Intelligent Work Orchestration for VM
Vulnerability Management remediation activities can become quite complex due to numerous factors
June 5, 2023
Vulnerability Management (VM) remediation activities, while fundamentally straightforward, can become quite complex due to numerous factors. These complications may arise from the intricacies of critical applications, inadequate or complex support contracts, a poor understanding of remediation, and an intricate network of accountability/responsibility spanning the entire digital organization. Often, when Cybersecurity primarily drives VM, the focus is solely on risk accountability, neglecting the processes and parties responsible for actual remediation. This approach can lead to a large volume of inefficient "reactive" work, commonly manifested as incidents, requests, or changes—or as we often call it, "tickets."
TranSigma utilizes our Intelligent Work Orchestration (IWO) framework to address these varied objectives harmoniously, serving as a keystone to our clients' VM program success. The priority of IWO is to prevent as much work as possible through robust preventive and proactive measures. After achieving this, IWO strives to consolidate and optimize the remaining work, especially the orchestration of unavoidable tasks that are not automated or only partially automated.
Given the auditing and tracking requirements of remediation efforts, ticket creation becomes a challenging task, fraught with required approvals, diversified communications, and special handling. Nevertheless, we have aided our clients in achieving substantial improvements in remediation efficiency and effectiveness using these strategies. This article explores strategies for reducing, and then optimizing, the use of tickets within VM remediation scenarios:
Do your data homework FIRST: Minimizing ticket creation by eliminating false positives, resolving data issues, and addressing broader ITAM data and detection problems should be the priority due to the inefficiency and costliness of this remediation approach.
Simplify the remediation requirement: Software vulnerabilities are not individual problems with individual solutions… usually. Different tools will report vulnerabilities in different ways, but at the CVE level, the vast majority represent weaknesses in operating systems and third-party software for which solutions (patches) have been published. Hence, if an asset has 2,000 Google Chrome vulnerabilities, remediation comes down to a single activity: either remove Chrome or update it to the latest release. While this seems incredibly simple, we still see some Cybersecurity teams pushing lists of vulnerabilities to remediation teams, who then fail to make these easy translations.
While many of these translations are quite straightforward, TranSigma maintains a large master database of published vulnerabilities from various scanning tools with proprietary tags, allowing our clients to apply their policies (such as a software whitelist, or supersedence rules). Our clients can then translate their vulnerability data into the most efficient “to-do” list that meets policy requirements.
Understand existing remediation process: Cybersecurity teams must understand remediation realities in addition to risk assessment.
A real-world example: A newly created VM team sets the first of many goals to reduce "vulnerability debt." They select a CVSS or other risk score and decide to address every operating system vulnerability that falls above this line. The next step is to assign vulnerabilities to a myriad of business units, divisions, countries, departments, teams, and beyond, and to "manage" these groups via traditional rack and stack until it is time for the next goal.
However, many of these teams or owners will have nothing to do with remediation efforts. Indeed, activities like Operating System management, certificate management, and configuration management are often handled centrally or regionally. Further, the "source of truth" data about the impacted assets is also likely owned outside of Cybersecurity, and it may not be very accurate.
Therefore, the priorities need to be correcting underlying data issues and patching process failures. Concurrently, the more manual effort should focus on known individual failures and other outliers, while the broader solutions are enacted. Overall, this approach will be far less costly, resolve risks faster (both now and in the future), and enhance the relationship between key stakeholders in the VM matrix.
Minimize non-value add work in each ticket: Implementing "opt-out" remediation programs within predetermined maintenance windows can reduce the need for approvals and scheduling communications. This requires significant stakeholder buy-in and is worthy of its own article, but setting reasonable expectations around regular remediation is a foundational step in transforming inefficient, reactive work activities into proactive, process-based services.
Maximize the value of each ticket: Use data intelligently to enhance the breadth of assets and/or depth of remediation activities within each ticket. Remediation tasks are common across assets available in similar timeframes and should be grouped and remediated in a single job. Similarly, in cases where an engineer may be working directly on an asset, use telemetry to identify any other issues they could address during the same work window.
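As an added example (not TranSigma's tooling or master database), the Python sketch below applies the two rules above to constructed scanner output: it collapses per-CVE findings into one action per asset and product, then batches those actions into one ticket per maintenance window. The product names, approval list, maintenance windows, versions and CVE ids are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    product: str
    fixed_version: Optional[str]  # release that closes the CVE; None if the scanner gave none


# Constructed policy inputs (assumptions standing in for a client's own rules):
# products allowed to remain installed; anything else is removed rather than patched.
APPROVED = {"Google Chrome", "Windows Server 2019"}
# each asset's agreed maintenance window, used to batch work into one ticket per window
WINDOW = {"web01": "sat-02:00", "web02": "sat-02:00", "db01": "sun-02:00"}

# Constructed sample findings, one record per CVE as a scanner would emit them.
# CVE ids and versions are placeholders, not real identifiers.
SAMPLE = [
    Finding("web01", "CVE-0000-0001", "Google Chrome", "113.0"),
    Finding("web01", "CVE-0000-0002", "Google Chrome", "114.0"),
    Finding("web01", "CVE-0000-0003", "Google Chrome", "112.0"),
    Finding("web01", "CVE-0000-0004", "Adobe Flash Player", None),
    Finding("web02", "CVE-0000-0002", "Google Chrome", "114.0"),
    Finding("db01", "CVE-0000-0005", "Windows Server 2019", "10.0.17763.4377"),
]


def version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def simplify(findings):
    """Collapse N CVEs into one action per (asset, product). Approved products get an
    update (highest reported fix version is the floor); unapproved products are removed."""
    floor = {}
    for f in findings:
        key = (f.asset, f.product)
        current = floor.get(key)
        if f.fixed_version and (current is None or version_key(f.fixed_version) > version_key(current)):
            floor[key] = f.fixed_version
        floor.setdefault(key, None)
    actions = {}
    for (asset, product), ver in floor.items():
        if product not in APPROVED:
            actions[(asset, product)] = f"remove {product}"
        else:
            actions[(asset, product)] = f"update {product} to >= {ver}" if ver else f"update {product} to latest release"
    return actions


def orchestrate(findings, windows=WINDOW):
    """One ticket per maintenance window listing every action for every asset in it,
    so a single job covers all assets being changed at the same time."""
    tickets = defaultdict(dict)
    for (asset, product), action in sorted(simplify(findings).items()):
        tickets[windows.get(asset, "unscheduled")].setdefault(asset, []).append(action)
    return dict(tickets)
```

On the sample data, six CVE-level findings become four actions and two tickets; an asset with no agreed window lands in an "unscheduled" ticket so it is not silently dropped.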
Intelligent Work Orchestration is a potent framework for maximizing the impact of VM programs. Even in "Emergency Patching" situations, where all hands can be on deck, there should at the very least be an immediate and concurrent effort to work down the pyramid below, so that this surge effort is as efficient and effective as possible and every "ticket" provides maximal impact.
Intelligent Work Orchestration Framework:
About The Author(s)
Richard Metz began his TranSigma journey in 2013, initiating their UK and Ireland operations. He later returned to the US to start TranSigma's Cybersecurity division, focusing on data and process-centric solutions for complex business issues.
Before TranSigma, Richard co-founded a London-based tech and outsourcing consultancy, serving both mid-sized businesses and large enterprises, including FTSE and Fortune 100 companies. He also held various tech and sourcing roles at General Electric in Europe and the US.
Richard holds degrees in Operations & Strategic Management, Mathematics, and Information Systems from Boston College's Carroll School of Management and is CISSP certified.