In today’s video we discuss digital transformation for vulnerability management. We've summarized these concepts in an ebook for download as well as the video below.
In our business, we work with a lot of vulnerability management teams at enterprises of all sorts, so we wanted to present what we have seen as the evolution of vulnerability management. Basically, there are three major tiers we noticed:
Tier I: Process-oriented vulnerability management
In this stage of development, the enterprise has implemented a vulnerability management program that is primarily focused on IT-based vulnerabilities. Scanners such as Qualys or Outpost24 are used to identify the enterprise vulnerabilities. The vulnerability management team then prioritizes the vulnerabilities in a somewhat manual way – mostly relying on NIST CVSS scoring.
Finally, the prioritized list is sent to the patch management team, normally through email for firms in this tier. Despite several shortcomings, the main feature of this tier is that the organization has a very formal process around vulnerability management – and this allows for evolution into higher tiers of maturity.
Tier II: Data-managed approach to vulnerability management
Now we start to see a little more sophistication. IT-focused scanning is now complemented with other, specialty scanners – such as those for external assets (e.g. Netsparker, SecurityScorecard) and certain applications (e.g. Onapsis for SAP vulnerabilities). At the prioritization step, we see teams start to use a database to store vulnerability information from the different scanners (often a commercial solution for managing vulnerability data, and sometimes the SIEM itself).
The use of a database – as opposed to manual means – is a clear marker of maturity. The organization cannot easily grow in sophistication without a strong data management process for its vulnerabilities. Data management at this stage of development also allows additional feeds, such as ExploitDB, to be ingested into the prioritization process. In communicating with IT, we see the use of ticketing to identify priorities – though the transition from priority list to tickets is still largely a manual process at this stage.
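The Tier II workflow described above, as an added example (not code from the video, the ebook or any vendor): findings from two scanners are de-duplicated into one SQLite table, joined against an exploit feed, and ranked. All hosts, CVE ids, scores, and the exploit-first ordering policy are constructed assumptions.

```python
import sqlite3

# Constructed sample data: placeholder hosts, CVE ids and scores, not real findings.
SCANNER_A = [("web01", "CVE-0000-0001", 9.8), ("db01", "CVE-0000-0002", 7.5)]
SCANNER_B = [("web01", "CVE-0000-0001", 9.8), ("sap01", "CVE-0000-0003", 6.5)]
# Constructed stand-in for an exploit feed: ids that have a public exploit.
EXPLOIT_FEED = {"CVE-0000-0002", "CVE-0000-0003"}

def build_db(feeds, exploit_ids):
    """Load every scanner's findings and the exploit feed into one database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE finding (host TEXT, cve TEXT, cvss REAL, "
               "source TEXT, PRIMARY KEY (host, cve))")
    db.execute("CREATE TABLE exploit (cve TEXT PRIMARY KEY)")
    for source, rows in feeds.items():
        # INSERT OR IGNORE drops the same host/CVE pair reported by a second scanner.
        db.executemany("INSERT OR IGNORE INTO finding VALUES (?, ?, ?, ?)",
                       [(host, cve, cvss, source) for host, cve, cvss in rows])
    db.executemany("INSERT INTO exploit VALUES (?)", [(c,) for c in exploit_ids])
    return db

def rank_cvss_only(db):
    """Tier I style ordering: severity score alone."""
    return db.execute(
        "SELECT host, cve FROM finding ORDER BY cvss DESC, host, cve").fetchall()

def rank_with_exploits(db):
    """Tier II style ordering (assumed policy): known exploit first, then CVSS."""
    return db.execute("""
        SELECT f.host, f.cve, e.cve IS NOT NULL AS has_exploit
        FROM finding f LEFT JOIN exploit e ON e.cve = f.cve
        ORDER BY has_exploit DESC, f.cvss DESC, f.host, f.cve""").fetchall()

if __name__ == "__main__":
    db = build_db({"scanner_a": SCANNER_A, "scanner_b": SCANNER_B}, EXPLOIT_FEED)
    print("CVSS only:   ", rank_cvss_only(db))
    print("With exploit:", rank_with_exploits(db))
```

With the constructed data, the 9.8 finding that tops the CVSS-only list drops to last once exploit availability is considered, which is the kind of reordering a manual spreadsheet process makes hard to reproduce.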
Tier III: Intelligence-driven vulnerability management
Here we see the organization take a more threat-focused approach to vulnerability management. The vulnerability management team develops a working relationship with threat intelligence to inform prioritization and now we start to see the beginnings of a more proactive stance.
By leveraging threat intelligence, we also start to see that tickets sent to patch management now include threat intelligence to justify patching priorities. This tier is also characterized by a higher level of automation – use of APIs and automatic ticket creation. That said, there are challenges even at this tier. As threat intelligence is largely manual, the organization will have difficulty scaling the analytical process.
CYR3CON PR1ORITY can impact the vulnerability management process at any tier. The platform’s web-based user interface allows for threat-focused prioritization even for organizations at Tier I – as prioritizing is as easy as drag-and-drop. For Tier II, the CYR3CON API can easily integrate prioritization into the organization’s vulnerability data management solution. Finally, CYR3CON’s ability to scale makes it impactful for Tier III as organizations look to scale the vulnerability management process.
Download the ebook for a deeper look at Digital Transformation for Vulnerability Management, and be sure to take advantage of our Predictive Threat Assessment today to see how CYR3CON can impact your vulnerability management program at every stage of its life cycle.