Silver SSVM Case Study

Introduction

Secutor’s Signature Vulnerability Management (SSVM) system provides a means to leverage best practice guidance and information to improve Threat & Vulnerability Management. Secutor spends the time necessary to understand our client’s cybersecurity environment, framework, and controls. 

We perform a deep dive on our client’s ability to discover assets, perform vulnerability scans on them, report to application teams and how effectively the organization remediates vulnerabilities. In essence, we evaluate the performance of our client’s cybersecurity program.  

 

We discussed robust security practices with our client’s information security team. We performed a gap analysis of the actual security controls we found against the security controls that the client believed were in place. Where practical, we performed technical assessments of those controls to make a determination if the controls were operating at peak effectiveness. Our processes included performing details reviews of firewall rules, intrusion detection signatures, and the setup and configuration of these cybersecurity solutions – particularly those associated with Threat & Vulnerability Management. One practice that is usually missed is including Threat Intelligence information in the organization’s vulnerability classification process – thereby giving one an incomplete view of risk and vulnerability prioritization. 

Secutor uses threat intelligence information to enhance the effectiveness our the SSVM process. Threat intelligence feeds provide us with an understanding of which vulnerabilities are not only classified as critical in a VM solution, but are those vulnerabilities actually being exploited in the wild. That information helps us paint a true picture of organizational risk. We find that threat intelligence data is absolutely paramount and necessary in a modern Threat & Vulnerability Management program. 

 We make extensive use solutions provided by Qualys. Qualys is one of the original pioneers of saas based VM solutions. We use Qualys to assess our client’s Vulnerability Management programs. We believe that it is critical that organizations be able to timely identify vulnerabilities so that they can be addressed. That process begins and ends with IT asset discovery, vulnerability scanning, report distribution, vulnerability mitigation and remediation techniques, and informing information security leadership about metrics that tell us if the program is successful or not. 

Vulnerability Management is hard, but it doesn’t have to be impossible. We help our clients understand how to build effective Threat & Vulnerability Management programs by focusing on best practices and education. Our programs help clients maintain more accurate IT asset inventory, scan and remediate more effectively. In some cases, the issue isn’t VM, but controls in the IT environment that aren’t keeping pace with vulnerabilities identified. In those cases, we help educate IT how to more effectively handle processes such as patch management, change control, and even desktop and server images. Your VM processes need to adapt in order to effectively deal with the thousands of new vulnerabilities introduced each year.  

SSVM, by its very nature, is an effective Vulnerability Management Program. We’ve designed the “gold” standard of TVM programs and assess our client’s programs against SSVM.  

Situation

One of the largest public transit authorities in the United States, serving almost 6 million people with nearly 5000 employees, has a very large legacy network with sporadic documentation that the new IT Security Manager needed to get under control so that he could modernize their cybersecurity protections. He chose QualysGuard to obtain the visibility needed to rapidly reach his goals. But he quickly discovered that despite how easy Qualys is to manage and maintain, his team didn’t have the required skills to get Qualys deployed on time and in the most optimal configuration for his needs. They had accomplished a partial deployment but weren’t using Qualys to it’s full potential.

Challenges

Secutor performed a gap assessment with SSVM, analyzed the results, and identified a wide range of issues, which including:

  • They didn’t have the information needed from the networking team to scan all available IPs
  • Vulnerability scans weren’t properly scheduled, with a standardized Option Profile
  • Reports and metrics weren’t standardized, and they were using individual scan results rather than the powerful “Host Based” database
  • Authentication wasn’t enabled, so the vulnerability scan results were limited and they weren’t taking advantage of QualysGuard’s built-in “Agent-less Host Tracking” features
  • They were struggling with assigning vulnerabilities to individuals and teams for remediation
  • Lack of defined metrics and KPIs to track progress
  • Lack of effective communication between the network, IT, and security teams

Services Provided

Secutor Cybersecurity experts in conjunction with IT Security, collaborated to perform:

  1. Security Control Gap Analysis – Obtained approved security policies and procedures so that we could assess against best practices and determine where controls were deficient 
  2. Network Security Analysis – Reviewed subnet information provided by the networking team to determine the optimal scanning coverage and schedule; determined if IT asset inventory was complete or lacking.
  3. TVM enhancements – Designed and implemented new processes and procedures around Qualys VM. We helped automate multiple routine vulnerability tasks such as remediation ticket opening to reduce the burden on IT personnel. Our process also included reviewing existing vulnerability scans so we could optimize scan coverage, scan windows, and the penultimate – the prioritization of vulnerabilities.  
  4. Program Metrics and Vulnerability Prioritization – We worked with our customer to select relevant and repeatable metrics. Where possible, we spent the time and effort necessary to automate information gathering, metric collection and communication. The goal being to provide our client with the ability to measure TVM program success.
  5. Governance, Risk, and Compliance (GRC) – We collaborated with our client to reflect their new Vulnerability Management processes and procedures in their policies and standard operating procedures (SOPs). We also tweaked and enhanced the client’s Remediation policies and procedures.
  6. Education and Best Practice Training – During the engagement, we took numerous opportunities to guide our client on TVM and remediation best practices and procedures – providing opportunities for the new systems and processes to be more likely to “stick” once we were no longer onsite. 

Summary

Secutor SSVM: 

  • Helped our client assess their network in the identification of 3,000,000 internal IP addresses. Answering: “Is my IT Asset inventory complete or am I missing assets?”
  • Assisted our client in updating their IT asset and software inventory of 7,000 networked devices. We also helped establish repeatable processes to continue to identify what assets our client needs to protect. 
  • Put specific time and attention on a smaller number of assets (150 assets out of 72,000). Our process helped our client deal with vulnerability prioritization more effectively so that they could demonstrate our vulnerability remediation prioritization process and demonstrate “wins”. 
  • Document security program and architectural improvements. Effectively, helping our client establish one way, the right way of running a TVM program.

Other Case Studies

Having the right group of people to run your vulnerability management program is just as important as the actual program itself. Let’s face it; not all companies can keep up-to-date with the latest security trends as technologies continue to advance, all while bringing on more threats.

If you are going to do something, you may as well do it right. A poorly designed and constructed vulnerability management program is essentially like having no program at all. Why spend the time, money, and resources putting together a program that won’t meet or exceed the expectations you have in place for it?

Year after year, cybercriminals take advantage of more opportunities to infiltrate a system’s vulnerabilities. These attackers feast on the systems that show no real signs of cyclical security maintenance and prevention techniques.

Vulnerability Management is essential. It needs investments in tactics, techniques, and procedures to be a successful program.