Software Inventory & Vulnerability Management

3–10–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, March 10, 2025, and we’re going to use our time this week to get back to basics: know what you’ve got, and know when to patch it.

Software Inventory & Vulnerability Management

The last week has seen a range of new zero-day (or previously unknown) vulnerabilities being announced by several major vendors, including VMware, Apache, and Ivanti.

What’s notable about these items, however, isn’t that there are more zero days - there will always be more zero days - it’s that these vulnerabilities quickly found their way onto CISA’s Known Exploited Vulnerabilities Catalog, often known as the KEV List.

The point of the list is to help figure out which vulnerabilities really need your attention - as they’re the ones being used in the wild to exploit systems and gain access.

Now, a couple of caveats.

First, it’s not clear if this service from CISA will continue with the ongoing uncertainty around many Federal services - see the last few weeks of this program plus any major news source in the US.

Secondly, it still requires operationalization from your end to derive real value from this list.

That means you need a few things.

First? Software inventory. You might know what you think is running in your environment, but are you sure? Do you have a list? Vulnerability scanners or endpoint detection and response tools can usually help provide a pretty good sense of both the software and version number on your endpoints.

Secondly, you need a way to reconcile your environment with the vulnerability list. Ensure that you’re getting update notifications from all of your vendors, of course, but also follow the CISA KEV updates (by email or in an automated fashion).

Third? Patch! It’s not glamorous, and it does feel like a never-ending cycle, but keeping your machines up to date is one of the single most effective ways to help drive down risk across your enterprise.

You’re likely already on a monthly cadence for Microsoft (and other) enterprise updates. Be sure that you’re able to patch out-of-cycle, and consider developing some prioritization around machines that are public facing, business critical, or have some other special handling requirements.
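As an added example (not code from the newsletter or from Intentional Cybersecurity), here is a small Python script that reconciles a constructed software inventory, of the kind a scanner or EDR export would give you, against a constructed sample in the shape of the CISA KEV JSON feed (field names are assumed from the published feed), and ranks the hits the way the text suggests: public-facing and business-critical machines first, with past-due KEV entries flagged for out-of-cycle patching.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV feed ("vulnerabilities" array;
# field names assumed from the published feed). CVE ids are placeholders.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "VMware", "product": "ESXi",
  "dateAdded": "2025-03-04", "dueDate": "2025-03-25", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-0000-0002", "vendorProject": "Ivanti", "product": "Endpoint Manager",
  "dateAdded": "2025-03-10", "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleCorp", "product": "Widget",
  "dateAdded": "2025-01-01", "dueDate": "2025-01-22", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed inventory, as a vulnerability scanner or EDR tool might export it.
INVENTORY = [
    {"host": "esx01", "vendor": "vmware", "product": "esxi", "version": "8.0",
     "public_facing": False, "business_critical": True},
    {"host": "epm01", "vendor": "ivanti", "product": "endpoint manager", "version": "2024",
     "public_facing": True, "business_critical": True},
    {"host": "ws042", "vendor": "microsoft", "product": "windows 11", "version": "23H2",
     "public_facing": False, "business_critical": False},
]

def norm(s):
    """Case- and whitespace-insensitive key for vendor/product names."""
    return " ".join(s.lower().split())

def reconcile(kev_json, inventory, today):
    """Return inventory hosts running software named in KEV, highest priority first.
    KEV carries no version data, so a hit means "check the vendor advisory and patch",
    not a confirmed vulnerable version. Real inventories usually need a vendor/product
    name mapping; exact normalized equality is used here for simplicity."""
    entries = json.loads(kev_json)["vulnerabilities"]
    hits = []
    for asset in inventory:
        for e in entries:
            if norm(e["vendorProject"]) != norm(asset["vendor"]) or norm(e["product"]) != norm(asset["product"]):
                continue
            past_due = date.fromisoformat(e["dueDate"]) <= today
            score = (4 if asset["public_facing"] else 0) + (2 if asset["business_critical"] else 0)
            score += 2 if e["knownRansomwareCampaignUse"] == "Known" else 0
            score += 1 if past_due else 0  # past the KEV due date: patch out of cycle
            hits.append({"host": asset["host"], "cve": e["cveID"], "due": e["dueDate"],
                         "past_due": past_due, "score": score})
    return sorted(hits, key=lambda h: (-h["score"], h["due"]))

if __name__ == "__main__":
    for hit in reconcile(KEV_JSON, INVENTORY, date(2025, 3, 10)):
        print(hit)
```

Swap KEV_JSON for the downloaded feed and INVENTORY for your scanner export to get a patch-priority list; the scoring weights are illustrative and should reflect your own handling requirements.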

We’ve been singing the refrain about controlling your controllables lately here, and this definitely falls squarely into that bucket.

So - if you have unpatched VMware, Ivanti, or Apache software in your environment - turn this video off and go patch. If not, make sure you’ve got an accurate, up-to-date inventory and a way to get notified of new patches. Wash, rinse, repeat.

Fundraising

Speaking of back to basics, that was part of the headline in a Wall Street Journal article that ran a couple of weeks back, entitled “The New Survival Guide for Private Equity: Go Big or Get Back to Basics.”

The other part, of course, is what gets the attention, and it’s a trend that we are seeing continue with more than $23.3B of newly committed capital announced this week, including:

  • ICG raised over $11b for its fifth GP-led secondaries fund.

We had several funds announce commitments over $1B, and also saw Mark Walter, CEO of Guggenheim Partners, and Thomas Tull, former owner of Legendary Entertainment, form a $40b holding company to make large AI investments.

These folks are all on the Go Big side of the equation. I’d encourage you to be on the “Get Back to Basics” side, myself.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.rapid7.com/blog/post/2025/03/04/etr-multiple-zero-day-vulnerabilities-in-broadcom-vmware-esxi-and-other-products/

https://nvd.nist.gov/vuln/detail/CVE-2025-27636

https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://finance.yahoo.com/news/survival-guide-private-equity-big-103000120.html
