Program Overview / Vuln4Cast 2024 FIRST Technical Colloquium

Thursday, October 3^rd
Day 1 - Plenary
Friday, October 4^th
Day 2 - Collaborative

Thursday, October 3^rd

	Day 1 - Plenary
09:00 – 10:00	Keynote : Vuln4casting Informing your Board Freddy Dezeure (CERT-EU)
10:00 – 11:00	US GB CNA STUDIES Benjamin Edwards (US); Éireann Leverett (Concinnity Risks, GB)
11:00 – 12:00	The Impact of Internet-wide Scanning on Known-vulnerability Exploitation Jamie O'Hare
12:00 – 13:00	Lunch
13:00 – 14:00	An Open-Source System for Customizable and Interpretable Vulnerability Exploitation Prediction Fredrik Sætran (mnemonic); Mark Anderson
14:00 – 15:00	US The Lessons Behind EPSS Jay Jacobs (Cyentia, US)
15:00 – 16:00	The Uncharted Territory: Vulnerabilities Outside the CVE Ecosystem (Sponsored by Vulners) Andrey Lukashenkov (Vulners)
15:30 – 16:00	Coffee Break
16:00 – 17:00	US Building Trust Through Transparency: Democratizing Vulnerability Data and Strengthening defenses (Sponsored by VulnCheck) Art Manion (ANALYGENCE Labs, US); Benjamin Edwards (Bitsight, US); Jerry Gamblin (Cisco, US); Patrick Garrity (VulnCheck, US); Tom Bain (VulnCheck)
18:00 – 19:00	Social Function
19:00 – 20:00	Dinner

Friday, October 4^th

	Day 2 - Collaborative
09:00 – 10:00	Coffee and Opening Remarks
10:00 – 11:00	NL Community-Driven CVE Scoring Renout Schoen (Dutch National Cyber Security Centre, NL); Armin Čoralić (Dutch National Cyber Security Centre , NL)
11:00 – 12:00	NO Automated Vulnerability Chaining with CVSS Dr. Martin Eian (mnemonic, NO)
12:00 – 13:00	Lunch
13:00 – 14:00	Networking and Workshopping
14:00 – 15:00	US Building CVE.ICU: Enhancing Accessibility to Cyber Vulnerability Insights Jerry Gamblin (Cisco, US)
15:00 – 16:00	Coffee Break
16:00 – 16:30	US Insights from 3,000 Known Exploited Vulnerabilities: What Can We Learn? (Sponsored by VulnCheck) Patrick Garrity (VulnCheck, US)

An Open-Source System for Customizable and Interpretable Vulnerability Exploitation Prediction
Fredrik Sætran (mnemonic), Mark Anderson
Predicting vulnerability exploitation likelihood is crucial for effective risk analysis and patching prioritization. We present our work on developing an open-source system for predicting vulnerability exploitation likelihood, inspired by EPSS. Our approach offers improved interpretability and user control, allowing practitioners to train custom models for specific contexts.

Key focus areas include:
- Feature utility: We challenge the trend of using complex and uninterpretable models with unwieldy number of features. Our system enables users to train models using customized feature subsets, while also providing an evaluation of each features utility. This empowers users to make informed decisions when tailoring models to their specific needs. Data completeness: We address the issue of missing data using language models (e.g., CVSSv3 vectors or CWE information) and potential human errors in feature values by exploring methods to predict and incorporate missing information, assessing its impact on model performance.
- Model interpretability: We investigate the balance between model interpretability and performance by comparing various architectures and examining how prediction formatting affects outcomes
- Temporal relevance: addresses the problem of static models being quickly out-of-date in a rapidly evolving space. This ties into our exploration of lightweight models with refined feature sets, enabling practitioners to update their models more frequently and easily.
We will present an overview and justifications for focusing on these four components alongside preliminary results under various experimental contexts in order to stimulate a discussion and generate potential contributions from the community.

Fredrik Sætran is a researcher at mnemonic. He has 6 years of experience in security operations and incident response. For the last 5 years he has worked as a researcher, focusing on machine learning applications. .

Co-Speaker: Mark Anderson. Bio Coming Soon.
October 3, 2024 13:00-14:00
Keynote : Vuln4casting Informing your Board
Freddy DezeureFreddy Dezeure (CERT-EU)
Vuln4casting helps to prioritize our limited resources with a continuously changing threat landscape and a complex infrastructure. We must continuously adapt our defenses in an informed manner, making sure that our mitigating controls are functioning as intended and the residual risk stays within the risk appetite. How confident are we that our efforts to cyber-protect our organization are sufficient? And how can we explain to our leadership that this is indeed the case? This talk will bring Vuln4casting in the perspective of the new NIS2/DORA legislation and its requirements regarding Board oversight.

Freddy Dezeure founded CERT-EU in 2011 and was its Head until May 2017. Since then, he is advising private enterprises and governments in cybersecurity and cyber-risk management, including by providing cyber training to Boards. He is also active as an Advisor to cybersecurity startups worldwide. He is a highly respected keynote speaker and thought leader and is very active in the cybersecurity community. He set up the EU MITRE ATT&CK Community and chairs a CISO Metrics Working Group. https://www.FreddyDezeure.eu/

October 3, 2024 09:00-10:00

Program Overview

Vuln4Cast 2024 FIRST Technical Colloquium

Thursday, October 3rd

Friday, October 4th

An Open-Source System for Customizable and Interpretable Vulnerability Exploitation Prediction

Keynote : Vuln4casting Informing your Board

Gold Sponsors

Bronze Sponsor

Thursday, October 3^rd

Friday, October 4^th