Vulnerabilities are weaknesses in the security infrastructure that bad actors can exploit to gain unauthorized access to a private network. It is nearly impossible for security analysts to patch 100% of the vulnerabilities identified on any given day, but an application vulnerability management plan can ensure that the highest risk vulnerabilities (those that are most likely to cause a data breach), will be addressed immediately. Any vulnerability alert has the potential to turn into a security incident —which can be extremely detrimental to the organization if it is not identified and patched. Organizations must have a plan in place to proactively identify, evaluate, and patch vulnerabilities to reduce cyber risks.
Five Common Phases of a Vulnerability Management Cycle
Garter recently shared an updated Vulnerability Management Guidance Framework, which sheds light on how most organizations are currently handling vulnerabilities in their IT security systems today.
- Assess: A vulnerability scanner or endpoint agent is used to scan for vulnerabilities in a network.
- Prioritize: An analyst will evaluate each alert to determine the risk level of the alert and how much time is required to patch the existing vulnerability.
- Act: After the analyst determines that the vulnerability needs to be patched based on the analysis of available artifacts, they will notify the responsible team by creating a ticket with all the necessary information. The responsible team will review the details within the ticket and patch the vulnerability.
- Reassess: After the responsible team has validated the fix, the ticket will need to be marked “closed”.
- Improve: The team will evaluate the current process and look for ways to improve any inefficiencies.
Many security analysts currently go through each step within the entire vulnerability management (VM) cycle manually — and the entire lifecycle could take upwards of 38 days or more! You’re probably thinking, “So how can I beat the threat actor in this race and patch the vulnerability before it can be exploited?”
How Splunk Uses Automation to Manage Vulnerabilities
Gartner states that one of the characteristics of a successful VM program is that the program “leverages advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.”
Our internal security team at Splunk did just that. They leveraged Splunk Phantom, a security orchestration, automation, and response (SOAR) tool, to manage the entire vulnerability management lifecycle — from automating vulnerability prioritization to creating vulnerability remediation tickets and tracking the remediation process — without ever leaving the platform. A SOAR tool like Splunk Phantom can help security teams orchestrate actions across disparate tools from a single platform, and automate responses quickly so that your team can focus on mission critical tasks.
Upon implementing Splunk Phantom, the Splunk security team saw a 40% reduction in mean time to detect and mean time to respond. The automated workflows allowed the team to quickly add important enrichment context to the vulnerability data that is pulled from various sources, and then filter and categorize by label, plugin ID, severity, number of hosts affected, SLAs and more. These fields can be customized so that the analyst can easily view all the necessary information at a glance and clearly identify which vulnerabilities to prioritize. In addition, the team also used Phantom automated playbooks to effectively communicate with the remediation team by creating, updating, and closing tickets from a ticket software, such as Jira or ServiceNow, in seconds.
To learn more about how our internal Splunk security team uses Splunk Phantom to manage vulnerabilities, make sure to join us for the webinar, "Streamlining Vulnerability Management with Splunk Phantom" where our senior security engineer, Dominic Salas, walks us through an in-depth demo.