it means that in order to go from, “we’ve detected a critical vulnerability”, “we’ve got the patch deployed” – that can be a number of different teams involved and it can take quite a bit of time, can’t it?

Moty Cohen
Yeah, yeah. So I will say a few things. First of all, you said that we need two software, one, actually in many cases we need more than two. Why? Sometimes we need tool to prioritise and analyse in between. Sometimes we need tool to patch those things that the patch management platform that they’re using is not covering. Sometimes Linux, sometimes max, sometimes few of the third party apps are not covered. So in many cases it’s like we are encountering in situation when they’re using 3, 4, 5 different tools and they’re not necessarily….

Adam Gleeson
…and they’re each other all separate, none of them communicate?

Moty Cohen
Exactly, even if they have a third party integration and so on. It’s not native integration that really communicate in one streamline flow and we see it all over the place. We see situations where this process instead of taking between minutes to hours is taking days and weeks. And listen, I’m not sparing now the labour of this organisation or even the money that it costs them, let’s keep it aside for now. I’m talking about the exposure time that it takes this cycle to be completed in this time. If those cyber criminals will get to those holes and gaps and CVE’s that are not being patched on time before the team get to them, what will happen? And this is exactly what we are trying to educate the market or at least our customers by saying to them, listen, this was good. Maybe for the previous world of IT.

Adam Gleeson
Exactly, the world that we live in, certainly post-COVID and with remote working and everything else, we work at a much faster pace now as well that I don’t have the time to drive to customer meetings like I used to because it’s like, oh, can I just do it on teams and save half a day.

Moty Cohen
And you gave it every phase of this cycle. In the first phase, they’re using scanners that give them snapshot and because it’s taking so much engagement and time and then to analyse those reports, they’re not doing this every day usually. Sometimes we have organisations that are doing this on a quarterly basis and if not so monthly or weekly, it’s just not enough. It’s not enough things happening in between. And you know what those CSOs, let’s talk about the remediation for one moment and the connection to real time, everything in real time, this is what you need. Why today I’m not talking about incidents. We have other tools that talk about incidents management. So on talking about the ongoing daily management of patch and vulnerability management.

Adam Gleeson
It’s like feeding the pets or something like that. It’s something that everyone needs to be doing. You need to keep your software up to date, otherwise you’ve just got holes in your system.

Moty Cohen
Just take very small example, you are applying daily example. You are applying critical patch now. You don’t want to wait until the next time you will scan this big scan of the environment to find out what was the impact of this critical patch you just applied. Whether it’s the risk reduction, whether it’s, I don’t know, disrupt something in your environment, you need to get it now. And this is the approach we’re seeing more and more within the CSOs and within the IT infrastructure directors and so on.

Adam Gleeson
Just to sum up, so vulnerabilities are software flaws or configuration changes that need to be made to strengthen cyber security, remediation is the process of fixing those things. And traditionally this has meant that we end up with multiple disparate solutions, which mean it’s quite a clunky process. It’s very difficult to manage. It can arguably be pointless in some cases because if it takes too long from the initial detection of the vulnerability to getting the patch deployed, that patch might not even be the right one anymore. It might have been moved on or there might be. So the result has been that most of the time it’s very hard to do it correctly and I think a lot of people, it ends up being left not being done properly.

Moty Cohen
And let me tell you a secret, it’s also not cost effective, to run all those different tools.

Adam Gleeson
So that kind of brings us onto, we’ve kind of talked a little bit about how vulnerability management has changed there. So what are the kinds of trends? So if we start to look at vulnerability management and remediation today, and then we’ll come on to what it looks like in the future then what are the sort of things that have changed that have driven us that this old model that we’ve just been talking about, what are the trends and drivers in the industry to improve upon this?

Moty Cohen
So few major trends, I think that the most important one is the consolidation, the understanding that this is not effective, this is not working in the right pace for us and not mitigating the risk like we should. And we need to consolidate, meaning that we need to have an holistic view. We need one tool or maximum two tools better to have one that will manage this entire process, address both cyber teams and IT teams will help them to improve their internal communication and sync. And by doing that bottom line will shorten significantly this whole cycle and by doing that, increase the risk reduction level of the organisation.

