Automated Vulnerability Remediation

Episode 3 | Published April 2, 2024 | 13 minute watch

Episode Summary

In this episode of Product Talk, Peter Pflaster and Steph Rizzuto discuss automated vulnerability remediation (AVR) within Automox. Our hosts explain how AVR was created to help users connect the dots between CVE data and patch deployment, as well as how it can remediate vulnerabilities that can't be patched. They also discuss the current state of AVR and the improvements being made to enhance its functionality. Additionally, Peter and Steph highlight the availability of AVR-style remediation for non-Rapid7 users and the excitement it has generated among customers. The episode concludes with a discussion of the importance of addressing unknown devices and the future plans for AVR.

Reading the Product Talk Transcript

Peter Pflaster: Hello and welcome to the third episode of Product Talk on the Automox Podcast Network. I am Peter Pflaster on the Product Team and your host, and with me today is Steph Rizzuto, the co-host of the Product Talk Podcast.

Steph Rizzuto: Hi guys, Steph Rizzuto, Product Manager here at Automox.

Peter Pflaster: Awesome, thanks, Steph. And for those of you who are listening for the first time, or maybe Product Talk's the only podcast that you've seen from Automox, we have a few others in the network, so I definitely recommend checking those out. This month, our theme is end user happiness. And today we're gonna be talking about automated vulnerability remediation within the Automox products. So automated vulnerability remediation, or AVR; we'll be calling it AVR for the rest of the podcast because automated vulnerability remediation is a bit of a mouthful.

AVR is a capability that we created back in 2022. We created this because we were finding a lot of our end users were working off of spreadsheets, or Google Sheets if you're one of those people.

Getting spreadsheets and spreadsheets of CVE data and scan results from their security teams and having to try and connect the dots to deploy patches or update configurations to remediate the vulnerabilities on those spreadsheets. So we built AVR to connect with best-in-class scanners. We're integrated with Rapid7 today and ingest their scan data, then correlate to patches and help deploy those patches out to endpoints. And for the stuff that you can't patch, we can push the Rapid7 fix details and connect it with a Worklet, which is essentially just an automated script in PowerShell or Bash, depending on whether it's Windows, Mac, or Linux, to help actually remediate the vulnerabilities that can't be patched.

So when we released this back in 2022, if you were at RSA that year, I think that was the first year they had RSA again since COVID had started. So we released it back then and it was kind of our big splashy release at RSA. It went really well, except for, I would say, about 75% of our staff there, along with probably most of the show for RSA, including myself, got COVID. So it was great while it lasted, but we definitely regretted it for a couple of weeks after we got back from RSA.

Peter Pflaster: So I'm going to toss it over to Steph now. That's kind of the history of AVR at a really high level, but let's talk a little bit about where we are today.

Steph Rizzuto: Sure, and thankfully I missed RSA, so I escaped the COVID bug, unlike everyone else. So where we are with AVR today is kind of in a V1 format, and where we're going in the immediate future is making a lot of improvements to the underlying data structure so that everything that's being pulled in, when you see it in Rapid7, correlates to what you're seeing in Automox and it's really easy to identify, "hey, these are the vulnerabilities that I'm seeing in this tool and here's how we can patch it, here's how we can action upon it." The biggest thing that we're trying to tackle is: now that I know about the vulnerabilities, how do I take action on those, and how do I communicate effectively with my security counterparts, kind of bridging that gap between the system admins and security.

So, we're really excited for April. We're gonna release a few improvements to really home in on Windows OS-specific vulnerabilities. We've added in some supersedence data, which is really cool. So what does the supersedence get you?

It gets you really accurate patching and categorization from Rapid7 to Automox. You know, when we initially released it, we started getting a lot of customer data, and that's where we were seeing we don't need the supersedence data to patch within the Automox tool. We do need it in order to map within AVR and give that really long view of, here's the patch that you're deploying and here's everything that it's going to fix, not just what's fixed in the most recent release.

Steph Rizzuto: So we have improvements like that coming. Something that we really found interesting is, when we envisioned what this would be and created it, we thought, okay, we want to only pull in a really targeted list of vulnerabilities from Rapid7. People are only gonna wanna look at super critical fixes. It's gonna be: something came out, we wanna go patch it immediately. We don't wanna wait for our policy to take care of it.

And what we're finding now that we're in the market is that's not necessarily how everyone is trying to use it. I've had a lot of customer calls recently where they want to pull in more, they want to see more, they want to take everything that's in Rapid7 and look at it through the lens of Automox and work with their patch policies to do so. So we're looking into how do we open up the scope? What's the right amount of detail to let in, and kind of go from there. So those are some of the things that, when we talk about where we are today and what we're releasing now, that's kind of where we are.

Where we want to take this long term is, how do we allow the business to say, this is the risk profile that I'm comfortable with? Now, anything that you pull in through AVR that matches that, automatically go patch it, tie it to the policies, let some of those bells and whistles that we have in the policies (end user notifications, reboot notifications, scheduling) flow through. It's something that we've kind of called AVR as a policy. And how do we get that true automation between this is what you have in Rapid7 and it's patched in Automox without any intervention from you. So we're talking to a lot of customers, looking at how do we get more targeted within Rapid7, how they identify what's critical and not.

