First things first: Asset inventory
When looking at security one first has to be aware what he needs to protect. This seems to be one of the most underrated aspects of a solid security strategy. You can’t protect it if you don’t know that it is there. Seems simple enough in theory but far more difficult in practice.
The vulnerability management toolings and processes will give you this visibility. If we look at the definition of asset management in the NIST framework: “The data, Personnel, devices, systems and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’ risk strategy” Being able to identify the devices and systems already gives you a solid view on your IT environments scope.
Know your environment, know your risks: Asset risk management
Every IT team or department is overrun with to do lists for new features, security issues, operational issues, … Therefore the need to prioritize your actions to the highest impact tasks is crucial to a successful IT department.
Again NIST talk about The organization understands the cybersecurity risk to organizational operations, organizational assets and individuals. Having a view on your assets’ security posture and identifying the tradeoff between effort and impact will give your IT team more focus. Even a better feeling about their day to day operations as they now know they are structurally handling the most important issues. Being efficient with your actions towards IT security posture starts with identifying your risks.
Solution, not just a Tool
Toolings are a great way to help you and be more efficient. However they are not the solution to the problem at hand. They will not magically improve your security posture or analyze your security incidents. Although a lot of the new wave AI/machine learning/SOAR/… toolings claim this. Sifting through the marketing materials, product sheets, demo’s and POC’s of toolings is tiresome and time consuming. Choice confusion amongst IT security products is very real and frustrating.
In the end they are just programs and machines which need to be operated by experts. On the one hand you need to maintain these toolings so they function correctly and give you the information requested. The scope of the engagement will differ from type of tooling and type of IT environment but there is always an administrative overhead. On the other hand you have information that flows out of these toolings which needs to be analyzed. Having the properly verified, scoped and prioritized incidents is vital to your security operation and still needs human interaction.
You are in need of solution to your problem not in need of another tooling which you need to evaluate and operate. Through a managed service you do not need to worry about what tooling you are using. As this assessment of “best of breed” tooling selection is done for you. No need to reassess your toolings every time the bill comes to renew your licenses.
Expertise, not just consultancy
Consultancy is understood to be buying the time of a subject matter expert. However, if you want to properly handle IT security you will need a wide variety of expert skills. Meaning that you will be looking for a unicorn. A managed service focusses more on the expertise and less on the individual skills of a consultant. The service can be handled by 5 persons with all 1 specific skill required to give you your analyses or by 1 person with all of the skills required. In the end it does not matter to you; the result is the same (or better), and finding a unicorn is not your problem anymore.
The above topics talk about processes, people and tooling. To have a successful deployment of vulnerability management you will need to manage these three topics and keep them in harmony.
Most entities do not need a full time employee just for vulnerability management or a dedicated tooling for that matter. Buying a tooling and dedicating a security analyst (or asking one of the current engineers to develop this skill) to managing this is in most cases not feasible. Only very large entities have the scope and resources to build a vulnerability management solution and manage this to its full potential and being cost efficient.
A managed service has developed the processes, people and tooling to handle vulnerability management and exploit it to its full potential. There is a team of experts, which combine a variety of skills, handling the analysis. The processes have matured and are already at a level of “industry best practices” standard. Lastly, the tooling is administered and deployed to give the highest return and lowest impact on your systems.