Flexible Vulnerability Management Solutions

Regardless of size, organizations continue to struggle with the daunting task of vulnerability management. According to Gartner, the average time to exploit from time of disclosure has dropped from 25 days to roughly 8 days in the last two years. In addition, the OWASP Top 10 Vulnerabilities, which are often ranked medium, made up about 40% of all vulnerabilities in the last decade.

Organizations don’t have enough time or people power to address every issue that gets identified, and remediation efforts are being held back by manual processes and a disconnected vulnerability response process that compromises their ability to protect the organizations in a timely manner. But how do you decide which issues need to be addressed first?

With all this in mind, there is no doubt that flexibility is of paramount importance when selecting a vulnerability management solution.

 

What exactly does it mean for a vulnerability management solution to be flexible?

 

As security conditions change and threats emerge, CARTA (Continuous Adaptive Risk and Trust Assessment)-inspired vulnerability management programs need to be flexible enough to adapt to those changes. Traditionally, incorporating new data and technologies is difficult if the management process is not built from premise that the data, business, and security needs of the organization will change over time. The most mature programs are the ones that focus on proactive reporting and prioritization of issues that maximize the efficient use of resources and drive down the costs of operating the business securely.

The ideal risk-based vulnerability management solution is:

  • Interactive and Dynamic
  • Automated with Scheduled reporting
  • And provides Role-based access control

Beyond this, however, there are three major considerations:

 

  1. Tailored to your organization

Your utopian RBVM solution should be designed to adapt to every customer’s risk landscape, completely customizable and flexible enough to ensure that only the most important factors for each customer affect the overall scoring. The data model should allow for the addition of organization-specific exposures and the adjustment of attributes that contribute individually to the technical severity and how important that asset/service is to the business. This freedom and transparency allows organizations to adjust the overall scoring to better reflect their business needs and risk appetite.

 

  1. Simple and automated aggregation

Automation, automation, automation! The necessary data already exists within your environment. An RBVM solution should be automated and provide agentless data aggregation enabling correlation, normalization, and consolidation of asset state data without any additional scanning. This collected data is cleansed, enriched, and consolidated to be leveraged by many different aspects of the organization because of its superior accuracy, context, and comprehensiveness.

 

  1. Integration with other tools

It should not require hours of manually built integrations to install an RBVM solution. Ideally, solutions engineered with a vendor agnostic approach, simplify the data integration process by pushing the configuration entirely to the front-end web UI. Whether the data exists in a simple spreadsheet, database, or through an API, the solution facilitates data connector configuration without the need for a developer’s skill set or lengthy enhancement requests through a vendor.

 

BONUS: Can the cleansed and correlated data from your vulnerability management solution be fed downstream to other enterprise tools?

 

Flexibility Meets Function: NorthStar Navigator

 

Different things are important to different people. Flexibility for one does not mean flexibility for all. No one outside of your organization, 3rd party intelligence feed, AI, or machine learning algorithm is ever going to be able to accurately define what’s most important to your business.

NorthStar Navigator does not force you into a scoring model that you don’t understand; it is built on a data-driven approach that offers the flexibility required to ensure that organizations are able to prioritize what matters the most to their business. Organizations need to understand the underlying data that is driving any all scores and dashboards.  NorthStar’s commitment to ‘showing our work’ offers visibility and transparency into the scoring model fostering trust in leadership, management, and technical teams that they’re operating on a common model towards a common goal.

In addition to out-of-the-box attributes, NorthStar allows you to determine custom attributes and their weight toward the overall score so you get a custom-tailored view of risk to your business. Leveraging metrics and data the business has already established, NorthStar consumes existing business data and processes in a scoring model that reflects what matters most to your business. This creates the foundation for prioritizing exposure remediation.  Additionally, NorthStar allows for high level adjustment of the scoring model based on your tolerance for technical or business risk.  We believe that in order for you to trust a risk score, you should not only have transparency into how it was calculated, but have the control to adjust the model to fit your unique environment and requirements.

 

For more information about how NorthStar Navigator can empower your risk-based vulnerability management program, visit HOW IT WORKS.