Adam Gleeson
So it very much is about consolidation. We can’t have this multiple disparate systems, none of which are really interacting. It’s very inefficient. It’s not very cost effective. So the newer solutions now that we’re talking about are consolidated. So it can do the vulnerability assessments, it can assess what patches are needed where, and it can then use that as actionable insight to then start to deploy those patches.

Moty Cohen
Exactly.

Adam Gleeson
Now how does that work if it was, say for example, a configuration change that is needed.

Moty Cohen
So it works in a way that, I will take one step back with your permission, it works in a way that first of all, the approach should be that patch management is not necessarily what we need and it’s not enough sometimes. So you must have tool basket for remediation.

Adam Gleeson
Yes.

Moty Cohen
You cannot say to the, okay, this is patch management. If it’s not patch don’t call us. Okay, this is not working…

Adam Gleeson
…no, because that’s not vulnerability.

Moty Cohen
Yeah, exactly. So first of all this, and second, once you have those other tools, some of them should address threats A, B, and C, and some of them should address the other threats. When you talk about configuration adjustment, one of the approaches that we are using is a script-based remediation. And those scripts will have teams, and this is by the way, will be interesting to talk about the combination of AI on that, but maybe we can touch it later, but those scripts are enabled and created by the teams in order to apply those configuration changes. So they must be up to date, they must be on the spot when new configuration adjustment is needed to create the right script to enable it to the customer. And this customer needs to have the ability to just click, sometimes automated, sometimes manually if it’s one specific and just apply it and change the configuration as fast as possible just before that. It needs to be aware that it needs to do it. So this is where we are again going for the consolidated approach.

Adam Gleeson
Yeah, excellent. Thank you. So a modern vulnerability management platform needs to do more than just, oh, there some critical updates that’ll deploy these patches and often the patch management, this is something, and this is maybe going back a bit now, but when I worked on WSUS, occasionally you’ll come across things where there’s a specific methodology that’s required to deploy the patch or there may be dependencies. So I would argue that it’s important that any vulnerability remediation solution needs to be able to do that. Would you agree with that?

Moty Cohen
Yeah. That must be part of the basic functionalities and capabilities, patches, deployment links and patch groups and automated playbooks sometimes to incorporate those configuration adjustments and the patches and other operations that you need to apply in the same playbook before, after, during it must be able to offer this to the organisation.

Adam Gleeson
I think we can probably draw a line under this. The bottom line is that we need consolidated solutions and we need solutions that are not just looking at software patching. They need to be able to deploy other remediation methods for different types of vulnerabilities.

Moty Cohen
Other remediation and also this linkage, with your permission, I will take one level down with the details. So just imagine, that today, when you separate those, you have those asset inventory and then by doing asset inventory then the scan of the CVE’s, and then this is a total different process to analyse what you have here and to linkage it to the right patches that associated with the CVE’s that you find for the consolidated approach you have. Let me take one approach for the asset inventory, we discovered all apps by CVEs, the unique identifiers, this CVE connected directly to the associated CVE’s that relates to those CVE’s and this CVE’s connect directly to those patches that relate to the CVE’s. And eventually once you have this cycle without separation, the flow is just…

Adam Gleeson
…It’s all you’ve got. All of the information is linked together.

Moty Cohen
All the teams are seeing it from one end to another and can make better decisions and quicker decisions with a few more clicks.

Adam Gleeson
And of course what we’re talking about here, all of these good things that we’re talking about, this is what Vicarius VRX does today out of the box, isn’t it?

Moty Cohen
Yeah, you’re right.

Adam Gleeson
So hopefully I think we’ve probably spent enough, I, I’m really keen to get onto the exciting stuff, which is talking about what vulnerability management and remediation looks like in the future. Because this is really, I think everyone who works in IT or in cyber security is aware of the speed of the pace that things change and we’re always looking forward, we’re always looking at what’s next, what’s the next big thing. So given all of the different cyber threats and stuff like that, AI you touched upon before. We’ve got the likes of GhostGPT and that’s only going to be the first, I mean GhostGPT, by the time that sort of became publicly known, they were already killing it off because they’ve moved on to the next iteration and that’s not yet been divulged. But the ability for cyber criminals to be able to leverage advanced AI that basically has all of the safety features removed from it so they can, they ask it to do whatever they want it to, including writing scripts and writing malware. This means that we’re stepping into another phase where the speed and the veracity and the sheer numbers of threats that we’re facing are going to increase by an order of magnitude again, because we’re going to be looking at even more different new types of commoditized threats, not just ransomware.

