The idea of infusing simplicity into a design is not new. We see this trend in products everywhere, from user interfaces and physical products to mobile devices and user journeys. At the same time, there is always a desire for more, fueling feature or tool creep and information overload. This theme certainly rings true in cybersecurity.
There are hundreds, if not thousands, of tools for identifying vulnerabilities and reporting on them. Each has its own interface and its own interpretation of risk, and each is likely looking at a different slice of the technology stack or environment. Managing even one of those layers within a single tool is complex; layering the output of many tools across different solutions makes that complexity needlessly untenable.
Within the domains of user experience (UX) and human-centered design (HCD) there is a concept of managing cognitive load for users. Two key forms of cognitive load matter here [1]:
- Intrinsic cognitive load is the effort required to absorb new information and keep track of goals.
- Extraneous cognitive load is processing that consumes mental resources but does not aid understanding of the content.
A simple example of extraneous cognitive load is a tool's use of different colors that do not actually convey meaning. This circles back to a recent article on tool-driven risk confusion: a user attempting to derive prioritization from conflicting colors and scores is carrying unnecessary cognitive load. The unified vulnerability management (UVM) tools segment has the potential to improve this situation. Solutions such as Kenna Security and Nucleus Security provide commercial offerings to aggregate and streamline vulnerability management programs.
Broadly speaking, UVM tools have focused on a couple of core problems.
- Aggregate vulnerability data using connectors to different security tools
- Instrument security tools directly to generate and then collect data
- Display vulnerability data from different tool sources in one view to the user
For the purposes of this discussion, instrumentation is out of scope. We will focus on minimizing cognitive load by aggregating data, normalizing it, and displaying it in a single view. For a hypothetical organization with a portfolio of security tools, a deployment could look like this.
In this scenario, 8 reports, 8 risk assessments, and 8 different user experiences are consolidated into 1. That is a lot of cognitive load removed for the teams working on vulnerability remediation. While focused on the same core problem set, commercial and open source solutions naturally vary in their approaches to key features. If you are evaluating this approach to vulnerability management in your environment, here are some key areas to focus on:
- De-duplication of vulnerabilities: Different tools or security processes (e.g., penetration testing) often identify the same issue. A solution should be able to recognize these overlapping findings and consolidate them into unique vulnerabilities, so that a developer is not doing extra work to prioritize, fix, and report on duplicates.
- Threat intelligence enrichment: Mapping vulnerabilities to threat intelligence feeds, commercial or custom, lets teams prioritize beyond the assigned risk rating by understanding where exploit code exists and what is being actively exploited in the wild.
- Asset management correlation: To ensure a team understands what a reported vulnerability actually affects, a solution needs a robust asset model. How does it handle ephemeral resources? How does it handle the same private IP address reused in different data centers or cloud environments?
- Integration support: This one seems obvious, but ensuring that the technology stack you use is supported out of the box or with relative ease (e.g., a well documented, open API) is essential. If a security team cannot integrate its entire stack, the extraneous cognitive load has only been moved, not removed.
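To make the first three criteria concrete, here is an added example that is not code from this article, Kenna Security, or Nucleus Security: a small Python consolidation pass of the kind a UVM layer performs. It normalizes constructed output from two hypothetical tools (a network scanner that reports by site and IP with a severity label, and a host agent that reports by hostname with a CVSS score) onto the CVSS v3.x qualitative bands, resolves each finding to an asset in a constructed inventory in which the same private IP is reused in two sites, de-duplicates on (asset, vulnerability), and enriches from a constructed stand-in for a known-exploited-vulnerabilities feed. The tool formats, inventory, feed membership, and the `resolve_asset`/`consolidate` helpers are all assumptions made for this example.

```python
"""Added example: normalize, de-duplicate and enrich scanner findings (UVM-style)."""
import json
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def cvss_to_label(score: float) -> str:
    """Map a CVSS v3.x base score to the FIRST qualitative severity bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


# Constructed inventory: the same private IP exists in two sites, so an IP alone
# is ambiguous and (site, ip) is required to resolve an asset.
ASSETS = [
    {"asset_id": "dc1-web-01", "site": "dc1", "ip": "10.0.0.5", "hostname": "web-01.dc1.internal"},
    {"asset_id": "dc2-web-01", "site": "dc2", "ip": "10.0.0.5", "hostname": "web-01.dc2.internal"},
]

# Constructed output of a hypothetical network scanner (site + IP, label severity,
# one plugin-only finding with no CVE).
SCANNER_A = json.dumps([
    {"site": "dc1", "ip": "10.0.0.5", "cve": "CVE-2021-44228", "plugin": "log4j-jndi", "severity": "Critical"},
    {"site": "dc2", "ip": "10.0.0.5", "cve": "CVE-2014-0160", "plugin": "openssl-heartbeat", "severity": "High"},
    {"site": "dc2", "ip": "10.0.0.5", "cve": None, "plugin": "tls-weak-cipher", "severity": "Medium"},
    {"site": "dc1", "ip": "10.0.0.9", "cve": "CVE-2014-0160", "plugin": "openssl-heartbeat", "severity": "High"},
])

# Constructed output of a hypothetical host agent (hostname, numeric CVSS).
AGENT_B = json.dumps([
    {"hostname": "web-01.dc1.internal", "vuln_id": "CVE-2021-44228", "cvss": 10.0},
    {"hostname": "web-01.dc1.internal", "vuln_id": "CVE-2014-0160", "cvss": 7.5},
])

# Constructed stand-in for a known-exploited-vulnerabilities feed.
EXPLOITED_FEED = {"CVE-2021-44228", "CVE-2014-0160"}


@dataclass
class Finding:
    asset_id: str
    vuln_id: str
    severity: str
    score: Optional[float] = None
    sources: List[str] = field(default_factory=list)
    exploited: bool = False


def resolve_asset(site: str = None, ip: str = None, hostname: str = None) -> str:
    """Resolve a tool's asset identifier to an inventory asset_id."""
    for a in ASSETS:
        if hostname and a["hostname"] == hostname:
            return a["asset_id"]
        if site and ip and a["site"] == site and a["ip"] == ip:
            return a["asset_id"]
    # Edge case: keep findings for unknown assets visible instead of dropping them.
    return "unresolved:" + (hostname or f"{site}/{ip}")


def normalize_scanner_a(raw: str) -> List[Finding]:
    out = []
    for r in json.loads(raw):
        vuln = r["cve"] or "plugin:" + r["plugin"]  # no CVE: key on the plugin fingerprint
        out.append(Finding(resolve_asset(site=r["site"], ip=r["ip"]), vuln, r["severity"], None, ["scanner_a"]))
    return out


def normalize_agent_b(raw: str) -> List[Finding]:
    return [Finding(resolve_asset(hostname=r["hostname"]), r["vuln_id"], cvss_to_label(r["cvss"]),
                    r["cvss"], ["agent_b"]) for r in json.loads(raw)]


def consolidate(findings: List[Finding], exploited_feed: set) -> List[Finding]:
    """De-duplicate on (asset, vulnerability), keep the worst rating, enrich and rank."""
    merged = {}
    for f in findings:
        m = merged.setdefault((f.asset_id, f.vuln_id), f)
        if m is not f:
            if SEVERITY_RANK[f.severity] > SEVERITY_RANK[m.severity]:
                m.severity = f.severity
            if f.score is not None and (m.score is None or f.score > m.score):
                m.score = f.score
            m.sources.extend(s for s in f.sources if s not in m.sources)
    for f in merged.values():
        f.exploited = f.vuln_id in exploited_feed
    # Actively exploited first, then by severity, then a stable asset/vuln order.
    return sorted(merged.values(),
                  key=lambda f: (not f.exploited, -SEVERITY_RANK[f.severity], f.asset_id, f.vuln_id))


def run() -> List[Finding]:
    return consolidate(normalize_scanner_a(SCANNER_A) + normalize_agent_b(AGENT_B), EXPLOITED_FEED)


if __name__ == "__main__":
    for f in run():  # six raw findings become five unique, ranked items
        print(f"{f.asset_id:24} {f.vuln_id:24} {f.severity:8} exploited={f.exploited} via={','.join(f.sources)}")
```

Two design choices carry the cognitive-load argument: a finding with no CVE is still de-duplicated on a tool fingerprint rather than discarded, and a finding on an asset the inventory cannot resolve is surfaced under an `unresolved:` identifier so the gap in asset correlation is visible to the team rather than silently hidden.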
As technologies continue to evolve, vulnerability management will adapt and follow. It is essential that security teams not let this constant change turn into constantly growing complexity for the development teams they engage with. The approach outlined in this article is one way to attack the problem; it is certainly not the only viable one. The important takeaway is that teams consider the user journey developers go through to receive, understand, prioritize, and address vulnerabilities.