2023-05-16

Working through these four steps to remediate a CVE inevitably requires juggling multiple security tools. But are there synergies between the available tools that could give you a bigger picture and more control, without becoming too cumbersome to manage? Let’s look at what’s available to facilitate each of the framework’s steps.

Configuration management database (CMDB)

A fundamental component of every organization's IT stack is the CMDB, which is the central repository of information about your organization’s assets — software, hardware, systems, products, and even people — and the relationships among all of those assets.

CMDBs are, by nature, excellent at asset management and configuration tracking, but they don’t provide much visibility into the network, or into connections being made with other assets that may appear unaffected on the surface. Many security solutions integrate with CMDBs to use that data for network and asset visibility and for security decisions.
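As an added illustration (not code from the original article), the snippet below queries a toy CMDB to map a vulnerability record onto the assets that run the affected software, and then follows the recorded relationships to find the assets that talk to them, the ones that "appear unaffected on the surface". Every asset name, version, relationship and the CVE identifier is constructed for the example; the version parser is a simple assumption that handles dotted numbers with an optional letter suffix.

```python
"""Added example: mapping a CVE to affected assets, and to their neighbours,
using relationship data of the kind a CMDB holds. All data below is constructed."""
from collections import deque

# Constructed CMDB: each asset lists installed software and the assets it connects to.
CMDB = {
    "web-01":  {"software": {"nginx": "1.18.0", "openssl": "1.1.1k"}, "connects_to": ["app-01"]},
    "web-02":  {"software": {"nginx": "1.24.0", "openssl": "3.0.9"},  "connects_to": ["app-01"]},
    "app-01":  {"software": {"openjdk": "11.0.2"},                    "connects_to": ["db-01"]},
    "db-01":   {"software": {"postgresql": "14.2"},                    "connects_to": []},
    "jump-01": {"software": {"openssh": "9.3"},                        "connects_to": ["web-01", "db-01"]},
}

# Constructed vulnerability record with a placeholder identifier: affects the
# product from the "introduced" version up to (but not including) the "fixed" one.
CVE = {"id": "CVE-XXXX-NNNNN (placeholder)", "product": "openssl",
       "introduced": "1.1.1", "fixed": "1.1.1l"}


def parse_version(v):
    """Turn '1.1.1k' into a comparable tuple: each dotted piece becomes
    (numeric part, letter suffix) so that 1.1.1 < 1.1.1k < 1.1.1l."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
        parts.append(piece[len(digits):])
    return tuple(parts)


def directly_affected(cmdb, cve):
    """Assets whose installed version of the product falls inside the vulnerable range."""
    lo, hi = parse_version(cve["introduced"]), parse_version(cve["fixed"])
    hits = []
    for asset, record in cmdb.items():
        installed = record["software"].get(cve["product"])
        if installed and lo <= parse_version(installed) < hi:
            hits.append(asset)
    return sorted(hits)


def reachable(cmdb, start):
    """Assets reachable downstream of `start` by following connects_to edges (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        current = queue.popleft()
        for nxt in cmdb[current]["connects_to"]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(cmdb, cve):
    """Directly affected assets plus the assets they reach and the assets that reach them."""
    direct = directly_affected(cmdb, cve)
    downstream = set()
    for asset in direct:
        downstream |= reachable(cmdb, asset)
    # Upstream assets connect *to* a vulnerable asset; nothing on them is vulnerable,
    # yet they are the ones exposed to it, which is exactly what the CMDB graph reveals.
    upstream = {a for a, r in cmdb.items() if any(v in direct for v in r["connects_to"])}
    return {
        "direct": direct,
        "downstream": sorted(downstream - set(direct)),
        "upstream": sorted(upstream - set(direct)),
    }


if __name__ == "__main__":
    for scope, assets in blast_radius(CMDB, CVE).items():
        print(f"{scope:>10}: {', '.join(assets) or '-'}")
```

With the constructed data only web-01 runs a vulnerable OpenSSL, but the relationship edges add app-01 and db-01 downstream and jump-01 upstream, which is the list a remediation ticket should actually carry.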

Cloud security tools

The most common cloud security tools we’re seeing today include:

Cloud access security broker (CASB). This cloud security tool has become well-established in recent years and enforces security policy between the user and the data in the cloud. Its functions range from authenticating user sessions and single sign-on to device profiling, malware detection and prevention, and blocking unauthorized data transfers and anomalous communications. It may be a good option for cloud environments, but like all cloud-native tools, it won’t do much to protect your on-premises systems or any underlying infrastructure.

Cloud security posture management (CSPM). Although this is a strong tool for general cloud asset discovery and normal-activity baselining, as well as for CVE ingestion and remediation via integration with tools like Tenable, it does not monitor cloud network traffic directly, so you’ll likely only be alerted after the vulnerability has already been abused. And since CSPM depends on the cloud providers for the network logs it needs, analysis is rarely performed in near-real time.

Cloud workload protection platform (CWPP). These cloud security tools can cover the parts of a workload that run on-premises as well as in the cloud, but they have their limits. They don’t cover security issues at the Layer 7 application level, nor do they do much to protect the underlying cloud infrastructure. So, if exploiting the vulnerability depends on individual processes, or if it affects the underlying cloud infrastructure (which is managed by the cloud providers, not you), your CWPP will not be able to prevent the vulnerability from being exploited and affecting your systems.

Cloud-native application protection platform (CNAPP). CNAPPs are a relatively new tool, combining the capabilities of CSPMs and CWPPs. They can also help identify misconfigurations and vulnerabilities in your public cloud deployments, but (again) find themselves limited to just those instances.

Identity and access management (IAM)

IAM is a strong choice for assessing, and potentially blocking, user access in real time based on risk scores, and it can apply real-time fixes for CVEs on assets or users attempting a connection. But asset discovery is not a focus of IAM solutions, nor is prioritizing high volumes of alerts or CVE tags, which makes management more time-consuming and limits how quickly you can remediate overall.

Internet of Things (IoT) security solutions

IoT security is becoming increasingly relevant, and we’re seeing solutions emerge that cater to the unique security challenges posed by these “smart” devices. But these solutions tend to be focused on device discovery, and their remediation capabilities are relatively limited.

Security information and event management (SIEM)

Pronounced “sim,” this tool combines security information management (SIM) and security event management (SEM) into one system. A SIEM collects event log data from a range of sources, identifies activity that deviates from the norm through real-time analysis, and takes appropriate action such as limiting access attempts and generating relevant reports. It won’t do much to remediate the actual vulnerability, however, so you’ll need another solution alongside your SIEM.
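The following is an added example, not code from the original article or from any SIEM product, of the three SIEM steps just described at their smallest scale: parse events from more than one source, compare the current window against a per-user baseline, and emit an alert with a suggested access-limiting action. The log lines, hosts, users, IP addresses, baseline counts and thresholds are all constructed; the two log formats are assumed shapes for an sshd and a web-application event, not any vendor's exact format.

```python
"""Added example: minimal SIEM-style correlation over constructed log lines from
two sources, flagging users whose failed logins deviate from their baseline."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed event formats for two sources (constructed, not a vendor's exact format).
PATTERNS = {
    "sshd": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
                       r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"),
    "webapp": re.compile(r'^(?P<ts>\S+) (?P<host>\S+) webapp: login_failed '
                         r'user="(?P<user>[^"]+)" src=(?P<src>\S+)'),
}

# Constructed events for the current one-hour window, plus one unrelated line.
LOG_LINES = [
    "2023-05-16T10:00:01Z vpn-gw sshd[2201]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "2023-05-16T10:00:04Z vpn-gw sshd[2201]: Failed password for alice from 10.0.0.5 port 51023 ssh2",
    "2023-05-16T10:00:09Z vpn-gw sshd[2204]: Failed password for bob from 198.51.100.10 port 40001 ssh2",
    "2023-05-16T10:00:10Z vpn-gw sshd[2204]: Failed password for bob from 198.51.100.10 port 40002 ssh2",
    "2023-05-16T10:00:12Z vpn-gw sshd[2205]: Failed password for bob from 198.51.100.11 port 40003 ssh2",
    "2023-05-16T10:00:13Z vpn-gw sshd[2205]: Failed password for bob from 198.51.100.11 port 40004 ssh2",
    '2023-05-16T10:00:20Z app-01 webapp: login_failed user="bob" src=203.0.113.7',
    '2023-05-16T10:00:21Z app-01 webapp: login_failed user="bob" src=203.0.113.7',
    '2023-05-16T10:00:22Z app-01 webapp: login_failed user="bob" src=203.0.113.7',
    '2023-05-16T10:00:30Z app-01 webapp: login_failed user="svc-backup" src=10.0.0.20',
    '2023-05-16T10:00:31Z app-01 webapp: login_failed user="svc-backup" src=10.0.0.20',
    '2023-05-16T10:00:32Z app-01 webapp: login_failed user="svc-backup" src=10.0.0.20',
    '2023-05-16T10:00:33Z app-01 webapp: login_failed user="svc-backup" src=10.0.0.20',
    '2023-05-16T10:00:34Z app-01 webapp: login_failed user="svc-backup" src=10.0.0.20',
    '2023-05-16T10:00:35Z app-01 webapp: login_failed user="svc-backup" src=10.0.0.20',
    "2023-05-16T10:01:00Z vpn-gw CRON[310]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Constructed baseline: failed logins per user in each of the previous 7 one-hour windows.
BASELINE = {
    "alice": [1, 0, 2, 1, 0, 1, 1],
    "bob": [0, 0, 1, 0, 0, 0, 1],
    "svc-backup": [0, 0, 0, 0, 0, 0, 0],
}
MIN_FAILURES = 5   # absolute floor so one stray failure on a quiet account does not alert
SIGMAS = 3.0       # how far above the baseline mean counts as "deviating from the norm"


def parse_line(line):
    """Normalize a line from any known source into one event dict, or None if unrecognized."""
    for source, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            return {"source": source, **m.groupdict()}
    return None


def threshold_for(user):
    """Per-user threshold: baseline mean plus SIGMAS standard deviations (unknown users get 0)."""
    history = BASELINE.get(user, [0])
    return mean(history) + SIGMAS * pstdev(history)


def analyze(lines):
    """Correlate failures per user across all sources; return (alerts, unparsed_count)."""
    counts, sources, src_ips, unparsed = Counter(), defaultdict(set), defaultdict(set), 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1          # a real SIEM would keep and count these as well
            continue
        counts[event["user"]] += 1
        sources[event["user"]].add(event["source"])
        src_ips[event["user"]].add(event["src"])
    alerts = []
    for user, n in sorted(counts.items()):
        threshold = threshold_for(user)
        if n >= MIN_FAILURES and n > threshold:
            alerts.append({
                "user": user, "failures": n, "threshold": round(threshold, 2),
                "sources": sorted(sources[user]), "distinct_src_ips": len(src_ips[user]),
                # The "limiting access attempts" step: a suggested action handed to IAM or NAC.
                "action": "rate-limit logins and require step-up authentication",
            })
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = analyze(LOG_LINES)
    for alert in found:
        print(alert)
    print(f"{skipped} unparsed line(s)")
```

Alice's two failures stay under her baseline threshold, while bob (seven failures across two sources and three source addresses) and the service account (six failures against a baseline of zero) are flagged. Note that the code still only reports and recommends: the vulnerability behind the failed logins, if there is one, is untouched, which is the gap the paragraph above points out.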

Network access control (NAC)

This tool is great at identifying new assets connecting to your network and assessing their security posture, but it’s not much help for identifying and mapping existing connections, and it doesn’t provide much in the way of remediation.