Ask the Expert: How can I make my vulnerability solution more responsive?


Kirk Hogan, Chief Innovation Officer at Iceberg Networks, and Allan Liska, CSIRT at Recorded Future, sat down to answer some of the questions they hear about how organizations can prepare for all levels of vulnerability: how to get the best vulnerability prioritization, where to look for vulnerabilities and whether they really are the MOST critical ones, and how to bring in management best practices and tools to help organizations elevate their approach. The following is an edited transcript of the conversation.

Kirk Hogan: I really think if we were to design a more responsive vulnerability management solution, we need to go back to the core element which is going to provide the biggest impact, and that is getting your focus on the right things first. So go back to your scoring and, as you said, Allan, it’s an evolution, so you are not going to get it exactly right the first go. And that’s ok, because what you are doing today is better than it was yesterday, and that should be your plan to go forward — are we always improving? It could be incremental or exponential, but I really do believe that is how we move into a more responsive program. I think your point is really important — what people need to understand is that it’s ok that you are not going to do everything we talk about today, all at once. What you need to think about is what is most important — what are your most important assets and what are you most concerned about in how to protect those, and then you can build out your program based on the success there. Most of this conversation has been around find it, and I break down the life cycle to: find it, fix it, confirm it. And we violently agree on the find it component – and there is also fix it and confirm it, where we need to consider alignment of the language there. If you are an expert in vulnerability assessment analysis, you understand the language around severity and risk etc., but we need to have that same education flow down to the remediation teams, because they ultimately want to understand ‘why is it so important that I prioritize this activity over that activity?’ We need to share the knowledge that when something comes out as very critical or ultrahigh, or whatever your rating system is internally, they appreciate why it’s so critical that they meet some sort of timeline, and I fear to call it an SLA, but there is an urgency. And there is a reason why we applied that risk score in the first place.
So I think the other half of the equation is the fix it, confirm it, and there are things that need to be done within hours, because even minutes matter, seconds matter, within security operations.

Allan Liska: I know when I ran a vulnerability management team I had the most success getting things patched in a timely manner when I was able to tell a story. It’s interesting, because we think of vulnerabilities as being universal: that if it’s a vulnerability, it’s a vulnerability everywhere. So understanding not just what is in the vulnerability database, but also understanding what other threats are out there that may not have made it into the vulnerability database yet, and haven’t been officially assigned a CVE number, but are still floating out in the wild. Perhaps a new vulnerability was just announced and a researcher released proof of concept code that outlines how you could possibly exploit that. As soon as that proof of concept code is released, somebody is going to figure out how to import that into Metasploit or one of the other attack frameworks, and then pretty soon we are going to start seeing people launch that attack using that POC code. And being able to follow that connection from vulnerability announced, to POC code, to Metasploit module developed, to active scanning from groups x, y and z for that vulnerability, that is really where we see a lot of this progress. And that is where those outside experts with that intelligence can really help benefit your organization, because then you really know when it’s a hair-on-fire situation, and you can do things like moving up the patching schedule etc.

See all the Ask the Expert videos in this series:

Ask the Expert Part 1: Why CVSS isn’t enough?
Ask the Expert Part 2: How can I make my vulnerability solution more responsive?
Ask the Expert Part 3: How do you level up your vulnerability management?
Ask the Expert Part 4: What is the difference between vulnerability management and attack surface management?
