Tips for Helping Vulnerability Managers Sleep Easier

Wouldn’t it be nice to sleep easy at night and not have to worry if your vulnerability management program is really catching all the vulnerabilities that could be and are in your environments? Wouldn’t it even be nicer if you could get them prioritized by risk and truly make sure they are mitigated or remediated based on what attackers may try to leverage first? How about that resource(s) who now spends 100% of their job on vulnerability management, although it wasn’t why they were hired? Wouldn’t it be nice to get them back to working on the projects they were hired for and are, most likely, experts in? You could put them on that list of projects you are trying to start but just can’t spare the time or resources for. Shoot what about just helping the resource get their lives back and not be drowning in vulnerability data? Well, we have the life preserver for them.

I do a lot of traveling to organizations to demonstrate how we can assist in their Vulnerability Management Process by helping them cultivate and leverage such programs so they are addressing the correct vulnerabilities first and not just prioritizing by standards ratings. No matter what type of organization they may be I hear the same thing over and over, “we are drowning in data and can’t seem to keep up”, or “we think we are doing it correctly, but have no way to really tell or verify it”. Most of these organizations have programs and workflows, and usually, have a team (usually only 1 person) dedicated to identifying vulnerabilities and reporting them to the necessary system owners. I’ve seen somewhere everything is done on a spreadsheet and they still don’t know where to begin or by the time they get to them all (never) there are new sets of vulnerabilities from the latest scan.

Sound familiar?

Yes, you can address all the Critical and High scored vulnerabilities, but what about the lower ones? What about the ones where you are not certain how they can be leveraged? It’s a big enough problem to keep you up at night, wanting to throw more resources at it which, now a days, you don’t have. You may be saying, “but Magno it will be impossible to get to them all, or we will burn through our budgets if we did so”, well not necessarily so. What if you can get the right vulnerabilities remediated and expedited quickly? Would that help? Of course it would, but is that enough?

Wouldn’t it also be nice to visually see what a vulnerability, better yet an exploit meant to leverage a vulnerability, can lead to in your networks?  In my visits and discussions, I find many types of vulnerabilities, even some that you may not believe. For example, MS-0867 is still around and living it up out there. No it’s not because the organizations are not aware of them, they are just classified as Risk Accepted Vulnerabilities. Most, if not all, have mitigation in place to prevent any sort of exploitation of such vulnerabilities, but all have that same look of worry on their face when I call these out. Wouldn’t it be nice to have a little more peace of mind to see if they can truly be leveraged or not and, better yet, that whatever mitigation you have in place is working? Of course. How great would it be if you could provide that type of confidence in a report or attack path graph to your management and get some of those Z’s back at night? Listen, I’m not knocking how you run your VM program, but I know that what it boils down to is information overload. Sure in my experience with organizations they all implement methodologies that work for them, but wouldn’t it be nice to have a little better visibility or, better yet, control of managing them. I can’t tell you how many times I get a remark of, “yeah we have a great process, we submit the reports, but nothing gets done”. Most of the time the ones responsible for the systems or for remediating them ignore the lists that you may provide. Why? Well, they are just too big or full of false positives. Wouldn’t it be nice to be able to provide them a more precise list? Better yet some proof of validation (where allowed?)

Of course, maybe you are thinking “what he is talking about doesn’t exist” or “other vendors promise this but you still get buried under all this data”, well we here at Core can help. Really. Our cyber threat solutions allows you to fully see the lay of the land and how things can be prioritized. If you wanted to, you could also provide proof that a vulnerability is exploitable. Imagine if you can show them how you were able to get into the system, I bet that would move it right to the top to be remediated.