Moty Cohen
And we cannot even start to imagine it’s one of those things that makes you to be concerned and excited at the same time.

Adam Gleeson
Yeah, I know exactly what you mean. It’s in equal parts, fascinating and terrifying.

Moty Cohen
And following what you said we see today tools that enabling to those cyber criminals to know first when either when new CVE, of course we have the world of those tools helping them to do the zero-day vulnerabilities.

At the same time they have tools that enabling them immediately in a matter of sometimes of seconds or minutes when a new CVE come, to create this exploit package automatically or whatever you want, to AI and just take it so it’s even enhance the need for those tools that will shorten the cycle.

Adam Gleeson
That’s one of the terrifying aspects is that it’s the power, when the power is applied, when you apply it for business and you can use AI to transform business and to introduce vast economies of scale and efficiencies and how people work, it’s absolutely fantastic. But then when you consider the same thing can be applied to the darker side of IT, that’s the bit that can be a bit terrifying I think.

Moty Cohen
And especially when you consider the fact that, I dunno, many people thinks that once you have CVE and patch, everything is okay and you’re doing this and most of their attacks are coming from zero or what, that’s not true. Look at the Gartner reports and all of the other reports. I think 65 or 70% from their attacks coming from CVE’s actually.

Adam Gleeson
It’s still, yeah, most of the attacks are based upon known vulnerabilities. And it’s one of the things when we were talking with Sophos about MDR for example, and we’ve mentioned it on lots of other occasions as well. Whenever there are attacks taking place or whenever someone’s realised that we’ve had this incident and stuff like that, the warning signs were all there. It’s just no one noticed them or no one was looking in the right place for them.

Moty Cohen
Or sometimes they didn’t have those warning signs because they didn’t have the right tools and protocols. Indeed, indeed.

Adam Gleeson
Okay. So I think we can safely say that the need for effective patch management is greater than ever and it’s not going to go away anytime soon. It’s something that people have always needed to be doing, but I think a lot of people have been able to get away with it just because it’s like, well, we haven’t got a massive risk profile, we’re not exposed massively online. However, with the increase of AI based attacks as well as AI commoditized malware and all the rest of it, those smaller people who have so far been able to be relatively innocuous on the internet, these AI tools are going to find them and weed them out. And if they’ve got vulnerabilities in their environment, they’re going to take advantage of them.

Moty Cohen
Yeah, definitely. And you are very politically correct by saying that until now they didn’t need it because the cyber criminal didn’t get to them. It was totally different. If they were being exploited, they would change their mind immediately. And that’s fine.

Adam Gleeson
That’s exactly something that we’ve, I have seen that the adoption of managed detection response has increased way more than a much faster rate than I thought it would. But that’s because businesses are feeling the true cost of ransomware. Now it’s not a hypothetical thing of like, well if it happens, I’ll pay the ransom, I won’t like it, but I’ll get my stuff back and this, that and the other. That’s not a given anymore. And people are realising that, but they’re also realising that, well it wasn’t just a case of I pay that much money for the ransom and that’s it. That wasn’t the end of it. There was a lot more hidden costs, financial, some insurance, regulatory, loss of earnings, loss of the impact of manpower of people being able to not being able to work. So it is definitely changing, but I think patch management is something that for a long time I’ve always felt that it’s something that a decent vulnerability, I just said patch management, I’m going to correct myself. A decent vulnerability and remediation platform is essential in any modern business now.

Moty Cohen
Yeah. And still listen, patch management is, it’s still 70, 80% of the remediations, but I think this percentage on time when we see what’s going on now, including AI based attacks and others, it’ll get to around 60 or 65 in the next few years and we’ll see many more other types of attacks. And it’s already here. It’s already here. And this is when we are talking about patch is not enough. I think I mentioned it in the beginning of our session, this is exactly the point that I want to mention and talking again about ai, the role of the AI with those non, let’s say patch management exploits is just getting bigger and bigger. And when I said before that I’m concerned and excited at the same time, the part of the excited part of it is because we see also the options that the AI is giving us to create automatic defence against those types of attacks.

