Level-Up Your Vulnerability Management Program

VM MATURITY SNAPSHOT.

Where Does Your Program Score?

This quick 10-question survey is designed to benchmark your general vulnerability management program against five levels of maturity. To begin, enter your name and email below then click "Next". Choose the answer that most closely resembles your environment. Comments are enabled for context, but not necessary. At the end, we'll instantly reveal your program maturity score and provide some resources to level-up your vulnerability management operation! Ready? Get started!

Name

Work Email

Describe your scanning program.

We conduct scans on a regular basis but our tools aren't integrated with anything

We've started integrating our tools but we know there's more we could do

Our tools are integrated but there's no unified view that lets us see both network and appsec vulnerabilities together on a single asset

Our scanning tools all feed into a central repository and there's some data enrichment

Our scanning tools are integrated into a central repository that provides a full picture of a system's security posture and enriches the data from sources both internal and external to the company.

Describe how you prioritize vulnerabilities.

We prioritize based on scanner severity or CVSS

We also factor in whether exploits or malware exist for the vulnerability

We use threat intelligence

We factor in asset criticality in addition to vulnerability severity and/or threat intelligence

In addition to asset criticality and generic threat intelligence, we also factor in internal security data and/or threat intelligence, and some of it is specific to our industry

How's your asset inventory?

We have one but there's stuff in our scans that isn't included in our inventory

We have data for most of our systems and it's more than just IP addresses and system names

We have a central repository but it's not integrated with our VM tools

Our VM tools can push data into our central repository

We have a bi-directional integration between our central repository and our VM tools

How do you analyze your scan data?

It's a manual process

We have some reports but have mixed opinions on them

We have some or all of our VM data going into our SIEM, but correlations are tricky, if they are possible

We have dashboards that help but they sometimes take a long time to update and they aren't unified

We have reporting and dashboards and it's easy to find our success rate for fixing any given vulnerability, not just a count

How do you do metrics and reporting?

We produce reports manually

Our tools send out reports via e-mail

We have some dashboards for our scan data

We have dashboards that do some prioritization for us but they sometimes take a long time to update

We have dashboards and reports that can be distributed or pulled on demand depending on each consumer's preference, including e-mail, messaging platforms, and multiple ticketing systems. Depending on the audience we can give a unified view of all relevant vulnerabilities or a view narrowed to just a single person or team's responsibilities

How do you let your teams know when they have vulnerabilities to resolve?

It's a manual process

Our tools send out reports via e-mail

We have an integration with a ticketing system

We have dashboards but they require users to log into our systems

We have an integration with our ticketing system(s) and it includes closing tickets automatically when we get a clean scan. We also have dashboards for those who prefer them.

How do you handle system hardening/policy compliance?

We do system hardening but the standards aren't enforced

We do system hardening when required by regulatory or contractual requirements

We harden systems based on industry best practices, but the data is completely separate from our other security data

We harden systems and measure the success rates, but don't have a good way to prioritize any findings

We harden systems and our tools provide a unified view showing deviations from hardening standards prioritized alongside network and appsec vulnerabilities

How do you handle manual testing?

We do manual tests when needed and open tickets by hand

We do manual tests and can import the results into one of our other scanning tools

We do manual tests and can import the results into one of our other scanning tools that has an integration with our ticketing system

It takes some work, but we can feed our manual tests into a central repository that also contains results from scanning tools

We have the ability to feed our manual tests into a central repository that also contains results from all of our other scanning tools and our penetration tests and gives a unified view

What does your penetration testing program look like?

We do an external penetration test every year

We do at least one penetration test a year but acting on the results is a manual process

We do penetration tests and have ways to track remediation findings, but we had to make dashboards to do it

It takes some work, but we can correlate penetration test data in a central repository that also contains results from scanning tools

We have the ability to feed our penetration tests into a central repository that also contains results from all of our other scanning tools and our manual testing and gives a unified view

10.

What is your security awareness training like?

We have annual security awareness training

We have security awareness training and we phish our users but don't know what to do with the data we get back

We have a security awareness program but acting on outputs from it is a manual and time consuming process

We've figured out how to get data from our phishing campaign's API but find it difficult to do anything useful with it

We have a security awareness program and have a machine-assisted method to correlate the results with endpoints so we can adjust criticality and act on the results

Time is Up!

Time's up

VULNERABILITY MANAGEMENT MATURITY

DO MORE WITH UNIFIED VM.

Don’t just solve part of the problem. Nucleus was built to tie together the 5 step process of a mature vulnerability management program — from discovery to remediation and beyond.

DISCOVER

Scan for vulnerabilities using any number of scanner integrations.

ENRICH

Correlate and prioritize scan data alongside data from Asset Inventories, Threat Intelligence, and other business context.

ANALYZE

Launch analyst investigations to determine best fix while tracking progress & outcome.

REMEDIATE

Triage high-impact vulns and implement long-term fixes to mitigate on-going and sustained risk to infrastructure.

MONITOR

Measure progress, report on risk, track vulnerabilities, and make decisions for budget and program priority. REPEAT!

Fixing the Broken VM Process

DOWNLOAD

Controlling the Chaos of VM

WATCH NOW

Risky Business Podcast - Ep 600

LISTEN NOW