Today's Whiteboard Wednesday features Bernd Leger, Rapid7's VP of Marketing, who will be talking about how you can become more efficient with vulnerability management programs by focusing on the vulnerabilities that really matter!
Interested in trying out Nexpose? Download today to utilize our Real Risk feature that tells you which vulnerabilities need the most attention from your security team. Become more efficient with your vulnerability management today!
Welcome. My name is Bernd Leger. I'm the VP of Marketing with Rapid7. Welcome to Whiteboard Wednesday. Our topic for today is: How you can save 150 hours with your vulnerability management program. Let's get started.
Let's assume you're a medium-sized organization, and you have roughly 6,000 IPs in your environment. You can use a vulnerability management tool to help you discover all your assets in your environment. Clearly, from discovering all of your IPs, you want to then identify if you have potential vulnerabilities in your environment. What we're finding, on average, is that it's about a 3:1 ratio. So, let's say, you find 2,000 vulnerabilities in your environment. These could be in your databases, these could be in your networks, in your web applications. Once you have those 2,000, the next step would be figuring out which of those matter most in your environment. Is there a way that you can prioritize? Many organizations use either proprietary mechanisms of prioritizing like high, medium, low, which are internal mechanisms, or they might be using industry standards like CVSS.
Let's say, you break it down further to 400. Now you've been able to prioritize. You're down from 6,000 IPs, 2,000 vulnerabilities, down to 400 high priority vulnerabilities. As a next step, you would be interested in clearly identifying if those are real and if you have to take action. Let's say it takes about five minutes, on average, to investigate each one of these vulnerabilities. It then takes about 20 minutes, again, these are industry averages. It may vary in your organization. Let's say, it takes about 20 minutes in your organization to actually remediate or mitigate these vulnerabilities. Remediation would be actually fixing the root cause of the issue. Mitigation would be to potentially set up a compensating control; this could be a firewall or another mechanism of action mitigating.
If you do the math and you add up 25 minutes, and multiply that by 400 high priority vulnerabilities, that actually gets you to, roughly, 166 hours of time that your team would have to spend every single month in working through the patching and remediation process. Let's say, on average, you would pay your team about $50 per hour, per team member. That would equate, roughly, to $8,000 in operational costs that you would have to invest. So, that's the current state. What if I could tell you that you could save 150 hours every month? How would you do that? Let's get started on that.
Let's say, we start at the same point of 6,000 IPs. And you identify the same 2,000 vulnerabilities. And, let's assume you use the same mechanisms as the other organization, of getting down to 400. Now this is where the prioritization comes in and where you can do further drilling down. The way to further prioritize is to actually look for potential malware hits in your environment and to look for actual exploit exposures. What this means is that there might be a few malware hits that trigger major security breaches that you can identify in your environment. There are actually very, very few vulnerabilities that trigger these malware hits. If you can identify these critical vulnerabilities that could lead to a malware hit, you've done a fantastic job in further prioritizing.
Let's say, with malware exposure and exploit exposure, you can bring that number down further to around 200, which is great. But you can take that even one step further. Assuming you can actually validate these vulnerabilities in your environment to see if they're real, if they're actually exploitable, you can drill down even further into this number. Using a tool, such as a penetration testing tool, you can actually drill that number further down; let's say that number is 40. Again, these are industry averages. It may vary in your organization. But, for this example, we'll use 40. Using the very same math logic of five minutes and 20 minutes, you'll see a stark contrast of, actually, 16 hours that you're now spending on your vulnerability management program every month which, basically, is an operational cost of $800 rather than $8,000.
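The funnel described above (CVSS cut-off, then malware/exploit exposure, then validation by a penetration-testing tool) and the 5-minute investigate plus 20-minute fix cost model, as an added worked example that is not part of the Rapid7 transcript or of Nexpose. The `Vuln` record, its field names (`malware_kits`, `exploits`, `validated`) and the ten sample findings are constructed for illustration; the time and hourly-rate assumptions are the ones quoted in the talk.

```python
"""Vulnerability-prioritisation funnel with effort and cost estimation.

Added example: the record layout and sample data are constructed, not
Nexpose output. Time and rate figures follow the transcript's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MINUTES_INVESTIGATE = 5    # transcript: ~5 min to confirm a finding is real
MINUTES_FIX = 20           # transcript: ~20 min to remediate or mitigate
HOURLY_RATE = 50.0         # transcript: ~$50 per team member per hour


@dataclass
class Vuln:
    """One finding from a scan (constructed shape, hypothetical field names)."""
    vuln_id: str
    cvss: float
    malware_kits: int = 0     # known malware kits that weaponise this issue
    exploits: int = 0         # publicly available exploit modules
    validated: bool = False   # confirmed exploitable by a pen-test tool


def effort(count: int,
           investigate: int = MINUTES_INVESTIGATE,
           fix: int = MINUTES_FIX,
           rate: float = HOURLY_RATE) -> Dict[str, float]:
    """Hours and dollars needed to work `count` findings end to end."""
    hours = count * (investigate + fix) / 60.0
    return {"count": count, "hours": hours, "cost": hours * rate}


def funnel(vulns: List[Vuln], cvss_cutoff: float = 7.0) -> List[Tuple[str, List[Vuln]]]:
    """Apply the transcript's stages in order and keep each stage's survivors."""
    stages: List[Tuple[str, List[Vuln]]] = [("all findings", list(vulns))]

    high = [v for v in vulns if v.cvss >= cvss_cutoff]
    stages.append(("cvss >= %.1f" % cvss_cutoff, high))

    exposed = [v for v in high if v.malware_kits > 0 or v.exploits > 0]
    stages.append(("malware/exploit exposure", exposed))

    confirmed = [v for v in exposed if v.validated]
    stages.append(("validated exploitable", confirmed))
    return stages


def funnel_report(vulns: List[Vuln]) -> List[Tuple[str, Dict[str, float]]]:
    """Per-stage count, hours and cost, so the saving is visible per step."""
    return [(name, effort(len(found))) for name, found in funnel(vulns)]


def hours_saved(vulns: List[Vuln]) -> float:
    """Difference between working every finding and only the validated ones."""
    report = funnel_report(vulns)
    return report[0][1]["hours"] - report[-1][1]["hours"]


# Constructed sample scan: ten findings with a mix of severity and exposure.
SAMPLE: List[Vuln] = [
    Vuln("V-001", 9.8, malware_kits=2, exploits=3, validated=True),
    Vuln("V-002", 9.1, exploits=1),
    Vuln("V-003", 7.5, malware_kits=1, validated=True),
    Vuln("V-004", 7.2),
    Vuln("V-005", 8.0),
    Vuln("V-006", 5.3, exploits=2, validated=True),   # exploitable, but below cut-off
    Vuln("V-007", 4.0),
    Vuln("V-008", 6.5, malware_kits=1),
    Vuln("V-009", 9.0, exploits=1, validated=True),
    Vuln("V-010", 7.8, exploits=1),
]

if __name__ == "__main__":
    for name, est in funnel_report(SAMPLE):
        print("%-26s %3d findings  %6.2f h  $%8.2f"
              % (name, est["count"], est["hours"], est["cost"]))
    print("hours saved per cycle: %.2f" % hours_saved(SAMPLE))
```

One caveat the sample data is built to show: `V-006` has public exploits and was validated, yet a CVSS cut-off applied first drops it before the exposure stage ever sees it. Whatever tool you use, check that the severity filter runs after, or alongside, the exploit and malware exposure signals rather than in front of them.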
So, in summary, you've saved yourself roughly 150 hours of work every month, and you've saved yourself roughly $7,200 of operational costs - again, these are opportunity costs - that you could be spending elsewhere, or you could have your team focused on other critical elements in your environment program and your security program.
That was a summary of how you can save your team 150 hours every month. Thank you very much for attending our program today, and we look forward to seeing you again for another Whiteboard Wednesday. Thank you.