Adam Gleeson
I think that’s probably quite a good segue for us to start talking around what types of things are we going to start to see in future vulnerability management and remediation platforms. So AI and machine learning. So what kind of a role do you think that they’re going to be able to take in doing this for people in the future?

Moty Cohen
So again, if I take a step back, if you’re talking about future trends or future even vision and I can share our vision.

Adam Gleeson
Yeah, sure.

Moty Cohen
Our vision is to be this platform that basically will address all of your remediation needs and actions, meaning that patch management, of course we are there and we have other things we didn’t even talk about virtual patching or those.

Adam Gleeson
That’s something that I do want to touch upon because that’s really cool. So we’ll come back to that.

Moty Cohen
And I can give you what about it. But what I’m saying is that patch is not enough in the sense that when you have weakness of flaws that are not related to CVE’s, to non vulnerabilities, zero-days or others, you need to have other tools. It’s not the time to say, okay, I’ve done everything I could. I hope nothing bad will happen. On the other aspect, and this is exactly connected to our vision, our vision, and it’s partly being addressed today, but of course vision is also for the next few years. So today when you have all of your patches being applied or no CVE’s, but still you see application analysed and you have some weakness points within that, either it can be exploited to exposed to remote code execution ethics or stuff like that. So this is where our virtual ping is coming. Just an example, without digging to the details. When you have configuration adjustment needed, you can address it by the automatic scripting and so on. But this is still not enough talking about a vision, we need to make sure that all of the different phases of this cycle, meaning starting from the discovery assessment for the prioritisation remediation, will be as enhanced and cover as much as possible. So if today we are using the NVD, the National Vulnerability Database, the Americanist to be the main database, now we are adding more and more. And if today we are doing our analysis by taking CVES scoring and other and also contextual base and other, we are adding more and more like the curve and like other EPSS and like others. And this goes the same way to the remediation. We Are adding more and more remediation tools, measures functionalities and capabilities to be this one tool. And we don’t do it just to be, we have this and we have this, we truly believe that where the IT system ecosystem is going to, this is what you need in order to not waste time on searching for the right remediation tool for each type of attacks. And the next step is to do it most of it or as much as it automated. It’s just a matter of time, how much time it takes you to close this gap before they’re getting to you. That’s it.

Adam Gleeson
And I think that that virtual patching is incredibly useful and I’d like to talk a little bit more about that because that’s present in the current version of VRX isn’t it – the virtual patching.

Moty Cohen
Yeah, definitely.

Adam Gleeson
Where virtual patching comes in, as I understand it, and you can correct me if I’m wrong, if we know of a vulnerability on a particular computer or server, but we don’t have a software update for that or we don’t want to deploy the software updates, but we want to address the vulnerability, that’s where virtual patching comes in.

Moty Cohen
Well almost 90%. The 10% is that it’s not necessarily addressed to specific vulnerability like the CVE’s that we discussed before. We’re talking about exploit or potential exploit. So, the idea here is to analyse as a baseline, analyse each application, each software that is installed in your environment and to do this analysis by disassembling each application to different libraries and LLMs and stuff like that. And finding those weak spots according to multiple indicators that could indicate that this could be compromised in a certain percentage. Once we found this, and this is again the baseline, then when you have specific CVE’s and patches that you can address, great, the risk will reduced. But when you don’t have it due to specific CVE’s, this is where we are saying to our customers, still things to do in order to compensate for the risk and apply our virtual patching. And this virtual page I would call it, it’s kind of like a gatekeeper, meaning that it resides in the memory space of this application that you decide to apply the virtual patching. And at first step is just watching everything that come in and out. And once it’s getting understanding that something fishy is happening, meaning like potential exploit, like memory abuse attempt, someone is trying to get something from the memory of the application outside. So this is where it gives you the alert us, the admin, and it can shut the door, nothing coming in, nothing going out until us, the admin will come and see what’s going on.

Adam Gleeson
Right. Okay. So virtual patching is not about addressing the vulnerability directly, it’s about addressing what that vulnerability would allow an attacker to do.

