Challenge & Implementation
The Financial Institution had a vulnerability management process built on the Company’s scanners, which transferred vulnerabilities to the Defensys SOAR. When the Institution decided to replace its existing scanners, the running process stopped. Moreover, the process was inconvenient for users, and there was strong demand for improvements. Defensys’s engineers, together with the Institution’s representatives, formulated the main goals for modernizing the process:
1. Hosts have to be grouped in one incident
Previously, 1 vulnerability was connected to only 1 host, which consequently led to the creation of 1 incident in the SOAR and 1 remediation request in the Company’s ITSM system. As a result, the process covered only the most critical vulnerabilities: if the SOAR received more than three hundred thousand vulnerabilities, the IT department would receive the same number of requests, and with limited human resources not all vulnerabilities could be remediated on time.
To improve the situation, Defensys’s team redeveloped the existing logic and designed a service that transfers vulnerability information from the scanner’s database. An important parameter for each vulnerability is now the network segment in which the vulnerability was detected. The Defensys SOAR displays all hosts affected by the vulnerability within that network segment. As a result, numerous incidents were merged into one, and the IT department receives only one remediation request in the form of a ticket.
Another problem appeared during the implementation: old hosts no longer used by employees were still present in the SOAR and caused errors. Defensys’s engineers set up checks through attribute assignment policies to identify the host status and exclude stale entities.
In addition, at the Institution’s request, Defensys’s team extended the SOAR’s functionality and added state requirements for audits that take into account the asset’s location, exploit checks, and CVSS analysis.
2. Status synchronization
The ITSM system and the Defensys SOAR exchanged data, but users of one system did not know the task statuses in the other and did not have up-to-date information, because the systems did not interact at the status level.
Now, if a field is updated in one system, the information changes automatically in the other. Therefore, users are always aware of the current situation and keep the Institution’s infrastructure secured.
3. SLA compliance
Synchronized statuses underlie an approach that prevents incidents or remediation requests from going unprocessed and helps not to lose them in a massive incident flow.
In addition, so that users do not overlook an incident, Defensys’s engineers created notifications for responsible employees that are sent if an incident’s status remains unchanged for a long period of time.
Each incident card has a time indicator that helps to track SLA deadlines. If a deadline is missed, the department head is informed about the case and the incident is prioritized. Additionally, remediation deadlines depend on the host’s severity level and adapt automatically.
The planned remediation date, set according to the vulnerability’s rating, serves as the last check. If an incident is not closed after the planned deadline, responsible employees also receive a notification about it.
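As an added illustration (not Defensys’s code and not taken from the Institution’s deployment), the following Python sketch shows the grouping and deadline logic described in sections 1 and 3: scanner rows are merged into one incident per vulnerability and network segment, inactive hosts are excluded, a planned remediation date is derived from the vulnerability’s CVSS rating, and open incidents past that date are flagged for notification. The finding schema, the SLA day counts and the sample data are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample scanner output (hypothetical schema): one row per vulnerability/host pair.
FINDINGS = [
    {"vuln": "VULN-A", "host": "srv-01", "segment": "DMZ", "host_active": True, "cvss": 9.8},
    {"vuln": "VULN-A", "host": "srv-02", "segment": "DMZ", "host_active": True, "cvss": 9.8},
    {"vuln": "VULN-A", "host": "srv-03", "segment": "DMZ", "host_active": False, "cvss": 9.8},
    {"vuln": "VULN-A", "host": "ws-10", "segment": "OFFICE", "host_active": True, "cvss": 9.8},
    {"vuln": "VULN-B", "host": "ws-10", "segment": "OFFICE", "host_active": True, "cvss": 4.3},
]

# Assumed SLA table (illustrative day counts, not the Institution's policy): remediation days per severity.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def severity(cvss):
    """Map a CVSS v3 base score to its standard qualitative rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def group_incidents(findings, today):
    """Build one incident per (vulnerability, network segment), skipping inactive hosts.
    `today` is an ISO date string; the planned deadline comes from the worst CVSS in the group."""
    today = date.fromisoformat(today)
    groups = defaultdict(list)
    for f in findings:
        if not f["host_active"]:
            continue  # attribute check: decommissioned hosts are excluded from incidents
        groups[(f["vuln"], f["segment"])].append(f)
    incidents = []
    for (vuln, segment), rows in groups.items():
        sev = severity(max(r["cvss"] for r in rows))
        incidents.append({"vuln": vuln, "segment": segment,
                          "hosts": sorted(r["host"] for r in rows),
                          "severity": sev,
                          "deadline": (today + timedelta(days=SLA_DAYS[sev])).isoformat()})
    return incidents


def overdue_incidents(incidents, statuses, today):
    """Final check: incidents past their planned deadline whose synchronized status is not 'closed'."""
    return [i for i in incidents
            if statuses.get((i["vuln"], i["segment"]), "new") != "closed" and today > i["deadline"]]
```

With the sample data, the four VULN-A rows collapse into two incidents (DMZ and OFFICE) and the decommissioned host srv-03 never appears, so the IT department gets one ticket per segment instead of one per host.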
Results
After the process update, Defensys’s team reduced the information load on the IT department during vulnerability handling, helping employees save valuable time and raise their efficiency. The new approach gives the Institution’s employees more precise information about all hosts in the infrastructure, their vulnerabilities, and the statuses of those vulnerabilities. Correspondingly, responsible departments have a better understanding of the situation and can react more quickly.