Imagine you are handed two items, a rock and a 400-troy-ounce bar of gold, and are tasked with protecting each from theft. You will spend more time considering how to secure the gold than the rock, because you know the underlying value of each. Context matters, yet vulnerability management systems often work under the assumption that all of your assets are gold (or rocks).
I recommend reading “Vulnerability Management is a Lie” by Tony Turner. He has good insight into the state of vulnerability management, and what needs to be done to make us more effective at remediation. His key points line up with what we have developed at Risk I/O:
1. We need a way to prioritize vulnerabilities.
Our system tracks assets independently and internally, allowing you to add contextual value to assets picked up by disparate vulnerability scanners. We go beyond this by monitoring global trending vulnerabilities and internet attack traffic, allowing you to focus on current threats to your key assets.
2. We need a way to escalate from vulnerability detection to work actually being performed.
3. Once work is performed, it would be helpful to be able to reference that back in the vulnerability scanning tools.
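As an added illustration of the prioritization idea in point 1 (this is example code, not Risk I/O's own system; the two scanner formats, the asset values, the CVE identifiers and the threat feed are all constructed placeholders), the snippet below merges findings from two scanners with different field names, weights each by the asset's contextual value, boosts anything currently trending in attack traffic, and emits a ranked work queue:

```python
# Constructed sample: the same network as seen by two scanners with different
# output formats. CVE ids are placeholders, not real vulnerabilities.
SCANNER_A = [
    {"host": "10.0.0.5", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8},
    {"host": "10.0.0.9", "cve": "CVE-EXAMPLE-0002", "cvss": 7.5},
]
SCANNER_B = [
    {"ip": "10.0.0.5", "id": "CVE-EXAMPLE-0001", "score": 9.8},  # duplicate of A
    {"ip": "10.0.0.7", "id": "CVE-EXAMPLE-0003", "score": 9.1},
]

# Contextual asset value supplied by the owner: the "gold" vs "rock" of the post.
# 10.0.0.5 is the gold bar, 10.0.0.7 is the rock (hypothetical values).
ASSET_VALUE = {"10.0.0.5": 10, "10.0.0.7": 2, "10.0.0.9": 6}

# Hypothetical threat feed: CVEs currently trending or seen in attack traffic.
TRENDING = {"CVE-EXAMPLE-0002"}


def normalize(scanner_a, scanner_b):
    """Merge both scanner formats into one {(asset, cve): cvss} map,
    so the same finding reported by two tools is tracked once."""
    findings = {}
    for f in scanner_a:
        findings[(f["host"], f["cve"])] = f["cvss"]
    for f in scanner_b:
        findings.setdefault((f["ip"], f["id"]), f["score"])
    return findings


def priority(cvss, asset_value, trending):
    """Severity weighted by asset context, doubled when the threat is live.
    Unknown assets default to value 1 in work_queue (treated as rocks)."""
    score = cvss * asset_value
    return score * 2 if trending else score


def work_queue(scanner_a, scanner_b, asset_value, trending):
    """Return findings as (asset, cve, priority), highest priority first."""
    findings = normalize(scanner_a, scanner_b)
    ranked = [
        (asset, cve, priority(cvss, asset_value.get(asset, 1), cve in trending))
        for (asset, cve), cvss in findings.items()
    ]
    return sorted(ranked, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for asset, cve, score in work_queue(SCANNER_A, SCANNER_B, ASSET_VALUE, TRENDING):
        print(f"{score:6.1f}  {asset:10}  {cve}")
```

Note that the CVSS 9.1 finding lands last: on a low-value asset it ranks below a 7.5 that is actively being exploited against a more valuable one, which is the ordering the operations team actually needs.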
Additionally, I encourage you to empathize with your operations team when considering which vulnerabilities to focus on. They are probably resource-constrained, so making their tasks meaningful and uncomplicated is important. Adding context will allow you to focus on the right issues instead of sending them another 500-page PDF with 300 “critical” vulnerabilities.