We recently had the opportunity to speak with Brian W. Gray, Information Security Engineer for Carnegie Mellon University, about how he’s managing vulnerabilities across such a sprawling network, what his biggest challenges are, and how he is using our vulnerability assessment solution, Nexpose, to automate many of these processes.
Brian has a wealth of experience in vulnerability management, so if you are dealing with an expansive, complex network in an enterprise or university setting and are looking for a better way to get a hold of it all, read our Q&A below to learn how Brian does it:
Q: Tell us about your role as InfoSec engineer.
A: I’m focused on offensive tooling, performing penetration testing, and red team testing within our environment. I’m the prime user for integrations and configurations of our Rapid7 product, Nexpose. This involves integrating vulnerability scanning, taking the results of scans and automating how we interact with users, and using security orchestration to automate our response to vulnerabilities. Because we don’t ever want to be in the way of innovation and growth, it’s important that we don’t restrict our users beyond what’s necessary. Our intent is to give our team the freedom to research and build new things, but we are constantly looking for common problems and quickly letting users know about issues by using Nexpose and our automations.
Q: How many assets are you managing?
A: It really depends on the time of the year—it can range from 25,000 assets to 150,000. It fluctuates based on when school is in session, when students perform lab studies, when lab equipment is replaced, when new systems are implemented, or when a new building opens on campus. This alone could add more than 10,000 devices between lighting, badges, and dorm infrastructure, among other things. For us, it’s not just servers and workstations we’re managing—it’s everything.
Q: Why is automation important to you and your security team?
A: The number of assets we manage makes it absolutely necessary to have automation. We have a lot of devices that most corporate environments don’t. I’m talking about Wemos, Xboxes, Apple TVs, and all those little devices that we have by the hundreds or thousands all over campus. Our automations are focused on notifying system owners of issues and implementing mitigation workflows that do actions like automatically quarantining systems with critical vulnerabilities.
For example, there may be a robot someone is using in a classroom that is connected to the network using default credentials. Even though the connection may only live for two to three days, it’s only a matter of hours before it could be compromised because it’s connected to the internet and the credentials aren’t properly configured. Because of that, we need to find and remediate issues like this as soon as possible. To do this, we developed a lot of checks on top of our original vulnerability management platform that most organizations may not have due to a lack of resources. And we use automation to mitigate and remediate vulnerabilities across our devices.
Q: How long did it take for you to set up automation with Nexpose?
A: Over the past four years, we’ve been slowly transitioning over the custom vulnerability checks we had written in-house with Ruby to Nexpose. The transition was easier and faster than I expected. Using the Nexpose APIs, we were able to take the things we were using our internal APIs for and transition them over to Nexpose to be automated.
Q: How would you cope with a vulnerability today without automation in place?
A: Automation is the only way we can keep up with vulnerabilities. There is just no other way we could do it with our infrastructure. If we relied on our team to manually handle each vulnerability scan, threat detection, and incident response, we’d be paying a fortune on labor—and even then, tasks would be accomplished far more slowly, since it’s not humanly possible to react and take action as quickly as our automations do. It only takes a matter of hours for a default credential or vulnerability to be exploited, so we simply cannot afford any mistakes or oversight.
Q: What benefits are you seeing with your automated vulnerability management program?
A: Time savings is the biggest benefit by far. With Nexpose, we have reduced our response time down to just 24 minutes, on average. We have our DHCP listener on Nexpose, which detects everything that comes in. Being able to continuously monitor for things that we know have a rate of occurrence greater than zero allows us to reduce the potential for an issue to be exploited again in our environment. If we were still doing this manually, the initial push to scan and address vulnerabilities may go pretty well, but after that’s over, people tend to forget about certain things and put less effort into it all. Automation doesn’t forget and doesn’t get lazy—it’s always on the lookout. That’s incredibly reassuring to us.