This blog post was written by Brett Deroche of Amedisys and was previously published on LinkedIn.
I recently read an article on ZDNet that covered a joint Balbix and Ponemon Institute survey. The report goes into myriad metrics, but there were a few that stood out the most. The report attempts to explain why almost half of the surveyed organizations only scan their networks for vulnerabilities quarterly, if at all. With that in mind, it shouldn’t be surprising that this survey also found that almost 50% of organizations aren’t current with their patches.
One of the explanations in the article was that the vulnerability management solutions currently in the market are too complicated. However, vulnerability scanning is not difficult in most environments, and modern vulnerability solutions solve a lot of these problems. I’m going to give you some examples of how Rapid7’s InsightVM can mitigate or completely solve most of the following struggles:
- Static scan ranges
- Inability to communicate priority
- Lack of recurring scans
- Transient assets
- Low-fidelity vulnerability information causes inefficiencies in patch management
- Unable to fully discover the attack surface
- Unable to embrace SecOps and make IT more productive
Let’s tackle these issues one by one with InsightVM:
Problem 1: Static IP scan ranges
Sure, it’s probably best that you start off with some baseline of static IP ranges, but static IP ranges are not the best way to scale a vulnerability management practice. Three words: Dynamic discovery connections. InsightVM can leverage the technologies that likely already exist in your environment to dynamically discover assets. Those connections can aid in asset identification and can be automatically added to the existing scan schedule. You can’t protect what you can’t see, and dynamic discovery connection enables you to see all the things. Boom! Problem No. 1 solved.
Problem 2 : Inability to communicate priority
Many people use the highly criticized CVSS score to determine severity. CVSS is a good starting place, but it’s by no means the be-all and end-all. It is meant to be a standardized numerical score and can be a starting point for determining risk within an environment. That’s where Rapid7’s Real Risk Score comes in. It takes the metrics CVSS quantifies a step further by leveraging insights (pun intended) into existing malware, exploits, exposure, and the amount of time it’s been published to calculate a risk score between 0 and 1,000. Anyone who has experience in vulnerability management knows not all CVSS 8s, 9s, or 10s are created equal. Also, Rapid7 obviously doesn’t know where an asset sits within your environment or what data is housed on that asset, so there are criticality tags that can be used to multiply the risk score. This further assists with risk prioritization.
InsightVM can leverage its live dashboard feature to make a custom dashboard specifically for the groups responsible for communicating priority, whether that’s a system administrator or management. If colorful pie charts don’t solve your communication with management, I don’t know what will.
Problem 3: Lack of recurring scans
Why not? Most vulnerability management solutions, including InsightVM, make this incredibly easy. It would be difficult not to set up. There are many options for setting up recurring scans. With a little tuning to the scanning template, scans will be optimized for your environment. After that, it’s just making sure you have properly distributed and resourced the scan engines. The other common issue I hear around recurring scans are maintenance windows. Many system administrators are afraid of vulnerability scans during maintenance windows. A properly tuned vulnerability scan won’t run your asset out of resources, and if it somehow does, it’s not likely to do it for an extended period. On average, vulnerability scans with InsightVM take 10–12 minutes per asset.
The other concern I’ve heard is that the system might be rebooted during the middle of the scan. Who cares? If the vulnerability scan misses the asset due to a reboot, it’ll catch it on the next cycle. If none of this eases your concerns, InsightVM makes it easy to configure global and site-specific blackout periods that will prevent any scans from running during the prescribed times. Configure recurring scans now!
Problem 4: Transient assets
The solution is an agent. Don’t scream. It IS the solution, not the problem. The Insight Agent that InsightVM leverages is incredibly lightweight. I understand that a vendor has never pitched its “heavyweight agent,” but in this case, Rapid7 delivers on the lightweight agent promise. The agent allows for visibility both on- and off-network. It’s impossible to secure what can’t be seen. It gives the insight that security teams desire. The Insight Agent doesn’t provide the same level of information that a traditional vulnerability scan will, but it will provide you with any information that can be gathered locally on the machine. More importantly, it will provide a great deal more information than you would have had if you didn’t leverage the agent.
