Chapter 1 - The State of the Vulnerability Landscape
1.1 The security canon: Fundamental cybersecurity terminology
1.2 Security metrics: The new guard
Chapter 2 - Data Science to Define Risk
2.1 Risk management history and challenges
2.1.1 The birth of operations research
2.1.2 The scale of cybersecurity
2.1.3 Origins of the risk-based approach to vulnerability management
3.0 Chapter 3 - Decision Support: Tapping Mathematical Models and Machine Learning
3.1 Mathematical modelling
3.1.1 Mathematical scale
3.1.1 Statistics
3.1.2 Game theory
3.1.2.1 Stochastic processes
3.1.2.2 OODA loops
3.1.3 Machine learning for cybersecurity
3.1.3.1 Supervised models
3.1.3.2 Unsupervised models
Chapter 4 - How to Build a Decision Engine to Forecast Risk
4.1 The Data
4.1.1 Definitions vs. instances
4.1.2 Vulnerability data
4.1.2.1 Vulnerability assessment
4.1.2.2 SAST/DAST
4.1.3 Threat intel sources
4.1.4 Asset discovery and categorization (CMDB)
4.1.5 Data validation
4.1.5.1 ETL
4.2 Building a logistic regression model
4.2.1 Data sources and feature engineering
4.2.1.1 Feature engineering
4.2.1.2 Interpretation of features
4.2.2 Testing model performance
4.2.2.1 Calibration plot
4.2.2.2 Simplicity vs performance
4.2.3 Implementing in production
4.2.3.1 Data preparation
4.2.3.2 Application of the model
4.2.3.3 Converting log odds to probability
4.2.4 Communicating the results
4.3 Designing a neural network
4.3.1 Preparing the data
4.3.2 Developing a neural network model
4.3.2.1 Neural network architecture
4.3.3 Hyper-parameter exploration and evaluation
4.3.4 Scoring
4.3.4.1 Score scaling
4.3.4.2 Volume scaling
4.3.4.3 Combining scores
4.3.4.4 Comparison to existing scoring model
4.3.5 Future work
Chapter 5 - Measuring Performance
5.1 Risk vs performance
5.2 What makes a metric “good”?
5.2.1 7 characteristics of good metrics
5.2.2 Evaluating metrics using the 7 criteria
5.2.3 More considerations for good metrics
5.3 Remediation metrics
5.3.1 Mean-time-tos
5.3.2 Remediation volume and velocity
5.3.3 R values and average remediation rates
5.4 Why does performance matter?
5.5 Measuring what matters
5.5.1 Coverage and efficiency
5.5.1.1 Optimizing the tradeoff between coverage and efficiency with predictive models
5.5.1.2 Coverage and efficiency in the real world
5.5.2 Velocity and capacity
5.5.2.1 How much does capacity cost?
5.5.2.2 The power law of capacity
5.5.3 Vulnerability debt
5.5.3.1 The move to the cloud
5.5.3.2 Paying down security debt
5.5.4 Remediation SLAs
Chapter 6 - Building a System for Scale
6.1 Considerations before you build
6.1.1 Asset management assessment
6.1.2 Where your organization is going
6.1.3 Other tools as constraints
6.2 On-premise vs. cloud
6.3 Processing considerations
6.3.1 Speed of decisions and alerts
6.3.2 SOC volume
6.4 Database architecture
6.4.1 Assets change faster than decisions
6.4.2 Real-time risk measurement
6.4.2.1 Vulnerability forecasts
6.4.2.2 Batch where acceptable
6.5 Search capabilities
6.5.1 Who is searching?
6.5.1.1 Risk hunting vs. threat hunting
6.5.1.2 Reporting as a service
6.6 Role-based access controls (RBAC)
Chapter 7 - Aligning Internal Process and Teams
7.1 The shift to a risk-based approach
7.1.1 Common goals and key risk measurements
7.1.2 Case study: More granular risk scores for better prioritization
7.1.2.1 The importance of culture in adopting RBVM
7.2 Driving down risk
7.2.1 Aligning teams with your goals
7.2.2 The importance of executive buy-in
7.2.3 Reporting new metrics
7.2.4 Gamification
7.3 SLA adherence
7.3.1 High-risk vs. low-risk vulnerabilities
7.3.2 When to implement or revise SLAs
7.3.3 What to include in your SLA
7.4 Shifting from security-centric to IT self-service
7.4.1 How to approach change management
7.4.2 Enabling distributed decision-making
7.4.3 Signs of self-service maturity
7.5 Steady state workflow
7.5.1 The limits of remediation capacity
7.5.2 Media-boosted vulnerabilities
7.5.3 Exception handling
7.6 The importance of process and teams
Chapter 8 - Real World Examples
8.1 A word from the real world by Will LaRiccia
8.1.1 Vulnerability discovery
8.1.2 Vulnerability assessment and prioritization
8.1.3 Vulnerability communication
8.1.4 Vulnerability remediation
8.1.5 What success looks like
Chapter 9 - The Future of Modern VM
9.1 Steps toward a predictive response to risk
9.1.1 Passive data collection
9.2 Forecasting vulnerability exploitation with EPSS
9.3 Support from intelligent awareness
9.4 The rise of extended detection and response (XDR)
9.5 The other side of the coin: Remediation
9.6 The wicked problem of security advances