By Mike Buckley | Pre-Sales Consultant at Nettitude
For some of our clients reading this, you might well be familiar with our Security Operations Centre (SOC). However, for many it can be a bit of a mystery with it sounding like some sort of covert operations lair. Whilst we can tell you that what goes on in our SOC is some very clever and ground-breaking stuff, it’s not quite the scenes from the latest James Bond movies!
So, you’re probably wondering what actually goes on in our Security Operations Centre, and what goes on in our Vulnerability Management Programmes. Below, we’ll give you exclusive access to the ins and outs of our SOC Vulnerability Management activities.
How did the Vulnerability Management Programme come to be?
Nettitude established their Security Operations Centre in 2013, primarily in response to our customers’ need for a solution around compliance standards (particularly PCI-DSS) that require centralised logging. During the intervening years there has been a huge shift in perceptions of, and attitudes to, risk, and as the marketplace has matured, so too has Nettitude’s Security Operations Centre. It has expanded not only in customer numbers and employees, but also in the breadth and depth of its solutions. One of those solutions is a service based around Vulnerability Management, which we like to call “SOC Scanning” for short.
Why do clients need SOC Scanning Tools?
Nettitude performs detailed Penetration Test activities on a wide range of varied environments. There is no doubt that the majority of our follow-up debrief reports conclude that the success of the test was dependent on the lack of a proper Vulnerability Management Programme.
When first engaging with our customers, it’s often the management of their Vulnerability Programme that is significantly failing their otherwise successful cybersecurity measures. The bottom line is that unpatched resources pose a significant risk to any business, whether public facing or not.
What challenges do our clients usually face?
Why do we continue to see a lack of Vulnerability Management? For a thankfully decreasing number of companies, this is because they believe it’s either unnecessary, or that an annual check as part of a penetration test is sufficient for them. More commonly, there is a real reluctance to engage with the problem: it’s acknowledged that the problem exists, but it’s perceived to be too big to fix. Well, part of that is true, and part of it isn’t.
Starting from scratch there are likely to be some common challenges:
- What hardware and software actually exists within the environment?
- What is the patch status of those assets?
- How can we fix it?
The first two on that list are relatively easy to address. The third one, the implementation of a successful patching policy, can often require quite a culture change, but the outcomes of addressing the first two challenges can be used to help drive this.
Figure One: Asset Discovery
What’s the solution?
Vulnerability Management begins with understanding what exists within your environment, and what the status of those devices is. As there are a large number of vendors out there who offer this service, the challenge is often finding the most appropriate one to do so.
Addressing the technical challenge often requires the purchase of specialist tools. However, this then causes an additional problem: how is an already stretched IT team going to successfully deploy and manage the solution, and who is going to qualify that the solution even meets requirements? Does the IT team have the cyber security knowledge to successfully run the tool and manage the output? Can they then incorporate it into a ‘Business as Usual’ activity?
Figure Two: Vulnerability Tool Lifecycle
The solution, outsourcing the technical challenge of Vulnerability Management, removes the resource hit on an IT team, and also provides assurance that the tool is being run by a cybersecurity MSSP with all the knowledge required to implement it successfully. The technical output from the tool can be used to drive patch management internally, while the management report tracks progress and can be used in a “top down” approach to give management visibility into the progress (or lack of it) in addressing the risk of running unpatched devices. It is also important that this comes from an independent cybersecurity specialist. For example, at Nettitude all results are validated by our analysts and carry a weight that an internal IT team may lack.
What can Nettitude provide?
Our “SOC Scanning” service is technically delivered by Tenable.io, a market-leading vulnerability scanning service with the advantage of a simple deployment methodology. The front end is cloud based, reducing the burden on local teams of having to provision resources (although we do require internal scan agents where networks are segregated and protected). We also share the portal, which means our customers can log on at any time to view the asset lists, the scheduled scans and the scan results. Ad hoc scans can be run at any time, with no limit on the number of scans required.
All features of the tool are available to use, so we can also run compliance and configuration assessments as well as vulnerability scans. Our SOC Consultants will onboard new customers and set up asset discovery scans, to identify the “in-scope” devices/applications for the deeper vulnerability search. Following this, scheduled scans are organised and any regular reports you require are configured. If a customer is also signed up to our SIEM service (SOC Monitor), alerts are configured to the SIEM and the Management reporting becomes a single report for both services.
Service reviews are then scheduled to ensure that, when the service moves into a ‘Business As Usual’ status, it continues to reflect any changes in the environment.
The plan of action
Vulnerability Management is essential in protecting businesses from a cyber-attack. We can point to several large incidents over the years that simply would not have happened in the way they did if devices had been patched: TalkTalk, Equifax, WannaCry, Petya/NotPetya; the list is almost endless.
Any company not performing regular vulnerability scans simply does not have the information with which to assess its current risk, nor to drive a successful patching policy.
The NCSC state in Step 5:
If there is no evidence that a vulnerability is being actively exploited, the following timescales should be considered minimum good practice:
- ‘Critical’ patches should be deployed within hours
- ‘Important’ patches should be deployed within 2 weeks of a patch becoming available
- ‘Other’ patches deployed within 8 weeks of a patch becoming available
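The three challenges listed earlier (what exists, what its patch status is, and how to drive the fix) and the NCSC timescales just quoted are the two halves of the same tracking problem: reconcile a scan export against the asset inventory, then measure each finding against its patch window. The script below is an added illustration of that, written for this page and not part of Nettitude’s or Tenable’s tooling. Everything in it is constructed: the hostnames, IPs and finding ids are hypothetical, the CSV layout is a generic flattened export rather than any vendor’s format, the mapping from a scanner’s critical/high/medium/low onto NCSC’s Critical/Important/Other is an assumed policy choice, and the 24-hour window for “within hours” is an assumed value (the page only says “hours”). Findings flagged as actively exploited are escalated to the critical window, since the quoted timescales apply only where there is no evidence of active exploitation.

```python
import csv
import io
from datetime import datetime, timedelta

# Patch windows from the NCSC guidance quoted above. NCSC says "within hours" for
# critical; the 24-hour figure is an assumed policy value, not a number from the page.
SLA_WINDOWS = {
    "critical": timedelta(hours=24),
    "important": timedelta(weeks=2),
    "other": timedelta(weeks=8),
}

# Assumed mapping from a four-level scanner severity onto the NCSC categories.
SEVERITY_TO_CATEGORY = {
    "critical": "critical",
    "high": "important",
    "medium": "other",
    "low": "other",
}

# Constructed asset inventory (hypothetical hosts): the "what actually exists" baseline.
INVENTORY = {
    "web-01": {"ip": "10.0.1.10", "owner": "infra"},
    "db-01": {"ip": "10.0.2.20", "owner": "dba"},
    "laptop-42": {"ip": "10.0.9.42", "owner": "hr"},
}

# Constructed scan export, shaped like a generic flattened CSV (not a real vendor format).
SCAN_CSV = """host,finding_id,title,severity,patch_published,actively_exploited
web-01,F-001,Example web server remote code execution,critical,2024-03-01,false
web-01,F-002,Example weak TLS cipher suite,low,2024-01-10,false
db-01,F-003,Example database privilege escalation,high,2024-02-20,false
db-01,F-004,Example kernel update,high,2024-03-10,false
db-01,F-006,Example file-share flaw with public exploit,medium,2024-03-18,true
printer-07,F-005,Example SNMP default community string,medium,2024-01-01,false
"""

# Constructed "report date" so the results below are reproducible.
AS_OF = datetime(2024, 3, 20, 12, 0)


def parse_scan(csv_text):
    """Parse the CSV export into finding dicts with typed fields."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.append({
            "host": row["host"],
            "finding_id": row["finding_id"],
            "title": row["title"],
            "severity": row["severity"].strip().lower(),
            "patch_published": datetime.strptime(row["patch_published"], "%Y-%m-%d"),
            "actively_exploited": row["actively_exploited"].strip().lower() == "true",
        })
    return findings


def category_for(finding):
    """NCSC category for a finding; active exploitation escalates to 'critical'."""
    if finding["actively_exploited"]:
        return "critical"
    return SEVERITY_TO_CATEGORY.get(finding["severity"], "other")


def sla_deadline(finding):
    """Latest date by which the patch should have been deployed."""
    return finding["patch_published"] + SLA_WINDOWS[category_for(finding)]


def assess(inventory, csv_text, as_of):
    """Reconcile the scan against the inventory and list SLA breaches, worst first."""
    findings = parse_scan(csv_text)
    scanned_hosts = {f["host"] for f in findings}
    breached = []
    for f in findings:
        deadline = sla_deadline(f)
        if as_of > deadline:
            breached.append({
                "host": f["host"],
                "finding_id": f["finding_id"],
                "category": category_for(f),
                "days_overdue": (as_of - deadline).days,
            })
    return {
        "breached": sorted(breached, key=lambda b: -b["days_overdue"]),
        # Seen by the scanner but absent from the inventory: unmanaged assets.
        "unknown_hosts": sorted(scanned_hosts - set(inventory)),
        # In the inventory but not in the scan: offline, unreachable, or out of scope.
        "not_seen_in_scan": sorted(set(inventory) - scanned_hosts),
    }


if __name__ == "__main__":
    result = assess(INVENTORY, SCAN_CSV, AS_OF)
    for b in result["breached"]:
        print(f"{b['host']:<10} {b['finding_id']} {b['category']:<9} {b['days_overdue']:>3} days overdue")
    print("unknown hosts:", result["unknown_hosts"])
    print("not seen in scan:", result["not_seen_in_scan"])
```

With the constructed data the report lists five breaches (the unmanaged printer’s eight-week finding is the most overdue), flags `printer-07` as a host the inventory does not know about, and flags `laptop-42` as an inventory asset the scan never reached. The last two lists are the ones that feed the first challenge on the page: a scanner can only report patch status for what it can see, so the reconciliation step is what tells you whether the asset list itself is trustworthy.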
Is your company arming itself with the information needed to be able to achieve this? Perhaps it's time to find out.