The Role of a Vulnerability Analyst | Nucleus Shortcuts
I’m your host, Adam Dudley, and today we’re going to discuss what is the role of a vulnerability analyst. And our expert on the topic today is Kate Boucher, Technical Account Manager at Nucleus Security. She’ll be sharing her experience about the ins and outs of the vulnerability analyst and manager roles.
Shortcuts: Would you like to introduce yourself briefly for the folks watching at home?
Shortcuts: Can you give us a quick take for those of us that aren’t familiar, what does the vuln analyst or manager do on a day-to-day basis?
Kate Boucher: The CliffsNotes version is you make sure you’re scanning all the things, you’re taking all the data, and you’re prioritizing that and making sure that your security teams, your patching teams are addressing the risk in the most logical and risk-based manner as possible. So, basically your job is to make sure everyone’s doing their job. A lot of it is you’re the middleman between the data and the people actioning on the data. So, it’s a daunting task, especially if it’s a new role at an organization because not only are you driving processes, but you’re building them at the same time.
Shortcuts: Would you share some ideas about, as a vuln manager, what are some of the challenges you face on a day-to-day basis?
Kate Boucher: Are we scanning everything? Do we have full coverage? Because nobody wants to be in that spot where you’re popped and you didn’t see it coming, and you find out that you didn’t have coverage on it, so there was no way you could possibly remediate anything because you didn’t even know. So, it takes a lot of teamwork, having the right people in the roles, making sure that you’re in constant communication with your security operations team or your IT teams to make sure that first of all, you’re scanning all the things. And then second of all, are we treating those assets as equals or are we saying, “Okay, well, of all the things that we’re scanning, these 50 assets are our most important. So, if these were to be compromised, then we would be hosed pretty much.”
So, you want to make sure that you’re putting the correct assets in the forefront, not that the other assets don’t matter, but we need to act fast on these, placing SLAs on assets, your most important assets and things like that. You can’t be taking 90 days to patch a critical vulnerability on a critical asset, or you’re really just a sitting duck at that point. So, it’s getting all the things, prioritizing what you need to, and then holding your teams accountable for those prioritizations, setting SLAs, making sure that there is a process in place for zero-days emergency patching. These are things that don’t always come up, but I think we’ll always remember Christmas 2021 for Log4j. And I think a lot of teams realized, at that point, if they didn’t have an emergency patching process in place, then they really needed to get one.
You don’t want to be waking up, here’s this admin on Christmas morning saying, “Hey, we need to do this because we have no process around it.” And while you’re building that, it’s documenting everything because eventually, as I’ve learned in the past and I’ve gone through, those processes you’re building are going to be part of your VM program management, you’re going to be part of your security information security processes. They need to be well-known, agreed upon. That’s the biggest thing. If you’re working with different teams, if you’re working for your AppSec team and your network team, there need to be service levels that everyone agrees upon and that they can be held accountable for.
Shortcuts: In the organizational structure, is it common or uncommon for the vuln manager to actually have authority over the patching teams? Or are they kind of in a separate world on their own and you more have to have that collaborative relationship?
Kate Boucher: I think it’s more of a collaborative, at least in my experience. So, two of my experiences are as a vendor, as an MSSP, and then my secondary experience was part of the security operations team. So, you have this core group of people that are setting up security protocols, security plans, contingencies, making sure that any procurement products are secure and we vet them and things like that. In a lot of organizations, you have your IT team that are actually managing the asset, so they’re actually responsible for patching them. You’re separated typically by teams, but there has to be that collaborative type of relationship where I found it’s easier to get a little bit more with honey.
We all look good when we have a successful VM program and we know that we’re doing the right thing and we’re fixing the right things. And the CISO can take a report to the board and say, “Hey, last year we had 1.5 million vulnerabilities and this year we have 750,000.” And that’s what an influx is as we know, an average of 25,000 vulnerabilities growing each year. So, not only did you manage to attack your technical debt, you kept in front of everything that was coming in and you brought it down a significant amount. So, the vuln management or the vuln analyst role can be a tricky one because you basically need a lot of buy-in from other people, from other people’s management, from your security operations team. But it is a very important role at this stage because if you’re not getting in front of what’s coming in and attacking what’s already there, then you’re never going to be able to dig out of the hole.
Shortcuts: How does Nucleus really make a vuln analyst or a manager’s life easier?
Kate Boucher: Honestly, automation. I mean, I’m a person that has used multiple tools in the space that Nucleus is in, I won’t name any names, but a lot of the other tools don’t allow for the automation that we have. Just as the example I told you, I used to go into the tool, copy and paste, pull the CSV, have to manually create the ticket. With the amount of knowledge that comes with individuals in this field, there’s a lot of better things they could be doing with their time than copying and pasting and pulling CSV reports and uploading them every week. There’s a lot more in-depth research we could be doing, just time better spent somewhere else. So for me, the big game changer was the automation that Nucleus provided, especially on the ticketing side of things. Because if you’re not tracking this activity through ticketing, how are you really able to measure, how are you holding people accountable for what you need them to do? I’d be hard-pressed to see a successful vuln management program that didn’t have a ticketing aspect to it. If you’re working out of spreadsheets, how do you keep track of the amount of assets and things like that? So, automation is a huge one for Nucleus, and honestly, the trending reporting that we offer was always a huge hit with C-suite. You got to keep it high level most of the time because some of those executives, you get 30 seconds to a minute and in a quarterly report that the security operations team is presenting.
So, those high-level metrics that we provide to show a year’s worth of data, this is how we’re progressing or this is how we’re not progressing. You can go either way. But just the raw numbers of this is what’s discovered, this is what we’re remediating, this is our mean time to remediate, this is how long it’s taking on average per the criticality of these vulnerabilities. My C-suite love that. And that’s hard to replicate outside of going in and manually creating any of these graphs and charts with Excel. I feel as though, and what’s been my experience, that we have a lot of newcomers into this world, and this role in particular, I feel like it’s the entrance into a lot of cyber security roles or security operations roles. And I say just come in with the confidence of knowing if it’s not built, you can build it.
You have a team over here at Nucleus, people like myself, that have been in the role that have built programs previously, so lean on the knowledge of the individuals in this space and just build that trust with the people that you are depending on to action on the data that you’re giving them. They can be difficult sometimes, but if the trust relationship is there, then I have no doubt that the program would be successful and you’d be able to grow and show improvement to your manager, your CISO, and your board.