If you’ve been in the security industry for any amount of time, you’re no stranger to false positives. They show up in nearly every security monitoring tool and can waste an incredible amount of time and resources that your team should be spending on issues that actually matter.
The good news is, there is a way to measurably reduce them so you can reallocate your team’s time from investigative to proactive work. Here’s how.
Challenges in the vulnerability management process
To begin, let’s discuss a few of the top challenges when it comes to investigation for vulnerability management. The first challenge is that triage sessions, especially on false positives, are a serious resource drain. When an alert comes in, the amount of effort that goes into coordinating work across IT, development, and security teams only to find out it’s a false positive can often be a huge resource drain. This can be frustrating to non-security teams, leading them to deprioritize security tasks for ones that seem more fruitful, leaving real vulnerabilities unattended to.
The second challenge is the influx of off-network devices. Hard to keep track of and scan regularly, they can often run rogue without proper monitoring. That or security teams have to manually scan them, which is a time-consuming process. Furthermore, with the influx of remote workers, risk intensifies and visibility continues to wane.
The third challenge is visibility without context. Even though your solution may give you meaningful visibility into your environment, it could lack the necessary context to help you understand what’s going on. Because of this, it can be difficult to take effective and targeted action.
The last challenge is CVSS (Common Vulnerability Scoring System) risk scoring being too generic. Organizations often struggle to determine which vulnerabilities are important to their specific business, which only compounds the issue of false positives. Because CVSS scoring is only a broad guideline, it does not always lead security professionals to the vulnerability that needs to be addressed most urgently.
Addressing top vulnerability management challenges
Thankfully, there is something you can do about all of this. A good vulnerability management solution should help you navigate investigation of vulnerabilities in an efficient and effective manner. Let’s look at how InsightVM, Rapid7’s vulnerability risk management solution, helps reduce efforts spent on false positives, starting with targeted vulnerability monitoring.
Targeted vulnerability monitoring
The core of InsightVM's vulnerability assessment engine is what is known as an expert system shell. As you might expect from the name, expert systems emulate the decision-making ability of a human expert, and are considered one of the first truly successful forms of artificial intelligence (AI) software. An expert system allows the person programming it to simply describe the "what" about a particular goal rather than the "how" to determine it. The "how" can be inferred by the expert system, typically with help from other defined rules.
You may be wondering what any of this has to do with false positives. The answer is in the simplicity that this system enables. Instead of a procedural approach to determining whether a particular patch has been applied, most of InsightVM's checks simply declare what a "vulnerable state" looks like. As the scanner learns new facts about what is (or isn't) installed and configured on an asset, it's up to the rules engine to deduce whether a check should fire vulnerable. This leaves less room for human error—the logic for detecting patches can get quite complicated, especially when you factor in concepts like supersedence, cumulative vs. non-cumulative patches, and so on. Better to leave that "thinking" to the computers, and let content developers focus on the research and higher-level descriptions.
Rapid7's security content team embeds their security expertise into the vulnerability checks and solutions that go out in our daily content releases. The team monitors a wide range of security advisory data sources, and builds tools that allow them to quickly convert advisory information into InsightVM's check format. This isn’t a one-and-done process—as vendors issue revisions to their advisories and bug pages, checks and remediation details get updated and released with the changes incorporated.
The assessment engine can also adapt to new information as the scanner collects additional data and fingerprints. For example, many Linux distributions “backport” security fixes. This means they take a fix for a security flaw out of the most recent version of an upstream software package and apply that fix to an older version of the package that is distributed. During the unauthenticated phase of a scan, server software such as Apache or PHP may report itself as an old version known to have several vulnerabilities. But if credentials are used and package manager data is available, the engine will incorporate what it knows about backported fixes from vendor advisories and override the less reliable fingerprint. This eliminates the patched vulnerabilities from being flagged and triggering a false-positive investigation.
Handling off-network devices
Off-network devices no longer need to be a black hole to your security program. With InsightVM, our Insight Agent gives you a live view into exposures on your endpoints, including off-network devices and assets deployed in cloud and virtual environments. This way, you can rest assured that no stone is left unturned, even with modern-day and rogue devices lurking around.
The Insight Agent is purposefully designed to be lightweight and non-invasive, meaning once it collects data, it transfers it onto our Insight platform, where the heavy lifting analysis occurs, not on your network. The agent knows where to monitor, collects small amounts of data from the registrar, packages, and the OS itself in a non-invasive way and skirts the rest of the process onto our platform with negligible impact on you.
Adding critical context
A solution like Rapid7’s InsightVM is purpose-built to give you both broad and deep visibility into every inch of your environment, as well as the context you need to understand the what, when, and how of a vulnerability so you or your IT and development counterparts can jump into action.
Once vulnerable assets are identified, InsightVM prioritizes them by leveraging attacker analytics. This identifies vulnerabilities that are being actively targeted in the wild, coupled with our advanced threat feeds, to show you the real threats you should be focused on. This process goes well beyond CVSS score, as it takes into consideration the age of vulnerability, its exploitability, Metasploit intel, and more to create a Real Risk Score. You also have the ability to tag critical assets so if a vulnerability is detected on one, it’s instantly elevated to the top of the list for remediation, not buried alongside menial or false positive alerts.
This is what sets InsightVM—and your vulnerability management program—apart from others. With the ability to gain actionable context, you can remediate faster and without the overwhelm, complexity, and resource expenditure.
Reducing false positives to accelerate remediation time
In a recent Total Economic Impact (TEI) study conducted by Forrester, they found that InsightVM's approach reduced false positives by 22 percent, altogether eliminating a portion of the investigative work by security operations teams and accelerating the remediation process. Over a three-year projection period, Forrester forecasted a savings of $397,200 per company.
With InsightVM, IT operations and DevOps spend less time rectifying issues due to actionable remediation with a few clicks, while live dashboards track the progress.
If you are interested in seeing how InsightVM can help you achieve similar results, sign up for a free trial or watch a demo today.
The Total Economic Impact™ Of Rapid7 InsightVM, a November 2019 commissioned study conducted by Forrester Consulting on behalf of Rapid7.