From Replaceable Commodity to Must-Have: Three Tips to Up-Level Your Vulnerability Management Service

Reposted from our Guest Column on MSP Insights



In our business, we talk with MSPs and MSSPs on a regular basis and often our conversation turns to how the service provider handles vulnerability management for their clients.  All too often the service provider has added a bare-bones service around vulnerability management to upsell or grow their customer base. Compared with SOC-as-a-service or incident response – the more exciting services normally associated with cybersecurity – vulnerability management gets viewed as a box to check. 

However, nothing could be further from the truth. Vulnerability management is the primary means by which an organization can avoid attacks. It lets an MSP/MSSP put their clients in a more proactive position and reduce costs. From a business perspective, vulnerability management can lead to new streams of recurring revenue as well as improve other services like SOC operations. In this article, we give three tips on how to turn vulnerability management from a boring commodity service into something that excites customers.

  1. Showcase Avoided Attacks

CIOs and CSOs tend to present vulnerability scanning results to management as a compliance issue – with a focus on ensuring that vulnerabilities are identified and patched within a certain amount of time. While important, this mode of presentation does not communicate the effectiveness of the measures and, more importantly, it does not highlight successes. Now suppose the CIO presents to his board 2-3 slides of exploits seen in the wild after his organization has patched the associated vulnerabilities. This provides clear evidence to management that the organization avoided attacks and that its policies are effective.

It will also help the CIO justify security resources, as it shows management that he is actively countering the threat. From an MSP/MSSP perspective, this type of information can easily be layered onto the results of a vulnerability scan, and because findings and in-the-wild exploit reports share the CVE numbering system, the analysis can be scaled to support many clients. It would be very difficult for a CIO to replace a service that helps communicate program effectiveness to management.

  2. Guide the Customer on How to Prioritize Vulnerabilities

Many MSPs/MSSPs find that when they implement vulnerability scanning with a client, the customer becomes overwhelmed with the results. This is especially true when a client has a non-existent or poorly run vulnerability management program that has caused enormous numbers of vulnerabilities to be overlooked. Even beyond that point, with over 1,600 disclosures a month, the number of potential vulnerabilities in a given organization tends to grow. This means that even for firms with great practices, there is a high-risk period of time – a “window of risk” – in which vulnerabilities are queued up for remediation.

Further compounding these difficulties is the fact that the NIST CVSS scoring system has been shown not to be predictive of future exploitation. However, this shortcoming poses an opportunity for a service provider to differentiate. By prioritizing vulnerabilities by threat, using factors such as availability of an exploit, threat intelligence, and other evidence, the customer can be put on the right track toward fixing the most threatened vulnerabilities first. This accomplishes a few things with the customer. First, it recognizes and addresses the pain they have in combating a large number of vulnerabilities with limited resources; it's reasonable to want to remediate what the hackers will attack first. Second, it enables the client to build trust in your results: providing intelligence or other evidence as to why one vulnerability should be patched before another lends credibility to the service provider and differentiates it from those just running a scanner.
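As an added illustration of both the avoided-attacks report from tip 1 and the threat-based prioritization described here (example code written for this article, not from the original column or any vendor product), the following Python joins constructed scan findings to a constructed threat feed keyed by CVE; all CVE ids, hosts, dates and feed field names are made-up placeholders.

```python
from datetime import date

# Constructed sample scan output: (cve, host, cvss, date patched or None if still open).
# The CVE ids are placeholders, not real advisories.
SCAN_FINDINGS = [
    ("CVE-0000-0001", "web-01", 9.8, date(2021, 3, 2)),
    ("CVE-0000-0002", "web-01", 7.5, None),
    ("CVE-0000-0003", "db-01", 5.3, None),
    ("CVE-0000-0004", "db-01", 9.1, None),
    ("CVE-0000-0005", "vpn-01", 8.8, date(2021, 2, 20)),
]

# Constructed threat feed keyed by CVE: whether a public exploit exists and the
# date in-the-wild exploitation was first reported (None if never reported).
THREAT_FEED = {
    "CVE-0000-0001": {"exploit_public": True, "itw_first_seen": date(2021, 3, 10)},
    "CVE-0000-0002": {"exploit_public": True, "itw_first_seen": None},
    "CVE-0000-0003": {"exploit_public": True, "itw_first_seen": date(2021, 1, 5)},
    "CVE-0000-0005": {"exploit_public": False, "itw_first_seen": date(2021, 2, 15)},
}

def avoided_attacks(findings, feed):
    """CVEs the client patched before exploitation was reported in the wild.

    Returns (cve, host, days between patch and first in-the-wild report)."""
    avoided = []
    for cve, host, _cvss, patched_on in findings:
        itw = feed.get(cve, {}).get("itw_first_seen")
        if patched_on and itw and patched_on < itw:
            avoided.append((cve, host, (itw - patched_on).days))
    return avoided

def threat_key(cve, cvss, feed):
    """Sort key: in-the-wild exploitation, then public exploit, then CVSS as tie-breaker."""
    t = feed.get(cve, {})
    return (t.get("itw_first_seen") is not None, bool(t.get("exploit_public")), cvss)

def remediation_queue(findings, feed):
    """Open findings ordered most-threatened first, not highest-CVSS first."""
    open_items = [(c, h, s) for c, h, s, patched in findings if patched is None]
    return sorted(open_items, key=lambda f: threat_key(f[0], f[2], feed), reverse=True)

if __name__ == "__main__":
    for cve, host, days in avoided_attacks(SCAN_FINDINGS, THREAT_FEED):
        print(f"avoided: {cve} on {host}, patched {days} days before first reported attack")
    for cve, host, cvss in remediation_queue(SCAN_FINDINGS, THREAT_FEED):
        print(f"queue: {cve} on {host} (CVSS {cvss})")
```

Note that the CVSS 9.1 finding lands last in the queue because the feed shows neither a public exploit nor in-the-wild activity for it, while the 5.3 finding with confirmed exploitation lands first.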

  3. Coach the Client on How Digital Transformation Initiatives Impact Vulnerability Management

Companies are constantly undergoing digital transformation in one dimension or another. Key trends such as work-from-home, containerization, dev-sec-ops, and OT/IoT all require revisions in vulnerability management. Each of these digital transformation projects brings its own technologies and its own vulnerability management challenges – whether it's mitigating old vulnerabilities in legacy OT devices, understanding the expanded threat surface brought on by containerization, or enabling development teams with best practices to detect and avoid application security vulnerabilities. Understanding the client’s ongoing digital transformation efforts in these areas and getting ahead of the vulnerability-related pain points allows the service provider to take a more consultative approach with the client – and will serve to minimize the expansion of the attack surface associated with digital transformation.

Too many view vulnerability management as “running Nessus” or “part of compliance” when it can actually drive value to clients, build trust, and boost retention. The tweaks involved in doing so are easy to implement across the customer base and will serve to differentiate MSPs/MSSPs from their competitors in this area.