INTERACTIVE TOUR
REQUEST DEMO
Go to my account
Search
Search
Edgescan on AWS Marketplace: Seamless Security Testing, Natively Integrated with AWS
READ THE BLOG

RETURN TO WHITEPAPERS

Does a Hybrid Model for Vulnerability Management make Sense?

Do Automated Scanning Tools Require a Human Touch?

A new model for Vulnerability Management (VM) – the Hybrid Model – layer on top of the emerging scanning tools. And on the surface it appears to be going backwards – why would we retreat from the advances and sheer scale that automated scanning technology can deliver and burden ourselves with the slow pace of a team of humans? Does the hybrid model make sense?

Will Scanning Automation Delivery Vulnerability Management Nirvana?

If there has been ane theme in 2021 to define the last decade of Vulnerability Management (VM) – it is the rise of automated tools to deal with the deluge of the ever-increasing number of attack surfaces and the frequency and ingenuity of the attacks themselves. And so as the tools become more refined and more accurate and expanded in scope to handle all the layers of the attack surface including not only the network but the application layer itself – one might reasonably ask – Are we now in 2021 headed to a utopian state? Are we headed to a point where the technology and its ability to handle the sheer volume of incidents is simply going to outgun the attackers?

Software testing Software, who thought that would ever work?

The View from the Trenches is Not Pretty – It’s Actually Noisy

The answer is a firm “No”. Far from VM nirvana – the front line VM staff leveraging automated scanning tools are now faced with a new herculean task. For all the scaling efficiencies automated tools, they have effectively created a new massive problem – How with the proliferation of automated alerts do the tools actually separate the wheat from the chaff? For a significant amount of the alerts represent false positives (noise) an alert that accurately detects an incident but the incident does not represent an actual issue. So while detection automation looks after the incident scale issue – it passes on a new scaling problem – dealing with the noise.

“More than 60% of security professionals estimate their security function spend over 3 hours per day validating false-positives Nearly 30% are spending over 6 hours on this task. Most agree that it is too much and the time could be better utilized. For most, it is the part of their job they like least.” by Infosecurity Europe 2019

Software testing software – We accept false positives in scanners (Software getting it wrong) but we don’t accept vulnerabilities (Software getting it wrong).

Hybrid to the Rescue – Can I Have Some Human Expertise Please?

Imagine yet another future utopian state. We rank all the types of incidents against technical and business severity and pass them through a skilled, experienced set of cyber security experts that parse out severity-ranked alerts of those that represent a significant problem from those that are false positives. And imagine that communication comes with expert remediation advice to resolve the issue efficiently and how to avoid the issue in the future. Now in this scenario, the front-line VM worker is equipped with scale for both incident detection through automation tools and immediate resolution guidance against only those incidents that matter. Indeed, such a desirable state is in fact available in 2021 – it’s the hybrid approach.

The Future is Now – What are We Waiting For?

So if the enterprise now can embrace a truly hybrid model – a model that both leverages the scale of automated detection tools against the entire stack as well as integrated human security expert guidance to rule out all the false positives and provide timely expert remediation guidance for equally timely resolution – then surely the enterprise is 100% onboard – correct?

The answer is “no” and for the remainder of this paper, we will examine why and submit the approach to a pro and con analysis – weighing the merits and areas of concern for adopting the bybrid approach and hten counter wheter those areas of concern are valid.

The reliance alone on automation to defend against an experienced and determined human adversary will not work.

Pros and Cons for the Hybrid Model

Pros

1. Scale: Hybrid model still offers all the scaling automation benefits of the automated side of hybrid.
“Scale vs Depth – Scanners do scale, Humans “do” depth. Our enemies “do” depth every time and are focused.”

2. Accuracy:  The entire point of the human expertise side of the hybrid model is to verify incidents and remove false positives.
Automation accuracy is not a strong as human accuracy -Our attackers are humans.

3. Expert Support: Again expert is exactly what the human side of the hybrid model delivers needs to cover everything – testing both the technical and logical security posture of every asset – including API’s, cloud-based infrastructure and web and mobile applications.
IT and developers are not cyber security experts Expert guidance is necessary

4. Removing Noise: The human touch will remove 100% of false positives.
Chasing noise is a fool’s errand

5. Timely Remediation: When experts present real incidents they offer expert guidance how to resolve now and for the future. And no time wasted or distraction from chasing false positives.
Far from slowing remediation relevant expertise pins down the source of the problem quicker

6. Severity Ranked Guidance:  The human side gets rid of the false positives and the automated scanning platform can be mapped in the setup phase to automatically rank the severity appropriately for each enterprise.
Effective VM intelligence requires alert significance context

7. Staffing Challenges: Having a team of security experts within a hybrid model offloads the stress of inhouse recruitment.
Extending your security team with world class experts offloads staffing challenges

8. Automate Remediation into Operational Workflow: The alerts can be integrated to the enterprise support and development systems to automate remediation practices into the daily operational workflow.
Change gives rise to Risk. Change occurs when a system does not change & When a system changes (duh!!)