Problem 5: Low-fidelity vulnerability information causes inefficiencies in patch management
InsightVM can solve this problem a few different ways. Especially early on in a vulnerability management practice, it's probably best to start off with what Rapid7 calls the "Top Remediations" report for quick, actionable data. Use this report for the small-effort, big-impact approach to your organization. This report gives you single solutions, along with the impacted devices and the associated impact on your environment. For example, it could tell you that upgrading Java within your environment will remediate X% of vulnerabilities, reducing your risk score by Y%. Maybe remediating Java doesn't sound like a small-effort, big-impact scenario in your environment, but either way, it allows you to start the communication.
As the practice evolves, dive into individual vulnerabilities and find the associated "proof" section. Like the name infers, the proof tells the patch management and other remediation teams exactly what it detected. The proof section will come in clutch when communicating individual findings to the remediation teams or when conducting false-positive investigations. Beyond that, it recommends the best solution given the specific machine's characteristics—that’s right, you don’t have to sift through the 100+ possible remediations for a single vulnerability. It gives you the link directly to the best remediation, along with instructions on how to remediate.
But wait, there's more. The Remediation Projects feature can also be leveraged to measure your progress in remediating specific vulnerabilities, such as your progress on updating Java. Projects mean metrics and dashboards—that’s right, bright colors and pie charts.
Problem 6: Unable to fully discover the attack surface
Rapid7 operates an open-access project called Project Sonar. Project Sonar conducts internet-wide scans and provides that data to the customer for FREE. It can also provide SSL certificate and service identification. Want to know whether you have Telnet, SSH, or RDP exposed to the internet? Hopefully, you do want to know. Project Sonar can tell you. Using a combination of dynamic discoveries, dynamic assets groups, and automated actions, you can query this information and take appropriate action around those assets.
What does that look like in practice? It may be that a new internet-accessible asset is discovered. An automated workflow can be easily created around this trigger to queue a vulnerability scan from Rapid7’s hosted engine or even your own AWS or Azure scan engine. When I mention automated workflow, I don’t mean something that is going to require you to know Python or other language. It’s completely GUI-based, but the best part is that it will explain all the steps that the workflow is taking behind the scenes. Obviously, this isn't going to detect the "entire" attack surface, but it's a step in the right direction.
Problem 7: Embrace SecOps and make IT more productive
Rapid7 InsightVM gives a security team the necessary tools to enable IT and become an overall more productive IT shop. InsightVM has existing connections with ServiceNow, Jira, Microsoft SCCM, and IBM BigFix. This means that the security team, in conjunction with the patch management team, can define specific triggers to automate patching. I realize that to many, the thought of “automatic patching” is completely out of the question, but stick with me for a second. What is the expected availability of development and/or test machines? How does your team deal with true critical vulnerabilities? Leveraging the powerful filtering capabilities, specific triggers can be created depending on the vulnerability and/or asset. Maybe you only want to patch Microsoft patches on test machines. That’s as easy as a few clicks and defining that criteria, which InsightVM walks you through. If your IT team already leverages a ticketing system such as Jira or ServiceNow, InsightVM can leverage that same platform to communicate vulnerability and respective remediation steps as well. With a closed-loop integration, if a ticket is updated in the ticketing system, it will update the InsightVM platform, and vice-versa. Whether you’re looking for automated patching, automated communications, or just colorful charts, InsightVM can make your process more streamlined.
As you can see, modern vulnerability solutions—and InsightVM specifically—have solved most of these problems. It only takes a few days to set it up. Sure, if you’re trying to run a fully mature vulnerability management practice, it’ll take time and tuning, but that’s true for any practice. InsightVM makes going from 0% to 80% of a mature vulnerability management practice easy. That’s right. You can go from 0 to recurring vulnerability scans and automated workflows in a week, if you take your time. If you’re too understaffed to have someone solely focus on vulnerability management for a week, engage Rapid7’s professional services. Either way you slice it, do something. The barrier to entry isn’t large. Maybe you don’t set up all the features that I’ve mentioned, but you can figure out which of your problems you can solve and then solve those. Then, when you have more time, solve the next one.