This month we talked to Tenable’s director of research product management Ray Carney and Eric Hoffman, director of partnerships and alliances at Greynoise, about the formation of a new research alliance program.Announced in mid October, this is intended to facilitate collaboration and information sharing between industry partners, and support best-practice coordinated vulnerability disclosure in order to promote increased cooperation in order to reduce an attacker's free time.Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable's Zero Day team on Medium

After we discussed the concept of Exposure Management on our last podcast, this time we welcome back Tenable’s senior principal security advocate Nathan Wenzler to discuss the concept of how you can determine your level of exposure, what has led to this level of vulnerability, and what options are available to you to better manage this.Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable's Zero Day team on Medium

The concept of Exposure Management has become more and more prominent in recent months, as users understand how much they are exposed to attack, how they can protect their assets and what it takes to achieve a level of compliance.In this podcast, we talk with Tenable’s senior principal security advocate Nathan Wenzler about the concept of Exposure Management, what it is, and what businesses need to do to adopt it. Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable's Zero Day team on Medium

In the field of responsible disclosure, a policy of 90 days to publicly disclose vulnerabilities has been created by industry. This time period should allow the researcher to disclose the vulnerability to the recipient company, giving them time to push a fix out before the original flaw can be announced.However are we in a time where this time period still works? Some vulnerabilities can be fixed fairly rapidly as we work in cloud environments, while others can be more challenging to fix - such as in OT. We talked to Tenable’s Ivan Belyna and Nick Miles about the evolution of the 90 day policy, and its present and future, and what use advanced disclosure is to security leaders and to the wider industry.  Show ReferencesTales of Zero-Day Disclosure white paper 2020 Podcast with Tenable's Zero-Day Team Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable's Zero Day team on Medium

In the first few months of 2022, the LAPSUS$ Group made a major splash in the cybersecurity headlines as it conducted a series of attacks on the likes of Nvidia, Microsoft and Okta. However a few months later, they had disappeared and arrests were reported soon afterwards.In a new blog, Tenable’s senior research engineer Claire Tills looked at the efforts of LAPSUS$ and what its motivations were, and how it is viewed now, and joins us on this podcast to discuss the extortion group further.Show ReferencesBrazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group Ransomware Ecosystem White Paper Download PageBlog on Understanding the Ransomware EcosystemWebinar on the Ransomware Ecosystem reportBBC News - Oxford teen accused of being multi-millionaire cyber-criminal Bleeping Computer news report on Okta attack Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable's Zero Day team on Medium

Beyond the success of its impact, a lucrative criminal ecosystem has been developed for ransomware. This has seen ransomware-as-a-service (RaaS) creating an ecosystem utilizing multiple players, while the concept of double extortion has emerged, which involves exfiltrating data from victim organizations and publishing teasers about these breaches on the dark web.In this new edition of the Tenable Research podcast, we talk with senior staff research engineer Satnam Narang about a new white paper which explores the working of this ecosystem, how it works and what the economics of the model are.Show ReferencesRansomware Ecosystem White Paper Download PageBlog on Understanding the Ransomware Ecosystem Webinar on the Ransomware Ecosystem report ContiLeaks: Chats Reveal Over 30 Vulnerabilities Used by Conti Ransomware Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable's Zero Day team on Medium

This month we talk to Tenable research manager Scott Caveza about three recent patching stories, where F5 and Microsoft offered fixes in a regular cycle, and how Amazon Web Services released hot patches to repair earlier vulnerabilities in fixes for Log4J.F5 BIG-IP Patch Hot Patches for Log4J May Patch TuesdayCVE-2021-36942Follow along for more from Tenable ResearchSubscribe to the blogFollow Tenable's Zero Day team on Medium

On this edition of the podcast, we look at the conversation around operational technology (OT) and attacks on critical infrastructure, as we mark a year since the Colonial Pipeline incident. We’re joined by Tenable’s VP of operational technology Marty Edwards to talk about lessons learned, what work there is still to be done by practitioners, industry and researchers, and where the problems remain.Tenable blog - Securing Critical Infrastructure its Complicated Amit Yoran TestimonyVideo of the Homeland Security CommitteeJoint Cybersecurity AdvisoryCBS News 60 Minutes Report NCSC blog on Cyber Assessment Framework Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable's Zero Day team on Medium

This month we take a deep dive into the most recent Java related vulnerability, and ask what the situation was with this, how it got confused with another vulnerability, and how significant it is to the wider threat landscape - or was it just riding on the memory of Log4J?We also look at the April patches from Microsoft, and two lots of fixes from VMware.Spring4Shell FAQ: Spring Framework Remote Code Execution Vulnerability Microsoft’s April 2022 Patch Tuesday Addresses 117 CVEsVMware vCenter Server Sensitive Information Disclosure Vulnerability VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and Lifecycle Manager and vRealize Threat Landscape Retrospective 2021 Download Follow along for more from Tenable Research:Subscribe to the blogFollow Tenable’s Zero Day team on Medium

Have you ever sat in the audience at a conference, watched a video of a presentation, or listened to an interview on a podcast or TV, and seen a researcher and thought ‘how do I get to do that?’Tenable now has a wide selection of researchers, covering security response, zero day research, audit and compliance and writing software plugins.With more companies employing full time researchers now, we talked to two from Tenable about what the job entails, what you need to know to get hired, and what a typical day or week looks like. Joining this month are research senior managers Ivan Belyna and Jesus Garcia Galan.Research JobsTenable Careers Tenable Research