Unlock the Power of Automation: Vulnerability Management
Dave Krasik
We’ve spoken extensively about the importance of taking a data-driven approach to Vulnerability Management. In short, the efficiency and effectiveness of vulnerability management processes depend heavily on the inclusion of threat intelligence in both prioritization and response activities. At any given time, only a small fraction of existing vulnerabilities are actively exploited or exploitable, and for any given organization only a fraction of those are used by the threat actors and campaigns that may target it. It follows that higher quality threat data, and tighter integration of that data into the vulnerability management lifecycle, will improve outcomes. A core characteristic of XDR (Extended Detection and Response) platforms is that they likewise take a data-driven approach and emphasize tight integration of security tools and threat intelligence to improve security workflows. An organization that aims for best-of-breed XDR and vulnerability management capabilities therefore needs to invest in high quality threat intelligence and in the processes that produce it and integrate it into threat detection and response.
- Further automate threat intelligence workflows so that users can spend more time developing a deeper and more responsive understanding of their threat landscapes and risk profiles.
- Evolve vulnerability management workflows more easily to adapt to a dynamic threat landscape.
In addition to processing large volumes of tactical, operational, and strategic intelligence, the ThreatQ Platform can also store asset and vulnerability data and automatically build relationships to it. With our data model and ThreatQ Investigations, we can represent a multi-layered threat graph that connects directly to the vulnerability and asset data at the center of vulnerability management’s risk mitigation efforts. Once that graph has been constructed through a combination of automation and manual analysis, TDR Orchestrator can enhance and leverage it to improve response time and effectiveness in multiple ways:
- Automate the enrichment of threat data – based on very granular criteria associated with both the threat and the vulnerability, any number of external sources can be called on to automatically enrich what is known about a vulnerability and its associated threats.
- Feed ThreatQ’s prioritization scoring engine – by ingesting, relating, and enriching from external sources (e.g. MITRE ATT&CK), organizations incorporate additional criteria that can be factored into the ThreatQ scoring algorithm. Users can set up granular scoring policies, and as the system ingests and enriches new data, the priorities of vulnerabilities and IOCs are refreshed automatically.
- Execute actions based on prioritization – TDR Orchestrator can leverage any form of data in the Threat Library to trigger follow-on actions. The automated score, tied to the additional vulnerability and threat criteria, can drive actions directly from ThreatQ: automatic checks for vulnerable assets, prioritization of vulnerabilities and assets to be patched, retrospective SIEM searches or threat hunts based on newly related data (e.g. from enrichment), and tasking of compensating controls when patches aren’t possible.
Layered on top of these automation capabilities is the ability to update them easily in order to react to, and anticipate, changes in the threat landscape. ThreatQ TDR Orchestrator takes a data-driven approach to automation: using multi-layered threat intel to drive actions is fundamental to its design. We have therefore made it simple to build automation criteria that incorporate the rich relationship data in a threat graph. The overall threat landscape and the graphs around individual threats are dynamic; an automated process that was relevant and effective three months ago may be less relevant and stale today. The tools within ThreatQ allow that view to evolve along with real-world activity, and TDR Orchestrator lets any user armed with the right security and business context update the criteria and automated workflows.
- Ingest vulnerability and internal asset data into ThreatQ
- ThreatQ automatically relates relevant intelligence to ingested vulnerability and asset data
- The ThreatQ scoring algorithm assesses, based on user configuration, the priority of a given vulnerability and threat. Users can weight factors such as related malware type, adversaries, target sectors and geographies, source quality, and any other context.
- ThreatQ TDR Orchestrator automatically enriches the threat-vulnerability graph based on the scoring assessment. Adding the ThreatQ score as an automation criterion takes only a few clicks.
- User views the threat-vulnerability graph in ThreatQ Investigations with automatically generated relationships
- User can further pivot and expand this view manually, add assessment notes and pull in additional data points used in follow on actions
- TDR Orchestrator updates the vulnerability management system and/or security ticketing system to trigger a patching workflow and provide more context behind it, e.g. for vulnerabilities related to these threats, within this score range, and updated in the last week, set the status to ‘priority patch’ and include additional structured threat details in the ticket.
- TDR Orchestrator pulls a list of relevant IOCs from the graph and passes them to the SIEM for a retrospective search.
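The workflow above, from weighted threat-context scoring through the ‘priority patch’ rule and the IOC hand-off to the SIEM, as an added illustration in Python. This is not ThreatQ or TDR Orchestrator code; the scoring weights, the `Vuln` record, the placeholder CVE ids and the sample indicators are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Vuln:                      # a vulnerability node plus its related threat context
    cve: str
    updated: datetime
    malware_types: list
    adversaries: list
    target_sectors: list
    source_quality: float        # 0.0 .. 1.0, confidence in the reporting source
    iocs: list                   # indicators related to the threats that exploit it

# Hypothetical user-configured scoring policy (not ThreatQ's real policy format).
WEIGHTS = {"malware": {"ransomware": 30, "infostealer": 15},
           "adversary_known": 20, "sector_match": 25, "source_quality": 25}
ORG_SECTORS = {"finance"}        # the organisation's own sector(s)

def score(v, weights=WEIGHTS, org_sectors=ORG_SECTORS):
    """Weighted priority score (0-100) derived from the vulnerability's threat relationships."""
    s = max((weights["malware"].get(m, 0) for m in v.malware_types), default=0)
    s += weights["adversary_known"] if v.adversaries else 0
    s += weights["sector_match"] if org_sectors & set(v.target_sectors) else 0
    s += round(weights["source_quality"] * v.source_quality)
    return min(s, 100)

def priority_patch_candidates(vulns, threats, score_range, now, window_days=7):
    """Rule: related to `threats`, score within range, and updated within the window."""
    lo, hi = score_range
    cutoff = now - timedelta(days=window_days)
    hits = []
    for v in vulns:
        related = (set(v.adversaries) | set(v.malware_types)) & threats
        if related and lo <= score(v) <= hi and v.updated >= cutoff:
            hits.append({"cve": v.cve, "score": score(v), "status": "priority patch",
                         "threat_context": sorted(related)})  # structured details for the ticket
    return hits

def iocs_for_siem(vulns, cves):
    """Collect the IOCs related to the selected vulnerabilities for a retrospective search."""
    return sorted({i for v in vulns if v.cve in cves for i in v.iocs})

# Constructed sample data: placeholder CVE ids, documentation-range IPs, example domain.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Vuln("CVE-0000-0001", NOW - timedelta(days=2), ["ransomware"], ["ADV-A"], ["finance"], 0.8,
         ["198.51.100.7", "c2.example.net"]),
    Vuln("CVE-0000-0002", NOW - timedelta(days=30), ["ransomware"], ["ADV-A"], ["finance"], 0.8,
         ["203.0.113.9"]),                                   # stale: outside the one-week window
    Vuln("CVE-0000-0003", NOW - timedelta(days=1), ["adware"], [], ["retail"], 0.4, []),
]

if __name__ == "__main__":
    hits = priority_patch_candidates(SAMPLE, {"ransomware", "ADV-A"}, (70, 100), NOW)
    print(hits)                                               # only CVE-0000-0001 qualifies
    print(iocs_for_siem(SAMPLE, {h["cve"] for h in hits}))
```

Changing `WEIGHTS`, `ORG_SECTORS` or the score range is the equivalent of the policy update described above: the same graph yields a different set of tickets and IOCs without touching the rule logic.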
Catch our previous blogs in the Unlock the Power of Automation series on threat intelligence management and spear phishing. To see the ThreatQ Platform and TDR Orchestrator in action, please visit: https://www.threatq.com/threatq-online-experience-registration/.