How to Actually Reduce Risk in Your Environment

What is a vulnerability risk management program?

A vulnerability risk management program is imperative at any organization to secure assets, but how do you actually reduce risk in your technology environment? In order to understand how to reduce risk in any organization, you first have to understand the vulnerability risk management process. Vulnerability risk management programs have to encompass five basic steps:

1. Visibility
2. Assessment
3. Prioritization
4. Remediation
5. Tracking and Reporting

Step one, visibility, involves instrumenting all the assets in your environment. This is actually a challenging step, because beyond connecting to traditional onsite assets like hardware and employee desktops, you have to include cloud providers such as AWS, account for ephemeral assets like containers, connect to virtual machines like VMWare, and account for traveling laptops.

After visibility is established, it’s time to assess them all for risk. The hard truth that inevitably surfaces from the assessment stage is that there is always going to be more risk in your environments than you will ever be able to remediate.

However, once you’ve accepted some level of risk, you can begin the process of prioritizing vulnerabilities based off of the level of risk they pose to your organization. This process requires you to take into account traditional methods such as CVSS scores, as well as identifying what attackers are really after. With this understanding, you can determine what attackers are most likely to take advantage of so you can prioritize where to focus your attention.

Prioritization leads to the heart of risk reduction: remediation. This is where you take actual steps to reduce risk, such as installing a patch, implementing a compensating control, updating code, or simply choosing to accept the risk and do nothing.

The final step in the process is tracking and reporting, in which you look at the data you’ve collected and create a story of your progress. This step is imperative in securing budget to ensure your team can be effective going forward. If you can’t report on how well you’re doing and what you need to improve, you can’t prove your worth to the broader organization and show why they should continue to invest in your program.

How do security professionals view risk management?

In order to come to the above conclusions about risk management, we surveyed vulnerability management teams in varying industries and company sizes, resulting an in-depth view of what security professionals want from a vulnerability management program today, from what they already have that works to what’s missing.

What we found is that most security professionals feel their program is vastly under-resourced, from staffing, to tools, to budgets. They also feel anxiety over the parts of their environment where they don’t have the visibility they need to successfully circumvent attacks.

Many security professionals work beyond their traditional roles and have to spend a significant amount of time playing politician in their organizations in order to justify their team’s efforts and get buy-in from other departments.

The time it takes to discover and remediate vulnerabilities is another concern. Security professionals often have doubts about the data that their vulnerability management tools provide them and don’t necessarily feel confident answering questions posed to them about security risks by peers or leadership.

Where do problems occur in the vulnerability risk management program?

When all is said and done, vulnerability risk management programs can be broken down into two halves:

1. Understanding risk: This includes visibility, assessment, and prioritization. This is where traditional security practitioners spend most of their time.
2. Reducing risk: This includes remediation, tracking, and reporting. This half of the program is often handled by a different team, such as IT operations or development.

There is often friction between these two halves of the process due to a difference in focus between the security team and the IT/DevOps team. The former is often focused only on understanding risk and security, while the latter is focused on a number of initiatives, such as building, deploying, upgrading, and maintaining assets.

How InsightVM helps to reduce risk in your organization

As a software vendor and a partner, Rapid7 works to help organizations bridge the gap between understanding risk and reducing risk. Our vulnerability management solution, InsightVM, offers a number of features to help reduce risk. We’ll start with Remediation Projects.

Our Remediation Projects feature provides hands-on, built-for-purpose views of remediation data across the organization. These help reduce friction and effort for security teams and remediators, regardless of the size of your organization. The tool was designed to take the burden of remediation off the team so that they can focus on driving the program forward. Remediation Projects helps to automate and address time-sucking manual processes, such as:

• Ticketing
• Emails
• Reporting
• One-off vulnerability verification requests

InsightVM also directly integrates with ticketing systems like ServiceNow and Jira so you can create projects and assign clear remediation actions. Remediation Projects gives you back the time you’d normally spend tracking progress, achievements, or failures of remediation. And the tool works to make vulnerability validation painless by providing the most up-to-date view available of any vulnerability status within the environment.

Another capability within InsightVM that can help security teams actually reduce risk is automation. InsightVM provides automation-assisted patching solutions that can help streamline manual, repetitive tasks, while allowing you to maintain control throughout your environment. With automation-assisted patching, you can directly integrate with patch management tools like BigFix and SCCM to streamline your patching process.

InsightVM automation is also available for containment. You can decrease exposure to any vulnerability by automatically implementing temporary or permanent compensating controls via your network access control systems, firewalls, or endpoint detection response tools. InsightVM integrates with all of these systems and other third-party tools to automate the process of restricting network access to any vulnerable assets.

For more insights on vulnerability risk management, reducing risk, and demos of the InsightVM tool, watch our full webcast here.