Tell me I'm not losing my mind
Posted by PlaneHashes@reddit | sysadmin | 413 comments
Linux Sysadmin for 14 years. L3 but asked now to help L2 and L1 on some run activities. Infra is so big I don't even know how many servers I oversee.
During some meetings, I keep hearing management say: "Next month we want less new active CVEs".
Experience taught me long ago to shut the fuck up and just nod in these meetings. Keep doing my job the best I can.
But I got tired of these BS graphs and curves.
Yesterday in a meeting with a new manager (been with us for a year) the guy says:
"The total number of NEW active CVEs for this month is the same as the previous. I want this number to go down A LOT. I don't understand why this number isn't going down."
Note: "my" team of 5 fixes an average of 8k CVEs a month.
I got tired. No one else was refuting the request. I asked if he wanted an explanation now. He said yes.
I said:
"There is no direct correlation between new active CVEs in the next report and the amount of CVEs we fix until then. Theoretically you can't ask us to lower the number of newly discovered and active CVEs in the next report. You can only ask us to fix more CVEs per day."
Dude told me I'm wrong and that we must have control over that number.
Told him he doesn't understand that newly discovered CVEs are not under the team's control.
Called me after, furious because I was telling the team that CVEs could not be fixed and was being problematic and not on his side.
Told him I'm not his friend to be on his side. I'm paid to do my job based on reality and not on magical theories and that if he keeps on not understanding how CVEs are created and what a direct correlation is, that's his problem, not mine.
I've been thinking for a while that this guy is just dumb.
But how mad he got got me thinking whether I'm being the dumbass in this situation.
Let me know please.
OTonConsole@reddit
Hello, I would like to introduce you to my friend, "The Malding IT Manager", who acts like a know-it-all, a piece of shit, knows a little bit of everything to bullshit, but not enough to talk accurately on a topic. Has deadline brainclock set to GMV, aka Greenwich Meridian Venus time. Doesn't remember half of the false promises and projections made from quarter to quarter. And keep that holy water close because sick leaves are now one of the seven deadly sins, and the only way to atone is by serving half of your annual leave on an altar as sacrifice via work calls and being guilted into not complaining.
Just asking in case we might be talking about the same boss, have a good one!
doblephaeton@reddit
whatever KPI he is working on needs to actually be managed better.
Look at CVE raised previously
age of CVE
CVSS Score.
We have: based on a score of X, patching must be within 8 hrs, 24 hrs, 7 days, or 1 month, or the CVE must be mitigated through other controls.
By discussing how it's measured, and actions to be taken, you can build a better relationship.
PlaneHashes@reddit (OP)
We have all that mapped. The dude keeps insisting on new CVEs that may be discovered the next report. I can't do anything about those new ones... Tried to explain, he doesn't understand.
ReputationNo8889@reddit
Tell him to find the person in your org that is responsible for discovering new CVEs and getting them reported. Maybe then he understands that this is not in your control.
_matterny_@reddit
You can either buy brand new equipment which has a lot of CVEs due to lack of field testing or you can run older equipment which has lots of CVEs due to the outdated technology at play.
To minimize the number of new CVEs it’s simple: get rid of anything able to connect to the internet. Computers are still allowed, if they predate the internet and USB. Printers are a huge risk, gotta get rid of those. Servers are inherently dangerous by that metric, those should all be disposed of.
dougmc@reddit
Just run old, unsupported OSs and software.
Few people are running it, even fewer are fixing problems, so few people are reporting CVEs against it, so fewer new CVEs!
(/r/ShittySysadmin approved!)
lovesredheads_@reddit
I understand you are joking, but the sad part is that stuff like that happens. I find all sorts of KPI BS. You need KPIs to "motivate" people who got demotivated by you beforehand. My hot take is that management needs to create an environment where a team can work effectively and efficiently while having fun doing that. This is at least my goal and it works so far.
8492_berkut@reddit
Nailed it - if cluedart in OP's story wants the # of CVEs to go down in relation to the environment they manage, they need to consolidate and minimize the number of disparate tech they have under their control.
_matterny_@reddit
However, changes like moving 5 servers into VMs on one server will only make the CVEs more severe and difficult to mitigate. You need to evaluate if servers are needed and remove unnecessary equipment.
anomalous_cowherd@reddit
A lot of vulnerability scanners don't look too deeply into containers. Have a few very standard Linux hosts (they usually have zero CVEs when new or stripped down) running containers that won't be scanned and watch the CVE numbers tumble.
Rude-Sprinkles4118@reddit
Circumvention =)
BadSausageFactory@reddit
I tell my users to stay off the computers entirely. That's part of our AV security training. Just say no.
seanl1991@reddit
This is just me in life. I can't get in trouble if I didn't touch it.
Grrl_geek@reddit
Also no more email. No more cloud ANYTHING.
Helpful-Recipe9762@reddit
I read somewhere "If you measure work by KPI people would just work to improve KPI" or something similar.
This manager wants the number of new CVEs down a lot - yes boss, easy task. Stop registering or accepting new CVEs, stop testing to find them. I'm 100% sure these 2 easy steps will bring the number of new CVEs down A LOT. Not so sure this is what he wants, but hey, improving KPI is improving KPI.
PS. Just in case. Above is a joke. 😅
anomalous_cowherd@reddit
You need to try and turn it back on him, get him to specify how many CVEs are going to be published next month as part of his requirements. If unspecified default to zero.
brrrchill@reddit
Did you ask him why? Why is this number important to him?
reevesjeremy@reddit
You need to patch all the known and unknown vulnerabilities today. You need to make that system so rock solid that a CVE never impacts your systems. Aka: you need to prevent the scanners from getting in. And once you’ve done that, you’re secure from the scanners saying your systems have new vulnerabilities. :)
DrunkenGolfer@reddit
He thinks you are creating vulnerabilities and should create fewer of them. You can reduce the number of new CVEs by not updating your software. Eventually, all the vulnerabilities are found and no new ones emerge. There will then be 1000 CVEs that can’t be remediated, but none of them will be new. The alternative is to have updated software that will have few known vulnerabilities, but a higher number of newly discovered vulnerabilities.
Ask him which of those two options he prefers.
jurassic_pork@reddit
"So what is our private mercenary hit squad fund sitting at? How many hundreds of millions of dollars do we have for assassins and internal threat research departments?"
"You are asking us to start killing security researchers on a global scale to reduce the number of reported vulnerabilities or to be the ones to discover the vulnerabilities ourselves and work with the vendors to develop and apply the patches or mitigations before they are public."
randalzy@reddit
I like this one, it could start with something like:
- "hey Bob, just to make sure we are on the same page, is this a Top Priority Job?"
(...)
- "ok, who else is involved that I can safely know? Do we have CEO approval?"
Better if this can be obtained via Teams or email in written form. After some weeks pass, a budget for a mercenary covert ops team that could kill reporters and decline the number of newly found CVEs. Always add an option to buy MITRE in a hostile way. Maybe include a takeover of the US government, or buying Microsoft.
PlaneHashes@reddit (OP)
This!! So much this!
TaterSupreme@reddit
That's not completely true. I've had situations where my webserver build included both Apache and nginx even though we only used one. We kept installing a log analysis tool and the perl environment it needed for years after we started shipping weblogs off to a central reporting system.
Maybe it's time to audit your systems for unnecessary cruft. If you can pull some packages, you'll reduce the number of possible targets for new CVEs.
littlemissfuzzy@reddit
Hear hear.
One can limit the amount of incoming CVEs by reducing the amount of cruft installed.
Case in point: compare the CVEs for a Temurin 21 JRE container image based on Ubuntu, versus based on Alpine. A world of difference.
JimmyMcTrade@reddit
Tell him that you can set up a firewall that blocks the reporting agents. No more CVEs detected!
Or even better, you can turn off the systems.
tuscangal@reddit
My response to “targets” like this is “if I could predict the future, I’d be working on Wall Street not here”. But then again I’m out of fucks to give about this kind of stuff.
PlaneHashes@reddit (OP)
Exactly! Well, I don't have a crystal ball but at least I've confirmed I have my sanity.
evolutionxtinct@reddit
What is a CVE….
anomalous_cowherd@reddit
We have a policy that CVEs over a certain score need to be fixed or mitigated within a certain time. That all makes sense.
However that time starts when the CVE is published, not when a patch is made available. I've tried to fight it, but...
Not surprisingly we have quite bad metrics for some of those.
klauskinski79@reddit
Will never forget the official decree that our product should have zero open bugs in two months. Was impossible since many bugs require full feature development. So in a long night our TPM changed half the "bugs" to "feature requests". Which is kinda true, didn't make anything better, but some metrics got achieved and someone got his bonus. Yay?
Big-Industry4237@reddit
CVSS scoring is also flawed. It really should be based on the risk that the org decides. Always fun to see production systems getting disrupted because a “critical” CVSS score requires an immediate fix and the “vulnerability” has absolutely no chance of being exploitable. 😞
PlaneHashes@reddit (OP)
Sheesh don't even start me on that. If I can't make them understand this simple concept, imagine trying to explain that some detections are bogus or that the CVSS doesn't make sense for us...
iamlostinITToday@reddit
They should also understand it's a target, a best-endeavour kind of thing. You could patch all CVEs in your environment and get new ones 5 minutes later. For Cyber Essentials Plus I think they ask for critical and high-risk CVEs to be patched within 14 days of the release of the patch. Some systems need downtime to patch or change mgmt approval; all of those need to align for a team to achieve the best outcome possible. Just demanding the numbers go down doesn't work.
redditor5597@reddit
Just tell him that if he really wants that number to come down you have to remove software from servers. Ask him if that's what he wants you to do.
sliverednuts@reddit
How did he get that job if he has no idea how things actually work !! He’s read books without real world experience .. He’s about to find out you can’t fudge reality 🔮
DrummerElectronic247@reddit
There's really only one way I can think of to reduce the number of CVEs coming at you in a given interval: simplify your tech stack. Fewer different systems reduces the overall volume of CVEs (from a purely numeric standpoint) and simplifies patching (while simultaneously increasing the footprint of a given patch deployment). It's not an idea without merit, but it's not a magic bullet.
If you have a problematic vendor who is consistently generating higher CVSS scores than others in the segment then it might be worth your while to migrate. Maybe. You're just rolling different dice as opposed to better ones, but it is what it is.
azure-only@reddit
Do we really need to fix ALL the CVEs?? I think your manager is dumb. You need to convince them to ignore some CVEs. Not all CVEs can be super fixed, IRL. There are other facilities in security to cover them up.
Tcrownclown@reddit
As a security specialist I would have answered similarly. I would be upset if the CVEs I've asked to be patched are still there, and not if new CVEs were discovered.
I have sysadmins that actively refuse to patch and the number rises or in the best case scenario remains the same as the previous month.
smokie12@reddit
Maybe ask him what he thinks a CVE is and how it is created, to make him realize that you don't actually have any control over the number?
PlaneHashes@reddit (OP)
Tried. Explained. Explained with diagrams. Explained with drawings. He doesn't get it. Keeps saying I'm wrong on the fact that we have no control on new CVEs that might appear next report...
isystems@reddit
Show him this post, so he can see he is wrong…😂
ckdarby@reddit
You're right and they're right as well.
If you're reporting on a monthly rate and the number is flat versus the prior month, that would raise suspicion for me as well, and I'd ask how many new CVEs and how many resolved CVEs there were.
You are in control, in the meantime, of CVEs being patched from when there is a patch. That is probably what this individual is focusing on when saying that the team does in fact have control of the number.
As an example, infrastructure I've managed in the past rolls out the latest AMI on a weekly basis. We're never more than a week behind on the image distro CVEs.
smokie12@reddit
I'm so sorry.
PlaneHashes@reddit (OP)
Me too. At least I have the confirmation I didn't go full retard. But the absurdity of all this made me question myself.
TheDunadan29@reddit
Sometimes when you run into someone that absolutely stupid, you need a sanity check to make sure you're not the one losing your mind. I get it.
randalzy@reddit
- "ok, for the next meeting, can we have the manager of the CVE Creation and Discovery Team here with us, so we can get their input? Once we meet with this Team we can put together a plan"
Happy_Harry@reddit
AKA the dev team?
randalzy@reddit
nah, the idea is that the manager ends up admitting in front of someone up in the food chain that he has no idea of what a CVE is or who generates it, or that he manages to get MITRE involved in the reduction of newly discovered CVEs. That would be hilarious.
PlaneHashes@reddit (OP)
ahahah thanks for the laugh!
Technical-Message615@reddit
Not a laugh, make it an actual item on the agenda.
hkusp45css@reddit
Something like that might actually jar him into a logical understanding.
Have you asked him what *he* thinks you can do to lower the new CVE count?
It's possible (though, unlikely) that there's some weird definition disconnect or some obvious thing which is actually happening but he's unable to convey it.
depoultry@reddit
The manager sounds like the type of person to say “it’s your job to know how to lower the CVE count, not my job”
Rzah@reddit
Not offensive enough, I think he's more "Why have a dog and bark myself?"
hkusp45css@reddit
Sure, but unless you ask you won't know.
nihility101@reddit
Have him send his complaints to cve.org.
His personal villain’s origin story: https://www.cve.org/Resources/General/Towards-a-Common-Enumeration-of-Vulnerabilities.pdf
pentangleit@reddit
Tell him that you could always turn off all the servers. That'd reduce your CVE.
PopularDemand213@reddit
This is the answer.
Start turning shit off. When he asks why shit stopped working, tell him you're doing what he asked you to do.
robreddity@reddit
He might be on to something... I remember hearing if we just stopped testing for covid, the number of covid cases would go down.
PlaneHashes@reddit (OP)
I think this is the approach he wants. I'm clearly the dumb one for not understanding this simple trick! /s
Problably__Wrong@reddit
Is there a metric that shows which vulnerabilities were remediated over the course of the month, or is there 1 scan per month and everything constantly looks the same? We run multiple scans; this way we can demonstrate progression to those who are less likely to understand. This almost sounds like a math problem.
PlaneHashes@reddit (OP)
There are all the metrics you can think of. It's a big, big company spread worldwide.
With all the tools and metrics we have available, these guys are focused on that freaking number... It's just dumb.
Cowicidal@reddit
Maybe he's trying (and failing) to tell you he wants more preventative measures taken to prevent vulnerabilities? Which, of course, wouldn't prevent CVEs unless you literally change the hardware/software you're using and find something that's perhaps more inherently secure.
Ask him if he's willing to massively blow up the budget to reduce all these pesky CVEs. /s LOL
Ohmec@reddit
Maybe throw the dude a metaphor?
Something like "That is like asking people who run a zoo to stop new species being discovered in the Amazon." or "That is like asking people who run a hospital to somehow stop new diseases being discovered."
PlaneHashes@reddit (OP)
Gave him the janitor in a public park analogy. He said it's not the same thing...
FireLucid@reddit
"I can explain it to you but I can't understand it for you."
RandomActsOfAnus@reddit
Don't tell him about 0days that don't have a CVE assigned yet. He might lose his mind.
hyjnx@reddit
"How can you not predict zero days! Patch for the unknown GOSH!" /s
PlaneHashes@reddit (OP)
Just transform into a team of highly skilled researchers for fucks sake and pre-detect the vulnerabilities!!! /s
hyjnx@reddit
Why aren't you a pen team and discovering the zero days yourself? What do we even pay you for?! /s
kingofthesofas@reddit
Honestly at this point you should escalate to his manager, get all your data and presentation ready to go. Schedule a meeting without your manager to explain what is going on and how you need your manager to understand this basic fact about metrics.
peavey_tool@reddit
Does this manager have an MBA, perchance?
PlaneHashes@reddit (OP)
No idea. But by the looks of it, he probably does.
Nosa2k@reddit
You are right, the only thing he could say in his defense is to prioritize based on the severity of the CVE.
PlaneHashes@reddit (OP)
Agreed! Told him: you can ask us to fix more. You can't ask us to ensure fewer vulnerabilities are discovered. Systems are already as lean as possible.
Any-Fly5966@reddit
Bless his heart
music2myear@reddit
Suggest he develop and fund hit squads to go after the groups that pentest systems and find new CVEs. Fewer people to find CVEs, fewer CVEs to deal with.
plumbumplumbumbum@reddit
Does he also want you to reduce the number of updates Microsoft releases each month?
ScannerBrightly@reddit
Have HIM explain to YOU how CVEs are created.
ITguydoingITthings@reddit
Is there a chance he somehow believes that your team or some team internally discovers/creates the CVEs?
It may be worth starting the questions at the absolute most basic stage, asking what his understanding of a CVE is, how they are reviewed and published, and where they are published.
Not as an attack, but almost apologetically because "it seems like we're on different pages" kind of thing (and yeah, it's borderline manipulative, because we already know he doesn't understand, but you're giving him a chance to clarify your possible misunderstanding...)
Own_Bandicoot4290@reddit
Did you try telling him who creates the CVEs? That it is not anyone inside the company?
Sleepy_L0c0@reddit
My boss kept arguing with me that back ups were the most important thing. I said "I agree they are really important, but Monday I'm gonna shut down production and see what is more important." Argument ended right then.
kjeserud@reddit
Just keep limiting the scope for new CVEs you put in the report, eventually you'll get to 0! (Of course, security is out the window, but who cares, right? At least the number is down.)
ShoePillow@reddit
Ask him to explain his understanding...
Maybe he'll realise it then. Or maybe you'll find out he actually wants to track some other number
1116574@reddit
As a bonus reading for him:
https://en.wikipedia.org/wiki/Goodhart%27s_law
jekksy@reddit
Correct doesn’t mean you’re right… let me try that again…
You’re right but that doesn’t mean you’re correct… that doesn’t sound right…
This is why I just shut up on meetings. Lol
CA_Dukes90@reddit
Reverse “Terminator” the CVEs: go to the future to destroy them before they make it onto his report!
Reddit_User_Original@reddit
...8k CVEs per month? ???
No_Resolution_9252@reddit
Depends on the age of the CVEs.
Also, if you are mitigating 8k CVEs every month, you have too much crapware on your network and the guy's concern should be over organization management.
da4@reddit
Hang in there bro. Suits are the distraction the sysadmin gods throw at us to keep us on the divine path. This guy you’re dealing with is a lesser suit.
primorusdomus@reddit
Limiting the number of software packages and operating systems can help lower CVEs only because the portfolio is smaller. Are you counting a new CVE as a single or the number of servers?
But no - you are correct - if you could lower the total number of CVEs you could write your own ticket with the OS or software publisher.
1randomzebra@reddit
I am happy that guy works at your company and not mine - I could not deal with that headwrecker daily. Life is way too short.
beheadedstraw@reddit
"Note: "my" team of 5 fixes an average of 8k CVEs a month."
Where the fuck are you working that has 8 THOUSAND CVEs? A retro 90's shop that runs Windows XP Service Pack 2? Or am I missing the meaning of "CVE" in this context?
CaterpillarFun3811@reddit
Sounds like bad communication. It's likely you 2 don't understand each other and are unable to communicate thoughts effectively and professionally, causing misunderstandings that don't make sense.
lopahcreon@reddit
Tell him upper management needs to lay off more state actors.
Superb_Raccoon@reddit
Here, show him this:
https://www.cvedetails.com/product/16924/IBM-Z-os.html?vendor_id=14
Migrate to a Mainframe. Last CVE was in 2014.
JMaAtAPMT@reddit
29 year IT guy, over 20 as an SE.
Ask him HOW you are supposed to PROACTIVELY FIX a CVE that HAS NOT BEEN DISCOVERED AND DOCUMENTED yet.
goishen@reddit
"WE have no control over how many CVEs are reported."
"Impossible."
"You're just wrong."
I would state it in a very matter of fact tone of voice.
trooper5010@reddit
I'm curious, how do you patch over 8k CVEs per month? What tools do you use to do this on large Linux infra setups?
davidgrayPhotography@reddit
Just do the Donald Trump COVID thing:
If you don't report CVEs, the count goes down, therefore, you've successfully dropped the number of CVEs per month!
Easy!
PlaneHashes@reddit (OP)
Dude! I'm starting to believe this is what they want. Stop the scanner. No more vulnerabilities. BOOM! Problem solved!
Frosty-Magazine-917@reddit
Look man, stopping the scan will probably show up in a lot of places, but setting the network bandwidth and disk IO the scanner is allowed to use in less places.
smellybear666@reddit
I am a new president on a nonprofit board, and I am finding all sorts of things to fix that we are responsible for, and they all cost money. Some other board members (who had been presidents in the past and let everything go to shit) have accused me of “looking for problems”. It’s fing insane.
PlaneHashes@reddit (OP)
The audacity! Trying to fix broken things! /s
randalzy@reddit
"We blocked all the DMZ so now, as per the "Lower the New CVEs Prime Directive", we hit the target set by Manager X.
As a side effect, our webs and business apps are not accessible and this may have some business impact, but that is for Manager X to manage."
narcissisadmin@reddit
Kind of like counting someone as a COVID hospitalization if they test positive regardless of why they were in the hospital to begin with? LOL
crossdl@reddit
Then he'll keep assessing the team by a bullshit metric he made up because he's a super cool dude that actively tracks CVEs and wants to flex and he'll get lied to or people will leave.
Show him this thread and specifically my comment calling him a fucking jackass.
DarkSide970@reddit
We still have SQL 2014 and Server 2012 in our environment and the CVEs don't go down when the vendor's software can't upgrade. Lol
lithdk@reddit
No, you are ok; he shouldn't be in a position where he can set targets for numbers he doesn't understand.
JazzlikeSurround6612@reddit
While OP is right... Depending on this guy's position, OP might need to be looking for a new job soon. Sometimes you have to pick your battles and the hill you will die on.
Maro1947@reddit
Some days, the hill looks great in the sunshine though
SkullRunner@reddit
The hill has a picnic basket with your favorite sandwiches, cold beer and a small TV playing your show, movie or sport.
You just have to go over and lie down...
I have died on that hill before... 100% worth it.
Maro1947@reddit
To be honest, I've charged to the top of the hill to enter Valhalla more times than I care to admit.
Life is too short to deal with asshats, especially those who threaten my co-workers'
Angelworks42@reddit
You're right I would have likely nodded my head and said "ok...?".
I feel like the security guy turned it into a hill to die on when he did the after meeting call.
PlaneHashes@reddit (OP)
He ain't even security. This is my manager! Ah! Go figure.
Security department is with me on this. This is purely a management issue.
Angelworks42@reddit
Oh wow yeah that is kinda bad 😔
Valdaraak@reddit
Blaming me and my team for not doing something that we literally can't do is a battle I'm willing to pick and a hill I'm willing to die on. I'm not going to have someone with a misunderstanding make me and my team look bad.
I would've done the same thing in OP's situation. Letting them keep working under that misunderstanding can also cause issues with keeping your job.
PlaneHashes@reddit (OP)
Exactly.
Can't add another word to what you just wrote.
tdhuck@reddit
You are not wrong, but this is why I can't stand when higher ups are dumb. Just because you are a director, manager, etc doesn't mean you should be able to get away with being stupid.
That being said, there are other ways to handle this where both parties can get their point across w/o blowing up, assuming this isn't a weekly thing.
I get that the higher ups aren't experts, that's why they have a team under them, but when they don't stop to think/understand what is being told to them, they should no longer be in that position.
hkusp45css@reddit
I am as "job protectionist" a guy as you'll find, generally.
But, if I find myself explaining to a guy who sets metrics and uses them to judge productivity and that guy is telling me to make sure I have more control over how the entire global technical landscape behaves, I'm probably going to tell him he's an idiot. I might try to be diplomatic, at first, but that's going to wear really thin, really fast.
Part of the reason we hire professionals is to help each other understand where they're going wrong.
I'd defend the discussion the OP had all the way to the soup line.
PlaneHashes@reddit (OP)
More and more I agree with this.
dhardyuk@reddit
Welcome to ‘my experience trumps your enthusiasm’
The understanding gap is always there. If they can’t explain something properly in their own words they reveal that they don’t understand it. If I don’t understand what you are trying to explain you need to be able to explain it with different words. The ones you have aren’t working.
Sometimes that’s my fault, occasionally it isn’t. Repeating the same words over and over suggests that they think I’m not understanding. When I really am.
Just today I have spent more than 90 minutes explaining to someone that when I say ‘show me what you mean’, repeating everything they just said and insisting that is what they mean - ergo I’m wrong because they think they are right - means that actually THEY haven’t understood that I already understand both what they are saying and what they are trying to explain, and that the words they are choosing are not influencing my understanding. Just underlining their own lack of understanding.
Finding the words to wrestle this to the ground without anyone getting hospitalised or fired is a balance between allowing them to waste my time and dragging them to a new baseline for their understanding. It’s for their benefit, not mine.
Occasionally it goes sideways and ends up with HR. So far I’ve won every one that did.
Sometimes people mistake it for dick swinging, or knob conkers. Usually they stop when they show me exactly how much more right they are by actually doing the manual steps of the thing they are arguing about.
In the too-many-CVEs-a-month example here, the idiot needs to be made to role-play finding and fixing CVEs. Extra points if he is arrogant enough to do it in front of the people who understand why he’s wrong. At which point he can throw his toys around and lose everyone’s respect, or demonstrate that he has learnt something new and say something to elevate their respect for him.
If he’s an arrogant twatwaffle he won’t be able to swallow his pride and acknowledge that on this occasion he might be mistaken.
AlterdCarbon@reddit
Come on man, you're not gonna win these battles by trying to explain "that the words they are choosing are not influencing my understanding." You have to team up with the stupid person, blame the "tech" for all the problems, commiserate with their feelings of frustration, and then let THEM take the lead on "solving" it, and you have to pretend to just "have an idea" (use those words) and then you gently "try" the fix you knew all along. This is how stupid people think the world (and smart people) work, so you can just feed into their worldview and they will love you (or at least respect you) instead of fighting with you all the time. If they understood logic and detailed communication then they wouldn't need your help in the first place.
You know the absolute best and most satisfying way for a twatwaffle to swallow his pride? When you know that he knows that you knew the issue all along, but you still played along with him just to make him not feel dumb, and he realized it eventually. And he can't tell anyone because he legitimately realizes he was being dumb. Now you have social power over him, legitimately. Keep doing this and making him feel privately stupid but not because you did or said anything directly. And keeping making him look good in public. This is how you win, honestly. This is how the modern world works. Only other option is to leave the situation or go down in flames. This is how modern cooperative society works, for better or worse. This social media era idea of public shaming, "crashing out," and publicly airing interpersonal grievances just isn't productive for anyone, there's no point, and there's no "winner."
dhardyuk@reddit
Dude
I don’t have time to sit on my hands and wait for the twatwaffle to catch up. I have a whole queue of twatwaffles that want to get my attention because I am holding up their world domination plans.
I’m a grey beard and my time is running out.
AlterdCarbon@reddit
Flames it is then, it's your choice. Not saying how it should be just telling you how it is.
dhardyuk@reddit
No I have more than enough words.
From the gentle “I think we need to look at these specifics” via “I don’t find your explanation compelling” through “I understand what you’re saying, and you blindly repeating it indicates that you don’t.” to the very burnt bridge of “This conversation has an idiot in it and I’m looking at him” and then crashing into “I can’t work with you, you are fighting to be left to drown. ”
I invest heavily in everyone I work with. Until they prove they aren’t worth the effort. I have made a lot of assumptions that burnt me in the past, the idiots these days though are much better than when I was in my prime. These days they can irretrievably fuck someone’s business up without even noticing. I want the idiots to be at least self aware to the point they can spot a fuck up before it fucks them up.
AlterdCarbon@reddit
🔥🚒🧯
Affectionate_Ad_3722@reddit
"that repeating everything they just said and insisting that is what they mean - ergo I’m wrong because they think they are right - is actually them demonstrating that they have not understood that I do actually understand both what they are saying and what they are trying to explain and that the words they are choosing are not influencing my understanding."
This, but in bold, underlined and with a bleeding dagger for emphasis.
Not adding to what you said but just pleased/despairing someone else is living the same thing.
_Moonlapse_@reddit
Even though day to day this sucks to deal with, there is a certain comfort in a phrase I've been saying from Adam Savage recently, "do I need to absolutely argue this daily and constantly be rubbing this dude the wrong way, or will the world work it out in time".
I think once you have your documentation showing each month, and you can back up your argument should it ever come along from above him, then it's fine.
Majestic_AssBiscuits@reddit
I’ve had the same problem. When the number didn’t move too much management just thought we weren’t doing anything, and it took a little bit of doing to show them that we were we basically made up our own metric of remediated CVE per month. If one vulnerability multiplied over 400 servers can ding me for 400 points on the report, then patching that vulnerability should give me 400 points on the other side.
I suppose about the only thing you could do to reduce the incoming number of CVE’s is to make sure you are retiring/decommissioning any unnecessary nodes and software.
Like, if there are 5 CVE’s found in RedHat next month, then if you get rid of 4 servers that aren’t necessary anymore, that number goes down by 20 on his report, yes?
Same for like Java or Python. Even if you’re not using those, the Tenable scan or whatever they run will still find them and count the CVE’s right? So I guess you could make sure that you don’t have unnecessary packages and that would kind of have a similar benefit. I’m primarily a Windows guy though, and Linux tends to run much leaner out of the box.
jurassic_pork@reddit
This is how my current multi billion dollar client handles things, with daily and weekly automated executive reports and Jira and ServiceNow integrated issue tracking, change controls and remediation. They also set a minimum vulnerability score that any network attached device must have, or other changes for the affected systems automatically get rejected - patching and best practices come first.
Majestic_AssBiscuits@reddit
That… that actually sounds kinda rad. Do you find it hard to keep up at all?
knightofargh@reddit
Isn’t setting targets for numbers you don’t understand just the job description for most CTOs and CFOs who are over IT for some reason?
Majestic_AssBiscuits@reddit
I felt that.
SkullRunner@reddit
You mean when the CTO's are MBA's and did not come from technology... 100%
A_Unique_User68801@reddit
I've never had an experience otherwise.
satchelsofgold@reddit
Post like this make me feel so lucky I run infrastructure for a 25 person company where nobody even questions our mini team hardly ever.
michaelpaoli@reddit
Ah, you're (mis)managed by someone that doesn't understand what they're supposed to be managing ... and clear that though they're asking for "explanation", etc., they don't want facts and reason, they just want reinforcement of their own misconceptions. Good luck with that. Update the resume, let 'em figure out why they have a high turnover rate and can't hold good people ... then it becomes a "not my problem".
You may try first talking to that manager privately ... see if you can (cautiously and appropriately) talk some sense into them. But regardless, update that resume. And be sure to smile real big on your way out.
Less-Procedure-4104@reddit
Maybe revisit it, as likely you are not speaking the same language: you might not understand the want, and they may not understand your reply, based on not understanding what they really want.
BokehJunkie@reddit
just block the vulnerability scanner from scanning more and more computers every week and that number will start to go down. It's so simple.
spazmo_warrior@reddit
^This guy Maliciously complies.
xabrol@reddit
Just tell them you don't work for MITRE Corporation And have no control over the CVEs they create.
hoax1337@reddit
Bro, this is easy. Just reduce the number of packages / applications you're using, and the number of new CVEs affecting you will go down. Do this gradually to indicate a downwards trend and until the productivity of the company grinds to a halt.
Boom, fixed.
PlaneHashes@reddit (OP)
BOOM! This is the plan! I usually say: Shutdown the servers and crush the hardware. They won't be vulnerable anymore.
Confident_Humor_3356@reddit
I love how you still "shut-down" the servers, before crushing them. roflcopters.
PlaneHashes@reddit (OP)
Yes, because after crushing, the bits spread all over and I want to only have to pick up zeros. If I leave the server on, we will have a bunch of ones and zeros and I'm sure someone will ask me to put the ones in a different bag from the zeros.
DeathSpot@reddit
[Just be sure you pay royalties.](https://theonion.com/microsoft-patents-ones-zeroes-1819564663/)
fresh-dork@reddit
that's why i do it over a sieve. filter out the 1s (they're skinny) and bag separately because of course someone will ask
littlemissfuzzy@reddit
You’re being facetious.
It is entirely possible to limit the amount of incoming CVEs by reducing the amount of cruft installed.
Case in point: compare the CVEs for a Temurin 21 JRE container image based on Ubuntu, versus based on Alpine. A world of difference.
rubmahbelly@reddit
But… there will be new CVEs on the interweb reported.
We need these number DOWN ASAP!
OldManAngryAtCloud@reddit
I assume they are using something like InsightVM or Tenable to track vulnerabilities in the environment. Just modify the reporting to exclude certain applications as "risk accepted". Taking Java off the report should work wonders.
ProfessionalWorkAcct@reddit
This is what happens when you give a ~~fucking retard~~ manager KPIs that they don't even understand.
DarthTurnip@reddit
Wouldn’t it be cheaper just to put everything on one giant server?
MrCertainly@reddit
Do not worry about results -- "good enough" is truly good enough.
Treat your jobs as cattle, not as pets.
Work your wage. Going above and beyond is only rewarded with more work. Your name isn't above the door. You don't own the company. So stop caring as if you did own the place.
Don't work for free or do additional tasks outside of your role, as that devalues the concept of labor.
Faculties@reddit
You aren't wrong but yes you are losing your mind. The brain drain that comes from working with people unwilling to listen is immense.
okatnord@reddit
Sounds like you're a blocker to his bold leadership. This is a person who will not take no for an answer.
Courageous!
WannabeAsianNinja@reddit
Trust your gut.
You've already rationalized and attempted to fix the situation, but there's a reason why there's an expression that "you can't fix stupid."
Solution wise, I don't know all the specifics of your job but maybe making a few CVE sites as his home page and having him go into whatever SIEM you have to fix it himself is what he is going to need to really do it. Play dumb, ask him to show you how to handle a SMB vuln for a Linux box and watch him suffer.
LonelyWizardDead@reddit
New job time tbh
coralgrymes@reddit
You're not crazy. He's just stupid. REALLY stupid. He went FULL stupid. You never go full stupid. Sometimes you get management so stupid it starts affecting you. I'm glad you came here so we can prevent his stupidity from infecting you. You can't control something that entities outside your reach create. You can only solve them as they come in. Does he think you can just wiggle fairy dust out of your magic IT fingers to make CVE's stop existing? That's not how that works. You aren't Doctor Strange. You can't travel through time to stop things from happening.
dazcon5@reddit
The number of times I have sat in meetings with upper management types and always thinking "how dumb are you?"
I let it slip once on a Teams call and had to blame it on my dogs.
Secret_Account07@reddit
I don’t even understand his logic.
So if this was a bad month and 10k new CVEs get created, you are responsible for A) addressing all 10k that month, and B) fixing existing so that number trends down
Is the score considered here? As we all know, not all CVEs are the same. Some CVEs cannot even be executed (despite existing) based on infra/setup.
serverhorror@reddit
You're the dumbass for criticizing him (or anyone) in public and making him lose face.
You should have nodded thru the meeting and given him a call afterwards and explained the situation.
Jswazy@reddit
How could you possibly control the number of CVEs? Who is this idiot?
PlaneHashes@reddit (OP)
My question exactly. Made me question my sanity.
MaelstromFL@reddit
He set this as a goal with his management, probably put it down as a metric for his bonus!
If that is the case, you will never get him to move off of it!
DamDynatac@reddit
time to spin up some legacy OS VMs to ruin Q4
littlemissfuzzy@reddit
By reducing the amount of crap you install on your systems.
SpongederpSquarefap@reddit
That only helps to an extent - every patch Tuesday there's at least 50 CVEs of some kind for Windows
Those numbers won't go down until you've installed the monthly patch
AlternateAcc1917@reddit
I don't know why everyone is saying this like it's a silver bullet. I'd recommend tracking and logging which systems are accumulating the most vulnerabilities and starting there. They may have a diverse array of devices and software leading to the # of new CVEs, which is good because it means researchers are finding issues, no? And it might not be an option to reduce attack surface by uninstalling if there's nothing superfluous in the first place. What do you tell this manager then? You've coddled their ineptitude by assuring them you can reduce new CVEs without throwing servers away, then it turns out you can't because you'd have to reduce functionality. I feel like this is a people/organizational goals/acceptable risk issue and not a technical one.
Jswazy@reddit
That still doesn't guarantee lower CVE numbers.
Some_Troll_Shaman@reddit
Management guy is a MBAtard no doubt.
The necessary measurement is age of CVE's, how fast they are patched, not how many there are. So you are correct.
So you want to chart number of CVE's by age over time, not number of CVE's over time.
Just give him the scenario of a good and bad patch tuesday.
If M$ drops 90 CVE's one month and then 240 the next, how is that in the teams control at all. What matters is if they are patched appropriately and according to policy.
You are smarter than the MBA taint licker.
SpongederpSquarefap@reddit
Yep, you don't need to care about the CVE count, just how high the severity is and when it was last patched
If there's a bunch of 4s and 5s outstanding but you just installed the monthly patch, it's likely that the other fixes are from config changes that could break something
Or the attack vector for something rated as a 4 is highly impractical - like physical unauthorised access to a server
In general - who cares so long as your riskiest assets are patched quickly
PlaneHashes@reddit (OP)
Told him about that kind of drop where in one month, 100% more CVEs are generated.
Said: You have no proof that will happen. I know how many vulnerabilities you fix. You don't know how many will appear next report.
Told him it was exactly my point. He didn't understand and kept ranting about how I was showing the team this problem wasn't solvable...
"Say what?"
fogleaf@reddit
Reducing new CVEs is an unsolvable problem.
Although as I typed that I think I might have figured out what he was smoking: He wants you to reduce the number of the new CVEs that are still active.
If you generate the report of new CVEs on a Monday and the meeting is on Tuesday, he expects you to have fixed more of them before the meeting.
Report says 1000 new CVEs, you then report that you fixed 800 of them. Thus the number of new active CVEs is 200. Then the next week you pull the report of 7000 new CVEs, and your team fixed 6999 of them. That way there's only 1 new active CVE!
PlaneHashes@reddit (OP)
I get all that and know what he wants.
The whole problem is promising.
A team is a finite resource. There is only so much it can do.
At our rate, I can promise that we can fix around 8k vulnerabilities a month. It's our average. If complexity stays the same, the average shall be respected.
But that's it.
If from this report we fix all the vulnerabilities, I can't promise anyone that for the next report, we will have more or less new CVEs.
fogleaf@reddit
Probably have to find a way to show the diminishing returns it would take to reach that goal. Adding 1 million per year in salaries might reduce the new active CVEs by 1%. But adding 10 million per year will not mean 10%.
As I type that I just got weary thinking about it being my problem. Sorry your management sucks! It's a dumb problem and shouldn't be entertained.
Some_Troll_Shaman@reddit
You can lead a horse to water,
But sometimes you still have to make Glue!
aka,
You can't heal stupid.
Sorry,
He can't be helped.
BTW, you do have proof from historical context, so, evidence denial, MBA lobotomy completed.
Get a Cyber Security consultant and make them fight the stupid.
Tanker0921@reddit
Hippty hoppity, this word is now my property.
But seriously, there are too many MBA managers in roles that don't make sense for them to be in, not to mention most of them don't actually care about what the team actually does and just look at the fancy graphs because the C-suite likes numbers.
stonecoldcoldstone@reddit
take half the servers out of circulation, that will halve the amount of active CVEs
Pravobzen@reddit
Is playing the n+1 game a sustainable strategy with such a limited team at scale?
Roanoketrees@reddit
Unless he is referring to active CVEs in your environment, that's all you can control.
msalerno1965@reddit
There's way too many raindrops falling from the sky - DO SOMETHING.
What a twat.
Unless, of course, he means you should be running stuff that doesn't get so many CVEs to begin with. But I'm just playing Devil's advocate.
saysjuan@reddit
There’s an easy fix to this. If you’re measuring daily, weekly or monthly you can slow down the frequency of scheduled scans. It’s an upstream issue scanning too frequently. If you measure less often you’ll give yourself time to fix CVE’s not find new ones.
Modern problems require modern solutions.
ravigehlot@reddit
You’re not losing it. Your manager just isn’t recognizing the talent on your team. Instead of trusting a lead or experienced person in an area they’re clearly more knowledgeable about, he’s trying to generalize things, which isn’t fair. This is one of those situations where real leaders (not just managers) get why delegation is so important.
Ayesuku@reddit
Wholly agreed. Leadership and management are two principles conflated by the naive tragically too often.
PlaneHashes@reddit (OP)
Thank you for this.
Jwatts1113@reddit
Losing your mind is ALWAYS an option. Just not here.
Laxarus@reddit
I imagine this manager is not a tech guy? Some pencil pusher maybe? How does he manage the IT team if he does not even understand how CVEs work?
Audience-Electrical@reddit
Not here for karma, just being honest with you:
Keep talking back to these people and you'll lose your job.
It doesn't matter that you're right. I know the feeling. I no longer work in tech because every day my job became arguing with management. Several different remote system administration positions went this way.
They want a yes man. They want to get off the call feeling good. It's not about tech, it's not about security, it's about people's fragile egos and how they want to go home at the end of the day. Unfortunately unless you run the company, that's how it's going to stay.
DragonsBane80@reddit
Idk, I worked with managers like this. They don't always want a yes man, they are passing through the Dunning-Kruger effect. They know enough to have an idea, but not enough to know they are wrong.
The trick is to not get defensive, and not attack their idea but propose a different concept to make their idea fruitful. I heard nothing regarding evaluating risk from the CVEs. Are you not evaluating based on CVSS score? Clearing CVEs is not fruitful and a losing battle. 90% of all CVEs published are un-exploitable in the real world. If OP or anyone on the team doesn't have the expertise to evaluate real risk level, suggest you hire someone.
DrunkenGolfer@reddit
There is equal probability as to who is confused. If you don’t change the tech, you have no control over number of new vulnerabilities. You can reduce the number of new CVEs by changing the stack, standardizing, scaling, and homogenizing.
TuxAndrew@reddit
I mean you can slightly control the number of CVEs depending on how they’re interpreting the metrics; fewer applications, fewer servers, fewer endpoints would reduce the number of total CVEs showing up. However if you can’t justify reducing any of the above then it’s not possible.
sweetrobna@reddit
There are things you can do to reduce the number of CVEs and reduce your attack surface. There could be some legitimate changes here, using packages that were developed in memory safe languages or more mature alternatives that have a better testing cycle. Like Fedora usually has fewer CVEs than Debian. Most likely though any changes would result in fewer services being offered just from cutting the numbers overall, other tradeoffs that aren't worth making.
nope_nic_tesla@reddit
You are right and he's a dumbass.
Suaveman01@reddit
Sounds like he’s one of those managers who wasn’t ever an engineer and has no technical ability.
tiberseptim37@reddit
Except I've worked with managers like that and they're self-aware enough to trust the technical assessments of those in their charge. Definitely sounds like some hotshot rookie who thinks "playing hardball" means standing your ground, never giving an inch and never even considering some sort of diplomatic middle ground. And he thinks this is how you get noticed and get "ahead".
PlaneHashes@reddit (OP)
It is indeed. My first time with such a manager.
Suaveman01@reddit
They are pretty common in large enterprises unfortunately, half of the IT managers I deal with don’t have a clue
mspax@reddit
If he thinks you can prevent new CVEs then tell him to hire a fucking fortune teller. It seems like this person doesn't fully understand how CVEs work. Maybe walk them through how vulnerabilities are discovered, disclosed, tracked, and mitigated or accepted.
tiberseptim37@reddit
Clearly, this manager is insane (the entire scenario sounds like it was written for a Dilbert strip), but I'd like to take this opportunity to state how much I hate being as reasonable and rational as I am. I, much like OP, will start to question my own position, no matter how well founded, when a psychopath like this decides to dig in their heels and assert that the sky is green. I'm too likely to stop and think "Could *I* be the one who's mistaken here?" and I sort of envy people like this manager who are 100% confident in themselves and their positions despite all evidence to the contrary.
jlaine@reddit
If your metric is based on a sliding window, the exits from that window count just as much as the entries.
PlaneHashes@reddit (OP)
Exactly my point. He doesn't agree. Says I'm wrong. Says if we work more and better, next report will have less new CVEs...
hkusp45css@reddit
I have been working in infosec for a really long time.
The basic idea has always been "we don't worry about NEW vulnerabilities on our reports, we only worry about having the SAME vulnerabilities on this report as we had on the last one" when judging productivity.
mvbighead@reddit
Heh, we have had similar debates with our security team. If there is a >8 that is more than 30 days old, we have a problem. If there is >8 that is 3 days old that is dealt with by an upcoming monthly patch, we don't need to discuss it until after the patching window.
hkusp45css@reddit
I am blessed to have the kind of team that has gotten us to a place where if we see a >8 and we have a window approaching, we just move the window up.
Of course, we're a smaller org so, it's not as disruptive. It gives us the ability to be incredibly responsive and nimble.
Our CAB/CCB is only 5 people, and we meet once a day for 15 minutes and once a week for 1 hour. Our maintenance windows are reasonably elastic.
We do "urgent changes" for anything over 8, workload allowing.
It sounds more chaotic than it actually is.
mvbighead@reddit
100% a great situation. I have seen similar CABs, and while it can be a time waster in some sense, it is much easier to keep up.
My issue lately is having a weekly CAB, and then hearing the scanning guys talk about new vulns as if they aren't already planned to be remediated by patching. Like guys, wake up. We patch at X part of the month, we're 7 days before X. Why are we talking about a thing that is nearly certain to be dealt with during the patch cycle?
And, for >8 things, especially public facing, we can expedite as needed with an ECR.
hkusp45css@reddit
We have to do some mildly long-winded reports (because of compliance in our sector) for anything titled "emergency" which is why we treat them as "urgent" ... rather than use the term ECR.
It took some getting used to, for me.
mvbighead@reddit
Honestly good to know. All we have at this point are ECR, and while they aren't all ECR, if we don't approve them in a weekly meeting, that is the only other option to expedite. It really is a culture/org thing. If ECR is all things urgent/emergency, that works so long as your requirements say so.
hkusp45css@reddit
One of the common things we say in my department is "if everything is an emergency then, nothing is actually an emergency"
Which is our reminder to ourselves that "urgent" and "emergency" are two different types of problems.
mvbighead@reddit
Eh, we honestly have very few ECRs. But, if we see a CVE of 9+ for a single system, we'll get it done and not get flack for doing it. If there is a patch that affects 50 systems with a high severity, it gets hit with our patch cycle.
And usually, the patches are announced and we install them within 10-14 days after they've flushed out in the world and have had some chance to bake in the real world. We've definitely seen a few that later were reportedly causing issues that we avoided.
hkusp45css@reddit
We have update rings and a test/dev environment to do that. We try to patch as soon as it's practical. Of course, I don't know of too many orgs that maintain a test environment on prem that mirrors their prod cloud.
mvbighead@reddit
Same. For standard updates, we have phases.
Generally speaking for ECR'd updates, it's a single platform or system, and usually an infrastructure one and not a production application. IE - Backup software or load balancer, etc.
entropic@reddit
Doesn't sound chaotic as well, it sounds like an org with the flexibility to treat security as a priority, and has a great framework for doing so. Rare.
Technical-Message615@reddit
Mitigations maybe?
mvbighead@reddit
The point is, if the CVE is brand new and addressed by a patch, we need to execute the planned patch first and re-evaluate. 90% of the focus in CVE management is staying caught up. A 3 day old patch is likely addressed by the monthly patch cycle. A 45 day old discovery is the thing you need to talk about.
Suffice it to say, I've been in meetings where the security overlords focus on 3 day old vulns while skimming over 60 day old vulns. Target your attention on the stuff getting missed after multiple patch cycles, and expect that your patching solution will likely deal with 90%+ of the new ones. If your patch solution catches those, and you get the old ones, your reports start to look pretty damn good.
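The metric the commenters above are describing (jlaine's sliding window where exits count as much as entries, hkusp45css's "same vulnerabilities on this report as on the last one", and mvbighead's 3-day versus 45-day split) can be computed from two consecutive scan exports. The Python below is an added example written for this page, not code from any commenter or from any scanner product. It assumes each finding is a (host, CVE, CVSS, first-seen date) record; the hosts, dates and `CVE-XXXX-000n` identifiers are constructed placeholders, not real CVEs.

```python
"""Split a vulnerability report into new / carried-over / fixed and bucket by age.

Added example for this thread; all data below is constructed, not real scan output.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str          # placeholder identifier, not a real CVE
    cvss: float
    first_seen: date  # date the scanner first reported this CVE on this host


def key(f: Finding) -> tuple[str, str]:
    """A finding is identified by (host, cve); the same CVE on two hosts is two findings."""
    return (f.host, f.cve)


def diff_reports(previous: list[Finding], current: list[Finding]) -> dict[str, list]:
    """Sliding-window view: what entered, what stayed, and what left since the last report."""
    prev = {key(f) for f in previous}
    curr = {key(f) for f in current}
    return {
        "new": sorted(curr - prev),       # not under the team's control
        "carried": sorted(curr & prev),   # the productivity signal: same finding, second report
        "fixed": sorted(prev - curr),     # exits from the window
    }


def age_buckets(current: list[Finding], as_of: date, edges: tuple[int, int] = (30, 60)) -> dict[str, int]:
    """Count open findings by age so the report shows what the patch cadence is missing."""
    labels = (f"0-{edges[0] - 1}d", f"{edges[0]}-{edges[1] - 1}d", f"{edges[1]}+d")
    counts = {label: 0 for label in labels}
    for f in current:
        age = (as_of - f.first_seen).days
        idx = 0 if age < edges[0] else 1 if age < edges[1] else 2
        counts[labels[idx]] += 1
    return counts


def needs_discussion(current: list[Finding], as_of: date, min_cvss: float = 8.0, max_age: int = 30) -> list:
    """High-severity findings that outlived a full patch cycle: the ones worth a meeting."""
    return sorted(
        key(f) for f in current
        if f.cvss >= min_cvss and (as_of - f.first_seen).days > max_age
    )


# Constructed sample: the March report and the April report for the same estate.
REPORT_A_DATE = date(2024, 3, 1)
REPORT_B_DATE = date(2024, 4, 1)

PREVIOUS = [
    Finding("web01", "CVE-XXXX-0001", 9.8, date(2024, 1, 15)),
    Finding("web01", "CVE-XXXX-0002", 5.3, date(2024, 2, 20)),
    Finding("db01",  "CVE-XXXX-0003", 8.1, date(2024, 2, 25)),
    Finding("app02", "CVE-XXXX-0004", 4.0, date(2024, 1, 5)),
]

CURRENT = [
    Finding("web01", "CVE-XXXX-0001", 9.8, date(2024, 1, 15)),  # 77 days old, still open
    Finding("db01",  "CVE-XXXX-0003", 8.1, date(2024, 2, 25)),  # 36 days old, still open
    Finding("web01", "CVE-XXXX-0005", 9.1, date(2024, 3, 28)),  # new, 4 days old
    Finding("app02", "CVE-XXXX-0006", 6.5, date(2024, 3, 10)),  # new, 22 days old
    Finding("app03", "CVE-XXXX-0007", 7.5, date(2024, 3, 30)),  # new, 2 days old
]

if __name__ == "__main__":
    delta = diff_reports(PREVIOUS, CURRENT)
    for label, items in delta.items():
        print(f"{label:>8}: {len(items)} {items}")
    print("age buckets:", age_buckets(CURRENT, REPORT_B_DATE))
    print("talk about :", needs_discussion(CURRENT, REPORT_B_DATE))
```

Run against two real exports, the "new" count is the one that moves with the vendors' disclosure schedule, while "carried" and the 30+/60+ buckets are the numbers the team actually owns; the 9.1 that is four days old stays out of `needs_discussion` because the next patch cycle has not had a chance at it yet.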
Technical-Message615@reddit
I like it.
I guess it depends on the composition of the >8 score and the affected system.
If it's sitting on your edge, and it's easily and remotely exploitable and you're gonna be waiting 27 more days for the patch to be released, mitigation is going to be key.
If it's an 8 that's sitting internally on a small segment with a high complexity and no known exploits, it changes the story.
They're both >8 but very different beasts.
KanadaKid19@reddit
Honestly, the explanation you provided to him in your original post isn’t helpful at all. “There is no correlation” doesn’t explain what’s going on. You need to define what a CVE actually is. There are actually some levers you can pull here - by consolidating vendors and products, you will reduce your footprint for this stuff. That’s a huge ask with a lot of implications, but that’s the conversation to have.
Rain_ShiNao@reddit
Well, most managers are dumb.
PlaneHashes@reddit (OP)
It's my first time getting one like this. Been lucky it seems!
Xalbana@reddit
I've been super lucky so far as well. My non technical managers in the past at least fought for us and listened to our expertise and didn't make or accept basically unattainable goals.
My current technical literate manager already knows what goals can actually or not actually be accomplished.
elpollodiablox@reddit
You: fix 5000 CVEs this month
Next month 13000 new CVEs are published.
That guy: "Why do we have more active CVEs this month than last month? Why haven't you been doing your job?"
He doesn't seem to be terribly bright.
State_of_Repair@reddit
This reminds me of that scene in Click where he's designing that restaurant for Prince Habibu (Rob Schneider)... "No, just make bar longer!"
Pristine_Curve@reddit
He doesn't understand the concepts at work and how they interact. 100% he's in the wrong here, but the way to fix this is to get a better handle on the soft skills necessary to manage someone like this.
Often non-technical management has expectations which aren't in line with the unique reality of IT. They see vulnerabilities as 'flaws'. From their perspective, they pay a ton of money for your team to implement 'technology' and the number of 'flaws' in the technology you implement must be in your purview. Ergo, management from this perspective is to pressure those who are accountable.
His comment "Why can't we get this number down?" isn't him requesting an education, but him trying to apply pressure to the team. This is why he hit the roof with your response. Your contradiction of him is seen as insubordination rather than education. At best you are putting a magnifying glass on his ignorance in front of the team.
Education of the boss should happen 1:1, and not in front of the team. The one thing non-technical bosses love most is a pre-meeting to get that education. A conversation ahead of time with someone they trust. Help them translate whatever goal they have into something actionable.
State_of_Repair@reddit
I get that you were frustrated, and that might have escalated things.. but does this guy have security related credentials? Understanding the whole purpose of the CVE program is pretty basic stuff. Also, do you have a different boss? I know you mentioned you are assisting some juniors. If so I'd give them a heads up before they get the other person's version of events.
billyalt@reddit
My blood is boiling for you. This is an absolutely insane way of viewing the problem. A competent manager would've listened to your explanation and worked with you to reframe CVEs vs fixed CVEs for leadership. It's like your team is being sabotaged.
basula@reddit
Nah, not losing your mind. Sounds very familiar: we got told if reports don't show 0 vulns (that's total vulns, not overdue or in the wild etc.) and patching is not 100% compliant every week, we are getting officially written up warnings. It's got so bad that this management has created a policy with mandatory weekly patching and remediation windows. It's getting to be a joke, so many more incompetent managers, set and C-suite than there ever have been. I wanna say it's because new people are not coming up like we all did. Feels like they start in helpdesk and then the next year they are somehow Director of Infra or Ops etc.
Key-Brilliant9376@reddit
My advice would be to nod in the meeting and then get him 1 on 1 for the discussion.
narcissisadmin@reddit
I would be extremely interested in knowing how to reduce the number of vulnerabilities before they're discovered and identified.
Zahrad70@reddit
You will never get CVE’s under control while being blindly reliant upon an industry whose revenue model depends on finding as many of them as possible. A filter is warranted.
To get control of your CVE response, you must first internally re-categorize what actually qualifies as a CVE for your environment. Unfortunately, to be good at this, it will need to be at least one (reasonably expensive) person’s full time job, and preferably 3+, regardless of the size of the company.
Obviously most companies can’t afford to hire a staff of people to re-categorize data they’re paying for. So most companies have to choose what to be bad at. Addressing CVE’s quickly, or identifying those truly critical TO YOUR BUSINESS.
I’d pitch the latter, if you can. You’re still addressing everything, but the formerly critical issues are “high priority,” and people don’t care so much about that taking 30 days. Which is how long it’s taking you now, but everyone’s reports look cleaner. Win/win.
captain118@reddit
I like using the CCRI score. It only looks at vulns older than 30 days, so things that are not getting taken care of by the patching process. Then you take the critical and high vulns and multiply them by 15, take your medium and multiply it by 7, then add those two results to the number of low vulns. Take that sum and divide it by 15, then divide that by the number of systems you have. If you are below 5 you are good in the DoD's eyes; the lower the better.
captain118@reddit
What this tells you is if your patching process is successful. If you see the number trending up then you know that you need to work on better automation or more personnel to resolve the vulns within the patch cadence. If it's flat or trending down then that's great; at some point you will level out. Looking at the trend tells you how effective the process is; looking at the value tells you about your average risk level that you are carrying from month to month. If you are below 5 the DoD says you're good; I want to see it below 3. You can use this number to determine resource allocation. If it gets above X then you know you need more automation or more bodies to do the work, even if it's temporary.
captain118@reddit
My record is 0.85
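captain118's description of the CCRI computation above is concrete enough to put in code. The Python below is an added example for this page, written from that description alone; it is not captain118's tooling or any official DoD calculator, and the severity labels, host count and dates are constructed sample data. It implements exactly the steps stated: keep only findings older than 30 days, weight critical and high by 15, medium by 7, low by 1, sum, divide by 15, then divide by the number of systems.

```python
"""CCRI-style score as described in the thread. Added example; sample data is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    host: str
    severity: str     # "critical", "high", "medium" or "low"
    first_seen: date  # date the finding first appeared on this host


# Weights as stated in the thread: critical and high count 15, medium 7, low 1.
WEIGHTS = {"critical": 15, "high": 15, "medium": 7, "low": 1}
GOOD_THRESHOLD = 5.0   # "below 5 you are good" per the comment


def aged_findings(vulns: list[Vuln], as_of: date, min_age_days: int = 30) -> list[Vuln]:
    """Only findings strictly older than the patch cadence count: those the process missed."""
    return [v for v in vulns if (as_of - v.first_seen).days > min_age_days]


def ccri_score(vulns: list[Vuln], host_count: int, as_of: date, min_age_days: int = 30) -> float:
    """(15*(crit+high) + 7*medium + low) / 15 / host_count, over findings older than 30 days."""
    if host_count <= 0:
        raise ValueError("host_count must be positive")
    weighted = 0
    for v in aged_findings(vulns, as_of, min_age_days):
        sev = v.severity.lower()
        if sev not in WEIGHTS:
            raise ValueError(f"unknown severity {v.severity!r} on {v.host}")
        weighted += WEIGHTS[sev]
    return weighted / 15 / host_count


def verdict(score: float, threshold: float = GOOD_THRESHOLD) -> str:
    return "good" if score < threshold else "needs attention"


def trend(reports: list[tuple[date, list[Vuln], int]]) -> list[float]:
    """Score each (as_of, findings, host_count) snapshot; a rising series means the cadence is losing."""
    return [round(ccri_score(v, n, d), 2) for d, v, n in reports]


# Constructed snapshot: 4 systems, report dated 1 April 2024.
AS_OF = date(2024, 4, 1)
HOST_COUNT = 4
SAMPLE = [
    Vuln("web01", "critical", date(2024, 1, 15)),  # 77 days: counts 15
    Vuln("db01",  "high",     date(2024, 2, 25)),  # 36 days: counts 15
    Vuln("app02", "medium",   date(2024, 2, 21)),  # 40 days: counts 7
    Vuln("app03", "medium",   date(2024, 2, 11)),  # 50 days: counts 7
    Vuln("web01", "low",      date(2024, 3, 1)),   # 31 days: counts 1
    Vuln("db01",  "low",      date(2024, 2, 16)),  # 45 days: counts 1
    Vuln("app02", "low",      date(2024, 1, 2)),   # 90 days: counts 1
    Vuln("app03", "medium",   date(2024, 3, 2)),   # exactly 30 days: not "older than 30", excluded
    Vuln("web01", "critical", date(2024, 3, 28)),  # 4 days: next patch cycle's job, excluded
    Vuln("app03", "medium",   date(2024, 3, 22)),  # 10 days: excluded
    Vuln("db01",  "medium",   date(2024, 3, 12)),  # 20 days: excluded
]

if __name__ == "__main__":
    score = ccri_score(SAMPLE, HOST_COUNT, AS_OF)
    print(f"aged findings: {len(aged_findings(SAMPLE, AS_OF))}")
    print(f"CCRI score   : {score:.2f} ({verdict(score)})")
```

Weighted sum for the sample is 15 + 15 + 7 + 7 + 1 + 1 + 1 = 47, so the score is 47 / 15 / 4, about 0.78. The four-day-old critical does not move the number at all, which is the point of the metric: it measures what survived a patch cycle, not what the vendors disclosed this month.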
Any-Fly5966@reddit
The CVE board has advised a 25% increase quarterly. Tell him that you'll lose investors.
Timothy303@reddit
This manager thinks you can control the discovery of new CVEs. That is insane. It’s time to get that resume ready, as this manager will be gunning for you, cannot be persuaded by reality, and their hiring manager is not doing a good job.
All pretty bad signs.
f0gax@reddit
Let me understand this:
Your leadership is asking that there be fewer CVEs to remediate. Is that accurate?
That's just insanity. It's like asking your team to make sure that less rain falls on your building during storms.
If they're looking for a KPI, it would be more informative to look at the percentage of CVEs of certain scores that are remediated in a particular time window. And then set an SLA to meet.
For example:
Scalybeast@reddit
I'm not even sure that example would work because based on what the OP described, leadership doesn't even understand what is in that report. It doesn't look like they are even looking at the specific CVEs being fixed or their age, just maybe the severity and number of systems affected.
Scalybeast@reddit
You may just have to do an ELI5-type presentation at your next meeting because this guy clearly doesn't understand what CVEs are, how they work, and how they apply to your environment.
heapsp@reddit
First time dealing with incompetent managers? Dumb manager want number to go down, make number go down.
Is it a line-of-sight scanner? Just add some ACLs so the scanner discovers less. This will make 'new CVEs' go down, and you can do it under the guise of 'zero trust', which is another buzzword managers love.
You can't argue sense into people who don't have any sense. Just keep your head down and pacify.
Lazy-Technician4001@reddit
That sounds a lot like my old job's Director of Cybersecurity. He was an absolute moron and the CIO was even worse. I'm so glad to be out of that situation.
dvicci@reddit
You're not wrong.
He knows he's wrong, and instead of bettering his understanding, he lashes out. That's pride.
I feel confident in this because I've been on both sides, and have felt and seen the anger dissipate as understanding takes over.
You tried explaining it to him. Now ask him to explain how CVEs work to you. Approach it with the idea that you can come to a better mutual understanding. Who creates them? How are they rated? What do they represent? How are the vulnerabilities they represent found on the hosts on the network?
michaelhbt@reddit
Did an AI generate that as a KPI, doesn’t make sense. If you have someone in GRC try to make sense from there. Should be linked to risk and CVSS clearly states it is not to be used as a measure of risk.
PlaneHashes@reddit (OP)
KPI is generated by the manager. He looks at new CVEs on the report and wants it lower. That's it.
Technical-Message615@reddit
What is the actual title of said manager? What is his area of responsibility?
poo_is_hilarious@reddit
Akin to asking firefighters to lower the number of flammable objects in every house.
WayfarerAM@reddit
Except it's worse than that, because objects are becoming flammable randomly in your analogy.
architectofinsanity@reddit
Add to that, everything burns at certain temperature
Affectionate_Ad_3722@reddit
easy there Mr Bradbury!
unixuser011@reddit
Sure, we'll get right on to Mitre and ask them to lower the CVEs in their next report /s
How do they expect that to happen? What, go to Microsoft, etc. and ask them to stop reporting CVEs?
Key-Calligrapher-209@reddit
You're not wrong, but you still screwed up. You embarrassed him in front of people. Now he's going to double down, and you've lost any goodwill with him. Next time have those conversations in private, at least.
lpbale0@reddit
Not your fault. If I understand, he is wanting CVEs to be patched before or when they are discovered, and not at some point after a remediation or fix is even available?
native-architecture@reddit
I am so grateful, to have a boss with technical experience. Sorry OP, the next sys admin day is for you!
Technical-Message615@reddit
Well I can guarantee he doesn't have an active CISSP. How is someone so clueless in charge of something as critical as vulnerability management? Was he promoted from accounting to security after failing an audit?
Zentriex@reddit
Question, and this may sound dumb. But as far as I know most places have a standard of looking for vulns over 30 days old because these new ones pop up daily. Why is that not the case here? It's almost impossible for you to upkeep a large network and patch every new vuln as they come up, which is why the majority of places sit on a cycle.
I may just be misreading the situation but it straight up sounds like they want you to be patching it the instant the cve is published.
genghisjohnm@reddit
The only thing I can imagine, if I’m being generous and trying to get him the number he is after… maybe the total number of CVEs being fixed includes duplicates across several similar or same devices? And if that IS the case, then consolidating them to say one CVE fixed on X amount of devices (or simply all affected devices). If he just doesn’t understand, that wouldn’t change the work you do, but would change the number he sees. Again, this is going out on a limb but I have had to deal with similar requests and pushing back got me in trouble until I learned to just give them what they want in the way they want it.
BasicallyFake@reddit
You just need another data point on the chart.
Existing CVEs as of Date #1, Number of CVEs corrected since Date #1, New CVEs released since Date #1, Total Open CVEs
Provide him the correct answer in order for him to be able to show progress.
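The two suggestions above (f0gax's "percentage remediated within a window, with an SLA" and BasicallyFake's opening / new / fixed / closing data points) fit in one small report. The code below is an added example, not from the thread and not any vendor's report logic. The SLA days per severity, the `Finding` fields and the sample findings are assumptions; the point it makes is that "new" is only recorded, while "fixed" and SLA attainment are the numbers the team actually moves.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional

# Assumed remediation SLA in days per severity (a policy choice, not from the thread).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_label: str
    severity: str
    first_seen: date               # first scan that reported it on this host
    fixed: Optional[date] = None   # remediation date, None while still open


def monthly_rollforward(findings: Iterable[Finding], start: date, end: date) -> Dict[str, int]:
    """Opening + new - fixed = closing over the half-open period [start, end)."""
    findings = list(findings)
    opening = sum(1 for f in findings
                  if f.first_seen < start and (f.fixed is None or f.fixed >= start))
    new = sum(1 for f in findings if start <= f.first_seen < end)
    fixed = sum(1 for f in findings
                if f.fixed is not None and start <= f.fixed < end)
    closing = sum(1 for f in findings
                  if f.first_seen < end and (f.fixed is None or f.fixed >= end))
    # The identity must hold for any consistent data set; if it does not, the
    # scanner export has rows with fixed < first_seen or similar garbage.
    assert opening + new - fixed == closing
    return {"opening": opening, "new": new, "fixed": fixed, "closing": closing}


def sla_compliance(findings: Iterable[Finding], as_of: date,
                   sla_days: Dict[str, int] = SLA_DAYS) -> Dict[str, float]:
    """Per severity, the percentage of findings first seen on or before as_of whose
    time-to-fix (or current age, if still open) is within the SLA."""
    hit: Dict[str, int] = {}
    total: Dict[str, int] = {}
    for f in findings:
        if f.first_seen > as_of:
            continue
        sev = f.severity.lower()
        end = f.fixed if f.fixed is not None else as_of
        total[sev] = total.get(sev, 0) + 1
        if (end - f.first_seen).days <= sla_days[sev]:
            hit[sev] = hit.get(sev, 0) + 1
    return {sev: round(100.0 * hit.get(sev, 0) / total[sev], 1) for sev in total}


# Constructed sample data (hosts, labels and dates are made up).
SAMPLE = [
    Finding("web01", "V1", "critical", date(2024, 9, 10), date(2024, 9, 20)),
    Finding("web01", "V2", "high",     date(2024, 9, 25), date(2024, 10, 10)),
    Finding("web02", "V2", "high",     date(2024, 9, 25)),
    Finding("db01",  "V3", "medium",   date(2024, 10, 5), date(2024, 10, 20)),
    Finding("db01",  "V4", "critical", date(2024, 10, 12)),
    Finding("app01", "V5", "low",      date(2024, 10, 28)),
    Finding("app01", "V6", "high",     date(2024, 8, 1),  date(2024, 10, 3)),
]
PERIOD = (date(2024, 10, 1), date(2024, 11, 1))  # October 2024

if __name__ == "__main__":
    print(monthly_rollforward(SAMPLE, *PERIOD))
    print(sla_compliance(SAMPLE, PERIOD[1]))
```

On the sample, October opens with 3, gets 3 new, fixes 3 and closes with 3: a flat "open" count that hides real work, which is exactly what the roll-forward exposes. The SLA view is 50% for critical and 33.3% for high, which is the number a manager can legitimately demand improves.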
SexyEmu@reddit
What kind of ballbag manager uses CVE's as a KPI?
mineral_minion@reddit
Makes perfect sense, count of active CVEs is a number, KPIs are numbers.
mzuke@reddit
Maybe try explaining it via a different example:
If you own an independent auto repair shop but get contracted to repair recalled vehicles (I know this isn't how it works but stay with me):
It is the manufacturers and Gov driving the recall notices.
If you got 3 recall notices last month and 4 this month, the number of recall notices went up,
but if you repaired all the assigned vehicles for the first 3 recalls you did your part of the job.
Patching and remediation isn't a race, there is no finish line, so really it is more of a death march
MoPanic@reddit
Just correct their grammar. excuse me, that should be fewer new active CVEs, not less. Jeez.
marshmallowcthulhu@reddit
Explain the concept to the manager in Windows terms. There are new Windows updates every month. Does your manager prevent the vulnerabilities from ever appearing on his computer, or does he remediate them by applying updates? Put it into a context he interacts with.
Johnny_BigHacker@reddit
You could suggest updating to a new version or new software entirely. Try to get a price for them. Show it to him in business sense.
silentseba@reddit
Lower the number of CVEs by lowering the amount of services you manage.
Grimsterr@reddit
Depends on who this mangler is and who he's connected to further up the food chain. you may have just made a powerful enemy, and many would consider that a dumbass move.
PinotGroucho@reddit
You're approaching it the wrong way. There's nothing wrong with being strong headed or even passive aggressive in reprimanding management stupidity, but they're still management with the accompanying responsibilities.
Once you take those seriously (in the sense that you openly acknowledge them) they will no longer feel threatened by your forceful feedback.
for example, you could:
Tell them what you told them all things being and staying equal.
Tell them you can radically reduce the number of critical CVEs raised each month by reducing the possible attack surfaces following several strategies:
1- radically cutting into the technology stack.
Using far fewer services from a decreasing number of suppliers would be the most successful approach. Fewer vendors means fewer CVEs. Let's start with one of our biggest, let's say the supplier of most of our desktop applications. It's where the rubber meets the road.
maybe our users can get used to their new linux workspace & libreoffice & Jitsi collaboration suite.
2- drastically reducing the attack vectors that would exploit the CVEs, thereby reducing their criticality by way of cutting service exposure.
No more working from home. No more remote sites, no more apps on phones, only zero trust networking etc.
a few of these are best practices anyway. They might make it on the long backlog or you might squeeze a neat project with an earmarked budget out of it.
Good luck OP ! exploit their ignorance, don't get run over by it.
ukulele87@reddit
You need to treat him as the idiot he is. Always use metaphors like he was a child: "You cant ask a doctor for less people to get sick, but you can measure how many people they heal."
traydee09@reddit
Last patch Tuesday Microsoft patched.. 85 vulnerabilities, the month prior they patched 79... the month before that it was 92... (I don't know the exact numbers...) but what that tells me is next patch Tuesday they are going to patch another ~80 vulnerabilities. This means there are ~80 vulnerabilities that exist right now that cannot be remediated until Microsoft does something. So you can get the vulns down for two weeks, until the next patch comes out, then they pop right back up.
An org cannot get to zero. What you need to do is find an acceptable number, and try to maintain at that number. This is where layered security comes in. Servers behind a load balancer or firewall, servers running AV, servers with minimal software on them to reduce complexity and attack surface, monitoring, controlled credentials, etc.
Damdo54@reddit
You're not stupid or losing your mind; you know your job. You don't have to pay mentally for those stupid managers looking at KPIs without understanding what stands behind them.
Ad-1316@reddit
I got it! Just turn it all OFF, internet and all servers and PCs. Nothing can be done now, but we got it to zero.
ka-splam@reddit
Reduce the number of products, services, tools, libraries, versions you use, the number of CVEs which affect you will trend down.
If he wants a smaller attack surface, why are you saying that can't be done?
Dumfk@reddit
Place a request for tarot cards, crystal balls and tea leaves.
LForbesIam@reddit
Again, this is the biggest issue in the tech industry: management is not qualified to do their job.
If you have a law firm, the directors are lawyers. In a hospital the Chiefs are doctors.
IT should be the same way. ALL IT management with decision making should have been techs previously and be able to understand the technical environment to get the job.
da_peda@reddit
Ask him to explain to you what a CVE is, and I mean explain, not just tell you what the abbreviation stands for. Until he can, he's not allowed to use it as a KPI.
BigDowntownRobot@reddit
Management are so brainwashed, thinking you can just firmly tell problems not to exist, via telling a group of people who know it doesn't work that way to somehow make it happen.
And then they expect that to actually happen. The kind of thought process that only exists in incredibly entitled people who have become accustomed to people bending reality's perception around them, so they think they are getting what they want.
derpintine@reddit
I agree w/ you but try to see it from his POV. He's got numbers on a dashboard and "number go up". He needs to see that number go down. It's putting lipstick on a pig but that's what he's after.
You've been around the block and know how to play the game. I'd think from your view, you keep doing what you're doing to the best of your ability but also figure out a way to massage your data so that "number go down" on the reports.
SarahNerd@reddit
Manglement is so inept in this situation, you've gaslit yourself into thinking it's you from sheer bafflement.
bigdeezy456@reddit
“I can explain it to you, but I can't comprehend it for you.”
― Edward I. Koch
Bleglord@reddit
It’s almost like most managers are useless in a company and have to make up bullshit metrics to seem relevant
CombJelliesAreCool@reddit
What search term does one use to find one of these jobs primarily patching servers? I'm a windows sysadmin right now but I would drop down to t1 support if it meant I had a chance at working primarily with Linux.
mjulnozhk@reddit
Managers are a dime a dozen retarded. Work comes in, static effort goes out.. If they want the number reduced and the input is always high, they need to hire for more output. Simple.
I'm in a similar position and I'm probably just going to quit haha
Lando_uk@reddit
We have a power bi report of CVEs, and one section charts recently mitigated CVEs, so this is a good chart to show managers and secops that you're actually combating them as they come in.
asic5@reddit
Guy sounds like a dumbass.
MrPooter1337@reddit
Wait, fix 8k CVEs a month? How is that possible? Sorry, I don’t come from a software development background, so that sounds crazy 😅
dracotrapnet@reddit
I've got bad news for the pointy-haired guy. It's November. There are going to be a pile of college and high school students off on holiday soon with nothing to do but find new things to break. The pro programmers are going on holiday as well. Guess who is left committing code? The B-team. The quality of feature updates and security fixes will be dropping until mid January. Just look at Microsoft, VMware, and Palo Alto; they can't even put out fixes without doing them twice lately.
The number of CVEs magically rises every time there's a pwn2own competition: either vendors release fixes suddenly, or hackers (ahem)... security researchers sit on discoveries and abuse them during the competitions. https://www.bleepingcomputer.com/news/security/over-70-zero-day-flaws-get-hackers-1-million-at-pwn2own-ireland/ It looks like the next round is Jan 2025 Tokyo.
UltraEngine60@reddit
Tell him to read this:
https://www.helpnetsecurity.com/2024/02/26/cve-count-rise-2024/
Maybe something in his head will "click". Or he doubles down and fires you for insubordination.
TrueStoriesIpromise@reddit
https://csf.tools/reference/nist-sp-800-53/r5/cm/cm-7/
The only way to comply is to remove unnecessary software/packages from the environment, which you should be doing anyway.
Pork-S0da@reddit
Try an analogy: You guys are doctors. You can treat many diseases every month, but you have no control over the medical community discovering new ones in the wild every month.
123ihavetogoweeeeee@reddit
It reminds me of the saying “you’re 100% right and 100% fired.”
https://youtu.be/nDO24U3hMkU?si=2OEkyfImHuxQs3GD
Kakabef@reddit
Essentially, the manager expects you to develop solutions for diseases that have yet to emerge. Love it. You are right with the reality check. He is so dumb that you can't reason with him. Let him ride his horse, and keep doing your job. Let him bring up this nonsense to upper management. Until then, smile and nod, and tell him you will look into it.
Unable-Entrance3110@reddit
Maybe he is actually asking you to mitigate the CVEs? IDK, I am grasping at straws here because it makes no sense that you would have any control over submitted CVEs. But if a CVE is mitigated, for example, if the CVE refers to a management interface bug, but your management interfaces are not exposed already, that would put an asterisk next to that CVE on the report and make it seem like there are fewer?
kevin_k@reddit
He must hate weather
PlaneHashes@reddit (OP)
Make it not rain tomorrow! I don't care how many umbrellas we have. I want NO RAIN! NOW!
chuckmilam@reddit
Oh, this brings back memories. I used a similar analogy 20+ years ago at a corporate job where everyone was mad about Nessus and Retina scanning and the work that it generated in terms of patch and vulnerability management. Some people just wanted to disconnect the corporate network from the Internet to keep from having to patch systems. As I recall, my analogy was something like: “We are like an old man who lives in a house without a roof. Instead of building a roof and patching any holes to keep the rain out, we go outside, shake our fist at the sky, and scream: ‘Rain is not allowed here! Do you hear me? NO MORE RAIN!’”
kevin_k@reddit
Just put your house inside, and you won't have to worry about rain
JivanP@reddit
Finding CVEs is like finding rotten apples on the floor of an orchard. Fixing CVEs is like picking up those apples and getting rid of them so that anyone who explores the orchard after you doesn't have to encounter them.
Regardless of how many rotten apples your team finds and removes, the next group of people to explore the orchard will inevitably find rotten apples that you failed to discover, simply because the orchard is too vast to scour thoroughly.
Ask this manager how he expects you to find all of the rotten apples. More to the point, ask them how they expect you to make it so that the people exploring the orchard after you find fewer rotten apples of their own, despite the fact that you have no control over these people's actions.
Clean-Agent666@reddit
Fucking hate CVEs with a burning passion. Such a shit metric (and don't get me started on actual CVE scoring and how useless it is).
I've got 20 years in cybersecurity. I understand your pain.
mitharas@reddit
"Fix CVE" means installing patches or implementing mitigations, right? He could strive for better, more secure products with less vulnerabilities.
bindermichi@reddit
Nope. That idiot just can’t deal with professional feedback.
I‘d probably have some lunch with his boss soon to talk about the workplace environment .
PlaneHashes@reddit (OP)
Ehehe his boss is the one asking for that number of newly discovered CVEs to be lower. Go figure...
wtf_com@reddit
Could there be some ulterior motive for this? Could his boss be wanting to reduce the size of the team and wanting to justify it by saying there are fewer new CVEs?
The fact he is so stubborn makes me think he’s been pressured for a specific result.
bindermichi@reddit
Absolutely! Always ask about the reasoning of tasks if they seem nonsensical.
Critical Thinking - 5 Why method
So if your boss has a target objective given to him by his boss you can either ask your manager about it or go to the source.
Same with customers. If you don't understand requirements you need to ask why they are important and what results are expected, to correctly address them in your products and services.
BlackSquirrel05@reddit
Better yet ask.
"Oh how are those actually exploited? Or how are those actually discovered if there was a person able to compromise the network?"
I know people don't actually care about that... But it's frustrating that people just think "CVE == already ransomwared or broken into."
ScotchyRocks@reddit
This all reeks of communication issues.
You two may be working on two different puzzles, but haven't clearly stated that.
Great example: one person talking about dating someone, while the other person thinks the convo is about a popcorn machine. https://youtu.be/UmvN3TlGLDg
droog62@reddit
FFS, he might as well ask for it to rain less this year, and if you can't fix that, you're the dumb one. Please make sure this person doesn't reproduce, those genes don't belong in the pool.
JerryRiceOfOhio2@reddit
you can't fix stupid
jclind96@reddit
inept management, next question.
Xalbana@reddit
Ah yes, a people manager, not a technical one. Only understands goals but doesn't understand how to get to those goals.
darkblue___@reddit
But it does not matter whether he / she understands, because as long as he / she is able to tell the C-level that "goals are met", he / she will secure the bonus. The rest? Who cares?
PlaneHashes@reddit (OP)
Thank you!
phoenix823@reddit
The malicious compliance would be to slowly remove credentials from the scan while still doing all the remediation...
iamlostinITToday@reddit
Nah, you're right; he doesn't understand what he's asking. That's common with non-technical managers. If he understood the challenge he would ask the team to prioritise CVEs against something less pressing or important, or look for areas of improvement like automation to free up manpower to deal with CVEs. It's not rocket science; the dude just doesn't know what they're talking about and doesn't seem to want to know, just wants nice graphs to show upper mgmt.
Use a patronising example next time: here you have 6 spoons. I'm currently putting 3 spoons on CVEs, 2 spoons on project work and 2 spoons on BAU. How many spoons do you want to take from project work or BAU to put on CVEs?
CrackCrackPop@reddit
Just provide him a solution, tell him about rapid response systems like RHEL or SLES.
Like how livepatching and scheduled reboots on every machine can be implemented.
About the usual response time of the paid time of either RHEL / SLES and how quickly they fix the CVEs in general.
Lastly give him a quote of the licensing, about 7000$ per year per ESXi core
CamelDangerous6437@reddit
"I asked if he wanted an explanation now."
Debates like that shouldn't be done in front of the group that your manager oversees. The professional play would have been to talk to the manager, one on one, at a properly scheduled time. Debating in front of the group/team just makes y'all look like you're in a dick swinging contest ('I'm smarter!" vs "I'm in charge!").
The manager SHOULD know more about what they are managing. And you need to work on presenting your ideas in a more professional manner.
RedDidItAndYouKnowIt@reddit
I haven't seen this posted yet. You're in the right but you're not achieving your goal. So two books I am certain can help you to have productive conversations with him and achieve what you need:
How to Win Friends and Influence People
Critical Conversations
I wish you all the best with this and hope that reading can elevate your interactions with him to the point of productive.
PlaneHashes@reddit (OP)
Thank you for the suggestions! Will make sure I get them and read them.
RedDidItAndYouKnowIt@reddit
You're very welcome. Wishing you the best in resolving this.
VirtualDenzel@reddit
I'd burn the guy hard. A manager who pushes by numbers while having no idea how it works or what they mean... better to get rid of him ASAP.
fdeyso@reddit
Are those graphs from MS Defender by any chance? It keeps misreporting CVEs on linux.
PlaneHashes@reddit (OP)
Tanium. Reports a LOT of bogus CVEs.
RockChalk80@reddit
Rapid7 does too.
fdeyso@reddit
Defender sometimes misreports the software version and makes mistakes with build numbers, etc
InvisibleTextArea@reddit
I've yet to find a vulnerability scanner that understands what a backport is.
fdeyso@reddit
Let me know if you find any 😅
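The backport problem in the two comments above, as an added example (not from the thread and not any scanner vendor's logic): a version-only check compares the installed upstream version against the upstream fix version and flags the package, while a backport-aware check compares the full epoch:version-release against the distro's own patched release. The rpm-style comparison is a simplified reimplementation (no tilde/caret pre-release handling), and the package strings, the upstream fix version and the distro fix release are constructed, not a real advisory.

```python
import re

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp returning -1, 0 or 1.

    Splits both strings into numeric and alphabetic runs (separators are ignored),
    compares numeric segments numerically and alpha segments lexically; a numeric
    segment beats an alpha one, and when one side runs out of segments the side with
    leftovers is newer. Real rpm's tilde/caret rules are not implemented (assumption).
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_evr(evr: str):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two package EVR strings, epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpm_vercmp(x, y)
        if r:
            return r
    return 0


def naive_upstream_check(installed_evr: str, upstream_fixed_version: str) -> bool:
    """What a version-only scanner does: affected if upstream version < upstream fix.
    It never looks at the release field, so every backport is a false positive."""
    _, version, _ = parse_evr(installed_evr)
    return rpm_vercmp(version, upstream_fixed_version) < 0


def backport_aware_check(installed_evr: str, distro_fixed_evr: str) -> bool:
    """Affected only if the installed EVR is older than the distro's patched release."""
    return evr_cmp(installed_evr, distro_fixed_evr) < 0


# Constructed scenario: a fix that upstream shipped in version 1.1.1t and that the
# distro backported into release 9 of its 1.1.1k package. Not a real advisory.
UPSTREAM_FIXED = "1.1.1t"
DISTRO_FIXED = "1:1.1.1k-9.el8"

if __name__ == "__main__":
    for installed in ("1:1.1.1k-7.el8", "1:1.1.1k-9.el8", "1:1.1.1k-12.el8_9"):
        print(installed,
              "naive:", naive_upstream_check(installed, UPSTREAM_FIXED),
              "backport-aware:", backport_aware_check(installed, DISTRO_FIXED))
```

The naive check reports all three installed builds as affected because 1.1.1k sorts below 1.1.1t; the backport-aware check clears the two builds at or above release 9. When a scanner can only do the first comparison, feeding the distro's fixed-release data into the report (or filing a false-positive exception with that EVR as evidence) is what makes the "new CVEs" number honest.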
robreddity@reddit
You're not the dumbass, you're the engineer. You're the scientist. It's ok to call out stupid things as stupid, just do it professionally. Always calm, always a level voice, never hyperbole.
There will be a time when you both are in a room trying to make a persuasive case. Let his hot headedness make his.
Dizzy_Bridge_794@reddit
You could have answered more tactfully.
baudwithcompter@reddit
Just look into your magic IT crystal ball and make sure you solve those CVEs before they happen!
ShortFuzes@reddit
Just out of curiosity... Any tips for securing a job as a Linux Sysadmin? Or breaking into it per se?
KnowledgeTransfer23@reddit
Tell him if you were a mechanic and he was your boss, would he be asking about lowering the number of recalls on Chevy trucks?
You can't control how many recalls are issued. You can only maybe increase the number of recall fixes you do for your customers.
Maybe then he would understand.
thedatagolem@reddit
You're not losing your mind. But you did make him look like an idiot in front of his peers. And yea, you could argue that he made himself look like an idiot. But you still helped him. I recommend giving this kind of feedback in private. Ask me how I know.
OtherMiniarts@reddit
I would suggest that if they want fewer active CVEs then they need to hire more technical staff at your level. If you're pushed against the 5-man human limit then a good manager should recognize that.
And as others have said - not all new CVEs are equal, not all new CVEs have immediate patches and mitigations, not all CVEs are exploitable in your environment.
Sure a malicious attacker might exploit a buffer overflow or something on a botched Samba server - but how many of those do you have that are accessible outside the corporate firewall?
mr-tap@reddit
The only way that I can think you could affect this is if you have influence on product selection.
Are some products over represented in new CVE? If so then are there viable alternatives?
Do you have multiple products performing same function? If so, then consolidating products technically reduces the number of opportunities for CVEs.
theredgrape@reddit
You aren't losing your mind. This reads like a disconnect between the manager wanting to establish a baseline and a technical understanding of the metric being chosen. I take it the manager's non-technical leadership buys into CVE remediation as a metric, but it's a really poor one. That said, your misstep here was calling him out in the meeting. I'd wager if you could do it again: "Let me research our options." And you'd be back to work.
If they are just hellbent, and it sounds like they are, on "new CVEs", then it seems like taking some time to try to understand the why behind the manager is in order. There is something that has this person holding on to new CVEs like that's their metric for a bonus.
Either way, I'd have a dialog in a one-on-one so the manager doesn't start thinking you're hostile against them. Regardless of their technical ability, someone put them in charge and it will take a lot more than a CVE metric to make that person change their mind.
relevantusername2020@reddit
kakistocracy
tactiphile@reddit
This needs to be OED's or Merriam-Webster's 2024 word of the year
relevantusername2020@reddit
funny i actually had a comment written out a bit ago about how ive been getting into the habit of checking the word of the day (and daily quotes - the word kind not the gambling market kind) from bing and merriam webster, spurred by microsoft rewards, and well. ive always been a bookworm and loved reading and words and whatnot, but the other thing ive been really getting into the last year or so is etymology, and (stick with me i know im all over the place, ADHD) theres a great website, etymonline.com, and its kinda funny. they have a trending words section, and ill often see a word trending there and then not long later ill start seeing it everywhere, or itll be the word of the day, and i mean i know reddit likes to refer to the baadar meinhoff* effect but actually? nah. im pretty sure etymonline and associated word nerd websites are just the resources that word nerds actually use, so when a word is trending, then its likely the people who write the things that the peanut gallery reads will be using that word soon. if that makes sense.
*well the backstory on that name is certainly a... uh, TIL 😐
tactiphile@reddit
Hi5 for the gambling market. I love it!
SpecialEar994@reddit
I worked in customer support for a software company where one of the metrics was how many support calls we got. A new exec asked how we could reduce the number of calls. I said to do more testing before delivery to reduce bugs, and provide better training for users. The mgr said “No, what can YOU do to reduce the number of support calls?” I replied that we could unplug the phones. He didn’t like that. Fortunately the CEO was an ex-programmer, and the exec didn’t last long.
Snoo_97185@reddit
If you are in the United States, you could give him US-CERT's number and tell him that they make the CVEs, or whoever your org is that you get them from. Turn it into a third party's problem to explain, because they'll straight up tell him he is stupid, and then if he tries to reprimand you, you can tell his boss that you even got him to talk to the third parties who release them and they said the same thing.
Edg-R@reddit
Could someone ELI5?
CeFurkan@reddit
What are these terms cve cvss and such?
Minute-Jellyfish-886@reddit
https://www.imperva.com/learn/application-security/cve-cvss-vulnerability/
CeFurkan@reddit
Thanks
4lteredBeast@reddit
Cybersec here - you're absolutely not in the wrong. This guy clearly has no understanding of what CVEs even are.
If he really pushes the point, I would ask him to formalise a KPI for your team and ask the cybersec team to advise on how many CVEs you should be "allowing" every month.
Grab some popcorn.
StaffOfDoom@reddit
You weren't wrong, like a motorcycle rider isn't wrong... you did all the right things but you're still getting run over. Why? Because you called out a new(ish) hothead manager in front of everyone. If there is a next time, explain to the person outside of a group what all these technical things mean so he can save face... in fact, be proactive. Next new guy in your business (whatever company you land at next), explain all of this at the front of the load, not in the middle of the meeting.
Try explaining in simple terms that CVEs are generated by a third party and not internally. That patch cycles dictate the fix availability, not how hard your team works, and it's part of a cycle.
OldManAngryAtCloud@reddit
You are not the dumbass. I ran into something very similar to this at my previous job when our CEO wanted to see these sorts of metrics in the idiotic monthly IT Scorecard. The request was originally "# of known vulnerabilities in the environment" each month. I told the CEO I could absolutely do that, but that the number was ultimately meaningless. At first he didn't understand, but then I pointed out that if a new critical vulnerability for an application on all of our systems is discovered on the 30th of the month then the scorecard is going to show a sudden increase of thousands of vulnerabilities, whereas if it is discovered at the beginning of the month it will never be reflected in the scorecard as it will get patched before the next scorecard comes out.
He understood this and agreed that metrics around active patching and percent change of vulnerabilities month over month were more meaningful.
bigpirm1977@reddit
Your only fault is not simplifying to the point a child or my mother could understand. You can't use logic, or legalese, or overly complicated terms with any technical words with some executives, directors, or managers. In your case it's clear this person doesn't understand the basics of this system, so it's your job to help them. I would schedule a private meeting and magically say:
“We don’t control the number of identified CVEs, an external org finds them and publishes them, we react to them. Do you only want us to react to a certain number or certain criticality? I’m not sure that’s advisable or possible.”
Then I would follow up with whatever the determination was in writing.
villan@reddit
Makes me think of a cave guide I talked to telling me that they frequently get asked how many undiscovered caves there are in the area.
anotherkeebler@reddit
I used natural disasters as an analogy: we don’t control them. What we DO control is how effectively we manage them
kosmosepiraat@reddit
Oh.. So you're the one to blame for always making all of those CVEs? I get a lot of CVEs daily on my job also and have to deal with those. Could you please stop making those so I have more time to deal with more important stuff?
Yucchie@reddit
What on earth… He’s basically asking you to predict/stop the future from happening
Ask him if he can tell you how many litres of fuel will be delivered to his gas/filling station tomorrow
When he doesn’t know keep pressing for an answer. Really question him on why he can’t get an answer (which is presumably what he’s doing to you) - you want to get his cogs going so he reaches that point of frustration
He’ll inevitably snap back that he can’t predict the future
“Exactly. That’s what you’re asking us to do so stop. I’m on your side, but this is a shit metric. Find another one like xyz which works well in this many cases”
With managers like this, you have to learn the dance of managing from below
TheCurrysoda@reddit
That CVE guy is probably just embarrassed and he's acting mad to cover it up. People who get corrected publicly in a meeting like that tend to not take it well.
Especially since he spent time making pretty charts to build his case.
oxidizingremnant@reddit
Hard to really understand what they mean by “active CVEs” - do they mean exploitable CVEs? In my opinion, vulnerability Metrics should include age and exploitability.
And I don’t know what in your case the reporting periods are. Could be that a slew of vulnerabilities were dumped between the patching windows and when the other person built their reports. In recent months I’ve seen some servers have a massive uptick overnight in the number of vulnerabilities due to Linux kernel bugs that require reboots to remediate.
Or there could also be unnecessary software running on systems causing the numbers of vulnerabilities to be high. When you say things like “I don’t know how many servers I overview” it could mean that an inventory is necessary to compare your numbers against what the vulnerability team is observing.
PlaneHashes@reddit (OP)
He means this:
Tanium creates a report. Adds new CVEs to the report on top of those that are already being mitigated. Manager wants the number of new ones to be lower.
Completely unrelated to the number of vulns we are fixing per day.
lettuceliripoop@reddit
Tanium also gives you a score. Shouldn’t the goal be keep systems at x score? CVE is kinda useless metric in Tanium as it means a lot of things.
Xambassadors@reddit
Only tip is to ask him to agree on an authority, say he accepts that NIST is a good authority in terms of cyber security. Then you pull a definition of what CVEs actually are from that authority and hopefully he'll then shut up about it once he sees that the organization he respects proves him wrong
BalderVerdandi@reddit
Oh man, I used to work for a guy just like this.
Working for an MSP, we ended up patching over 55,000 issues across 1300-ish servers. I literally had to do the "ELI5" (Explain Like I'm 5 Years Old) with him so he could grasp what a CVE was, how it was found, how we address it, and that there was no possible way we could know what was going to be on next month's report because we weren't Miss Cleo.
Because if I were psychic, I would have cashed out on a couple lotteries and bought an island somewhere.
autiger98@reddit
Your job should come down to policy and procedures. Policy: we will fix CVEs x number of days after published. Procedures: Download, test, deploy etc.
If he comes up with some fancy dashboard that doesn’t jive with the policy, then the policy and procedures need to be over hauled.
New policy: limit the number of new CVEs. Procedures: impossible to accomplish because it is outside of our organization's control.
cmack@reddit
"I've been thinking for a while that this guy is just dumb."
There is a reason they are in management
notfoundindatabse@reddit
Could this be a delivery issue? For instance, you mentioned you thought he was dumb for a while. If I think someone is dumb I have a tendency to switch off and become a condescending asshole. This is not fair to the person I am speaking with and I have to ACTIVELY fight this behavior. If I don’t, I am a dick. No one wants to listen to a dick. Could you also suffer from this? Perhaps the relationship needs a reset?
stshelby@reddit
Not saying do this, but as a business case: don't do anything for a month and see if the number changes. If it doubles, fix last and current month's CVEs, then have a discussion about resources and staffing. If the number doubles you have proven two things: not enough resources, time and staff, but you have verified the data capture is correct. Poor management is not your problem, just your result.
undecidedpure@reddit
Extreme ownership. Your job is to dumb it down to the point he can understand and come to your side of the understanding.
snowwis81@reddit
It seems he isn’t going to listen or understand what you’re saying. If you are seeking a resolution the following MIGHT work. Find at least one if not more people in your org that you trust to fully understand all the details of this scenario. Now the hard part, find that person/persons that he’d be willing to listen to and accept “their” conclusion on the situation.
Bonus if you’re looking to exit this workplace quickly: state, “I think you may be too dumb to understand the words I am using to form sentences. Go ask Bob (the person you know he’ll listen to).” You’ll probably lose your job, but it’ll be a good story to tell your team at the next place.
ryoko227@reddit
Wait, what? We are talking about (Common Vulnerabilities and Exposures) CVEs, right? I'm confused, this manager thinks that your team is making them? Or, that your team is creating too many tickets to mitigate? I don't know if I am being retarded, but I'm really struggling to understand what he means by wanting less new CVEs.
taniceburg@reddit
If it isn’t running it can’t have any NEW CVEs discovered.
Better yet
Just update the firmware. A blank disk has zero CVEs.
PlaneHashes@reddit (OP)
This is the way! No servers, no worries!
Minute-Jellyfish-886@reddit
There you go... tell this manager that you want to move everything to using Serverless in the Cloud!
No servers, no vulnerabilities... right?
symcbean@reddit
We live in a world where the president-elect knows more about climate science than all the meteorologists put together. Not only are you wrong but you are clearly the cause of these vulnerabilities.
By the way, the internet is not real - we actually all live inside your computer.
Clamd1gger@reddit
I'd start updating your resume.
Self-preservation should always come before ego, brother.
graph_worlok@reddit
You are right, but propose a solution as well - based on time to patch based on severity, with a hard focus on internet-facing hosts
PlaneHashes@reddit (OP)
We do it. Solutions are in place. Vulns are mitigated daily.
It's the newly discovered ones that this guy wants to go down.
autiger98@reddit
The only way to solve this is to kidnap all the vulnerability hunters in the world so they can’t report issues. Or to convince all the developers in the world to secure their OS and applications.
graph_worlok@reddit
Oh dear…
pedrolane@reddit
Did you just recently go through an audit or soc certification? What is driving his shift in measuring these numbers ?
autiger98@reddit
I work in cyber as a DOD contractor. The organization needs a plan that avoids a moving target. It also sounds like he is putting more importance on new vulnerabilities and less on old vulnerabilities. In reality old vulnerabilities have been out longer and give bad actors time to develop exploits.
The best method I’ve seen is to allow 15 days to fix critical, 30 days to fix highs, and 90 days to fix mediums.
If you are fixing things too fast you run the risk of bricking a critical system, and then you have just created a denial of service on your own systems. It’s called risk management framework for a reason.
MidninBR@reddit
When it comes to this point it is hard. Everyone goes through it, I guess. If you can't agree with your manager anymore, he will probably take it personally if he is not a good leader, or you didn't make him understand, or you made him look dumb in front of the staff. When this relationship is shattered you have two options: either get his job or get a job somewhere else.
A8Bit@reddit
You do have control over new CVEs. Don't want all those Windows CVEs? Switch to Linux. I think he'll get it when you start suggesting you replace the existing infra with different platforms.
BrainWaveCC@reddit
You're fighting an uphill battle here, but I understand why you did it (because silence won't actually help in this case).
The only thing I would recommend in a slight change in emphasis about why the situation is the way it is. Rather than "my team can't do more," I would have emphasized the fact that CVEs are discovered by two main parties:
I would also have avoided the whole conversation about not being his friend, etc.
Not that I'm sure this guy would get it anyway, but speak to any of your vendor technical account managers and see if they would be willing to help educate this guy on a call.
Let the source of this info be other parties rather than you and your team.
In the meantime, stay looking for a better environment, because this guy's ignorance is going to get costly for you guys in the not too distant future, if it doesn't get fixed.
Minute-Jellyfish-886@reddit
Your manager or his manager might as well ask you to lower the amount of precipitation month over month. It's clear that neither understands what makes for an actionable metric/KPI.
I sympathize with you as I started my career as a sysadmin and had to deal with this type of thing more than I care to remember. I transitioned into Cyber Security a couple decades ago and unfortunately these type of individuals really give the profession a bad rap.
Cyber Security professionals exist to help the organization manage risk. Thousands of CVEs mean absolutely nothing if they aren't applicable to your environment or can't be exploited based on the architecture or other mitigating controls.
Many of the other commenters are right on target, you typically want to start with the age and severity of the vulnerability (although this should be adjusted based on environmental conditions... sensitivity of the system, other mitigating controls, etc.) but none of this matters if they are just tracking the raw number of new CVEs...
While you already have a full plate, I would possibly suggest reporting new useful metrics noting that many are not targets but are useful for understanding the risk landscape over time. This is effectively doing their job but sometimes you need to educate the ignorant.
Here are some more appropriate metrics for a Vulnerability Management Program:
Vulnerability Discovery and Assessment
Vulnerability Risk and Severity
Remediation and Response
Compliance and Risk Alignment
First, focus on metrics where you can automate their collection.
gumbrilla@reddit
Well, it might be possible to manage to lower relevant new active CVEs by reducing the attack surface? Get rid of all examples of system X, then no CVEs relating to system X need be considered..
mobiplayer@reddit
Well, one way to reduce the CVEs is to not discover them or just discard them. CVSS score under X? out of the report.
Captain_Swing@reddit
He wants you to juke the stats.
n0ah_fense@reddit
He probably controls the number of new CVEs moreso through vendor selection
EEU884@reddit
Let me guess the manager has a business degree rather than any technical experience or knowledge?
Cormacolinde@reddit
He’s a dumbass.
Yet there are actions you could take to reduce the number of new CVEs affecting your environment, by reducing the number of different systems and packages running in it. If there’s less variety of operating systems, and you reduce the number of libraries and dependencies, make your servers leaner by removing/uninstalling unneeded packages and services, you could lower your average CVEs.
This may very well not be your decision or under your control of course. Developers being what they are, they usually can’t update their shit and you need 6 versions of .NET and 18 versions of php, or they always want the newest shiny toy and add to the pile of libraries installed…
PlaneHashes@reddit (OP)
As you say, I have no control over that part. I have to maintain what exists. We push for lean servers but sometimes it's not possible.
Still I can live with that.
If only he was asking for leaner servers, I wouldn't have said anything.
But asking us to solve more so there are less new CVEs... WTF. Next time, ask for no rain tomorrow too.
HotPieFactory@reddit
No, he's mad you showed everyone in the meeting what a dumbass he is. Not your fault of course. You've been polite in your first explanation.
drunkenitninja@reddit
You're good. Sounds like this "manager" is new, or at least new to IT. I wish I could understand why managers believe that they know more than the SME's that they're supposed to be managing.
I have 30+ years in this industry, and 25 of those are in a specific role. Having a manager try to explain to me on how my environment works is one of the most frustrating things to have to deal with. I typically just sit back, nod my head, and just do what I need to do to get my work done.
PlaneHashes@reddit (OP)
Yes. Been taught by my senior admins way back to do just that. Been doing it ever since. But sometimes, I can't have infinite patience for this bullshit being repeated again and again.
gadget850@reddit
If you stop tracking CVEs then they will go away.
PlaneHashes@reddit (OP)
Nothing more, nothing less!
inktaylor@reddit
Look at all of these Microsoft Office CVEs, let’s remove it from all devices! No more CVEs next month for that product if it doesn’t exist. Next up, Adobe.
PlaneHashes@reddit (OP)
This ^ is the way!
Tanker0921@reddit
This is the classic problem with people managing teams without prior experience in what the team actually does,
Bet you the new-ish guy is a MBA too.
7ep3s@reddit
no its your fault should have taken that divination class at wizard school to be able to subscribe to future cve discoveries 2 months ahead
Aggravating-Sock1098@reddit
The new manager IS the personification of a CVE.
PlaneHashes@reddit (OP)
If I put all his year in perspective, he is for sure a liability to this company.
Danuzo_8@reddit
I noticed a correlation between the academic degree and the amount of insane bullshit ideas and thoughts coming from that person.
I think this is the exact same Problem you got here.
Shut up and nod is the best solution though. You might also rather act stupid and seem like you don't know better than start a fight with someone in a higher position..
This probably doesn't work forever but it helps a lot in many situations
PlaneHashes@reddit (OP)
As I said. Shutting the fuck up and doing my job was something I learned with my senior admins 10 years ago. This has saved me from a lot of unnecessary discussions.
But man, I have a limit, and this new management keeps going on and on about this stupid number.
I reached my limit this time. He wanted an explanation. I offered to give it. Gave it. Got crap about it and been told I was wrong and misleading the team.
Helpful_Friend_@reddit
A way to rephrase it so he might get it.
He's essentially asking mall cops to make sure there is less crime in the city, while the mall cops only focus on the mall.
PlaneHashes@reddit (OP)
Tried to explain this analogy:
Janitor cleans public park with 10 visitors per day. Park is clean.
Park decides to have a festival. 1000 visitors per day. More trash for the janitor to clean.
Can you blame the janitor for the new trash that was thrown to the ground? You can ask him to clean more. But you can't blame him there is now more trash to clean.
Dude said it's not the same thing...
No-Term-1979@reddit
🤦♂️🤦♂️🤦♂️
ohzir@reddit
You need something like Tenable Security Center so you can report on fixed vulnerabilities over time.
Not plugging that tool specifically, it's just the one my team used - I'm sure other tools have similar reporting. We had this printed, though, and putting the "fixed CVEs week over week" next to the current CVEs really reframed our work and displayed our effort in a different way people were more able to understand. If it helps, we dumped reports from tnsc into Splunk and used the report engine to put together a dashboard so he could have the report anytime he wanted. There are some caveats with that, because Splunk is an absolute beast (we had a guy who basically was full-time Splunk man.)
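Added example, not from any commenter, OP's tracking DB, Tanium or Tenable: it takes the "fixed vs. current" report described in the comment above, the 15/30/90-day windows autiger98 proposed, and the metric categories Minute-Jellyfish-886 listed, and computes them from two constructed scanner snapshots. The hosts, CVE placeholders (CVE-EX-*), dates and the `kev` flag are all made up for the demonstration. The point the code makes concrete is OP's: the "new" figure is set by what the scanner found in the window and is unchanged whether the team fixed two findings or all of them.

```python
"""Vulnerability-management flow metrics computed from scanner snapshots.

Added example for this thread; it is not Tanium or Tenable output and not
OP's tracking DB. Two constructed per-period snapshots of open findings are
compared to derive the numbers a manager can act on: new vs. fixed vs.
carried-over findings, distinct new CVEs, backlog age and SLA compliance per
severity (15/30/90 days, as proposed in the thread), and a fixed-vs-open view.
The 'new' count depends only on what the scanner discovered in the window,
never on how many findings the team fixed.
"""
from datetime import date

# Remediation windows in days after publication, per severity (from the
# thread; adjust to your own policy). Lows are tracked but have no SLA here.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed snapshots. CVE ids are placeholders, not real identifiers.
# Each dict is one (host, CVE) finding that was open on the scan date.
JAN_SCAN_DATE = date(2024, 1, 31)
FEB_SCAN_DATE = date(2024, 2, 29)
SNAP_JAN = [  # open findings on the January scan
    {"host": "web01", "cve": "CVE-EX-A", "severity": "critical", "published": date(2024, 1, 10), "kev": True},
    {"host": "web01", "cve": "CVE-EX-B", "severity": "high", "published": date(2023, 12, 1)},
    {"host": "db01", "cve": "CVE-EX-B", "severity": "high", "published": date(2023, 12, 1)},
    {"host": "db01", "cve": "CVE-EX-C", "severity": "medium", "published": date(2023, 10, 15)},
]
SNAP_FEB = [  # open findings on the February scan
    {"host": "web01", "cve": "CVE-EX-B", "severity": "high", "published": date(2023, 12, 1)},    # carried over
    {"host": "db01", "cve": "CVE-EX-C", "severity": "medium", "published": date(2023, 10, 15)},  # carried over
    {"host": "web01", "cve": "CVE-EX-D", "severity": "critical", "published": date(2024, 2, 20), "kev": True},  # new
    {"host": "app01", "cve": "CVE-EX-D", "severity": "critical", "published": date(2024, 2, 20), "kev": True},  # new
    {"host": "app01", "cve": "CVE-EX-E", "severity": "medium", "published": date(2024, 2, 25)},  # new
]


def key(f):
    """A finding is one CVE on one host; the same CVE on two hosts is two findings."""
    return (f["host"], f["cve"])


def flow_metrics(prev, curr):
    """New / fixed / carried findings between two snapshots, plus distinct new CVEs."""
    prev_keys, curr_keys = {key(f) for f in prev}, {key(f) for f in curr}
    prev_cves, curr_cves = {f["cve"] for f in prev}, {f["cve"] for f in curr}
    return {
        "new_findings": len(curr_keys - prev_keys),
        "fixed_findings": len(prev_keys - curr_keys),
        "carried_findings": len(prev_keys & curr_keys),
        "open_findings": len(curr_keys),
        "new_cves": len(curr_cves - prev_cves),  # the number the manager is watching
    }


def sla_status(findings, as_of):
    """Per severity: open count, overdue count (age past SLA), oldest age, % within SLA.

    Age is measured from publication, matching the 'x days after published'
    policy in the thread; programs that count from first detection swap the field.
    """
    out = {}
    for f in findings:
        sev, age = f["severity"], (as_of - f["published"]).days
        d = out.setdefault(sev, {"open": 0, "overdue": 0, "max_age_days": 0})
        d["open"] += 1
        d["max_age_days"] = max(d["max_age_days"], age)
        if sev in SLA_DAYS and age > SLA_DAYS[sev]:
            d["overdue"] += 1
    for d in out.values():
        d["within_sla_pct"] = round(100.0 * (d["open"] - d["overdue"]) / d["open"], 1)
    return out


def remediation_upper_bound_days(prev, curr, curr_scan_date):
    """Mean days from publication to the first scan that no longer sees a fixed finding.

    This is an upper bound on time-to-remediate: the fix happened somewhere
    inside the window, and the scanner only confirms it at the next scan.
    """
    curr_keys = {key(f) for f in curr}
    fixed = [f for f in prev if key(f) not in curr_keys]
    if not fixed:
        return None
    return sum((curr_scan_date - f["published"]).days for f in fixed) / len(fixed)


def exploitable_open(findings):
    """Open findings flagged as known-exploited: the subset worth escalating first."""
    return sum(1 for f in findings if f.get("kev", False))


def period_report(prev, curr, curr_scan_date):
    """One period's report: the flow numbers next to the backlog health numbers."""
    return {
        "flow": flow_metrics(prev, curr),
        "sla": sla_status(curr, curr_scan_date),
        "remediation_days_upper_bound": remediation_upper_bound_days(prev, curr, curr_scan_date),
        "exploitable_open": exploitable_open(curr),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(period_report(SNAP_JAN, SNAP_FEB, FEB_SCAN_DATE), indent=2, default=str))
```

Feed it two consecutive exports from whatever scanner you run (one row per host/CVE, with severity and publication date) and the report gives "fixed this period" next to "new this period" and "still open past SLA", which is the pairing that makes the team's effort visible. To reproduce OP's argument, strip the carried-over findings out of the second snapshot (as if everything from January had been fixed) and rerun: `new_findings` and `new_cves` do not move.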
Consistent_Research6@reddit
The truth hurts, that is 100% true. Corporate assholes are being born and hired every day. Leadership does not want you to have ideas because, when you say the truth, the investors that have no clue what you are talking about get spooked the fk out, not because of the way you say it but because they are too head-down in the toilet that the business has become; they're scared. Yes-men-ism became a value in some companies instead of NOT being one. All tech people are replaced by business-fed retards that have no grip on reality. That is why you should not argue with business-fed cretins; they know shit, but get scared fast.
PlaneHashes@reddit (OP)
Indeed.
ruyrybeyro@reddit
Boo hoo, you called off the 'security guy'—you know, the one who couldn’t tell an OS from a stats sheet, scraped by with a few certs, strutted around in a suit, and stuffed PowerPoints with random numbers from black-box tools. What a pity.
PlaneHashes@reddit (OP)
I have all the data on what we do, how many vulns we fix. Showed him.
Dude is fixated that we have less newly discovered vulnerabilities on the next report.
Doesn't budge. Says I'm wrong in saying that we have no control over what will be discovered.
ruyrybeyro@reddit
Who knows, maybe he’s onto something. Ask him for the next EuroMillions numbers.
Essa_ea@reddit
I like your approach, you are being realistic in what you do.
PlaneHashes@reddit (OP)
Thank you!
D_Fieldz@reddit
Sounds like he wants to make his mark, goes for low hanging fruit of which he has low understanding.
A tale as old as time, don't fret. Managers, especially newer ones can be a pest.
PlaneHashes@reddit (OP)
Indeed. I've seen from this thread that I've been lucky. First time facing a guy like this.
RatsOnCocaine69@reddit
How do you track vulnerabilities (and their remediations) if you don't have an overview of your servers though? I get there are seemingly too many to track but then how do you do config management? If not, whose jurisdiction is asset management?
PlaneHashes@reddit (OP)
We track it on a DB where remediation plan and result are saved. When I said I don't even know how many servers I overview, it was just an expression to convey that the size of the infra is gigantic.
Temetka@reddit
It’s time for malicious compliance until he goes away.
PlaneHashes@reddit (OP)
Thought about it: stop scanning for vulnerabilities. Then the number of new ones goes to zero and we will all be happy!