Expiration dates with everyday items can feel like a bad thing. If your license expires, you lose your legal right to drive. If a coupon expires, you miss out on a great deal. If your groceries expire, you lose out on a planned meal. However, expiration dates can be a powerful and positive tool when managing vulnerabilities.
The traditional approach to vulnerability management is deceptively simple: see the vuln, fix the vuln. But that’s not really vulnerability management; that’s vulnerability remediation. Vulnerability management also covers the vulnerabilities you can’t fix. That’s where expiration dates come in, known here at Nucleus as status expirations.
Released February 2023, status expirations allow you to temporarily set a vulnerability finding to any resolved status for a specified period. Now, when you cannot remediate a finding simply by deploying an update during the next maintenance window, you can use Nucleus to track everything you can/can’t do and why, track everything you did, attach all relevant evidence, mark the vulnerability under the appropriate status, and give it an expiration date. Status expirations are helpful in several situations, including when a risk acceptance requires annual re-evaluation or when recommended mitigations on a zero-day vulnerability need another review later to apply a future update.
You won’t find automation-supported and context-rich status expirations in most of today’s vulnerability management tools and homegrown solutions. That makes managing and setting expiration dates without a tool like Nucleus time-consuming and painful. For example, collecting and storing supporting evidence, then effectively tracking an assigned expiration date, can require working across multiple tools that may or may not be familiar.
One common option for dealing with vulnerabilities lacking immediate fixes is storing the data in a Governance, Risk, and Compliance (GRC) tool. Not all organizations have GRC tools, and teams that normally work in vulnerability management tools may need to learn them. GRC tools also rarely hold all the relevant finding data, which means shuffling between multiple browser tabs. Without a GRC tool, many organizations turn to their ITSM system to track findings and attach relevant evidence, which still leaves the team shuffling between multiple tools.
Though some scanning tools allow you to mark a vulnerability finding as resolved, mitigated, or false positive, their ability to track all evidence effectively is limited. In some cases, your only option is to disable the relevant vulnerability signature, which removes the vulnerability from view on all systems (not ideal in most cases). The actual tracking of the expiration dates is arguably the most challenging part of all of this. For many organizations, this means creating a calendar entry in Outlook or Gmail to remind admins to revert the change once it was supposed to expire.
Status expirations in Nucleus quickly and easily solve these problems. With our unified vulnerability management platform and advanced automation, Nucleus lets you immediately transform your vulnerability management program and processes. Status expirations and other features within our finding processing rules allow you to accelerate your vulnerability triage and remediation efforts, with minimal stress and effort.
Practical Application Examples
Setting an expiration with accepted risk
The standard practice for accepting risk for a vulnerability finding is to review once a year. With Nucleus, you can apply a 30, 90, or 365-day temporary status change in one click, which reverts to your chosen active status once it expires. You can also pick the specific expiration date on the calendar when needed or resolve the vulnerability finding indefinitely.
Setting an expiration with a false positive
An everyday use case for status expirations is to set an expiration on vulnerability findings that are suspected false positives and require further evaluation. You contact the scanning vendor to verify whether the finding is a false positive, which requires some time. You set an expiration status for 30 days or more to allow ample collaboration and feedback. Then, if the false positive is confirmed and fixed on the scanner side, the vulnerability will resolve after expiration. If, however, the false positive lingers, it’s time to investigate and possibly contact the scanning vendor again.
Using status expirations gives you more time to work with your scanning vendor and reduces the number of unresolved false positives on the books when auditors come calling. Automatic expiration dates on risk acceptances also mean that a reminder isn’t missed because someone is away, a common pain point with the traditional approach to vulnerability management. An expiration on a false positive clearly shows an automated mechanism that ensures follow-up when needed, giving auditors that extra layer of assurance that things will be taken care of in a timely manner.
Setting an expiration with duplicates
Another typical use case for status expirations occurs when transitioning scanning tools. Running multiple tools side by side may produce duplicate data within Nucleus. You could use status expirations to mark findings from the soon-to-be-deprecated scanning tool as duplicates to avoid inflated finding counts. While assessing which tool you’re keeping long-term, you could also close findings as duplicates with an expiration date as a hedge, so they resurface if the transition stalls.
Another scenario where duplicate vulnerability findings might occur is when authentication fails intermittently, causing your scanner to run authenticated scans on some days (and not others). Sometimes the unauthenticated scans use different signature IDs than the authenticated versions, causing duplication. You could close the unauthenticated findings as duplicate(s) with status expirations to avoid inflating your vulnerability counts while troubleshooting the issue. Once the authentication problem resolves, you could close those unauthenticated findings as duplicates with no expiration date.
Setting an expiration with mitigations
Zero-day vulnerabilities, by definition, do not have an available patch. They may, however, have one or more vendor or security researcher-recommended mitigations. If mitigations are applied, it’s critical to reevaluate and apply a future update when available. In the meantime, you don’t want those mitigated vulnerabilities cluttering your views. With Nucleus’ Status Expirations, you can attach all your relevant documentation, mark the vulnerability mitigated, and set an expiration for some time, such as 30 days for updates released monthly by Microsoft and Adobe or 120 days for updates released quarterly by Oracle.
Setting an expiration in conjunction with due dates
In the Nucleus platform, users can set both expiration and due dates. Expiration dates pertain to the expiration of a resolved status (i.e., how long selected vulnerability findings stay in any of the denoted resolved finding statuses). A due date indicates the day a vulnerability should be resolved. Having the ability to set a separate due and expiration date, or the option to make both the same in a unified vulnerability management platform like Nucleus, allows you to build a complete review cycle that fits the unique needs of your org and continues to strengthen your vulnerability management program.
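To make the status-expiration and due-date workflow described above concrete, here is an added Python sketch (not Nucleus code; the status names, the 30/90/365-day presets, and the field names are assumptions) that resolves findings with either a preset or an explicit expiration date, reverts them to the chosen active status when that date passes, leaves indefinitely resolved findings alone, and reports active findings that are past their due date.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Resolved statuses discussed in the post; anything else is treated as active.
# These names are assumptions, not the platform's actual status labels.
RESOLVED_STATUSES = {"accepted_risk", "false_positive", "duplicate", "mitigated"}
PRESET_DAYS = {"30d": 30, "90d": 90, "365d": 365}  # the one-click presets


@dataclass
class Finding:
    finding_id: str
    status: str = "active"
    revert_to: str = "active"           # active status restored when the expiration passes
    expires_on: Optional[date] = None   # None while resolved means "resolved indefinitely"
    due_on: Optional[date] = None       # day the finding should be fixed (independent of expiry)
    evidence: List[str] = field(default_factory=list)


def set_status_expiration(f: Finding, status: str, today: date,
                          preset: Optional[str] = None, until: Optional[date] = None,
                          revert_to: str = "active", evidence: Optional[str] = None) -> Finding:
    """Move a finding into a resolved status, optionally with an expiration date."""
    if status not in RESOLVED_STATUSES:
        raise ValueError(f"{status!r} is not a resolved status")
    if preset and until:
        raise ValueError("use either a preset or an explicit date, not both")
    if preset:
        until = today + timedelta(days=PRESET_DAYS[preset])
    f.status, f.revert_to, f.expires_on = status, revert_to, until
    if evidence:
        f.evidence.append(evidence)   # attach supporting documentation alongside the decision
    return f


def process_expirations(findings: List[Finding], today: date) -> List[str]:
    """Daily job: revert expired resolved statuses; indefinite ones are left untouched."""
    reverted = []
    for f in findings:
        if f.status in RESOLVED_STATUSES and f.expires_on is not None and f.expires_on <= today:
            f.status, f.expires_on = f.revert_to, None
            reverted.append(f.finding_id)
    return reverted


def overdue(findings: List[Finding], today: date) -> List[str]:
    """Active findings whose due date has passed (resolved findings are not overdue)."""
    return [f.finding_id for f in findings
            if f.status not in RESOLVED_STATUSES and f.due_on is not None and f.due_on < today]
```

A finding reverted by process_expirations keeps its due date, so a mitigated zero-day whose 30-day window lapses immediately shows up in the overdue list if its due date has also passed.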
Our final two cents: Nucleus makes expiration dates your friend with this latest Status Expirations release. More importantly, Nucleus applies precision and speed to your vulnerability management program and processes, so you’re always focused on those vulnerabilities that matter most to your business.