Solutions II: The missing sauce in vulnerability management.

Full Review.

Solutions II is an infrastructure and cybersecurity solutions and services provider. We’re headquartered in Denver, Colorado. We have a couple of verticals that we focus on: casino gaming, where we support around 25% of the casinos in the United States, as well as public safety, where we support around 1000 plus agencies and 911 centers, as well as clients in other industries and verticals like healthcare and financial services. As the CSO, I’m responsible for, of course, our corporate security program as well as the security practice, where we’re developing and driving and building security solutions and offerings for our clients. Asset intelligence has been foundational for many years. I just think the industry had not caught up yet. Asset hardware and software inventories have been a part of the Critical Security Controls one and two going back as far as I can remember, and we just haven’t really given it the focus and attention that we’ve needed to.

Today it’s finally getting the visibility it needs because clients are realizing that without that visibility, they can’t answer baseline questions like: how many assets do you have? Do those assets comply with your baseline security posture? Have those assets been comprehensively scanned for vulnerabilities? Now that we’re elevating and illuminating that information for our clients, it’s really having an impact on their overall dollars. Asset intelligence is helping my team perform better and drive value to our clients because we can now answer definitively those key questions that our clients are asking: how many assets do they have? Do those assets comply with their security posture? Have those assets been assessed for vulnerabilities? And we’re doing all that today through our product offering, ASM Illuminate, that’s using and powered by Sevco and Tenable together.

We chose Sevco for a few different reasons. One, they have a great service provider program, which worked out great for us. Natively born in the cloud, multi-tenant from the get-go, which was perfect from a live licensing and operational value. And then third and most important is it wasn’t relying on what we would consider legacy tech like doing agents or doing network discovery scans. It’s all based on integrating via API into our clients’ existing investments and pulling data and metadata about assets, and then correlating all of that such that we can then feed that into our ASM Illuminate offering. We’re always finding hidden and unknown assets in our clients’ environments. And from our perspective, hidden and unknown assets create hidden but accepted risk in your environment. The other thing that we find consistently is either under-licensed software tools and technologies that our clients have already invested in, think endpoint security software, patching software, etcetera, or oversubscribed where they’ve over-licensed software. And either one of those things impacts their dollars in a way that can either improve their security program and/or give them money back. Our favorite Sevco feature is easily the API integration with our clients’ existing security tools. The fact that we can go in and use their existing tools and make those existing investments stronger and better and drive more value. In fact, all the other security vendors should love us right now because we’re driving more value out of the tools and investments they’ve already made.

Yeah, I think all the traditional sources, like you mentioned, are still great sources. There’s still a lot of great data, so pulling that CVE data from your vulnerability management platform is great. But that information is also being populated by other security tools. So today, both in my environment and clients that we’re helping manage this problem, we’re seeing this EDR now and other security tools are populating that CVE data, if they have knowledge of it, but there’s also a lot of open-source intelligence sources where this data is coming from as well, so like ISACs and CISA and the KEV. Those are all sources of vulnerability data as well. That in and of itself is a challenge, because now there’s not a single source to go and validate this data. It’s coming from a lot of different sources.

Yeah, for sure. And I’ve also seen where a lot of vulnerability assessment… And I feel like that’s an area still that gets overlooked today is when people start talking about vulnerability management technologies, they’re typically talking about the scanner or the assessment. And nothing against those technologies and those tools, but in many cases, they’re doing unauthenticated assessments of devices, and they’re reporting on CVE data that may or may not be factual and correct, based on the information that they’re trying to ascertain from the asset. This is where the vulnerability correlation… So if you have a platform that can now take that data and correlate it with other vulnerability sources that may have more detailed information, like your EDR or another source, and correlate and validate that data, it becomes pretty powerful.

I think it started in the same way that everyone else was doing it, and it’s a little bit of a data and a process problem. So you have a significant amount of data that is typically point-in-time, so by the time you even look at the data, it’s typically somewhat stale. And then you’re typically manually correlating that data and trying to gain some insights and intelligence out of that data. So typically we see many organizations… And the way we were doing it when we first got into this side of the business was massive data analysis with, fundamentally, spreadsheets and pivot tables. And you’re doing a bunch of data analysis and manual data science on data that’s already stale.

I think you brought up a great point with your… You were able to immediately see when was the last time this data was collected. And I think in the example you just used, it was fairly recent, but being able to differentiate that from the various different sources and see how old the data is, to make sure that you’re working with current data. But anyway, that’s how we’d been doing it in the past, was basically manually correlating that data. And at the end of the day, there’s only so much value you can get out of that.

I think the business context is arguably the most important component of this whole problem that we’re all trying to solve on the cybersecurity side, having that context and being able to… In our case, we’re using Sevco now and its dynamic tagging capabilities to create tags to associate business context with assets, and to be able to correlate that with vulnerability exposure, it’s pretty significant. So now being able to tag things to specific geographies or departments or assets, and there’s also the notion of what assets are most critical, crown jewels, et cetera, what things are in certain networks, if they’re in a DMZ or externally facing, versus they’re very deep and layered and there’s all kinds of compensating controls in place and defense in depth. That’s context that’s missing in general if you’re just looking at CVE data.

Yeah, that’s for sure extremely critical. It’s not just a matter of knowing about the dangers and the risk and the threats, it’s really being able to measure that whole piece that you were just showing where you can see the response time actions on how long it’s taking to remediate things.

Another one, another item that you pointed out that’s super critical is when you were showing the exposure with a certain number of assets missing. I think in your example it was EDR. And there’s a static number, and if you’re just looking at that on maybe a rolling 30-day window, that number… It’s potentially possible that that number is getting larger on a case-by-case basis. And that leads a lot of executives or other people that may be viewing that information to really ask and say, “Well, wait a minute, how is this getting better?” That key piece was that second data element which you showed, how it’s changed since the last time it was reported on. So how much of that exposure has been remediated? So you may have net new exposures, but if you’re not also correlating that with exposures that have been remediated, you’re really missing a critical part of your scoring, or you’re not demonstrating the action that was taken, and that speaks directly to risk reduction for an organization.

Yeah, so of course all those KPIs and metrics, to me, are some of the most meaningful metrics from when you’re speaking to things like risk reduction and how you’re handling your vulnerability exposure. And so from a cybersecurity risk and dashboards and things like that, those are all meaningful KPIs that CISOs and other security leaders care about.

But you bring up a great point: there’s the flip side of that coin, which is all those KPIs and metrics can be used to also drive improvements in your own operational processes, so looking at remediation and how things are being actioned on by, depending on… In my case, on a tenant-by-tenant basis, or a client-by-client basis, or specific engineers. So it allows for very targeted training to do improvements and to refocus and maybe reprioritize resources on the actions and items that need to be focused on.

So in general, it’s providing overall risk reduction for us and for our clients, but it’s also providing those super specific KPIs that help ascertain and determine next steps and actions to improve and help individual SOC analysts and security engineers to get better and help us to scale. So at the end of the day, none of us have a money tree in our backyard that we can go shake, so if we can basically do more with less, that’s a net win for all of us.

Yeah. Just overall, I could not be more excited to see what you guys are doing today from Sevco to help drive this. At the end of the day, I think this is the wrapper that’s helped make not only all the technologies that we’ve all invested in in the past better, but it’s helping make our teams better. It’s helping make us more efficient. I think this is arguably the missing sauce that we’ve all been missing for years to help drive significant efficiencies and improvement in the way that we’re doing overall vulnerability life cycle management. And we’re able to apply our finite amount of security resources to the problems that matter most and impact the business the most. And I’m super excited to see what you guys are doing today and what I… You guys keep surprising me with new improvements with what you’re doing, and I’m excited to see how it plays out over the next few years.

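The interview above describes four things that an asset-intelligence layer does for vulnerability management: correlating the same finding across a scanner, an EDR and a known-exploited list, flagging how old each source's observation is, attaching business context such as DMZ placement or crown-jewel status, and reporting net new versus remediated exposures rather than a single rolling total. The following is an added example that shows those steps in code; it is not Sevco's or Solutions II's code and does not reflect how ASM Illuminate works internally. All feeds, host names, tags and CVE ids are constructed placeholders, and the scoring weights are an illustrative assumption.

```python
"""Added example: correlate vulnerability findings across sources, flag stale
observations, apply business-context tags, and compute an exposure delta."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed report time
MAX_AGE = timedelta(days=7)                       # observations older than this are "stale"


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed sample feeds. CVE ids are placeholders, not real advisories.
SCANNER = [  # unauthenticated network scanner: banner/version-guess findings
    {"asset": "host-a", "cve": "CVE-0000-0001", "seen": "2024-05-31T08:00:00Z"},
    {"asset": "host-b", "cve": "CVE-0000-0002", "seen": "2024-04-01T08:00:00Z"},  # two months old
    {"asset": "host-c", "cve": "CVE-0000-0003", "seen": "2024-05-31T09:00:00Z"},
]
EDR = [  # agent-based inventory: package-level, used to corroborate the scanner
    {"asset": "host-a", "cve": "CVE-0000-0001", "seen": "2024-05-31T20:00:00Z"},
    {"asset": "host-a", "cve": "CVE-0000-0004", "seen": "2024-05-31T20:00:00Z"},
]
KEV = {"CVE-0000-0001"}  # constructed stand-in for a known-exploited list such as CISA KEV
TAGS = {  # constructed business-context tags, as a dynamic tagging layer would supply
    "host-a": {"zone": "dmz", "crown_jewel": True},
    "host-b": {"zone": "internal", "crown_jewel": False},
    "host-c": {"zone": "internal", "crown_jewel": True},
}


def correlate(feeds: dict, max_age: timedelta) -> dict:
    """Merge (asset, cve) findings across feeds. Each entry records which
    sources reported it, the freshest observation, and whether that is stale."""
    merged = {}
    for name, findings in feeds.items():
        for f in findings:
            key = (f["asset"], f["cve"])
            entry = merged.setdefault(key, {"sources": set(), "freshest": None})
            entry["sources"].add(name)
            ts = parse_ts(f["seen"])
            if entry["freshest"] is None or ts > entry["freshest"]:
                entry["freshest"] = ts
    for entry in merged.values():
        entry["stale"] = NOW - entry["freshest"] > max_age
    return merged


def prioritize(merged: dict, kev: set, tags: dict) -> list:
    """Rank exposures with assumed weights: corroboration by more than one
    source, known exploitation, an exposed zone and a crown-jewel asset each
    add weight; a stale observation subtracts. Returns (score, asset, cve)."""
    ranked = []
    for (asset, cve), entry in merged.items():
        ctx = tags.get(asset, {})
        score = 1
        score += 2 if len(entry["sources"]) > 1 else 0   # validated by a second source
        score += 3 if cve in kev else 0                   # known exploited
        score += 2 if ctx.get("zone") == "dmz" else 0     # externally facing
        score += 2 if ctx.get("crown_jewel") else 0       # business-critical asset
        score -= 1 if entry["stale"] else 0               # distrust point-in-time data
        ranked.append((score, asset, cve))
    return sorted(ranked, reverse=True)


def exposure_delta(previous: set, current: set) -> dict:
    """Net new versus remediated exposures between two reporting windows, so a
    flat or growing total is not read as 'nothing was fixed'."""
    return {
        "net_new": len(current - previous),
        "remediated": len(previous - current),
        "persisting": len(previous & current),
        "total": len(current),
    }


if __name__ == "__main__":
    merged = correlate({"scanner": SCANNER, "edr": EDR}, MAX_AGE)
    for item in prioritize(merged, KEV, TAGS):
        print(item)
    last_week = {("host-a", "CVE-0000-0001"), ("host-b", "CVE-0000-0002"),
                 ("host-d", "CVE-0000-0009")}  # constructed prior-window snapshot
    print(exposure_delta(last_week, set(merged)))
```

In this constructed data the scanner-only finding on host-b is two months old, so it is marked stale and sinks to the bottom of the ranking, while the host-a finding that both the scanner and the EDR agree on, and that is on the known-exploited list, ranks first. The delta shows two net new exposures alongside one remediated one, which is the second data element the interview says executives need in order to see that the program is improving.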
