ENGAGEMENT
The Vulnerability Management team of a large media company engaged DayBlink Consulting to optimize and automate a variety of lifecycle steps, including assignment, rescanning for verification, automated ticket closure and burndown reporting. We were responsible for redesigning the team’s operating model to improve effectiveness by automating as much as was feasible. The mandate included evaluating the tool stack and processes to support the new operating model. The client team had specific goals of future-proofing their capabilities and increasing the burndown volume and velocity of high-severity vulnerabilities.
PROBLEM
The client team had recently been dramatically reduced in personnel due to a divestiture but had an increased scope and mandate for vuln reduction. Numerous previous organizational, scope and leadership changes had diminished the effectiveness of the VM team, which was not highly regarded within the company. Asset management and patch management were both owned outside of the security organization, relegating the previous VM team to scanner operators with limited visibility into what they were being asked to scan or what was done with the results afterwards. The VM team was a successful but reactive security organization whose leader sought to develop proactive efforts to improve the company’s security posture. The existing vulnerability scanning reports were managed in an ad-hoc manner, without clear ownership of, or reporting on, the remediation efforts. As a result, senior leadership had limited visibility into the risks they were accepting.
SOLUTION
Automation was seen as a path to improved scalability for a recently reduced team. DayBlink drove projects that would automate remediation of large swaths of vulnerabilities. We prioritized and then managed the relevant initiatives across vuln scanning, triage and reporting. We started by expanding Tenable’s external network scanning and ensuring additional container vulnerability scanning (these addressed assignment and rescanning issues). We then enabled auto-remediation of standard builds and configurations by more clearly defining assignment and rescanning rules and by automating ticket closure and burndown reporting (burndown). Next, we developed processes to decouple compliance scanning from vuln scanning, which improved PCI scanning compliance reporting (also focused on rescanning). By operationalizing standard rules and approaches across the organization, we enabled better usage of the Security organization’s CVE-producing tools (assignment). This improved the auto-remediation capabilities because there were far fewer false positives (burndown). Finally, we implemented BU-level SLA tracking and reporting with defined, trackable metrics.
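The lifecycle steps above (rescan-based verification, automated ticket closure, and BU-level SLA and burndown reporting) can be expressed as a small state model. The following is an added example written for this page, not DayBlink’s or the client’s tooling; the SLA days per severity, the finding fields and the sample findings are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA in days per severity (not stated in the case study).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    fid: str
    bu: str                       # business unit the ticket is assigned to
    severity: str
    first_seen: date
    closed_on: Optional[date] = None

def verify_rescan(f: Finding, still_present: bool, scan_date: date) -> bool:
    """Auto-close only when a rescan no longer reports the finding.
    Returns True if this rescan closed the ticket (idempotent once closed)."""
    if f.closed_on is None and not still_present:
        f.closed_on = scan_date
        return True
    return False

def sla_breached(f: Finding, today: date) -> bool:
    """Age is measured to the closure date, or to today while still open."""
    end = f.closed_on or today
    return (end - f.first_seen).days > SLA_DAYS[f.severity]

def burndown_by_bu(findings, today: date) -> dict:
    """Per-BU counts: open/closed, and how many of each are outside SLA."""
    report = {}
    for f in findings:
        r = report.setdefault(f.bu, {"open": 0, "closed": 0, "open_breached": 0, "closed_late": 0})
        if f.closed_on is None:
            r["open"] += 1
            r["open_breached"] += int(sla_breached(f, today))
        else:
            r["closed"] += 1
            r["closed_late"] += int(sla_breached(f, today))
    return report

# Constructed sample findings and dates (not client data).
SAMPLE = [
    Finding("V-1", "Streaming", "high", date(2023, 1, 1)),
    Finding("V-2", "Streaming", "critical", date(2023, 1, 20)),
    Finding("V-3", "Publishing", "medium", date(2023, 1, 5)),
]
RESCAN_DAY = date(2023, 1, 25)
TODAY = date(2023, 2, 10)
```

Feeding a clean rescan of V-1 on RESCAN_DAY and a still-present rescan of V-2 through `verify_rescan`, then calling `burndown_by_bu(SAMPLE, TODAY)`, yields one on-time closure and one open SLA breach for Streaming and one open, in-SLA finding for Publishing.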
OUTCOME
DayBlink enabled the client’s VM team to effectively manage a job previously performed by 4 times the people. Despite the smaller organization, we helped dramatically increase the effectiveness and satisfaction of the engineering teams. Over the following 6 months, the team’s effort improved vulnerability burndown times through increased visibility and the automation of a subset of deployed patches. This in turn enabled the VM team to provide value beyond operating scanners, through consultative remediation advisory for non-automatable efforts.
By the end of the project, the team’s effort had dramatically increased the burndown of high-severity vulnerabilities within their SLAs through an increased use of automation. The tracking efforts produced data that helped numerous stakeholders, from engineers through senior leadership, better understand the current security risk.