
Unified Vulnerability Management: The Single Pane of Context for the Enterprise

Written by Sohil Ramdas | April 16, 2026


Enterprises have reached a point where the complexity and scope of the technology landscape have grown beyond what most organizations anticipated. This is probably no surprise to anyone, but when you look at it through the organizational lens of tracking and inventorying these environments, the view becomes blurry. To make it even more complicated, inventory is just step one. Ensuring every asset has been hardened and secured creates an ongoing challenge for our security teams to navigate.

When we were deploying only desktops and servers, managing risks was relatively straightforward. But the elements have naturally shifted as the business and technical requirements have expanded. Infrastructure has now shifted towards supporting compute resources in the public cloud. Containers are implemented throughout for portability and scalability. Development teams span across the organization, with potentially their own way of writing and deploying code. Not to mention all the various IT devices on our networks providing us with access and connectivity. Each domain provides a unique set of obstacles to protect and prevent potential exploits or breaches.

For cybersecurity teams, the good news has been that there is no shortage of specialized tools for scanning and testing, providing the capabilities to identify vulnerabilities relevant to these environments. On the other hand, the same teams have become overwhelmed with findings, the backlog of fixes remains full, and the overall remediation effort is misaligned with the true business risk.

So how does the enterprise tackle these challenges that come with the growing technology landscape? This is where Unified Vulnerability Management, or UVM, enters the picture.

UVM vs Vulnerability Management

Before we dive in, it is important to understand the key differences between traditional vulnerability management and the UVM approach.

Historically, vulnerability management relied on several security solutions to scan the IT environment, with patching and remediation handled through separate, manual processes. As the IT footprint started to expand, so did the number of specialized solutions to ensure proper coverage relevant to the technology. But with each platform producing its own datasets, the amount of information associated with vulnerabilities and assets started to pile up quickly. To complicate matters further, often these tools were operated by multiple teams throughout the organization, keeping the data output siloed and fragmented. Without proper orchestration, teams were overloaded with alerts, findings were only prioritized based on a default criticality level, and manual efforts were needed to assign and coordinate the remediation of findings.

UVM emerged to address the limitations of traditional vulnerability management. At a high level, UVM provides a consolidated and comprehensive view of the asset and vulnerability information discovered throughout the enterprise. By ingesting data from these fragmented systems, it gives security teams a single console to operate within. Beyond consolidation, because UVM solutions aim to be the source of truth, they can apply context to what a vulnerability means within the scope of the IT landscape and the business environment. Additionally, UVM streamlines remediation workflows by automating the ticket management process for patching and fixing issues. Security teams now have a solution that amplifies their toolbox, as well as a unified approach to evaluating vulnerabilities and the fixes required for the environment.

Gathering visibility into the organization was the foundational phase; the ability to consolidate and focus was what came next.

The Information Sources

To fully understand the UVM strategy and platform functions, it’s critical to understand what inputs are captured and centralized. This process provides the foundation for the unified approach and evolution of vulnerability management for security teams.

Here is a quick recap of several technologies and concepts that may exist in your environment today:

  • Vulnerability Scanners
  • Endpoint Detection & Response (EDR/XDR)
  • Application Security (Static and Dynamic Testing, Software Composition Analysis)
  • Cloud Security Posture Management & Cloud Workload Protection Platforms (CSPM/CWPP)
  • Inventory Management and Configuration Management Databases (CMDB)
  • Container and Kubernetes Security

It’s important to remember this is just a snapshot, as there are potentially other platforms or risk signals configured throughout the organization. In certain situations, it’s even common to see multiple solutions deployed with the same domain concept.

The key takeaway: UVM is only as effective as the data produced by the enterprise and ingested by the platform.

How UVM Provides Clarity

Introducing a UVM strategy provides a clearer picture. It follows from the overall objective: providing a single pane of context for assets, identified vulnerabilities, and associated remediation efforts. This is accomplished through the following process engines commonly built into UVM platforms:

Asset Management

Through API integrations and custom connectors, UVM tools aggregate data from the security and technology stack to provide an authoritative source of asset information. Because data and tech silos exist throughout, this fundamental orchestration layer sets the stage for the UVM multiplier.

Standardization and Deduplication

Specialized tools will produce findings in the way they are designed to, so after ingestion occurs, UVM tools aim to normalize and correlate the data signals, allowing teams to identify the security posture of an asset. A key step in this process is the deduplication of alerts, so security teams are not chasing the same finding reported by multiple scanning technologies but rather focusing on a contextualized view of the asset and its risk profile.

Prioritization

We move beyond the Common Vulnerability Scoring System (CVSS) severity level and start to understand what a vulnerability truly means within the scope of the environment. From a traditional standpoint, a machine with a critical CVSS vulnerability would be patched before another asset with a medium finding. But what if the machine with the critical alert had no network connectivity, and the asset with the medium finding was public-facing? UVM shifts that focus to ensure remediation is prioritized by context, so teams spend their time fixing the alerts that are critical to their environment.
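The Standardization and Deduplication and Prioritization steps above can be shown end to end with a small pipeline. The following is an added example, not code from Trace3 or from any UVM vendor: it ingests two constructed scanner feeds with different field layouts, normalizes them into one schema, collapses the same asset/CVE pair seen by both tools into a single finding, and then ranks the results with asset context (network connectivity, internet exposure, business criticality) instead of raw CVSS alone. The feed layouts, asset attributes, CVE-0000-000N identifiers and scoring weights are all assumptions made for illustration.

```python
"""Added example (not Trace3's or any UVM vendor's code): ingest findings from
two constructed scanner feeds, normalize them into one schema, deduplicate by
asset + CVE, then rank them with asset context rather than raw CVSS alone."""
from dataclasses import dataclass

# Constructed sample feeds from two hypothetical scanners with different
# field names and casing. CVE-0000-000N values are placeholders, not real IDs.
SCANNER_A = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db-01",  "cve": "CVE-0000-0002", "cvss": 5.3},
]
SCANNER_B = [
    {"hostname": "WEB-01", "vuln_id": "cve-0000-0001", "score": "9.8"},
    {"hostname": "lab-07", "vuln_id": "CVE-0000-0003", "score": "9.1"},
]

# Constructed asset context, as a CMDB or CSPM connector might supply it.
ASSETS = {
    "web-01": {"internet_facing": True,  "connected": True,  "crown_jewel": False},
    "db-01":  {"internet_facing": True,  "connected": True,  "crown_jewel": True},
    "lab-07": {"internet_facing": False, "connected": False, "crown_jewel": False},
}


@dataclass(frozen=True)
class Finding:
    asset: str      # canonical lower-case hostname
    cve: str        # canonical upper-case CVE id
    cvss: float     # highest base score any source reported
    sources: tuple  # scanners that reported this asset/CVE pair


def normalize(feed_name, records):
    """Map one scanner's record layout onto the shared Finding schema."""
    out = []
    for r in records:
        if feed_name == "scanner_a":
            host, cve, score = r["host"], r["cve"], r["cvss"]
        elif feed_name == "scanner_b":
            host, cve, score = r["hostname"], r["vuln_id"], r["score"]
        else:
            raise ValueError(f"no connector for {feed_name}")
        out.append(Finding(host.strip().lower(), cve.strip().upper(),
                           float(score), (feed_name,)))
    return out


def deduplicate(findings):
    """Collapse the same asset/CVE pair seen by several scanners into one
    finding, keeping every reporting source for traceability."""
    merged = {}
    for f in findings:
        key = (f.asset, f.cve)
        if key in merged:
            prev = merged[key]
            merged[key] = Finding(prev.asset, prev.cve,
                                  max(prev.cvss, f.cvss), prev.sources + f.sources)
        else:
            merged[key] = f
    return list(merged.values())


def contextual_score(finding, assets):
    """Adjust CVSS with exposure context. The weights are illustrative
    assumptions, not a standard; a real platform makes them policy-driven."""
    ctx = assets.get(finding.asset)
    if ctx is None:
        # An asset missing from the CMDB is a data-quality gap: keep the raw
        # score but flag it so ownership can be established.
        return finding.cvss, ("unknown-asset",)
    score, reasons = finding.cvss, []
    if not ctx["connected"]:
        score *= 0.2          # no network path: far less reachable
        reasons.append("isolated")
    if ctx["internet_facing"]:
        score += 2.0          # reachable by anyone: raise urgency
        reasons.append("internet-facing")
    if ctx["crown_jewel"]:
        score += 1.0          # business-critical data or service
        reasons.append("crown-jewel")
    return round(min(score, 10.0), 1), tuple(reasons) or ("baseline",)


def prioritize(assets=ASSETS,
               feeds=(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B))):
    """Full pipeline: ingest -> normalize -> deduplicate -> rank by context."""
    raw = [f for name, recs in feeds for f in normalize(name, recs)]
    ranked = []
    for f in deduplicate(raw):
        score, reasons = contextual_score(f, assets)
        ranked.append({"asset": f.asset, "cve": f.cve, "cvss": f.cvss,
                       "priority": score, "reasons": reasons,
                       "sources": f.sources})
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize():
        print(row)
```

With the constructed data, four raw records become three findings (web-01's CVE is reported by both scanners and is merged with both sources retained). Ranked by CVSS alone the order would be web-01, lab-07, db-01; with context, the isolated lab-07 host drops to the bottom and the internet-facing, business-critical db-01 moves ahead of it, which is exactly the shift the paragraph describes. Assets absent from the CMDB are flagged rather than silently scored so that the ownership gap is visible.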

Remediation

Of course, knowing what to fix is only one part of the equation, and manual processes to coordinate remediation efforts often fall short. This is where UVM platforms step up by connecting to the IT workflows and patch management technologies so that automation can take over. This includes managing the ticket lifecycle: opening the requests, ensuring the right resources are assigned, and tracking overall progress. Knowing the context of a vulnerability within the enterprise is fundamental; mitigating the risk is critical.

UVM and the Bigger Picture

Now that we are aware of how teams can utilize UVM solutions, it should be an easy decision to deploy, correct? Well, there are key concepts organizations must understand for implementation to be successful.

First, UVM typically operates above the underlying technology stack and depends on external systems to supply inputs. As a result, if there are gaps in scanning or testing coverage, then UVM will be limited in its ability to paint the true risk posture of an asset. Similarly, poor data quality within the CMDB can lead to unclear remediation ownership, potentially resulting in delayed patching. It is important to note UVM is not intended to replace foundational asset discovery, data hygiene, or scanning procedures. However, when they are established, UVM becomes a value multiplier upon an organization's technology and security stack.
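Because UVM inherits whatever gaps exist beneath it, a practitioner will want to measure scanning coverage and CMDB ownership before trusting the platform's risk picture. The following added example (not Trace3's or any vendor's code) cross-checks a constructed CMDB export against the hosts each scanner actually reported on and returns the assets never scanned, the assets no scanner knows about, the assets covered by only one tool, and the assets with no remediation owner. The hostnames, owner teams and scanner names are constructed for illustration.

```python
"""Added example (not Trace3's or a vendor's code): surface scanning coverage
gaps and ownership gaps that would otherwise limit what UVM can show."""

# Constructed CMDB export: hostname -> owning team ("" means unassigned).
CMDB = {
    "web-01": "platform-eng",
    "db-01":  "data-eng",
    "lab-07": "",
    "vpn-02": "network-ops",
}

# Constructed per-scanner inventories: the hosts each tool reported on.
SCANNER_COVERAGE = {
    "vuln-scanner": {"web-01", "db-01", "lab-07"},
    "cspm":         {"web-01", "db-01", "shadow-09"},
}


def coverage_report(cmdb, scanner_coverage):
    """Compare the authoritative asset list with what the scanners saw."""
    known = {h.lower() for h in cmdb}
    seen_by = {}
    for tool, hosts in scanner_coverage.items():
        for h in hosts:
            seen_by.setdefault(h.lower(), set()).add(tool)
    return {
        # In the CMDB but no scanner ever reported on it: UVM is blind here.
        "never_scanned": sorted(known - seen_by.keys()),
        # Reported by a scanner but absent from the CMDB: no owner, no context.
        "unknown_to_cmdb": sorted(seen_by.keys() - known),
        # Known and scanned, but by a single tool: no corroborating signal.
        "single_source": sorted(h for h, tools in seen_by.items()
                                if h in known and len(tools) == 1),
        # Known, but nobody is assigned to remediate: tickets will stall.
        "no_owner": sorted(h for h, owner in cmdb.items() if not owner.strip()),
    }


def has_gaps(report):
    """True when any category is non-empty, handy as a pre-ingestion gate."""
    return any(report.values())


if __name__ == "__main__":
    for category, hosts in coverage_report(CMDB, SCANNER_COVERAGE).items():
        print(f"{category}: {hosts}")
```

Run before each ingestion cycle, a report like this turns the paragraph's caveat into a measurable condition: a non-empty never_scanned or no_owner list means the UVM view of those assets is incomplete, and the fix belongs in discovery, scanning scope or CMDB hygiene rather than in the UVM platform itself.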

Additionally, as organizations mature their threat and vulnerability management programs, it becomes important to understand the distinctions between UVM and Exposure Management Platforms. UVM focuses on aggregating asset and vulnerability data, providing the fundamental context required for prioritized remediation. Exposure management builds on that foundation by incorporating misconfigurations, IAM permissions, and environmental relationships to model the enterprise attack surface. Understanding these distinctions helps teams set clear expectations for purpose and coverage, while also recognizing that UVM and Exposure Management capabilities are beginning to converge, with platforms like Zafran and Brinqa leading the way.

Conclusion

In the end, traditional vulnerability management, where we focused on discovering Common Vulnerabilities and Exposures, or CVEs, then prioritizing remediation based on non-contextual CVSS scores, no longer reflects today’s technical strategy. Teams require consolidated visibility and risk-based prioritization that is focused on their environment. This is where UVM steps up, by providing a single pane of context for the enterprise.

Sohil Ramdas serves as an Innovation Principal on Trace3’s Innovation Team. With a background in cybersecurity, he leverages his extensive experience in both industry and consulting roles to now provide clients with guidance on emerging technologies. His objective is to supply organizations with the expertise required to securely innovate and scale in a rapidly evolving technology landscape.