Hear from Your Peers: Advice for Your First 90 Days Using a Vulnerability Management Solution

Modern environments today are, well, complex. They often include a concoction of on-premises, cloud, container, and virtualization services. There’s a lot going on, and as a security pro, it’s your job to make sure your vulnerability management solution is dynamic enough to be quickly and easily deployed across all of these assets so you can see rapid time-to-value and ensure there is no stone left unturned.

But raise your hand if you’ve ever purchased a technology solution and found yourself saying, “I bet there are more features in here we could be using, but I’m just not sure what they are!” In a recent survey with InsightVM customers, we asked them to share their best tips for what to focus on in your first 90 days of using a vulnerability management solution. Below is their step-by-step advice for you to extract the most value from your solution:

Step 1: Scope out your environment

The first piece of advice shared by all the surveyed customers was to determine the scope of your environment, including internal- and external-facing systems. One customer recommended performing a discovery scan for acquiring all of the assets found on the network(s).

“Once you have data from your first full vulnerability scan(s), prioritize those systems that have critical vulnerabilities and/or policy violations, keeping in mind those systems that are crucial to your company,” he said.

Related: Learn more about InsightVM’s Real Risk Prioritization feature

Customers also suggested organizing your assets by region, floor, type, etc., ahead of time, to save you a lot of legwork later on.

Since scanning can impact your entire organization, another Rapid7 customer suggested informing your company that scanning will be taking place and what to expect.

“Do tech talks to walk users through the platform and show them the features and benefits it brings,” he said. “If they’re engaged in the process, they may forgive the alarm bells given off by the scanning.”

Customers also advised focusing on coverage as early as possible by deploying the Rapid7 Insight Agent on all the assets you can (even remote laptops) so credentialed scans will happen every six hours, instead of scanning through a firewall and potentially non-credentialed scans (and even while off the network). And, of course, make sure scans are authenticated.Another customer added that customizing their InsightVM dashboard helped them better understand their environment and bring meaning to the data from day one.

Step 2: Organize the vulnerability management process

Once you have a grasp on your environment, it’s important to put some organization around the vulnerability management process to make it easier to understand and manage. One customer recommended tagging your assets by the criteria you find easiest to work with (OS, risk, physical, virtual, etc.) and separating and organizing assets by either location or their asset tag. You can also create asset groups.

From there, determine your scanning schedule and keep in mind the effect scanning has on operations, and whether scanning after business hours or overnight would work better for your company.

Structure is also important. As one customer said, “Decide on the structure you want to adopt for organizing and delegating the responsibilities for the scanning of systems: systems in scope, groups in charge, etc. Another important step is defining who should receive the reports and what is the process for remediation. Without those steps, a lot of additional work to redo some tasks or a lack of accountability has to be taken into account during the roll-out of the VM project.”

Step 3: Create an action plan for vulnerability detection and patching

Once your environment is fully scoped out and you have a scanning process in place, you need to think about what happens when your team needs to jump into action.

“Create an action plan for patching systems, especially critical ones, to determine which vulnerabilities should be remediated first,” one customer said. “Upon completion of patching your first round, re-scan the environment to confirm remediation.”

Chad Kliewer, Information Security Officer for Pioneer Telephone Cooperative, Inc. advises: “There is always a ton of noise around the latest vulnerabilities, especially those with catchy names, so make sure you identify your own crown jewels first and protect them accordingly.” He adds, “Rather than chasing the latest news article, make sure you can create a strategy for long-term management of the vulnerabilities that are important to you and your organization instead of playing infosec whack-a-mole.”

Layer in deployment and training services

The advice provided above by our customers is invaluable, and we know that having the right partner makes putting this advice into practice that much easier. Here at Rapid7, we offer deployment services to help companies deploy our already easy-to-use InsightVM to ensure it’s set up right the first time around. Our team of seasoned vulnerability management experts can help you to maximize the value from InsightVM by ensuring you’re set up properly and know exactly how to use it from Day 1.

We have several types of deployment service packages you can purchase, and these services can be further tailored to your specific security program’s needs. We can help you with specific areas like product configurations, automation, creating reporting workflows, and ensuring your program meets industry best practices. Learn more about our deployment services.

We also offer training certifications to teach you all of the best features InsightVM has to offer so you can walk away an expert and maximize your investment in the solution.

Inside our training certification, you learn things like:

• An Introduction to InsightVM. We’ll familiarize you with InsightVM’s architecture, the Insight Agent, and best practices for a top-notch vulnerability management strategy.
• Operations. We’ll show you how to set up sites, understand the scan process, organize assets, and create stakeholder reports. We’ll also show you how our Real Risk model works and the various ways in which you can report on risk.
• Administration. To ensure you fully know how to scan and manage credentials, create report templates, and query custom scans, we have a complete training just on these key elements of running and optimizing InsightVM’s power.
• Creation. We’ll show you how to create Remediation Projects, run queries to dive deep into the analysis of various data sets, create dashboards, and more.

If you’re already an InsightVM customer, head on over to our deployment services and training certification pages to learn more and to get in touch to begin. If you’d like to take InsightVM for a spin as you rethink your approach to vulnerability management, sign up for a free trial. Either way, we hope to hear from you soon!