Why was the Vulnerability Management Extra created?

One important distinction between vulnerabilities and risks is that when standalone vulnerabilities are discovered, context is not taken into account. While the existence of a known vulnerability tells you where and how an exploitation could occur, what it doesn’t tell you is the likelihood of compromise or the potential organizational impact if a given vulnerability is exploited. These are two vital data points that provide a clear guide to help prioritize your risk mitigation efforts.

Early on, we had a handful of customers who used the SimpleRisk Import-Export Extra to pull vulnerabilities into SimpleRisk from vulnerability management tools resulting in a subpar user experience due to countless duplicates, false positives and an excessive number of unwanted vulnerabilities. This vulnerability data intermingled with actual risks, with no easy way to collapse them down, organize, and manage them. SimpleRisk introduced the Vulnerability Management Extra as a way to:

• De-duplicate redundant vulnerabilities by turning them into a single risk across multiple assets to make the import process “clean”; 
• Remove false positives eliminating wasted time and resources on vulnerabilities that don’t exist;
• Provide context by linking vulnerabilities to assets so that a “likelihood x impact” risk formula, widely adopted by security practitioners as a best practice, could also be applied to vulnerabilities.

How is the Vulnerability Management Extra used?

Currently the Vulnerability Management Extra can be configured for use with Rapid7 Nexpose, Insight/VM, Tenable.io, and Qualys. Once configured with a Vulnerability Management tool, you can:

• Select specific sites from a list of currently scanned sites to pull in your vulnerability data;
• Set up a cron job to run automatically on a (e.g.) daily schedule to update vulnerability data;
• Limit the severity level of vulnerabilities that you want to manage as risks to a level such as “vulnerabilities with a score of 7 or greater”;
• Triage vulnerabilities from a “Triage Panel” where you can choose to add risks or not;
• Create risks automatically from a “Risk Panel” in SimpleRisk that continually captures and displays a list of all vulnerabilities that you have turned into risks.

What users would benefit from the Vulnerability Management Extra?

Risk Managers and Management are the primary beneficiaries of the Vulnerability Management Extra. Using this Extra enables Risk Managers to effectively track vulnerabilities as risks in a way that is simple and straightforward by linking this integration process to the “Likelihood x Impact” scoring methodology. It also fuels a more robust enterprise risk management program by providing an effective way to track and prioritize vulnerabilities as risks through their mitigation life cycle, which in turn, benefits the entire organization.

Which plans include the Vulnerability Management Extra?

The Vulnerability Management Extra is included with all Hosted plans and is only included with the On-Premise Premium package. It can also be purchased as an A La Carte option for customers who have deployed SimpleRisk On-Premise and are interested in customizing which Extras they would like to purchase.

How can I learn more about the Vulnerability Management Extra or try it out for myself?

To learn more about the Vulnerability Management Extra or discuss specific use cases for how your organization could use it, feel free to schedule a demo online. If you would like to try out the Vulnerability Management Extra functionality for yourself, we offer a free (no credit card required!) 30 day trial. Please reach out to SimpleRisk Support if you have any additional questions about the Vulnerability Management Extra or any of the additional functionality that we offer.