Stop Putting Rocks in the Vault

Jun 6, 2013
Kenna Security


Imagine you are handed two items, a rock and a 400-troy-ounce bar of gold, and are tasked with protecting each from theft. You will spend more time considering how to secure the gold than the rock, because you know the underlying value of each. Context matters, yet vulnerability management systems often work under the assumption that all of your assets are gold (or rocks).

I recommend reading “Vulnerability Management is a Lie” by Tony Turner. He has good insight into the state of vulnerability management, and what needs to be done to make us more effective at remediation. His key points line up with what we have developed at Risk I/O:

1. We need a way to prioritize vulnerabilities.

Our system tracks assets independently and internally, allowing you to add contextual value to assets picked up by disparate vulnerability scanners. We go beyond this by monitoring global trending vulnerabilities and internet attack traffic, allowing you to focus on current threats to your key assets.

2. We need a way to escalate from vulnerability detection to work actually being performed.

We have a bidirectional connector for JIRA, which allows us to assign work and monitor the resolution from within our application. You can also manage the remediation directly within Risk I/O if you prefer not to use a ticketing system.

3. Once work is performed, it would be helpful to be able to reference that back in the vulnerability scanning tools.

Thanks to the ticketing system integration, we can also find the associated scanner and vulnerability information, allowing you to verify the resolution efficiently. For some scanners we can even trigger a retest and confirm that the vulnerability has been properly handled.

Additionally, I encourage you to empathize with your operations team when considering what vulnerabilities to focus on. They are probably resource constrained, so making their tasks meaningful and uncomplicated is important. Adding context will allow you to focus on the right issues instead of sending them another 500-page PDF with 300 “critical” vulnerabilities.
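To make the first point (asset context plus trending threat data) and the closing one (300 "critical" findings in a PDF) concrete, here is an added illustration that is not Risk I/O's code or scoring model: scanner severity is combined with an internally assigned asset value and a hypothetical trending/attack-traffic flag, so that a medium on a gold asset outranks a critical on a rock. The weighting, asset names, vulnerability ids and flags are all invented for the demo.

```python
from dataclasses import dataclass
from typing import Iterable, List

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str       # constructed placeholder ids, not real CVE numbers
    cvss: float        # scanner-reported base score, 0..10
    asset_value: int   # business value you assign internally: 1 (rock) .. 5 (gold)
    trending: bool     # hypothetical feed flag: trending / seen in attack traffic

def scanner_is_critical(f: Finding) -> bool:
    """What the scanner report would label 'critical', ignoring asset context."""
    return f.cvss >= 9.0

def risk_score(f: Finding) -> float:
    """Assumed weighting (illustrative only): scale scanner severity by asset
    value, then add a fixed bump for active exploitation, so a trending medium
    on a gold asset outranks a quiet critical on a rock."""
    base = f.cvss * f.asset_value            # 0 .. 50
    threat_bonus = 15.0 if f.trending else 0.0
    return base + threat_bonus

def prioritize(findings: Iterable[Finding], top_n: int) -> List[Finding]:
    """Short list for the operations team, highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)[:top_n]

def demoted_criticals(findings: List[Finding], top_n: int) -> List[str]:
    """Scanner-'critical' findings that context pushes off the short list."""
    short_list = {f.vuln_id for f in prioritize(findings, top_n)}
    return [f.vuln_id for f in findings
            if scanner_is_critical(f) and f.vuln_id not in short_list]

# Constructed sample scan results (values and flags invented for the demo)
SAMPLE_FINDINGS = [
    Finding("dev-test-01",    "SAMPLE-1", 9.8, 1, False),  # critical CVSS, throwaway box
    Finding("pay-gateway-02", "SAMPLE-2", 5.5, 5, True),   # medium CVSS, gold asset, trending
    Finding("pay-gateway-02", "SAMPLE-3", 9.1, 5, False),  # critical CVSS on the gold asset
    Finding("kiosk-17",       "SAMPLE-4", 9.8, 2, True),   # critical and trending, low value
    Finding("intranet-wiki",  "SAMPLE-5", 7.2, 3, False),  # high CVSS, mid-value asset
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS, 3):
        print(f"{risk_score(f):5.1f}  {f.asset:15s} {f.vuln_id}  "
              f"scanner-critical={scanner_is_critical(f)}")
    print("demoted scanner-criticals:", demoted_criticals(SAMPLE_FINDINGS, 3))
```

With a top-3 short list, the throwaway box's "critical" drops off entirely while the trending medium on the payment gateway ranks second.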
