Vulnerability management is a big deal to us at Evercore—not just for compliance reasons, but because we feel it’s the right thing to do. With complete visibility into our network using InsightVM, a cloud-based vulnerability management tool, we can find vulnerabilities on any machine and fix issues straight away based on risk score. By addressing security this way, we see a substantial improvement to our overall risk posture because we know what the biggest vulnerabilities are. It also allows us to look at the software and processes we use, determine what’s safe and what’s not, and find better alternatives.
In this post, I’ll shed some light on why we chose InsightVM and how we use it today.
1. Clear and succinct vulnerability reporting through dashboards
The reports we were getting from our former vulnerability management tool were quite poor, spitting out two-inch-thick stacks of paper with every vulnerability, CVE score, and IP address listed out. No one wanted to deal with it, so it was difficult to do proper vulnerability management.
To fix this, I started looking at Rapid7. I spun up a private POC and ran an initial scan. I showed my boss the report and his eyes instantly lit up. He then spent the next week exploring and configuring it all himself. From there, it was an easy sell to the business and financial approval was quickly granted. Next, we began using InsightVM to monitor our cloud assets and found the reports for those assets to also be accessible, actionable, and relevant to both executives and our technical staff.
Once more people saw the reports, everyone became enthusiastic about vulnerability management, eager to attend weekly meetings to report on patches, and wanting to help our risk score go down. What’s great is we can get both an executive report as well as detailed reports for things like individual workstations, networks, servers, etc. that anyone on our team can read and act on. Now when threats like Wannacry come out, for example, more people want to help out because they can see in real-time the impact of patching.
Within InsightVM, we use dynamic asset groups to prioritize our most vulnerable assets. This allows us to track things like obsolete operating systems, newly discovered assets, IP locations, servers, and an actual asset count. It’s a great snapshot of what’s going on and allows us to go to our infrastructure and network teams and show them what servers or networks need to be patched in priority order.
We can also see in real-time on the dashboard what assets are most vulnerable according to InsightVM’s Real Risk Score powered by attacker-based analytics. This helps us target risky assets or offending software straight away. We also have DHCP feeds set up in InsightVM that catch new machines and classifies them according to our rules so we can keep an eye on them. This has helped us get better visibility and patch faster.
2. Universal agents that provide broader coverage and live updates
Bringing agents into our environment forced us to completely rethink our attack surface. That’s because InsightVM’s agents picked up machines we didn’t know were there before, which helped us reframe our discovery process. For example, if our network team spins up assets without telling us, we know the agents will pick them up and notify us. And since we have remote workers who are operating outside the network, we can see them too because the agents aren’t restricted to just what’s on the network in our office. This helps us better track assets and ensure we don’t forget about the forgotten ones like old servers or out of office employees.
We also realized we didn’t have to be bound by the monthly scans to discover risk or have to re-run a scan if the first one fails (fully authenticated scans are just too labor intensive to set up and maintain, and tend to be prone to errors). We now push everything to the InsightVM agent and get a continual baseline of where vulnerabilities stand, meaning we don’t even have to wait for a scan to finish before we can start patching—we can do it straight away and then instantly see our risk score go down. This is incredibly motivating to our team.
3. Ease of setup
One of the best parts of InsightVM is you don’t have to be a grizzled security person with 30 years of experience to set it up or use it. It’s my infrastructure team that is responsible for logging on daily, running scans, and maintaining the patching process, and this was a big selling point for us. I don’t have to be heavily involved in the day-to-day operations of it, and my only job is to make sure everything is maintained, otherwise I can spend my time on longer-term projects and strategy.
Any infrastructure person with any interest in security, in our experience, will want to be involved in the running of InsightVM. Security people have been bad at allowing others to get involved mostly because non-security folks often can’t run the tools. It’s great that we can give them that responsibility with InsightVM and watch them go off and run it without our help. We then have a weekly meeting to review the top vulnerabilities and learn how our teams are working to bring risk down.
4. Proof of ROI in vulnerability management
ROI is pretty easy to prove with InsightVM because all I need to do is show my management team a monthly report on the downward trend of our Real Risk Score, which shows that what we’re working on is directly addressing risk. There isn’t a specific metric we measure, it’s more that we want to see a continual decline in risk and be able to demonstrate that we’re making progress, which InsightVM makes easy to do.
Anytime we spot a spike in the risk score (which is usually caused by a patch Tuesday or celebrity vulnerability like Wannacry), I can explain exactly why that is and what we’re doing about it. We can also see if any spikes in the risk score are due to risky software like Adobe, Flash, or Java, for example, which help us justify dropping the use of such software.
Rapid7’s vulnerability management suite has shown us a whole new way of looking at our risk and better managing it, and our whole team has been excited to get involved.