Moty Cohen
Yeah, yeah. It’s addressing the weak points of the application.

Adam Gleeson
So what we’re doing is we’re strengthening the route that the attacker would take. So I’ve discovered that computer there has this vulnerability, I can take control of that now using this particular exploit code. But when they actually come to run it, it won’t work because virtual patch has already blocked off all of those exploit routes.

Moty Cohen
Essentially it won’t work. And eventually you will get the alert and you will decide if maybe you can accept the risk. Maybe sometimes you can explore it further, but basically it won’t work. And not only it won’t work before that, it’ll give you a little bit more to be rest assure when you will see the actual risk going reduce by the virtual pitching. It’s not magic, it’s not necessarily will reduce it to the minimum level. But you will see the reduce and you will understand that if it was very risky before, now it’s a little bit risky and this is much better than very risky.

Adam Gleeson
Excellent. And I’m just conscious that we’re starting to run out of time, but one thing that I did want to touch about and you’ve just mentioned it then is risk management. Cyber security risk management is something that is, I think most organisations this year are going to start to seriously adopt it. I think everyone has it in some form, but a lot of the time it’s just kind of something that they did and they put it in there and then it, it sits in a spreadsheet that lives in SharePoint somewhere and very rarely gets looked at or updated. Whereas, it’s been recognised now that risk management is the way to go that with these massively complex environments, there’s no easy answer to say what is my risk? So you have to aggregate it and look at it from lots of different areas. Now, a really important contributor to risk is software vulnerabilities because if your environment is riddled with vulnerabilities, so you are giving an attacker multiple different options as to what they’re going to actually exploit, your risk is going to be significantly higher than an environment that has had all of the vulnerabilities addressed either through configuration changes or by having software patches deployed. So let’s talk in the context of VRX. What does that do today with regards to risk management and what are the plans for the future?

Moty Cohen
So I’ll be happy to associate also to talking about the UK cyber essentials and other regulations.

Adam Gleeson
Yes, absolutely.

Moty Cohen
Absolutely. So we see that even if those type of organisations, they are not deciding to put the risk management and cyber and patch management in the top of their priority. So someone else is deciding for them.

And this is a good thing on that sense. So for example, I know that for some sectors, so they have 14 days in order to apply a certain level of vulnerabilities and patches and above, and this is a good thing. So obviously this is basic. So we have our automated protocols in order to take it not in 14 days, actually in half of a day if needed or depends how you set it up. But this is one of the basic things that we are addressing. In addition, talking about compliance and other methodologies. So we have benchmarks, CIS for example, and this is just the first. We will add other benchmark like PCI DSS and others. So talking about regulations and those risk management protocols that nobody gives you a choice if you want to keep in this industry, you must keep doing this. So many solutions and tools that we see today in the market enabling this compliance by just having, let me give you example, what we are doing with CIS – CIS, you have, I dunno, hundreds of protocols and rules that you need to comply if you are going to check it manually, good luck with that. So of course, you need a tool. So we just because we have the ability for 24/7 information about everything that going on in your environment with regards to vulnerabilities, patches, and also other things related to the inventory that you have. We just by click running the scan and we take all of those 200 words, and one by one say comply, not comply. If not comply, what do you need to do in order to be compliant?

And furthermore, this is phase A furthermore, and phase B by the way is not in 2026, this is coming in three or four months now. And this is talking about what is the vision and what is the future. So in phase B, we will be able, once it’s not comply, to create also by AI help a little bit to create automatic scripts that will address this specific incompatibility. By clicking or automating it, just fix it immediately. So not only discovering, again, this is our concept, not only highlighting the issues, fix them. This is part of I think what we will see more and more with regards to benchmarks and fixes and the consolidated approach that we discussed and so on.

Adam Gleeson
Right. Well I think that unfortunately is about all we’ve got time for. So thank you very much for your time today. I know you’ve come over to the UK, not specifically for this, but this was one of the reasons, so it’s very much appreciated. It’s been really good to meet you. Hopefully everyone at home has enjoyed that vulnerability management and remediation is without doubt something that you need to be looking at. It’s without doubt something that you need to be doing to make sure that you are keeping yourself as secure as possible. So on that note, I’ll be back with more Tales From The CyberLab next time.

Stay secure.