The Ongoing Frustration of Vulnerability Management
Working at an unnamed large bank and as faculty at IANS, Alex Hutton (@alexhutton) admits his biggest challenge with vulnerability management is the removal of false positives, and getting the business to act on the vulnerabilities they’re responsible for.
Plus, the way vulnerabilities are presented, Hutton’s given an impossible task. He can’t do 30,000 risk assessments nor issue 30,000 tickets.
In our conversation at the 2015 Black Hat Conference in Las Vegas, I echoed a conversation I had with Monzy Merza of Splunk who suggested that false positives were an old way of thinking, and given our advanced analytics and data, we should be measuring vulnerabilities on a confidence scale.
The reason we were operating with so many false positives is that we had much less data and therefore much less understanding as to what was going on.
While Hutton likes that confidence scale idea, what he really wants to see is contextualization.
“We’re always going to have to make a guess on whether this thing is real or not, but give me more context,” said Hutton. “I want to know change management around this host name or IP address. I want to know configuration management changes. I want to know file integrity changes … The way you’re going to get better certainty estimates is to add more and more context.”