The terms “patch management” and “vulnerability management” are sometimes used interchangeably, but it is important to understand the difference. Though both strategies aim to mitigate risk, patch management (the process of managing software updates) is limited in scope. To gain a deeper understanding of your environment and make informed, impactful decisions, you need to move to a more holistic approach through vulnerability management. Vulnerability management is a continuous process of identifying, prioritizing, remediating, and reporting on security vulnerabilities in systems and the software that runs on them.
Patch management is a critical component of vulnerability management, but it’s just one piece of the puzzle—and technology can make all the difference. For example, Kurt Hazel, IT security manager for financial institution Security Finance, knew his organization was an attractive target for hackers and wanted his team to be able to take a proactive approach to managing vulnerabilities. So, he made the switch and adopted Rapid7 InsightVM, enabling Security Finance to move to a more mature security program.
In a similar spot? Here’s what you can learn from Kurt’s experience.
1. Implement asset management
Your ability to reduce risk is only as good as the visibility you have into your environment. An asset management solution helps you gain a full understanding of the assets you have and the vulnerabilities associated with each asset. With that knowledge, you are equipped to prioritize vulnerabilities, remediate issues, and communicate effectively with stakeholders.
According to Kurt, back when his team only did patch management, they “didn’t have the full story about what was still left unaccounted for on each of the systems.” But InsightVM increased their visibility.
InsightVM provides visibility into on-premises, remote, and cloud assets. Its discovery scans directly integrate with Amazon Web Services (AWS), Microsoft Azure, and VMware to detect devices as soon as they’re spun up or taken down. Once you have a comprehensive view of your environment, you can make the best decision about what to assess.
2. Prioritize vulnerabilities
With limited time and resources and an ever-changing threat landscape, it’s unrealistic to think that you can fix every vulnerability as soon as it appears. Consequently, prioritization is one of the most critical aspects of vulnerability management. As a security professional in the often-targeted finance industry, Kurt needs to have the ability to prioritize based on what is actually being exploited in the wild.
InsightVM comes with prioritization tools that enable you to make informed decisions about where to take action first. The Real Risk score ranks vulnerabilities on an actionable, 1–1000 scale based on the likeliness of an attacker exploiting the vulnerability in a real attack. The Real Risk score takes CVSS scores, malware exposure, exploit exposure, and vulnerability age into account. Asset Criticality Tagging allows you to indicate which assets are particularly important to your organization, like a system that hosts PII or sensitive corporate data.
3. Remediate vulnerabilities to reduce risk
Identifying and prioritizing vulnerabilities is important, but you’re not actually reducing risk unless you’re remediating the issues.
InsightVM integrates with IT service management (ITSM) software like Jira and ServiceNow to facilitate communication between security and technical teams throughout the remediation process. Technology partner integrations like these was a key factor in Security Finance’s decision to adopt InsightVM. Being able to connect InsightVM with other existing tools in your environment, like patch management solutions, helps to streamline and even automate workflows.
InsightVM also provides you with a list of the remediation steps to take so that you can have the biggest impact on your risk in the least amount of time.
4. Measure the success of your vulnerability management program
No matter how many fancy features a vulnerability management solution has, it’s only worth the investment if it meets your organization’s unique needs and adds value for you and your team. To determine if you’re achieving a good ROI—and justify the purchase to senior leadership—you’ll have to determine how to measure success. Kurt measures success at Security Finance by determining the month-over-month decrease in vulnerabilities in the environment. For this, he uses InsightVM’s robust reporting capabilities.
A couple of useful reports that InsightVM can generate are the Executive Summary Report and the Top 25 Remediations Report. The Executive Summary Report provides insights into month-over-month trends. The Top 25 Remediations Report shows your vulnerabilities broken down by site, domain, and asset group. It also highlights how many assets and machines these vulnerabilities affect and provides you with a list of the quickest and simplest remediation actions you can take.
5. Develop partnerships and support
When something goes wrong, you want to know you have a team of people you can rely on to help troubleshoot. When you choose InsightVM, you’re connected to the dedicated and enthusiastic support professionals at Rapid7. As Kurt says, “The people within Rapid7 are always enthusiastic. They're always there to help us.”
The Rapid7 Insight platform is a one-stop shop for companies looking to improve and advance their cybersecurity. Just getting started with vulnerability management? Having the right partner can help build your overall security platform and combat threats.