How do we tie that back to Automox to say, you can set these configurations. When do you want these policies to run automatically? When do you want to go into the AVR tool and do that automatically? So we're really excited about it. And it's really interesting, Peter, to just see how different people, or how different customers, are trying to use it.

Steph Rizzuto: So we did a lot of customer interviews, made some assumptions, and released that. Now we're finding some held true, some did not. And so we're going back and adjusting based on our customers' needs and what they want.

Peter Pflaster: I think the interesting thing to me about AVR is how excited our customers and prospects were about it. In my mind, I would have thought an aggressive patch policy would fix most of the problems up front. But the reality is most orgs seem to have a little bit more of a conservative patch policy to avoid disruption. And they're still getting these, you know, spreadsheets; if they're not using Automox, they're still getting spreadsheets of scan data from their security team that they have to go and try to fix manually.

Steph Rizzuto: Yeah, it is interesting. If you had a really aggressive patch policy, very few things should flow through AVR. But again, what we're seeing in our customer base is that is not the case. And even if you did have a pretty aggressive patch policy, there are still those instances where a vulnerability comes out and you want to act quickly; you don't want to wait for your policies to take care of it. You want to go in and remediate. It's exploitable.

You know, people are actively trying to attack, and you want to go in and resolve that. AVR gives you that ability to act quickly. I even talked to someone today who said, well, what about alerting me when that happens? Like, I don't want to have to log in to the tool every day. I want you to send me an email if it hits a threshold and that happens. So those are all the different places we could take it. And how does this turn into more than just automating tasks for you: controlling your risk based on your risk profile and what you're comfortable with and how aggressive you want to be with what you patch.

Peter Pflaster: And I know there's probably a good amount of people listening that may not have Rapid7, and they might be feeling a little bit sad and left out, but we have something for you all as well if you're a Tenable customer or you're using something like CrowdStrike Spotlight or Qualys Scanner, which is vulnerability sync, or vuln sync, how we shorten it, which is essentially, data-wise, AVR, just without the API plugin, right?

So you can take an actual CSV file of scan data from Tenable.io, for example, and actually upload that to Automox. And we'll do the same thing that we're doing on the back end with AVR, correlating all of those vulnerabilities to patches and Worklet-based remediation for unpatchable vulnerabilities, to help kind of bridge that gap again between security and IT. And if you're really tech savvy, we've got APIs exposed for Vuln Sync as well. So you could actually try to automate that with, like, picking up a flat file of that scan, for example. So that's another note for those of you that don't have Rapid7 today. But yeah, so I'm curious, Steph... Oh, go ahead.

Steph Rizzuto: Well, one more thing I kind of forgot to mention earlier that I wanted to highlight. We talk a lot about the patching aspect of it, but something that is a real value add is when something is a vulnerability, but it's not patchable. We have that Rapid7 solution, and there we're giving you really specific fix details directly from Rapid7, step-by-step instructions, here's how you go fix it. Today, how you action upon that is you can create a Worklet.

You can use an existing one if an existing one will fix it. But long term and down the road, we're looking at how do we make that even more robust? Like, are there Worklets that we can suggest when, you know, we're looking and analyzing to say, okay, this is what Rapid7 says, here are some Worklets you can try? Or how do we integrate with AI and feed it the fix details and let that spit out the Worklet for you?

So there are all kinds of places we can take it, and we're excited about where that can go next, that next level of remediation and automation. I didn't want the Rapid7 solution section to get lost, 'cause it really is a valuable tool on top of the patching.

Peter Pflaster: Something we've seen a surprising amount of excitement about from customers and prospects that I've talked to is actually the extra devices section, or the unknown devices section. So for anything that we get a scan for from Rapid7, or with Vuln Sync from Tenable.io or Qualys or any of those vendors, we're actually looking to see if we can find the device in Automox. And if it doesn't exist, we actually throw it in the unknown devices section. So it also gives you kind of a gut check on how well your environment is covered from an Automox perspective as well. You definitely want to make sure that you have the agent deployed to all the devices in your environment, so you're able to keep them configured and controlled automatically, and with AVR as well.

Steph Rizzuto: Yeah, definitely. Devices we don't know about are also risks. So it kind of touches upon everything. Vulnerabilities you can patch, config changes that you need to make, and then devices that don't have the agent and are therefore unprotected.

Peter Pflaster: Well, I think that's a great place to stop at, Steph, unless you have anything else you'd like to add.

Steph Rizzuto: No, I think that's good.

Peter Pflaster: Awesome, well, thank you for tuning in to another episode of Product Talk. We'll keep you posted as AVR and the rest of the product continue to evolve; we're really excited about the future there. And we should have more news to share in the coming quarters on the AVR front and the whole product. So really looking forward to that. Thanks for joining us today, and we will talk to you all next month.

Steph Rizzuto: Bye guys.