All links and images for this episode can be found on CISO Series https://cisoseries.com/patches-yes-we-need-stinkin-patches/ There was a time we could trust a patch, but now our adversaries are actually looking at the patches to find even more vulnerabilities. And we keep patching those as well. Our patches' patches need patches. When does it stop?! This episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest this week is Travis Hoyt (@travisehoyt), managing director, exec cybersecurity technology, TIAA Thanks to our podcast sponsor, Adaptive Shield Adaptive Shield ensures companies gain control over their SaaS app security and prevents the misconfigurations and vulnerabilities that could lead to a leak or breach. Adaptive Shield connects to any app, continuously monitors all configurations, provides a complete picture of the company's SaaS estate, and enables quick remediation of any potential threats. On this week's episode What’s the best way to handle this The vulnerability landscape is changing, according to a new report from Rapid7. One issue, as Rob Lemos of DarkReading reports, is that you can't necessarily trust patches. They're often incomplete, and attackers look at existing patches as an opportunity to find more flaws, which they do. And the threats come from different angles: they're widespread, targeted, often using a zero-day, and there are other vulnerabilities that are impending threats. It seems that the portion of the threats you know about and can defend against is shrinking, and you're battling more of the unknown. Have you seen similar, and if so how has your security program shifted as a result? That’s something I would like to avoid The NSA recently provided guidance on creating a Zero Trust security model. In the piece, the NSA says, "transitioning to a [zero trust] system requires careful planning to avoid weakening the security posture along the way." So what is the NSA talking about? What are common transitioning moves to zero trust that can make you vulnerable? "What's Worse?!" Jonathan Waldrop from Insight Global delivers a challenge specifically tailored for Mike. Please, Enough. No, More. Let's look at SaaS posture management, or just the ongoing management of potential issues that may come across SaaS platforms - and consider what we have heard enough about with regard to SaaS posture management, and what we would like to hear a lot more about. Umm is this a good idea OSINT should go beyond finding out a security practitioner's email and phone number, argued Alyssa Miller of S&P Global Ratings. Alyssa received an email pitch from a vendor offering a gift and she declined. That same vendor then followed up and called her. The vendor was pitching her something that wasn't in her department, that she had no control of, and she couldn't accept gifts because her company is in a heavily regulated market. In summary, Alyssa said if you're going to use OSINT, understand the person's business, their role, and if making such a request would be counterproductive. What types of vendor OSINT tactics work well and what types work poorly?