December 16, 2025

Vulnerability Management: The Hardest and Easiest Proactive Security Measure

Let’s be honest, vulnerability management is a pain in the ass. You fix everything and the dashboard is clean for two seconds, and then 20 new issues pop up.  

This is the most frustrating proactive security service some of us provide to our clients. It is like playing an intense game of whack-a-mole (... and I hate carnival games!). 

Vulnerability management is not sexy, fun, or engaging, but it must be done. Staff hate doing this as they would rather be analysts, pen testers, blue team, red team (purple team is just the confused team 🙃), etc.  

Furthermore, it does not help the company grow, affect profitability (though it could), or get someone promoted because of their outside-the-box thinking. (Really not sure why the triangle does not get more love…)

It is hard because doing this once a month or once a quarter to meet the compliance standards your clients must follow creates a tidal wave of work. First, you must determine what is the most important vulnerability to address, which can be hard to decipher. Then, you need to research what the best solution is to fix it, whether that’s a patch, upgrade, or a physical change. To add insult to injury, you are usually pulling staff away from their primary work, as no one has a full-time vulnerability management team. 

So, is vulnerability management REALLY that critical? 

Well, unpatched vulnerabilities are second only to humans in causing breaches. However, when a human messes up, it is the current vulnerabilities that bad actors will explore to cause harm and create havoc. I know… I know this does not take into consideration the “educationally challenged” individuals that give out their credentials or are thinking about anything other than work when they look at their emails and click on stuff.

In addition, ALL compliance frameworks except for GDPR now require vulnerability management. Yes, even HIPAA finally caught up and said, “Hey, we have all these vague rules of what it means to be HIPAA compliant. Why not, as a holiday present this year, give them something concrete?” And BOOM… vulnerability management!

And then there’s the circus of cyber liability insurance. 

The insurance companies’ job is to NOT pay out if they can avoid it. They bury countless requirements in a document, knowing the average person won’t read them. Companies then sign and attest to things they do not have in place. Talk about digging for gold. 

Did you know that vulnerability management is starting to be required in cyber liability policies? And not doing it is like that time Aunt Rita left the window open and a raccoon jumped in. It was just a mess, literally.   

So, Matthew, thanks for telling me everything I already know and deal with daily. What do I do about it?

I am so glad you asked! (Note to self: Take meds before writing blogs, so I do not talk to myself while writing them. 🙂) 

Like any other solution, with vulnerability management, you should use the proper tools. Ones that make life easier and not just ones that do the basics. I know you do NOT need another tool. However, what about the RIGHT tool?

In this case, a vulnerability management tool should: 

  1. Identify ALL assets including network and IoT devices. (Yes, even that Xbox Dave in accounting hides under his desk for Halo tournaments.)
  2. Allow for ALL operating systems to be addressed, including Mac, Windows, and Linux.
  3. Provide information on ALL identified vulnerabilities from multiple sources, using AI to cross-check the ones that seem like duplicate information.
  4. Provide guidance on what to address and what to prioritize to make the biggest possible positive impact without wasting time guessing.
  5. Include a link to the solution, whether it be a patch, upgrade, or even instructions on how to fix the vulnerability, cutting down on hours of research.
  6. Have the ability to scan and manage both on-premises and remote devices. (Scanning a traveling employee’s device for vulnerabilities can feel like a “Where's Waldo?” ... or “Where’s Matthew?”)
  7. Be installed once and run in the background with the information always up-to-date and ready for action. No more scheduling scans nights and weekends, or once-a-quarter scans only to find the data outdated when you get back to the office.

This is how we take vulnerability management and make it fit the way we want to work, as opposed to it making us work in a way that makes us miserable, unhappy, upset, depressed, bored, anxious… (wow, I did not know vulnerability management had such an effect on you. 🙂)

In all seriousness, yes, this is where I give you the quick pitch on how Nodeware® does all these things and more. This is where I tell you that if you are not using it, you are missing out. This is where I tell you I have children in college and need help paying for it … oops. 

However, if you do not use Nodeware, make your life easier by doing something that makes vulnerability management necessary and mandatory, but NOT as much of a chore. Your staff will thank you, your clients will thank you, your boss will thank you, and I will thank you (for not letting this blog be written in vain!). 

If you are interested in learning more about Nodeware and how it does all the things I described, email me at matthew.koenig@igicyberlabs.com and I would be happy to set up a time to talk.  

Take care and until next time…(*insert catch phrase that makes you smile*) 
