Today we are live from the RSA showroom as our Director of Product Management, Ray Suarez, gets ready to present "A Vulnerability Maturity Model That Thinks Like an Attacker". We brought you the first part of this series last week, and if you haven't read it yet, I would urge you to go back and read How to Think Like an Attacker - Part 1.  For those of you not lucky enough to hear Ray's presentation in person, we have convinced him to share his actual presentation with all of you. Keep reading for the conclusion of "How to Think Like an Attacker." 

We started last week with a funny look at cyber security with a top 5 "you're in trouble when" list, but let's be honest, there is nothing funny about the risks in your organization. Let's imagine that you are the new CISO of an organization, and you walk in on your first day and sit down with your security team. Your first question is: "how many vulnerabilities are there in our system?" What would be an acceptable number to you? 100? 100K? What if you had 700K+ and needed to know which ones are most important? How many are high risk? How many are relatively low? Where do you even start? That number changes every day. With the number of servers in your environment growing at 15% per quarter - along with your business units and IT staff - you need to know what your biggest risks are so that you can target them immediately. Let's do some math.


Out of your 700K vulnerabilities, let's just look at the "high" threats. If there are: 

  • 93K High Threat Vulnerabilities 
  • 250 Working days in a year 
  • then you would need to fix 372 vulnerabilities per day, or 1,860 per week, to clear them all 

The problem here? We are overwhelmed by data. Even if we spent every minute of every day fixing just the high risk, high severity problems, would we really solve almost 2,000 every week? Oh, and that is assuming that no new vulnerabilities pop up. The attackers are taking advantage of that limitation and are using it against you. You need a vulnerability management system that thinks like an attacker. Peak data overload is the most common issue for most IT security teams. Take a look at this model:


In the first two levels, you are in the wonderful stage we call "blissful ignorance", where your threats appear nonexistent and you are just starting the scanning process. Then you get the results of your scan, which is where you first encounter the magnitude of your issues. We will start here, with your scanner, and give you the five steps to building a vulnerability management model that thinks like an attacker. 

1. Scanning - Get the basics in order 

The first step in setting up your solution is to incorporate your business goals into your vulnerability management program. By aligning your business and IT security goals, you will establish a unified team. You need to adopt or acquire a vulnerability scanning capability that will regularly scan and help you find vulnerabilities. 

2. Assessment and Compliance - Begin actually managing vulnerabilities 

Just like with any other business system, you will need to establish a repeatable process to create metrics that you can measure. Adopting a compliance framework (PCI, FISMA, HIPAA, etc.) is the basis for vulnerability scanning and patching, and it helps you implement a basic prioritization framework to deal with data overload. 

3. Analysis and Prioritization - Formalized Process 

A vulnerability management program that deals with vulnerabilities, prioritization, and patching is part of a complete ecosystem. At this stage, security and/or IT operations adopt tools that add value to the data, enable prioritization, and deal with the problem of too much data. Vulnerabilities are prioritized to make the best use of limited resources and bandwidth, and metrics begin to focus on improving security rather than on being busy. 

4. Attack Management - Attacker Focused 

In this stage, processes and metrics are coupled together to understand security posture trends and to improve process and execution. Security and IT departments build continuous processes that manage the lifecycle of a vulnerability, and analytics and risk management processes and tools are used to measure risk to critical assets. The focus of the vulnerability management program has shifted from the need to patch and comply to being attacker and threat focused. Penetration testing is conducted by internal red teams and, likely, validated by external professional service teams. 

5. Business-Risk Management - Business-risk and vulnerability context 

A vulnerability management program incorporates business goals and critical assets as it looks at risk as a business-wide issue. Business leaders become engaged at the program level and make decisions routinely about where to apply limited security resources. All potential threat vectors (mobile, web, network, social, identity, wireless) have been integrated into the vulnerability management program, and the tools and processes that measure risk and provide prioritization are fully integrated with security, IT, operational and enterprise risk management functions. 
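As an added illustration of the capacity math earlier in the post and of the prioritization that stages 3 to 5 call for (this is example code written for this page, not code from the presentation or from Core Insight), the sketch below models the high-threat backlog with the post's figures and ranks a constructed sample of findings by exploitability, exposure and asset criticality rather than by scanner severity alone. The scoring weights, the daily arrival rate and the sample findings are assumptions.

```python
from dataclasses import dataclass

# Figures from the post: 93K high-threat findings, 250 working days,
# 372 fixes per day if you want them all gone in a year.
HIGH_THREAT_BACKLOG = 93_000
WORKING_DAYS = 250
FIX_PER_DAY = HIGH_THREAT_BACKLOG // WORKING_DAYS  # 372


def backlog_after(days, start, fix_per_day, new_per_day):
    """Open high-threat findings after `days` working days, given a
    fixed remediation capacity and a steady stream of new findings."""
    backlog = start
    for _ in range(days):
        backlog = max(0, backlog - fix_per_day) + new_per_day
    return backlog


@dataclass(frozen=True)
class Vuln:
    vid: str
    severity: float          # scanner severity, 0-10 (CVSS-like)
    exploit_public: bool     # a working exploit is known to exist
    exposed: bool            # reachable from an untrusted network
    asset_criticality: int   # 1 (lab box) .. 5 (revenue-critical system)


def attacker_score(v: Vuln) -> float:
    """Rank the way an attacker picks targets: a reachable, exploitable
    flaw on a critical asset outranks a higher CVSS on an isolated box.
    The multipliers are assumed weights, not a published standard."""
    score = v.severity
    if v.exploit_public:
        score *= 2.0
    if v.exposed:
        score *= 1.5
    return score * v.asset_criticality


def prioritize(vulns, capacity):
    """Return the ids of the findings to fix first, limited to the
    number of fixes the team can actually deliver (`capacity`)."""
    ranked = sorted(vulns, key=attacker_score, reverse=True)
    return [v.vid for v in ranked[:capacity]]


# Constructed sample findings; the CVSS 9.8 on an isolated lab box ends
# up below an exposed, exploitable medium on a revenue-critical system.
SAMPLE = [
    Vuln("V-1", 9.8, exploit_public=False, exposed=False, asset_criticality=1),
    Vuln("V-2", 6.5, exploit_public=True, exposed=True, asset_criticality=5),
    Vuln("V-3", 7.5, exploit_public=True, exposed=False, asset_criticality=3),
    Vuln("V-4", 9.0, exploit_public=False, exposed=True, asset_criticality=2),
]
```

With zero new findings the backlog drains to nothing in a year; at an assumed 400 new high-threat findings per working day, the same 372-per-day team ends the year further behind than it started, which is the point of prioritizing by attacker value instead of working the list top to bottom.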

Is your vulnerability management system prepared to think like an attacker? 

Ready to see what this can look like in your organization? Request a demo of Core Insight, our market-leading vulnerability management solution.