Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Work Smarter with Retina Insight Threat Analyzers

Posted May 17, 2012    Morey Haber

It keeps happening over and over again. I speak to a prospect, and they do not want yet another vulnerability report with pages and pages of assets and vulnerabilities. Every tool vulnerability assessment scanner can produce this with various degrees of customization and consolidation but a 1,000 page report for a few dozen assets doesn’t scale for the organization or the administrator trying to interpret the results. Even sorting the results based on risk, or filtering on critical assets, can produce a report that is completely unusable based on the shear volume of pages contained within. The same problem is happening in almost every enterprise client I speak to. So what is the solution? Rethinking how a solution displays, reports, and analyzes vulnerabilities and present them in a way that is meaningful and actionable.

We took that first step about 6 months ago when we first introduced HeatMaps to Retina Insight. This concept takes the most critical vulnerabilities (72 seen as CVSS High Impact below) and reorganizes them by risk. 59 of them are Remote Unprivileged and only 37 have proven exploits in common penetration testing tools. For my clients, I would recommend starting remediation on the 37 remote unprivileged, CVSS high impact, and available in an exploit framework first, and then continue working on efforts to mitigate the rest of risks from right to left.  This review has essentially trimmed nearly 50% of the vulnerabilities off the vulnerability report based on real-word priorities and the complete details for remediation are a simple drill down into the Heatmap. This then follows the traditional vulnerability report we all are familiar with.

Risk Matrix by Vulnerability

While this exercise of reclassification is rather basic, it is incredibly important. It visualizes what vulnerabilities are the most critical (despite a critical score) and where the weaknesses are to the business. It does however lack one component that is now available in the new Threat Analyzers. Which vulnerabilities out of the “59” would improve my vulnerability count, vulnerability score, and asset risk score the most if I could only apply a subset of them in a normal remediation cycle. Below is a screen shot from the Threat Analyzers available in Retina Insight.

Risk Reduction Metrics

Essentially, if I was a security engineer and recommended “n” vulnerabilities to be remediated by my team members, what improvement would I see to my overall vulnerability count and asset risk score?  This value can be changed to meet a user’s needs, capacity planning requirements, and filtered on mitigation type: Configuration, Patch, or Zero-Day. The Analyzers will automatically calculate the best recommendations and calculate the effectiveness of the remediation plan. In this example, Retina Insight is recommending 20 vulnerabilities that are a combination of Patches and Configuration changes that would improve the vulnerability count by over 18.5% and lower the average asset risk score by 9%. The Threat Analyzers allow changing criteria within the solution and even filter on: Recommendations, Vulnerability, Mitigation, Software, Score, and Asset Count to optimize the remediation plan to be the most effective use of resources and to maximize security posture.

These tools are no longer just about finding a vulnerability and running a report; they are about working smarter and ultimately making us more effective at our jobs. Prioritizing our efforts, understanding which vulnerability needs attention first, and creating a plan to create a secure computing environment is how we solve these problems. The days of sole vulnerability reports are a legacy technology and we would like to introduce you to Retina. A better way to manage threats and vulnerabilities. For more information, click here.

, , , , , ,

Additional articles


Best Practices for Managing Domain Admin Accounts

Posted August 3, 2015    Russell Smith

The risks of using privileged domain accounts on devices that are not secured to the same level as DCs increases the chances that domain administrator credentials could be exposed. Windows caches credentials by default to authenticate users when a domain controller can’t be reached, including those of domain administrator accounts that have previously logged in to a device. As such, a compromised workstation or member server can also lead to stolen domain administrator credentials.

, ,

PowerBroker for Mac: A Least-Privileged Apple a Day…

Posted July 27, 2015    Jason Silva

BeyondTrust PowerBroker for Mac reduces the risk of privilege misuse by enabling standard users on Mac OS X to perform administrative tasks successfully without entering elevated credentials.

, ,

On Demand Webinar – Now is the time for Privileged Account Management

Posted July 24, 2015    BeyondTrust Software

In this webinar, SANS Instructor and Founder of Voodoo Security, Dave Shackleford, will revisit several hacking and breach scenarios that involved privileged accounts, and use these as examples while discussing tools and tactics to get this problem under control once and for all.

, ,