9. Instilling Confidence on Alerts and Remediation: When the noise is removed with expert human review, then the enterprise confidently knows they are acting on things that matter.
Over time critical vulnerabilities are discovered. Patches are released. Yesterday I was secure, today I’ve a Critical Risk. Need to patch/Redeploy. Also… when a system changes: new features deployed, new services exposed, larger attack surface, more exposed, more to attack, more headaches, this also gives risk to risk.

10. Enabling the Enterprise to Act Strategically: Equipped with verified accurate intelligence, the Enterprise Security Team can now plan and strategically align their goals with the overall business goals of the Enterprise.
Business Goal Alignment – How to ensure Cyber Security has a seat at the strategy table.

11. Staff Morale:  Removes the drudgery – the multiple hours per day – of the repetitive work of removing false positives.
Burnout can have an impact on readiness.

12. Executive Management Confidence and Transparency: Acting on false positives or simply inaccurate assessments can be tiresome to the Cyber Security Staff and can be equally tiresome and demoralizing when the executive management team does not think they are being presented with the truth.
Nothing motivates more than accurate and actionable intelligence.

13. Proactively educate IT Staff on what is the issue and what can be done: The expert remediation guidance that comes from the human touch side of the hybrid model can also be proactive and suggest steps to be taken to avoid similar issues in the future.
The DevSecOps elephant in the room is “Validation.”

14. Supplements the Inherent Weakness of Automation: Automation does not provide human context for intelligence. Experts can identify risk. Artificial intelligence is narrow – it cannot determine meaning.
We’re protecting our systems against breach by humans, not scanners right!

15. Determination of Vulnerability: Sign if canceI of order to be seen as significant, certain vulnerabilities require humans to quickly come to terms with its meaning. It is not just all about ruling out false positives it’s also coming to terms at the human interpretation level that a certain issue represents a significant issue.
We can’t improve what we can’t measure; We can’t secure what we can’t see

Cons and Counter Arguments

Time: Having a human interpretation phase will slow down the ETA on resolution.
Counter: This step will ALWAYS have to happen whether one utilizes a hybrid external solution or uses their own staff to rule out false positives. And the hybrid model can make effective use of a correlation engine to effectively minimize the human effort.

Cost: A managed service offering expert (i.e. costly) world-class security engineers within their hybrid model surely would be cost prohibitive.
Counter: The Enterprise HAS to deal with that cost themselves regardless if they staff it or use an external hybrid solution. The external hybrid solution can leverage economies of scale, produce efficiencies with its VM focus and have staff overlap in duties to lower the overall cost.

Resourcing: The enterprise even with their well-heeled brands has recruiting challenges for cyber security expertise, surely smaller suppliers will have the same problem.
Counter: With its global VM focus, the external hybrid solution will have more efficient recruiting and relevant ongoing staffing support while carrying less overheard.

Scaling: And as incidents rise there must be a point where the human side cannot meet the scale need even with an external provider.
Counter: The hybrid model is continually stress-tested to handle the scale of incidents that full automation can capture and still offer the exact same accuracy small volumes. The hybrid model does not create the problem of scale – it just deals with it the most effectively.

External experts do not possess company-specific, nuanced business knowledge:  Surely an external managed service cannot know the nuances like my own staff?
Counter: A hybrid model has the capability to recognize which type of assets and related incidents are most important to an organization and map that priority ranking in the setup phase into the automated alert systems.

Widening the Gap Between Ops and External Recommendations: Does not using an external team of experts within the hybrid model widen the operational gap between VM staff expertise and the operational daily workflow.
Counter: With a hybrid model – all the alerts and expert remediation are integrated very quickly in the setup phase to all the relevant operational support, risk and development systems.

So Does the Hybrid Model Make Sense?

In Conclusion – The Hybrid Model Makes Buckets of Sense

The merits now have been shown to be numerous and significant And the areas of potential concerns have been identified but as each one was countered – none of them have been shown to have merit. It is so compelling for so many reasons that any enterprise considering what model represents the most compelling solution for Vulnerability Management must put the Hybrid Model at the top of their list.

“While automation certainly provides scale, its human expertise that accurately gauges significance and focused remediation where it really matters”