Vulnerability Management: Build vs. Buy
The Path to Vulnerability Management Maturity
We’ve talked at length about Fixing the Broken Vulnerability Management Process, establishing the problems and chaos that plague security teams trying to address an explosion of technology and vulnerabilities with a mature Vulnerability Management (VM) program.
As you continue down the path of VM maturity, you will undoubtedly find that manual VM workflows are bottlenecks preventing your program from scaling and moving quickly enough to meet your objectives. You might even consider building your own VM platform internally to automate some of these bottlenecks. Let us stop you right there.
Proprietary in-house software, or homegrown vulnerability management solutions, tend to be clunky and immature, consisting of little more than a database and primitive user interface. They’re often difficult, time-consuming, and expensive to maintain, as well. Consider that any time developers spend maintaining the vulnerability management system is time they cannot spend on internal projects that drive the business forward.
In-house solutions seldom meet the needs of the organization, rarely scaling sufficiently to meet increasing demand. They also tend to be purpose-built by one dedicated team, to solve one vulnerability management problem, but multiple stakeholders are involved in the vulnerability management process. This creates a situation where the homegrown solution solves only one problem, to the detriment of the vulnerability management process across the larger enterprise.
If building your own solution is a situation you have found yourself in, it is probably because:
Blissful Ignorance
You were unaware that vulnerability management platforms already exist to automate manual VM workflows.
Unicorn Complex
You believe that your VM objectives, use cases, and workflows are too unique for an off-the-shelf VM platform to satisfy.
Pinching Pennies
You have software development resources in house and believe you can save money by building your own vs. engaging a vendor.
Below are three insights to help you move towards VM maturity… without making the mistake of building your own VM workflow solution.
Insight #1: Terminology Matters
The primary reason that VM platforms like Nucleus are still foreign to many cybersecurity professionals is that the term “vulnerability management” was adopted by scanning vendors over 20 years ago. Still today, when most people think of vulnerability management, the first thing that comes to mind is vulnerability scanning, which is just one step (Vulnerability Discovery) in the larger vulnerability management process.
Unfortunately, search engines are also still stuck in the early 2000s, and searches for “vulnerability management” still do not return results for platforms designed to automate the larger VM process. Making matters worse, the analyst community cannot agree on a good term for this space, so we’re stuck with categories like “Vulnerability and Risk Management” (VRM), “Risk Based Vulnerability Management” (RBVM), “Application Vulnerability Correlation” (AVC), or one of several other terms that are nearly impossible to differentiate from one another.
Insight #2: You’re Not (Very) Unique
Insight #3: Learn from Others’ Mistakes
If you are part of a large organization, you may have internal software developers with extra capacity to support a new project to develop an internal VM platform. Many companies try this, and the vast majority eventually fail. The reason is that most companies underestimate the level of effort required to build and indefinitely maintain their own VM platform internally. An enterprise-class VM platform will cost millions of dollars to develop over the course of many years, will absorb the time of many senior security engineers, software developers and project managers, and will come with a never-ending (and ever-growing) maintenance tail.
Are there cases where it makes sense to build a VM platform vs. buying one? Sure, we’ve seen exceptions, but they are few and far between. You may have a very limited set of use cases that do not justify the cost of a VM platform designed to solve many larger problems. In these cases, we would suggest developing the minimum set of tools/utilities you need to get by as a stop-gap, keeping close tabs on this rapidly evolving space. More than likely, if you cannot find the right vendor solution today, it will be available soon.
Critical Features of an Effective VM Workflow Tool
Nucleus Streamlines Enterprise VM
Nucleus is a platform that automates vulnerability management processes, enabling organizations to mitigate vulnerabilities 10 times faster, using a fraction of the resources that it takes to perform these tasks today.
Nucleus Security’s vulnerability and risk management platform integrates with your existing tools, providing a single pane of glass to monitor your security posture and manage your vulnerability data. Integrating with over 100 scanners and external tools, Nucleus ingests your entire scope of vulnerability data, consolidates it in one place, and automates your vulnerability management processes so that your team works more effectively, and critical findings do not fall through the cracks.
Nucleus delivers value right out of the box, allowing you to manage vulnerabilities at scale through a simple, three-stage process:
- Collect and Normalize. Nucleus ingests and normalizes all the vulnerability data in your enterprise, including your tools, penetration tests, and audits, allowing security personnel to analyze, track, and search from a single console.
- Prioritize, De-duplicate, and Enrich. Nucleus enables organizations to produce custom risk scoring algorithms based on risk tolerance and priorities, resulting in risk scoring that is contextual to each organization, a significant reduction in time to determine the true risk of each vulnerability, along with more accurate reporting.
- Automate Response and Remediation. Using bi-directional integrations with ticketing systems, issue trackers, incident response tools, SIEMs, and more, as well as flexible automation rules and real-time views of all active vulnerabilities and remediation statuses, Nucleus enables organizations to respond to vulnerabilities up to 10 times faster.
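To make the three stages above concrete, here is an added illustration (not Nucleus code, and not an implementation of its platform) that normalizes constructed findings from two hypothetical scanners with different export schemas, merges duplicate findings for the same CVE on the same asset, and ranks them with an assumed contextual risk score based on asset criticality and exposure. The scanner field names, placeholder CVE ids, asset context and scoring weights are all assumptions.

```python
# Added example (not Nucleus code); scanner keys, asset context and weights are assumptions.
# Constructed exports from two scanners that use different keys for the same data.
SCANNER_A = [  # hypothetical network scanner; CVE ids are placeholders
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "db-01", "cve": "CVE-0000-0002", "cvss": 7.5},
]
SCANNER_B = [  # hypothetical agent-based scanner reporting one overlapping finding
    {"asset_name": "web-01", "vuln_id": "CVE-0000-0001", "severity": 9.8},
    {"asset_name": "lab-07", "vuln_id": "CVE-0000-0003", "severity": 9.1},
]
# Enrichment context the organization supplies: asset criticality and exposure.
ASSET_CONTEXT = {
    "web-01": {"criticality": 1.0, "internet_facing": True},
    "db-01": {"criticality": 0.8, "internet_facing": False},
    "lab-07": {"criticality": 0.2, "internet_facing": False},
}
# Per-scanner key mapping: (asset key, vulnerability key, score key).
SCHEMA = {"A": ("host", "cve", "cvss"), "B": ("asset_name", "vuln_id", "severity")}

def normalize(raw, source):
    """Stage 1: map each scanner's native keys onto one common finding schema."""
    a, v, s = SCHEMA[source]
    return [{"asset": f[a], "cve": f[v], "cvss": f[s], "sources": {source}} for f in raw]

def deduplicate(findings):
    """Stage 2a: merge findings that describe the same CVE on the same asset."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        if key in merged:
            merged[key]["sources"] |= f["sources"]
            merged[key]["cvss"] = max(merged[key]["cvss"], f["cvss"])
        else:
            merged[key] = dict(f, sources=set(f["sources"]))
    return list(merged.values())

def contextual_risk(f):
    """Stage 2b: assumed scoring, CVSS weighted by criticality plus an exposure bump."""
    ctx = ASSET_CONTEXT.get(f["asset"], {"criticality": 0.5, "internet_facing": False})
    score = f["cvss"] * ctx["criticality"]
    if ctx["internet_facing"]:
        score = min(10.0, score + 1.0)
    return round(score, 1)

def prioritize():
    """Run the stages and return findings ordered by contextual risk for response."""
    findings = deduplicate(normalize(SCANNER_A, "A") + normalize(SCANNER_B, "B"))
    for f in findings:
        f["risk"] = contextual_risk(f)
    return sorted(findings, key=lambda f: f["risk"], reverse=True)
```

Note how the lab host's 9.1 CVSS finding drops to the bottom once asset context is applied, while the finding reported by both scanners is tracked once with both sources recorded.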
Over 150 Integrations and Counting
Nucleus currently integrates with 100+ tools and is continuously adding more based on customer requests. We also maintain an open GitHub project for customer contributions.
Support for SSO and Custom Roles
Nucleus integrates with your single sign-on provider so that you can map your existing roles to Nucleus roles, minimizing administrative overhead.
Enterprise Speed and Scalability
Nucleus scales to support any sized organization and remains performant regardless of the number of tools in use, concurrent users, or amount of vulnerability data imported.
Scheduled Reporting
Built-in reports for all levels of stakeholders, from executive to technician, can be automatically emailed at any scheduled interval.
Accurate Vulnerability Status
It is critical that security personnel track every change to vulnerability status, not just discovery and remediation. Nucleus supports over 10 different vulnerability statuses, ranging from false-positive to risk-accepted, and documents each step along the way to produce a complete and detailed history of each vulnerability, from discovery to remediation.