Buy vs Build a VM Program

TRY BEFORE YOU BUY

The Path to Vulnerability Management Maturity

Trying to Build In-House Vulnerability Management Software

We’ve talked at length about Fixing the Broken Vulnerability Management Process, establishing the problems and chaos that plague security teams trying to address an explosion of technology and vulnerabilities with a mature Vulnerability Management (VM) program. 

As you continue down the path of VM maturity, you will undoubtedly find that manual VM workflows are bottlenecks preventing your program from scaling and moving quickly enough to meet your objectives. You might even consider building your own VM platform internally to automate some of these bottlenecks. Let us stop you right there. 

Proprietary in-house software, or homegrown vulnerability management solutions, tend to be clunky and immature, consisting of little more than a database and primitive user interface. They‘re often difficult, time-consuming, and expensive to maintain, as wellConsider that any time developers spend maintaining the vulnerability management system is time they cannot spend on internal projects that drive the business forward. 

In-house solutions seldom meet the needs of the organizationrarely scaling sufficiently to meet increasing demand. They also tend to be purpose-built by one dedicated team, to solve one vulnerability management problem, but multiple stakeholders are involved in the vulnerability management process. This creates a situation where the homegrown solution solves only one problem, to the detriment of the vulnerability management process across the larger enterprise. 

If building your own solution is a situation you have found yourself in, it is probably because: 

BLISSFUL IGNORANCE

You were unaware that vulnerability management platforms already exist to automate manual VM workflows.  

UNICORN COMPLEX

You believe that your VM objectives, use cases, and workflows are too unique for an off-the-shelf VM platform to satisfy.      

PINCHING PENNIES

You have software development resources in house and believe you can save money by building your own vs engaging a vendor.      

Below are three insights to help you move towards VM maturity… without making the mistake of building your own VM workflow solution. 

INSIGHT #1

TERMINOLOGY MATTERS

The primary reason that VM platforms like Nucleus are still foreign to many cybersecurity professionals, is that the term “vulnerability management” was adopted by scanning vendors over 20 years ago. Still today, when most people think of vulnerability management, the first thing that comes to mind is vulnerability scanning, which is just one step (Vulnerability Discovery) in the larger vulnerability management process.

DISCOVER

ENRICH

ANALYZE

REMEDIATE

MONITOR

Scan for vulnerabilities using any number of scanner integrations.

Correlate and prioritize scan data alongside data from Asset Inventories, Threat Intelligence, and other business context.

Launch analyst investigations to determine best fix while tracking progress & outcome.

Triage high-impact vulns and implement long-term fixes to mitigate on-going and sustained risk to infrastructure.

Measure progress, report on risk, track vulnerabilities, and make decisions for budget and program priority. REPEAT!

Unfortunately search engines are also still stuck in the early 2000’s, and searches for “vulnerability management” still do not return results for platforms designed to automate the larger VM process.  Making matters worse, the analyst community cannot agree on a good term for this space, so we’re stuck with categories like “Vulnerability and Risk Management” (VRM), “Risk Based Vulnerability Management” (RBVM), “Application Vulnerability Correlation” (AVC), or one of several other terms that are nearly impossible to differentiate from one another.  

INSIGHT #2

YOU’RE NOT (VERY) UNIQUE

While there are some incredibly specific VM use-cases in some large enterprises, most of the issues large organizations face when scaling their VM program are actually quite common and can be solved with a VM platform. That said, the automated VM platform space is relatively new, and there may be feature gaps that you identify. This makes it especially important to partner with a VM platform vendor that listens to your feedback and is committed to filling those gaps quickly.

INSIGHT #3

LEARN FROM OTHER’S MISTAKES

If you are part of a large organization, you may have internal software developers with extra capacity to support a new project to develop an internal VM platform. Many companies try this, and the vast majority eventually fail. The reason is that most companies underestimate the level of effort required to build and indefinitely maintain their own VM platform internally.  An enterpriseclass VM platform will cost millions of dollars to develop over the course of many years, will absorb the time of many senior security engineers, software developers and project managers, and will come with a never ending (and ever-growing) maintenance tail. The chart below details the expenses you can expect to see across your build in employee headcount alone, not including hardware and hosting expenses.

YEAR

OBJECTIVE

HEADCOUNT

AMOUNT

COST

1

Project plan, product roadmap, prototype development and testing, launch and support beta version.

Product Manager

1

$249,600

Design/UX Engineer

1

$166,400

Frontend Developer

1

$166,400

Backend Developer

4

$748,800

Database Engineer

1

$280,000

QA/Testing

1

$156,000

Sr. DevSecOps Engineer

.5

$104,000

Sr. Infrastructure Security Engineer

.5

$104,000

Sr. Enterprise Security Architect

1

$249,600

Support Engineer

.25

$39,000

TOTAL YEAR ONE

$2,152,800

2

Iteration based on feedback from users, leadership and management, launch and support GA version.

