With the summer holiday period approaching, taking time off from work to relax and recuperate is in the mind of many. Whether it's the book you've been wanting to read, the latest Netflix must-watch box set to catch up or just the idea of doing nothing soaking up sun on a beach, likely you'll be thinking of ways to spend your time that absolutely do not relate to work. But an unexpected benefit is that this detachment from work can help bring clarity to a work problem you were not even intending to think about...
This happened to me earlier this year. Relaxing in a hammock, on a homestay amid coffee plantations in the south of India, I finally understood something that had been troubling me in my almost three years at Solvinity - "Why are we bad at vulnerability management?"
Listening to an episode of the podcast You Are Not So Smart entitled “Why solving problems can make those problems seem impossible to solve” (1), I was introduced to the concept of prevalence induced concept change. Solvinity’s problems with vulnerability management then became clear.
The podcast explains that there are three concepts involved in prevalence induced concept change:
- Concept creep (2)- whether this is a project, scope, or feature creep; creep is a term all of us in the technology field are familiar with. But ideas, abstractions and definitions can also suffer creep over time as we begin to understand them.
- Evaluation by comparison – our judgement being influenced by previous experiences.
- Change in prevalence over time - Our judgement changes when we notice that something becomes rare over time.
In the research study by David Levari and others (3), a series of dots coloured from very purple to very blue were shown to respondents. They then were asked to decide whether the dot was "blue" or "not blue". On the second part of the experiment, for half of the participants the number of blue dots were gradually reduced in prevalence down to 5%. For this group blue dots became rare. The research clearly showed that as the numbers of blue dots started decreasing, people started rating a wider range of colours blue. This second group of people changed their definition of blue.
My lightbulb moment
Listening in that hammock on holiday, it suddenly clicked when I heard the research suggest that “if you are doing a good job, in a way that is not conscious or intentional, you respond by perceiving a wider range of problems than you used to."
Relating to Vulnerability Management
At times vulnerability management seems like an ongoing battle you will never win. First you focus on the systems with exploitable internet facing vulnerabilities. Any other Critical severity vulnerabilities? Obviously, these are a priority too. When you’ve reduced this list, you focus on systems with High severity vulnerabilities. Whilst juggling both active vulnerabilities and security baseline issues, ensuring the costly time of the engineer is focussed on the area with the most risk.
All of this in environments with strict patching cycles following the Development, Test, Acceptance and Production paths. Or on environments running custom middleware with dependencies that cannot easily be updated. Then the clock resets every month when a new batch of vulnerabilities are announced...
But over time the total count of vulnerabilities reduces. You start testing the robustness of your vulnerability management solution. Is our scanning configuration optimised? Are we sure we identify all systems on our target networks? Are we using all the functionality the current version of our security assessment tool offers?
Actually, we do this well!
So over time my concept of what is a vulnerability management problem has expanded to include additional areas, such as:
- system and functional monitoring of the vulnerability management solution
- interaction with the patch management cycles
- efficiency of logging service requests when vulnerabilities need remediating
While the prevalence of Critical and High vulnerabilities reduced, I was too busy identifying issues that I wasn't aware of before, based on my growing experience of the security scanning tool and the part it plays in the overall goal of providing a secure managed hosting solution to our customers.
In fact, there have been huge advances in the security scanning maturity since I started with Solvinity. In the last year we have added several thousand vulnerability scanning agents. This allows us to provide a number of customers with weekly or monthly reporting on their vulnerability exposure through our Vulnerability Management service. If a zero-day vulnerability is announced, we have up to date data for a significant proportion of our infrastructure to quickly assess the potential risk.
Elements of our CMDB are synched into our security scanning solution in a structure that provides an engineer with full visibility of vulnerabilities in customer systems under his responsibility. We are also implementing the ServiceNow Security Operations application to streamline the logging of vulnerabilities, removing a reliance on manual analysis and automatically generating service requests based on business rules.
So, while on holiday listening to a podcast explaining an experiment on blue and purple dots I was subconsciously thinking about my work at Solvinity. I was provided with a fresh insight and a new way of appreciating successes and the increased maturity of the vulnerability management process at Solvinity!
Enjoy your time relaxing on holiday and be warned that that book, podcast or even boxset may unintentionally set you thinking about your work and appreciate your successes.