A Deep Dive into KEV

Speakers: Tod Beardsley (CISA), Lindsey Cerkovnik (CISA, US) Tod Beardsley is employed at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. There, he spends most of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member has authored several research papers, and hosted the Security Nation podcast. He is also a Travis County Election Judge in Texas, and is an internationally-tolerated horror fiction expert. --- Lindsey is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by sponsoring and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability information, and engaging in valuable technical collaboration with the vulnerability research community. In this session, Tod Beardsley from CISA will educate the audience on the ins and outs of what goes into building and publishing the Known Exploited Vulnerabilities catalog (the KEV). While building a list of known exploited vulnerabilities may sound straightforward, the devil in the details. Tod will explain and explore those details, and perhaps exorcise a devil or two.