Product Manager

1

$249,600

Design/UX Engineer

2

$332,800

Frontend Developer

2

$322,800

Backend Developer

6

$1,123,200

Database Engineer

1

$208,00

QA/Testing

2

$312,000

Sr. DevSecOps Engineer

.5

$104,000

Sr. Infrastructure Security Engineer

.5

$104,000

Sr. Enterprise Security Architect

1

$249,600

Support Engineer

1

$156,000

TOTAL YEAR TWO

$3,016,000

3

Continued evolvement to meet business needs, maintain integrations, support end users.

Product Manager

.5

$124,800

Design/UX Engineer

.5

$83,200

Frontend Developer

1

$166,400

Backend Developer

2

$374,400

Database Engineer

.25

$52,000

QA/Testing

.5

$78,000

Sr. DevSecOps Engineer

.25

$52,000

Sr. Infrastructure Security Engineer

.25

$52,000

Sr. Enterprise Security Architect

.25

$62,400

Support Engineer

2

$312,000

TOTAL YEAR THREE

$1,045,200

TOTAL COST OF OPERATION FOR YEARS 1-3

$6,214,000

TOTAL COST OF OPERATION EACH YEAR AFTER

$1,045,200

It adds up! Are there cases where it makes sense to build a VM platform vs. buying one? Sure, we’ve seen exceptions, but they are few and far between. You may have a very limited set of use cases that do not justify the cost of a VM platform designed to solve many larger problems. In these cases, we would suggest developing the minimum set of tools/utilities you need to get by as a stopgapkeeping close tabs on this rapidly evolving space. More than likely, if you cannot find the right vendor solution today, it will be available soon.

* Labor costs in each category are averaged across junior, mid, and senior level positions and includes all fringe benefits. Labor costs are based on U.S. national averages and may be adjusted due to location.

Critical Features of an Effective VM Workflow Tool 

For effective vulnerability management in modern data environments, organizations need a dedicated, scalable vulnerability management solution that does all of the following: 

  • Provides a central repository for vulnerability data, integrating with and aggregating results from all scanning tools, assessments, and penetration tests. 
  • Automates as many steps of the vulnerability management process as possible, including normalizing scan result data, sending notifications to the appropriate remediation teams, handling ticket creation and assignment, and generating reports. 
  • Helps prioritize vulnerabilities and risk using customizable algorithms that can be configured to the vulnerability and asset attributes that are most important to your organization. 
  • Automates and orchestrates response through integration with ticketing systems, issue trackers, SIEMs, and incident response tools. 

We’ve Already Done the Hard Work for You – GET STARTED

Nucleus Streamlines Enterprise VM

Nucleus is a platform that automates vulnerability management processes, enabling organizations to mitigate vulnerabilities 10 times faster, using a fraction of the resources that it takes to perform these tasks today. 

Nucleus Security’s vulnerability and risk management platform integrates with your existing tools, providing a single pane of glass to monitor your security posture and manage your vulnerability data. Integrating with over 100 scanners and external tools, Nucleus ingests your entire scope of vulnerability data, consolidates it in one place, and automates your vulnerability management processes so that your team works more effectively, and critical findings do not fall through the cracks. 

Nucleus delivers value right out of the box, allowing you to manage vulnerabilities at scale through a simple, three-stage process: 

  1. Collect and Normalize. Nucleus ingests and normalizes all the vulnerability data in your enterprise, including your tools, penetration tests, and audits, allowing security personnel to analyze, track, and search from a single console. 
  1. Prioritize, De-duplicate, and Enrich. Nucleus enables organizations to produce custom risk scoring algorithms based on risk tolerance and priorities, resulting in risk scoring that is contextual to each organization, a significant reduction in time to determine the true risk of each vulnerability, along with more accurate reporting. 
  1. Automate Response and Remediation. Using bi-directional integrations with ticketing systems, issue trackers, incident response tools, SIEMs, and more; as well as flexible automation rules, and real-time views of all active vulnerabilities and remediation statuses, Nucleus enables organizations to respond to vulnerabilities up to 10 times faster. 

Over 100 Integrations and Counting.

Nucleus currently integrates with 100+ tools and is continuously adding more based on customer requests. We also maintain an open GitHub project for customer contributions. 

Support for SSO and Custom Roles.

Nucleus integrates with your single sign-on provider so that you can map your existing roles to Nucleus roles, minimizing administrative overhead.  

Enterprise Speed and Scalability.

Nucleus scales to support any sized organization and remains performant regardless of the number of tools in use, concurrent users, or amount of vulnerability data imported.  

Scheduled Reporting.

Built-in reports for all levels of stakeholders, from executive to technician, can be automatically emailed at any scheduled interval. 

Accurate Vulnerability Status. 

It is critical that security personnel track every change to vulnerability status, not just discovery and remediation. Nucleus supports over 10 different vulnerability statuses, ranging from false-positive to risk-accepted, and documents each step along the way to produce a complete and detailed history of each vulnerability, from discovery to remediation.