By Paulo Shakarian, CEO, CYR3CON
In our business, we talk with MSPs and MSSPs regularly and our conversations often turn to how service providers handle vulnerability management for their clients. All too often the service provider has added a bare-bones service around vulnerability management to upsell or grow their customer base. Compared to SOC-as-a-service or incident response – the more exciting services normally associated with cybersecurity – vulnerability management gets viewed as a box to check.
However, nothing is further from the truth. Vulnerability management is the primary means by which an organization can avoid attacks. It offers the ability for an MSP/MSSP to put their clients in a more proactive position and reduce costs. From a business perspective, vulnerability management can lead to new streams of recurring revenue as well as improve other services like SOC operations. In this article, we give three tips on how to turn vulnerability management from a boring commodity service to something that excites customers.
- Showcase Avoided Attacks
CIOs and CSOs tend to present vulnerability scanning results to management as a compliance issue with a focus on ensuring that vulnerabilities are identified and patched in a certain amount of time. While important, this mode of presentation does not communicate the effectiveness of the measures and more importantly, it does not highlight successes.
Now suppose the CIO presents to his board 2-3 slides of exploits seen in the wild after his organization has patched the associated vulnerabilities. This can provide clear evidence to management that the organization avoided attacks as well as the effectiveness of the policies. It will also help the CIO justify security resources as it will communicate to management that he is actively countering the threat.
From an MSP/MSSP perspective, providing this type of information can easily be layered into the results of a vulnerability scan, and under the CVE numbering system, this analysis can be scaled to support many clients. It would be very difficult for a CIO to replace a service that helps communicate program effectiveness to management.
- Guide The Customer On How To Prioritize Vulnerabilities
Many MSPs/MSSPs find that when they implement vulnerability scanning with a client, that the customer becomes overwhelmed with the results. This is especially true when a client has either a non-existent or poorly run vulnerability management program that causes enormous amounts of vulnerabilities to be overlooked.
Even going beyond that point, with over 1,600 disclosures a month, the number of potential vulnerabilities in a given organization tends to grow. This means that even for firms with great practices there is a high-risk period – a “window of risk” – in which vulnerabilities are queued up for remediation.
Further compounding these difficulties is the fact that the NIST CVSS scoring system has been shown to not be predictive of future exploitation. However, this shortcoming poses a potential opportunity for a service provider to differentiate. By prioritizing vulnerabilities by threat using factors such as availability of exploit, threat intelligence, and other factors, the customer can be put on the right track toward fixing the most threatened vulnerabilities first.
This accomplishes a few things with the customer. First, it recognizes and addresses the pain they have in combatting many vulnerabilities with limited resources – it's reasonable to want to remediate what the hackers will attack first. Second, is it enables the client to build trust in your results – providing intelligence or other evidence as to why one vulnerability should be patched over another lends credibility to the service provider as well as provides differentiation from those just running a scanner.
- Coach The Client On How Digital Transformation Initiatives Impact Vulnerability Management
Companies are constantly undergoing digital transformation in one dimension or another. Key trends such as work-from-home, containerization, dev-sec-ops, and OT/IoT all require revisions in vulnerability management.
For each of the different areas listed above, there are potential technologies. For each of the above-listed digital transformation projects, there are associated vulnerability management challenges – whether it's mitigating old vulnerabilities in legacy OT devices, understanding the expanded threat surface brought on by containerization, or enabling development teams with best practices to detect and avoid application security vulnerabilities.
Understanding the client’s ongoing digital transformation efforts in these areas and getting ahead of the vulnerability-related pain points allows the service provider to take a more consultative approach with the client – and will serve to minimize the expansion to the attack surface associated with digital transformation.
Too many view vulnerability management as “running Nessus” or “part of compliance” when it can drive value to clients, build trust, and boost retention. The tweaks involved in doing so are easy to implement across the customer base and will serve to differentiate MSP’s/MSSP’s from their competitors in this area.
About The Author
Paulo Shakarian, Ph.D. is CEO and Co-Founder of Cyber Reconnaissance, Inc., (CYR3CON) which specializes in combining artificial intelligence with information mined from malicious hacker communities to avoid cyberattacks. He has led research efforts funded by IARPA, DARPA, ONR, AFOSR, and ARO.