Vulnerability data must be tracked in order to ensure remediation – or vulnerabilities can fall through the cracks leaving your organization exposed. Most vulnerability data comes from scanners, though the most important vulnerability data often comes from humans. In this third post of a four-part series on threat and vulnerability management tools, we provide guidance on how to effectively track vulnerability data in the context of orchestration.
Several non-optimized tools commonly used for tracking vulnerability remediation include the following, each of which has significant limitations:
Excel and SharePoint: Companies often use Excel or SharePoint to track remediation from a central list of findings – a single spreadsheet file where dozens of users comb through thousands of vulnerabilities. Tracking remediation this way certainly presents challenges, because spreadsheet tools are not designed to help manage such complicated data sets and team collaboration. The information often gets overwritten or marked improperly. The accuracy of the data is questionable, making reporting difficult.
JIRA: Alternately, some companies use JIRA for tracking software vulnerabilities, which helps ensure that processes are followed. Unfortunately, most organizations have many JIRA instances across their development environments. Distributing the results across many JIRA instances leads to an inability to effectively report on the data. Storing the results in a central JIRA system has advantages, but getting stakeholders to take the time to login and review the findings in a different system than they use daily can be difficult.
ServiceNow: Some companies attempt to use ServiceNow, which has the advantage of more robust ticketing, to track vulnerabilities on the networking side. Unfortunately, some of the same ingestion challenges exist, and you lose the fidelity of having all of the vulnerabilities in a single place.
Home-built: Other companies have built systems that connect to other internal systems. While they work, home-built tools are difficult to maintain and often are maintained less formally than normal development efforts, as they are unrelated to the core business purpose. These systems are often just databases with a minimal user interface, not fully optimized for the purpose.
BEST PRACTICES CHECKLIST:
SECURITY ORCHESTRATION FOR VULNERABILITY REMEDIATION
Best practices for threat and vulnerability management require a system for remediation workflows that can handle the following seven tasks:
- Ingestion of various data formats with flexible normalization
- Reviewing of normalized data for changes and modifications as needed
- Distribution of normalized data to various external systems
- Tracking the data distributed externally to keep a central listing up to date
- Ensuring policy is adhered to across the various systems where the data is tracked
- Sending notifications for users and keeping humans involved in the process, especially when vulnerabilities become overdue
- Reporting on the outcome of vulnerabilities by group, business unit, or globally across the organization
As a result, a checklist for a security orchestration tool for vulnerability remediation includes these six capabilities:
- Serve as a central clearinghouse of vulnerability data
- Automate many steps of the remediation process
- Coordinate varying processes based on the organization’s internal structure and environment
- Integrate with a large number of systems via API
- Define a workflow with decision points based on data criteria
- Notify key users when something is not right
Make sure any threat and vulnerability management tool you consider can check these six boxes before you try it out.
Read the earlier posts in this series: