Stop Putting Rocks in the Vault

rhuber    June 6, 2013

Imagine you are handed two items, a rock and a 400-troy-ounce bar of gold, and are tasked with protecting each from theft. You will spend more time considering how to secure the gold than the rock, because you know the underlying value of each. Context matters, yet vulnerability management systems often work under the assumption that all of your assets are gold (or rocks).

In Risk I/O, we add context to your vulnerabilities in order to prioritize the most critical.


I recommend reading “Vulnerability Management is a Lie” by Tony Turner. He has good insight into the state of vulnerability management, and what needs to be done to make us more effective at remediation. His key points line up with what we have developed at Risk I/O:

1. We need a way to prioritize vulnerabilities.

Our system tracks assets independently and internally, allowing you to add contextual value to assets picked up by disparate vulnerability scanners. We go beyond this by monitoring global trending vulnerabilities and internet attack traffic, allowing you to focus on current threats to your key assets.

2. We need a way to escalate from vulnerability detection to work actually being performed.

We have a bidirectional connector for JIRA, which allows us to assign work and monitor the resolution from within our application. You can also manage the remediation directly within Risk I/O if you prefer not to use a ticketing system.

3. Once work is performed, it would be helpful to be able to reference that back in the vulnerability scanning tools.

Thanks to the ticketing system integration, we can also find the associated scanner and vulnerability information, allowing you to verify the resolution efficiently. For some scanners we can even trigger a retest and ensure the vulnerability has been properly handled.
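The prioritization idea in point 1, written out as a small added example (this is illustrative code, not Risk I/O's implementation). The asset tiers, weights, host names, finding ids and the trending/attack-traffic boost factors are all assumptions chosen for the example; the point it shows is that a "critical" finding on a rock can rank below a medium finding on gold that is actually being attacked.

```python
from dataclasses import dataclass

# Hypothetical asset context a team would maintain: which hosts are "gold"
# and which are "rocks". Tier names and weights are assumptions for this example.
TIER_WEIGHT = {"gold": 5.0, "silver": 3.0, "rock": 1.0}
ASSET_TIER = {"payroll-db": "gold", "web-frontend": "silver", "lobby-kiosk": "rock"}


@dataclass
class Vuln:
    vid: str                      # scanner finding id (constructed placeholder)
    asset: str                    # hostname as reported by the scanner
    cvss: float                   # scanner severity, 0.0-10.0
    trending: bool = False        # seen in global trending-vulnerability feeds
    attack_traffic: bool = False  # matching internet attack traffic observed


def risk_score(v: Vuln) -> float:
    """Scanner severity weighted by asset value, boosted by live threat activity.
    Unknown assets default to the lowest tier so they never crowd out known gold."""
    score = v.cvss * TIER_WEIGHT[ASSET_TIER.get(v.asset, "rock")]
    if v.trending:
        score *= 1.5
    if v.attack_traffic:
        score *= 2.0
    return round(score, 1)


def prioritize(vulns):
    """Return findings highest risk first, so ops gets a short, ordered list."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed findings: a "critical" on a rock versus a "medium" on gold under attack.
SAMPLE = [
    Vuln("vuln-a", "lobby-kiosk", 9.8),
    Vuln("vuln-b", "payroll-db", 5.3, trending=True, attack_traffic=True),
    Vuln("vuln-c", "payroll-db", 7.5),
    Vuln("vuln-d", "web-frontend", 8.0, trending=True),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vid:8} {v.asset:14} cvss={v.cvss:4} risk={risk_score(v)}")
```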

Additionally, I encourage you to empathize with your operations team when considering what vulnerabilities to focus on. They are probably resource constrained, so making their tasks meaningful and uncomplicated is important. Adding context will allow you to focus on the right issues instead of sending them another 500-page PDF with 300 “critical” vulnerabilities.
