Welcome to the VMblog 2022 Mega Series, where we'll be covering a number of important topics throughout the coming months. In this series, you'll be hearing from industry leaders and experts in order to help you make important decisions within your own organization. Follow along for a chance to better understand a number of topics and find out more about some of the best technologies available in the industry.
In today's Q&A, we're speaking with industry expert Ben Skelly, Solution Evangelist / Head of Growth at Vicarius. And we're diving into the topic of Security.
VMblog: Provide a little background information on the company and your solution. What does your company look like in 2022 and beyond?
Ben Skelly: Like most good business concepts, Vicarius was born from that mindset of "there has to be a better way" - founded by 3 former security practitioners who were bewildered by the inefficient and manual processes that often surround vulnerability management programs. Rather than continue working from spreadsheets and never getting ahead, they began automating as much of the process as possible, and after proving the concept to themselves, launched the company in 2016, where they operated bootstrapped until taking funding last year. The company is now about 50 people strong and very much global.
That focus on automating otherwise manual processes is very much at the core of our solution, called Topia. From one dashboard, you're able to scan for all assets on your network, prioritize what to focus on using context unique to that network, and schedule / deploy patches automatically. I have a pretty deep background in security, including time spent at other vulnerability management solutions, and truly think the way Vicarius tackles this issue is the best I've seen, and easily the most complete. We're also huge proponents of leveraging open-source tools and community, to make security tools like our own available to all organizations, large and small, with the smallest barrier to entry possible.
VMblog: How are you different from your competitors? Why would someone prefer your offerings to those provided by others in the industry?
Skelly: There's a tremendous amount of market confusion around what "vulnerability management" even is, so let's start there. Thanks to first-mover benefits and analyst research that lags behind, many people associate "VM" with the big scanner vendors (Tenable, Qualys, R7). The truth is, scanning is just one (albeit important) step in a broader, mature vulnerability management program. It's not enough to know what's in your environment; you also need to orchestrate the steps to secure and monitor on a continuous basis. There are a lot of disparate tools on the market that can help accomplish that next step in maturity, which has given rise to the "risk-based vulnerability management" (RBVM) market and a handful of popular solutions to enable them. While incredibly useful, these RBVM tools are essentially giant integrators, helping all of the security tools in your ecosystem to work together as one. This means your program is only as useful as the other tools you've bought and deployed - which can quickly get expensive, confusing, and untenable, especially for smaller enterprises.
What makes Vicarius unique is the holistic nature of the platform, having the capabilities to perform every step of a mature VM program, without requiring third-party tools and licenses. We provide the capabilities to scan your network, build an asset inventory, prioritize fixes, and deploy those updates straight out of the box. While not a technical differentiator, we also make it incredibly easy to try the platform for free without ever engaging with sales or another person... which I see the entire SaaS industry moving closer and closer to, although security has been slow to fall in line. We're trying to change that.
VMblog: What are the elements of a mature vulnerability management program?
Skelly: Maturity models for vulnerability management are largely dependent on the vendor that's trying to sell you a solution - but in general, there are four critical steps that most agree on. The first is discovery: scanning for and aggregating the assets in your environment. Having an accurate and continuously updated inventory of all assets and devices in your environment is obviously critical, as you can't fix what you don't know is broken. Next is knowing how to prioritize the vulnerabilities you discovered, which is a common place where enterprises fall short and the volume begins to become unmanageable and just "noise." What's important to account for, and where this step (and many vendors) often collapse, is a failure to take business context into account. It's important to focus on the potential threats that will have the largest impact on your unique digital environment, not necessarily what a third-party rating assigned without context. Once you have a clear asset picture and know which ones are business-critical, it's time to remediate - typically through patch management and deploying updates. The most mature organizations will automate this process based on said context above, updating the most critical systems while minimizing downtime and impact through strategic scheduling of deployment. Lastly is continuous monitoring and reporting, essentially starting the process all over again from discovery. This is where you measure your progress, report on risk to management, track known vulnerabilities, and make decisions for budget and program priority. There are other sub-steps along the way, but those four buckets are critical to running a meaningful VM program.
VMblog: How do you respond to an organization's question of "Do I really need to invest in security?"
Skelly: With the average security breach costing upwards of seven figures, I would say "can you afford not to?" Despite the advancements in vendor security technology, the morally-challenged hackers / opportunists of the world typically remain a step ahead, and they love to collaborate with each other. Network and application vulnerabilities remain one of the most significant, prevalent, yet (largely) fixable security problems across the board - and for a multitude of reasons. A recent study from the Ponemon Institute cited 60% of breach victims admitting the initial attack could've been prevented by patching known vulnerabilities. This issue transcends industry and company size, although large enterprises are typically more susceptible due to the sheer volume of systems and users in place.
There's also a hidden benefit to tools like our own, which actually save money and give back to your budget through improvements in efficiency. In mid-to-large enterprises, security teams spend roughly 15-20 hours each week reviewing scan results, searching in forums/blogs, and prioritizing fixes manually. By eliminating this manual work, organizations can reallocate budget and time to other more pressing business needs while remaining secure.
VMblog: Are there any tools or tips for the smaller enterprises or those teams operating on a shoestring budget to stay secure?
Skelly: Absolutely. The first thing I'd encourage, without even spending a dime, is to get involved with and leverage the broader security community. As mentioned earlier, the "enemy" has long collaborated with one another, sharing tactics, techniques, and procedures to circumvent security solutions - and it's long past time that we do the same on the defensive side. We recently launched a community of our own - called vsociety - free from vendor influence (including our own), as a place for security pros to collaborate on vulnerability solutions, share remediation insights, and network with their peers. The insights shared from across industries help to level the playing field and give key insights to practitioners who otherwise wouldn't have access to them.
Likewise, there are a plethora of free and open-source tools on the market to help better secure an organization. We're constantly trying to do our part and contribute to these projects, most recently releasing a free integration for Nmap, one of the most popular open-source / free scanning tools on the market. While powerful, one of the knocks on Nmap has been a difficulty in interpreting and making sense of the findings - which we've solved by allowing users to ingest their scans and receive a visualized and user-friendly output inside the Topia dashboard. Lastly, if you lack the budget and manpower but need the help, there's no shortage of awesome managed security service providers who can function as an extension of your own team for a fraction of the cost and no need to buy licenses of your own.