TRUE has been providing managed vulnerability scanning services for clients for years, scanning external and internal network environments for the latest exploits, supplying reports, and remaining just a phone call away for remediation guidance, report interpretation, and discussing what keeps our clients up at night. While we’ve helped identify what needs to be fixed and what can wait, we have found that too often vulnerabilities go ignored. Scanning continues, but organizations don’t always move the needle and are often no more secure as a result. As Scott Williamson mentioned in our last blog, Solving the Vulnerability Problem, we have developed a solution to help change that trend: TrueMVP.
As reported in the 2020 Verizon Data Breach Investigations Report (DBIR), hosts susceptible to major new vulnerabilities also tend to be defenseless against many older vulnerabilities, shedding light on the importance of routine patching in vulnerability management. Leaving systems unpatched on the Internet only invites attackers to accept the challenge of exploiting them. I know firsthand our Red Team gets excited to find this low-hanging fruit.
In light of this, TRUE is now extending our expertise and capabilities to help clients address each phase of the Vulnerability Management Life Cycle. At the center of it all is a Vulnerability Management Platform automating the vulnerability response workflow, which TRUE configures to provide visibility, accountability, and an all new level of auditability for the organization.
Phase 1: Discover
I recently learned of an Incident Response engagement where a company had made every investment in endpoint protection, SIEM, and vulnerability management technology, but, in the end, their tools didn’t provide adequate coverage, and overlooked assets were exploited by attackers.
Lesson Learned: Regular discovery scans should be completed as part of any Vulnerability Management Program. Asset management can often be the root of the problem. If you don’t know assets are there, you can’t patch them. TRUE’s services begin with this important step, with regular discovery scans performed periodically thereafter.
Phase 2: Prioritize Assets
Once all assets are known, taking the extra time to classify each by importance and risk goes a long way in prioritizing remediation and understanding your environment and its risk profile.
As part of the onboarding process, TRUE reviews each asset with our clients to categorize by criticality and value to the organization – e.g., does it store sensitive data or trade secrets, or host systems critical to keep the business operating – with each further identified as external or internal.
Note: If you don’t currently have a handle on your assets, this is an area where TRUE’s Risk Advisory Services team can lend their expertise with asset and data discovery projects to help identify and document sensitive data flows, data objects, and systems that process sensitive data within the organization.
Phase 3: Assess
Regular scanning is the easy part. Conducting regular vulnerability scanning is not only security best practice but often required for compliance. TRUE schedules and conducts each scan at the contracted interval, monthly or quarterly, with monthly recommended to stay on top of the latest security threats.
Our new solution leverages existing scanning licensing, or we can procure new licensing on a client’s behalf as part of our service. The Platform imports vulnerability scan data from most scanning toolsets with 50+ integrations, and it’s not limited to network-based scanning platforms. Application and compliance scan data can also be imported into the tool, for holistic scan management. To point out one integration example, internal scans completed using AlienVault SIEM licensing can be imported, without incurring any additional scanning licensing costs. If you are already a beneficiary of TRUE’s 24x7x365 Managed SIEM Monitoring services, this is a nice bonus.
Now that we have captured and prioritized all discovered assets, we leave the assessment magic to the Platform itself. Raw scan results include severity ratings to give you a good idea of what needs to be fixed now and what can wait. Typical vulnerability scanning reports classify vulnerabilities using the Common Vulnerability Scoring System (CVSS), a free and open standard for rating the severity of computer system security vulnerabilities. These scores take a one-size-fits-all approach to prioritization, accounting for neither the criticality of the asset to the organization nor the availability of exploits in the wild. Ranked by CVSS alone, a vulnerability with a high score but no available exploit may be prioritized over one with a lower score that is actively being exploited and in actuality presents a much greater risk. Because assets were prioritized up front, the Platform can weigh all of these factors in its assessment output. The result is clearly prioritized, risk-ranked vulnerabilities that demand and deserve your attention, neatly displayed within a single pane and tailored to your specific environment.
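To make the prioritization point concrete, here is an added example (not TRUE’s code and not the Platform’s scoring model) that ranks the same set of findings two ways: by CVSS base score alone, and by a risk score that multiplies CVSS by the asset criticality and exposure recorded in Phase 2 and by the exploit status from the scan. The weights, the asset inventory, the scan export format, and the VULN-A to VULN-D identifiers are all constructed for illustration.

```python
"""Risk-ranking vulnerability findings: CVSS alone versus CVSS adjusted for
asset criticality, exposure, and exploit availability (illustrative example)."""
import csv
import io
from dataclasses import dataclass

# Multipliers are assumptions chosen to illustrate the idea, not a standard.
CRITICALITY_WEIGHT = {"low": 0.6, "medium": 1.0, "high": 1.4, "critical": 1.8}
EXPOSURE_WEIGHT = {"internal": 1.0, "external": 1.3}
EXPLOIT_WEIGHT = {"none": 0.5, "public": 1.2, "active": 2.0}

# Constructed Phase 2 asset inventory: hostname -> (criticality, exposure).
ASSET_INVENTORY = {
    "test-db-01": ("low", "internal"),
    "web-01": ("critical", "external"),
    "portal-02": ("medium", "external"),
    "file-srv-03": ("high", "internal"),
}

# Constructed scan export. Column names are assumptions, not a real tool's schema.
SCAN_EXPORT = """host,vuln_id,cvss,exploit
test-db-01,VULN-A,9.8,none
web-01,VULN-B,7.5,active
portal-02,VULN-C,8.8,public
file-srv-03,VULN-D,5.3,active
"""


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    cvss: float        # CVSS base score, 0.0 to 10.0
    criticality: str   # from the asset inventory (Phase 2)
    exposure: str      # "internal" or "external"
    exploit: str       # "none", "public", or "active"


def load_findings(csv_text, inventory):
    """Join scan rows with the asset inventory.

    Returns (findings, unknown_hosts). A host missing from the inventory is a
    discovery or asset-management gap (Phase 1), so it is reported rather than
    silently assigned a default criticality.
    """
    findings, unknown = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cvss = float(row["cvss"])
        if not 0.0 <= cvss <= 10.0:
            raise ValueError(f"CVSS out of range for {row['vuln_id']}: {cvss}")
        if row["host"] not in inventory:
            unknown.append(row["host"])
            continue
        criticality, exposure = inventory[row["host"]]
        findings.append(Finding(row["host"], row["vuln_id"], cvss,
                                criticality, exposure, row["exploit"]))
    return findings, unknown


def risk_score(f):
    """CVSS scaled by asset criticality, exposure, and exploit status."""
    score = (f.cvss * CRITICALITY_WEIGHT[f.criticality]
             * EXPOSURE_WEIGHT[f.exposure] * EXPLOIT_WEIGHT[f.exploit])
    return round(score, 2)


def rank_by_cvss(findings):
    """Ordering a plain scanner report would give: highest CVSS first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def rank_by_risk(findings):
    """Risk-based ordering: highest adjusted score first."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -risk_score(f))]


if __name__ == "__main__":
    found, missing = load_findings(SCAN_EXPORT, ASSET_INVENTORY)
    print("unclassified hosts:", missing)
    print("by CVSS :", rank_by_cvss(found))
    print("by risk :", rank_by_risk(found))
    for f in sorted(found, key=lambda f: -risk_score(f)):
        print(f"{f.vuln_id} cvss={f.cvss} risk={risk_score(f)} ({f.host})")
```

With the constructed data, CVSS alone puts VULN-A (9.8, on an internal test box with no exploit) at the top, while the risk ranking moves VULN-B (7.5, actively exploited on an external critical host) to first and VULN-D (5.3, actively exploited on a high-value host) ahead of the 8.8-rated VULN-C. Hosts that appear in scan output but not in the inventory are returned separately so the asset list can be corrected before the ranking is trusted.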
Phase 4: Report
The Platform archives all assessment data, providing accessible audit evidence when needed. Platform reports as well as raw scan result reports can be exported directly from the interface and provided to auditors at a moment’s notice.
In the past, our work was done when we delivered the scanning report, while our clients’ work had only just begun. Although we offered guidance on understanding vulnerabilities and additional insight on remediation, the handholding stopped there.
With our new solution, TRUE is embedded within the entire life cycle. After scanning is conducted, we schedule regular results review meetings following each scan. By meeting on a regular cadence with TRUE, scanning results and activities gain more visibility within the security team and can be neatly summarized for upper management, where results can no longer be swept under the rug, at least not without friendly and persistent follow-up. We fill a facilitator role, discussing the vulnerabilities and plans for remediation, providing guidance, and addressing any questions that arise. When a remediation solution is not available, TRUE discusses mitigating factors to consider to best address the threat at hand. TRUE is there to help drive remediation progress, adding a new layer of visibility and accountability to help stay on track with remediation and leverage the expertise and capabilities available for vulnerability management success.
Phase 5: Remediate
Once fully aware of the risks discovered vulnerabilities pose, patching and updating misconfigurations should be performed on a regular basis. We recommend organizations follow a monthly patching schedule, with critical patching performed as soon as possible upon release. The Platform is especially helpful in this area because remediation tasks can be assigned to specific individuals with deadlines and reminder settings to help drive accountability, with tracking functionality to serve as audit evidence to demonstrate when remediation is completed.
When critical vulnerabilities are uncovered but clients lack the time or the confidence to address them, experts at TRUE are standing by. TRUE has a dedicated team of IT engineers available to perform patching, configuration updates, and other remediation activities under a Block Time Services Agreement. Simply request this support from TRUE during regular results meetings, and we will arrange the rest.
Phase 6: Verify
Once remediation is completed, TRUE will re-scan to verify remediation was successful, with the Platform tracking the remediated status, completing the Vulnerability Life Cycle … until the next scan.
The Vulnerability Management Life Cycle is a continuous process that requires diligence and commitment. TRUE is here to help each step of the way. Our structured vulnerability management approach, utilizing a powerful Platform combined with TRUE’s expertise and persistence, ultimately empowers clients to take the steps necessary to protect their networks and systems against evolving threats inherent to our connected world. TRUE’s team can help you address those threats, one scan at a time.