Published: 1st August 2023 | In: Insights
It’s fair to say that most people in our industry have an idea of what vulnerability management (VM) is, but not necessarily how it’s done and the value it can bring. It’s not just about giving customers lists of problems to fix, and it’s definitely not just about saying “go patch this”. As well as missing patches, recent engagements with customers have identified issues such as superfluous applications, widespread deployment of powerful tools like PowerShell, devices not taking regular restarts, and poor build standards. All of these things contribute to vulnerability hygiene and ultimately help keep the bad guys out.
The VM team at Quorum Cyber has one goal: to help customers stay safe. There are thousands of vulnerabilities in commonly used computer systems and our job is to help them find, prioritise, and remediate them before threat actors can exploit them.
When a customer first comes on board as a VM customer, we help them set up scanning for their internal network and the external perimeter. It’s important that we do both because securing the perimeter is much less effective if the internal network is easy to attack and vice versa. All it takes is one successful phishing attack to get in behind the firewalls.
We’ll then help the customer to arrange scans. This is done at their convenience. You don’t want to scan during peak business hours? No problem, we’ll scan at night time. We’ll help make sure that scanning is effective and comprehensive. Avoiding blind spots in scanning is vital because you never know where an attacker might strike, so it’s important that we look everywhere we can.
Taking a risk-based approach to remediation
Vulnerability data can be comprehensive, and if this is the first time using a VM process, there might be a lot of it. So where to start? Well, that’s where we come in.
Our VM team works with customers to prioritise remediation actions and to identify where processes are needed or where existing processes haven’t worked. We take a risk-based approach to this, looking at vulnerabilities with:
- Known exploits
- Proof of concept (PoC)
- High-severity ratings (meaning they are easier to exploit or more dangerous if exploited)
- Most common detections.
Looking at all these factors, we will provide a list of recommended actions and track these to completion.
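A minimal sketch of that ranking, added here as an illustration and not Quorum Cyber's own tooling: it aggregates per-host detections by vulnerability and orders them by the four factors above. The order of precedence, the CVSS 7.0 "high" cut-off, and the placeholder vulnerability IDs and hostnames are all assumptions.

```python
# Constructed sample data: (vuln id, CVSS score, known exploit?, PoC?, hosts).
# IDs and hostnames are placeholders, not real CVEs or devices.
SAMPLE = [
    ("VULN-A", 7.5, True,  True,  ["lt-001", "lt-002"]),
    ("VULN-B", 9.8, False, True,  ["srv-01"]),
    ("VULN-C", 9.1, False, False, ["lt-001", "lt-003", "srv-01"]),
    ("VULN-D", 5.3, False, False, ["lt-001", "lt-002", "lt-003", "lt-004"]),
    ("VULN-E", 8.0, False, False, ["srv-02"]),
]

# Flatten to one row per (host, vulnerability), the shape scanners usually export.
FINDINGS = [
    {"host": h, "vuln": v, "cvss": s, "known_exploit": e, "poc": p}
    for v, s, e, p, hosts in SAMPLE for h in hosts
]

HIGH_SEVERITY = 7.0  # assumption: CVSS >= 7.0 is treated as high severity


def prioritise(findings):
    """Group detections by vulnerability and return them highest priority first."""
    agg = {}
    for f in findings:
        v = agg.setdefault(f["vuln"], {
            "vuln": f["vuln"], "hosts": set(), "cvss": 0.0,
            "known_exploit": False, "poc": False,
        })
        v["hosts"].add(f["host"])
        v["cvss"] = max(v["cvss"], f["cvss"])
        v["known_exploit"] |= f["known_exploit"]
        v["poc"] |= f["poc"]

    def rank(v):
        # Assumed precedence: known exploit, then PoC, then high severity,
        # then how widely it is detected; raw score only breaks ties.
        return (v["known_exploit"], v["poc"], v["cvss"] >= HIGH_SEVERITY,
                len(v["hosts"]), v["cvss"])

    return sorted(agg.values(), key=rank, reverse=True)


if __name__ == "__main__":
    for v in prioritise(FINDINGS):
        print(f'{v["vuln"]}: cvss={v["cvss"]} exploit={v["known_exploit"]} '
              f'poc={v["poc"]} hosts={len(v["hosts"])}')
```

Sorting the same sample by CVSS score alone would put VULN-A fourth, even though it is the only entry with a known exploit.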
Consolidating the estate’s assets
As part of the recommendation process, we will also identify areas where an estate can be tightened up. For example, do you really need all those browsers? Do all those team members really need Photoshop? Why do new laptops carry older vulnerabilities? Improvements like these can keep an estate safe by making the attack surface smaller and reducing the patching burden on IT teams.
We’ve seen some great examples of this recently, which we’ve shared here to give you a flavour of what types of issues we frequently address.
We have seen examples of customers using out-of-date web browsers, some of which carry tens of thousands of vulnerabilities spread across the estate. This can be incredibly dangerous, particularly with a large estate where they’re regularly used for web browsing. We encourage customers to introduce processes to regularly patch browsers (or remove them – do you really need more than one?) and the exposure generally plummets as soon as this is implemented.
When a process is in place, it doesn’t always work like it should. It’s common for older versions of Office, Adobe, Chrome, etc. to linger on an estate, even when the newest version is deployed. This can indicate deployment failures, multiple installations on certain devices, or colleagues failing to restart their machines (a surprisingly common problem). VM will help you weed these out and resolve them.
We often find older Windows patch vulnerabilities on newly deployed devices. This can indicate that the build image needs an update, rather than just a patch.
Vulnerability management is a continuous team effort
We meet with customers regularly to discuss these issues; we don’t just send them a report and expect them to get on with it. VM is a process, not a goal, and our team will help to build as good a process as we can.
If you’d like to join the conversation around VM, please get in touch and we’d be delighted to talk to you.