Penetration tests truly are a required part of any organization’s security program. But organizations are not always efficient at managing those tests and results. Such processes have historically often created a separate management process to track the exact status of known vulnerabilities – which often relies on a variety of spreadsheets and task lists. This creates a danger that reporting can be simplistic, and often indicates whether the tracked vulnerabilities have been remediated. Part of this is due to the problem that the process is often tracked in distributed workflows and spreadsheets.
So, how does an organization consolidate all of the information they need?
The catch is that an organization needs the capability to identify details to improve their vulnerability management, security program, and perhaps a wide variety of organizational operations. The reality is that good analysis of vulnerability information can provide great insight into parts of the organization beyond that organization’s vulnerability management system.
Effective organizations track progress so they can not only manage vulnerabilities effectively, but so they can demonstrate the status of their vulnerability management process at each step. The organization should be able to easily tell which vulnerabilities have been identified, accepted, prioritized, patched, and closed. Organizations must be able to meet demands of regulatory compliance, cyber insurance, breach liability, and other metrics that can be demonstrated by the organization’s ability to manage risk. Such metrics can also demonstrate the effectiveness of the security program, justify the cost of managing security measures and support the security return-on-investment.
Evolve Security has recognized that successful vulnerability management can be a boon to all organizations. The Darwin Attack platform provides one authoritative source for all information about identified vulnerabilities. This includes a list of all known vulnerabilities with severities for each, the system(s) upon which those vulnerabilities are found, and recommended remediations for each. This information is invaluable for all team members doing remediation and reporting on progress, as well as for any auditors verifying work.
Better yet, maintaining this information in a single repository means all staff, management, and consultants are working from the exact same data set, so all have the exact same data. This is even better if testing is currently being performed, and that repository is being updated in near real-time, so all parties have access to the most current data available.
Any user reviewing vulnerability data in the Darwin Attack platform, can tell at a glance which vulnerabilities remain to be addressed, which ones have been successfully remediated, and which ones have been successfully validated. As new vulnerabilities are added, users can make updates directly in Darwin Attack to show real-time results, and not wait for penetration test reports.
Not Just “Vulnerabilities”
Reviewing progress across all vulnerabilities can also reveal information about other parts of the organization’s security program, beyond the vulnerabilities themselves. An organization can review the vulnerabilities to determine common root causes. For instance, if the organization is constantly addressing high volumes of vulnerabilities, they could review processes and practices for hardening of systems and networks. If the organization is constantly addressing vulnerabilities related to configurations, such issues may be reduced with better training, better processes, better documentation, better validation checking, better peer reviews – or other techniques and controls designed to reduce potential vulnerabilities.
One good example is an organization who finds themselves constantly addressing vulnerabilities in their own developed web applications. Such vulnerabilities may be better addressed with controls around the software development process, such a training in secure coding practices, better use of approved code libraries, code reviews, code testing, application testing, and even, if appropriate, replacement of an existing outsourced coding contractors.
Users can use the Darwin Attack platform to help determine common root causes, that, if addressed, can save the organization time and resources not just in vulnerability management, but in a variety of operational aspects of the organization.
Vulnerability information can also be used to support external demands and requests for information about the security of the environment. An organization who can demonstrate their effective management of vulnerabilities can readily gain confidence from partner organizations, especially if the organization can demonstrate that they regularly manage a low volume of vulnerabilities, and that they do so in an effective manner.
An organization who uses the Darwin Attack platform to help manage vulnerabilities is exercising standards of good security practice. Organizations who actively track the status of their vulnerabilities, and review vulnerability information to help improve their security program are exercising standards of best practice, and can also demonstrate best of breed controls to themselves, to clients and to auditors. In the end, they are not only improving their security program and reducing organizational risk, but they can prove it.