Automating Vulnerability Management: From Detection to Remediation

Automation can help security teams more efficiently prioritize and remediate the ever-increasing number of vulnerabilities by uniting workflows across various systems.

In 1999, the year that the CVE database officially began, there were 894 vulnerabilities identified. In 2021, there were 20,150. The number of vulnerabilities discovered each year has skyrocketed in the last few years, making vulnerability management an increasingly daunting task.

With no way to remediate every vulnerability in their systems, security teams are focused on how to work smarter and prioritize the vulnerabilities that will have the most significant impact on their company’s bottom line. This has resulted in a shift toward risk-based vulnerability management, an approach that focuses less on resolving every vulnerability with a high CVSS severity score and more on resolving the vulnerabilities that have the biggest impact on the business’s overall risk profile. Being able to put these vulnerabilities into context and truly evaluate their risk, however, is impossible in a vulnerability management program that lacks visibility of the entire attack surface. Additionally, vulnerability management programs with significant bottlenecks in their workflows and a lack of coordination between IT and security teams will not be able to efficiently remediate any risks, regardless of how they are prioritized. For these problems, organizations are turning to automation in an attempt to relieve some of the burden.

Modernize Your Tools for Automation Capabilities

In a perfect world, you want a seamless vulnerability management pipeline. A vulnerability is detected, a risk score is assigned to it, suggestions are provided for remediation, and action is taken to remediate it. How much of that can you automate? The problem for many organizations is that they’re utilizing vulnerability scanning tools, but there is a disconnect between the identification and prioritization of the vulnerability and the actual remediation. If your detection tool is not talking to the tool you’re using to deploy the update, you will likely need to communicate the vulnerability to your IT department by putting in a ticket, possibly in a different ticketing system from the one the security team uses, and then IT has to find the patch for the vulnerability and apply it. Quite the manual bottleneck. It also introduces potential tension between security and IT teams, who may have different interpretations of what is truly a priority.

No tool will be able to do absolutely everything, at least not well. But modern vulnerability detection tools are beginning to incorporate the ability to remediate and deploy patches from the same system as detection, which can help make the pipeline much more efficient. Others without the capability to deploy patches are at least integrating with systems like Microsoft SCCM and HCL BigFix that are used to roll out updates. These tools will also integrate with popular ticketing systems such as Jira and ServiceNow to minimize the headache caused by transferring a detected vulnerability out for remediation.

If you’re running into bottlenecks, it might be time to reevaluate the tools you’re using to see if there is an opportunity to consolidate for better tool communication.

Moving to the Future with Hyperautomation

Right now, you might still just be trying to get the tools you have to talk to each other, but the future is going to take that one step further with hyperautomation. Hyperautomation is where automation spans a spectrum of technologies. If you think of levels of automation, task automation is just using one tool, process automation is bringing together multiple tools, orchestration is bringing together different functions, and hyperautomation is bringing together multiple orchestrated systems.

Orchestration has become popular over the last few years with security orchestration, automation and response (SOAR) platforms. These tools combine different security functions such as vulnerability management and incident response by ingesting alert data and then triggering an automated workflow which ultimately informs the response to the threat. SOAR platforms are designed to take disparate data and use machine learning to automate a response to low-level threats, reducing the workload of your overwhelmed security team.

However, some challenges are stopping security teams from flocking to SOAR solutions for vulnerability management. First, it takes a bit of work upfront before you see a reward. You need to be able to create detailed workflows that the SOAR platform can follow; otherwise it won’t provide much benefit. You also have to be using technologies that can integrate with it, as the entire point of the platform is to centralize information. For example, support for application security tools is currently limited.

That being said, if you have the processes and tech in place to utilize it effectively, a SOAR platform can be a valuable step forward in automating your vulnerability management program. It can help prioritize vulnerabilities with real-time threat intelligence to provide the additional context needed for risk-based remediation. Integrating your vulnerability management platform with a SOAR platform will allow you to build actions into your automated workflows based on CVE information, reducing some of the disconnect between detection and remediation.
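To make the detection-to-remediation pipeline and the risk-based prioritization described above concrete, here is an added example (not code from the article, RH-ISAC, or any SOAR or scanner vendor) of the core of such a workflow. It assumes scanner findings enriched with a threat-intelligence flag (whether a public exploit is known), an asset-criticality inventory maintained by IT, and two remediation channels: an automated patch-deployment integration for hosts it covers, and a ticket queue for everything else. All CVE identifiers, hostnames and scores are constructed placeholders.

```python
"""Risk-based vulnerability triage and routing.

Illustrative example only; the scoring weights, field names and routing
thresholds are assumptions chosen for this demonstration, not a standard.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Detection:
    cve: str             # constructed placeholder identifier, not a real CVE
    cvss: float          # base score 0-10 as reported by the scanner
    host: str            # asset the finding was observed on
    exploit_known: bool  # threat-intel enrichment: public exploit available


# Constructed asset inventory: host -> business criticality (1 = low, 3 = critical).
ASSET_CRITICALITY = {
    "web-01": 3,
    "db-01": 3,
    "dev-laptop-07": 1,
}

# Constructed set of hosts the patch-deployment integration can reach.
PATCH_CAPABLE = {"web-01", "dev-laptop-07"}

# Constructed scanner output for the example run.
SAMPLE_DETECTIONS = [
    Detection("CVE-XXXX-0001", 9.8, "web-01", exploit_known=True),
    Detection("CVE-XXXX-0002", 9.8, "dev-laptop-07", exploit_known=False),
    Detection("CVE-XXXX-0003", 6.5, "db-01", exploit_known=True),
    Detection("CVE-XXXX-0004", 7.5, "unknown-host", exploit_known=False),
]

MAX_RAW = 10.0 * 3 * 1.5  # largest possible raw score, used to normalise to 0-100


def risk_score(d: Detection, criticality: dict) -> float:
    """Combine CVSS with asset context and exploitability into a 0-100 risk score.

    A host missing from the inventory is treated as medium criticality rather
    than ignored, so visibility gaps do not silently lower risk.
    """
    crit = criticality.get(d.host, 2)
    exploit_factor = 1.5 if d.exploit_known else 1.0
    raw = d.cvss * crit * exploit_factor
    return round(min(raw / MAX_RAW * 100, 100), 1)


def route(d: Detection, score: float, patch_capable: set) -> str:
    """Pick the remediation channel for a scored finding."""
    if score >= 60 and d.host in patch_capable:
        return "auto-patch"       # push straight to the deployment integration
    if score >= 60:
        return "ticket:urgent"    # high risk but outside automated reach
    if score >= 25:
        return "ticket:normal"
    return "backlog"              # tracked, remediated in the regular cycle


def triage(detections, criticality=ASSET_CRITICALITY, patch_capable=PATCH_CAPABLE):
    """Score every finding and return them ordered by risk, highest first."""
    rows = []
    for d in detections:
        score = risk_score(d, criticality)
        rows.append({**asdict(d), "risk": score, "action": route(d, score, patch_capable)})
    return sorted(rows, key=lambda r: (-r["risk"], r["cve"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_DETECTIONS):
        print(f'{row["cve"]}  cvss={row["cvss"]:<4} host={row["host"]:<14} '
              f'risk={row["risk"]:<5} -> {row["action"]}')
```

Run as a script, it lists the findings by risk rather than by CVSS: the critical-CVSS finding on a low-value laptop with no known exploit drops below a medium-CVSS finding on the database host that does have a public exploit, which is the ordering a risk-based program wants. The `route` step is where a SOAR-style workflow would call the patch-deployment or ticketing integration instead of returning a label.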

Hyperautomation is still in its early stages, with some SOAR tools marketing themselves as next-generation SOAR platforms as they begin to incorporate hyperautomation elements. The ultimate goal of these technologies is to combine robotic process automation (RPA) with machine learning (ML) and artificial intelligence (AI) to automate not just a few aspects of the business, but the entirety of the business, with one unified strategy.

As these technologies improve, hyperautomation and AIOps (artificial intelligence for IT operations) will become the next generation of security buzzwords. Investing in automation technology will become essential for security teams to keep up with the ever-increasing number of vulnerabilities in the modern threat landscape.

RH-ISAC members have exclusive access to resources to help them in implementing the next iteration of security technology. For example, members can join tool-based working groups, including our SOAR group, which brings together SOAR users to collaborate on automation best practices. Visit the RH-ISAC website to learn more about RH-ISAC membership.
