Threat and Vulnerability management

Our experience, supported by cyber security research companies, shows that the primary reason companies get compromised are active non remediated vulnerabilities in their systems and applications. 

The well-known Verizon Data Breach Investigation report (DBIR) 2016 lists vulnerabilities primary reason for breaches. 

All that patching is for naught if we’re not patching the right things.

Our approach to vulnerabilities is two-fold:

  1. Slow and steady patching ensures that the problem does not get worse
  2. Automated threat and exposure analysis pick up vulnerabilities that the organisation need to attend to urgently, outside of a typical patch cycle
Cyber criminals are still exploiting years old vulnerabilities Credit: Verizon Data Breach Investigation report (DBIR) 2016

Cyber criminals are still exploiting years old vulnerabilities

Credit: Verizon Data Breach Investigation report (DBIR) 2016

VULNERABILITY management process

Over 50 years of combined cyber security experience we have used many frameworks for threat and vulnerability management. We have devised our own, based on industry good practice and enriched by battled experiences. 

Ultimately, the process consists of 4 elements as depicted on the picture below. 

Threat and vulnerability process

Threat and vulnerability process

Asset management

Configuration management, as defined by ITIL, is hard. Very few organisations achieve managed stage on the CMMI maturity level. We have worked with some most complex organisations and understand how good CMDB looks like. The key is not to focus on tooling but rather people and process. As any process, also this one needs to be well defined and measured. 

The key deliverables of this phase are:

  • Correct and up to date Configuration Management Database (CMDB)
  • A process to discover new assets and ensure these are added to CMDB
  • A regular review process which queries owners of assets about their currency and attributes
  • A graph like relationships between business processes, data elements, applications and infrastructure assets

Vulnerability & configuration info acquisition

Once we know what assets there are in the company, their relationships and relative importance, we go to the next step - gathering active vulnerabilities and mis-configurations from systems. Your company might already have a vulnerability scanning tool, and that is very good. We will look how this tool is implemented and maintained to give optimal results.

Perhaps you do not have a tool to collect this information., In that case we can suggest tools that are at the top of their game. We will design, implemented and operate the tools. 

It is important not only to look at technology, but also review processes and train people to use the tool most effectively. 

Analysis & prioritisation

Once all vulnerabilities and mis-configurations are collected, the company needs to decide which ones are more important. It is a simple fact of life that it is not possible to fix everyone at once. Fixing gradually and ensure two things:

  • The pool of vulnerabilities is not getting bigger
  • The critical vulnerabilities that are actively exploited are prioritised. 

We will establish processes and tooling to do just that. 

Remediation, Monitoring & Risk management

Finally, based on prioritisation, the vulnerabilities and mis-configurations are either fixed or consciously ignored for limited period of time. In such cases, the active monitoring of attempts to exploits these by attacks is advised. 

We partner with Qualys and Skybox to deliver this service.