vulnerability management

Proactive versus reactive vulnerability management

rich gardner / 01.11.18

A career in information security is a trial by fire, one I dove into headfirst when I began my career 18 years ago. Challenging problems reared their ugly heads through attacks like Nimda, CodeRed, SQL Slammer and others. These worms took advantage of unpatched and/or misconfigured systems. Those experiences pushed me to continually reassess how I approach patch and configuration management within data centers.

How to change the way you manage this problem:

So here we are 18 years later, and every sector of the industry is still dealing with the same issue and faced with the same daunting task. Except now patch and configuration management has expanded to include private clouds, public clouds, PaaS environments, IaaS environments, and containerization.

As a security practitioner, I see that we need to address the issue at its core and challenge the status quo. Scanning systems and/or networks for a known exploit is only a reactive response; organizations need to take a proactive approach to this issue. I don’t think anyone wants to see their company making headline news for a disastrous breach or get that dreaded call from Capitol Hill.

That being said, here is one approach that can be taken to push your organization beyond looking for a single exploit or vulnerability and into a green status on patching and secure configuration: build a harmonious environment where people integrate with process and are fueled by strong and nimble technology.

To demonstrate this, I’ll use our product, CloudPassage Halo, as an example.


Come to terms with the fact that there will never be enough people to do the work needed in today’s constantly evolving security environments. You must find a way to automate! For example, the CloudPassage Halo platform lets you deploy a lightweight agent that does the work for you. Our GitHub contains all of the major orchestration scripts and recommendations for deploying Halo, along with scripts that help you integrate and automate other facets of your organization, like ticketing and SIEM tools.


If you use an agile methodology, or if you employ CI/CD, you can empower your DevOps team or application developers to correctly patch and securely configure their systems quickly. CloudPassage Halo integrates directly with Slack so you and other developers can get real-time notifications of this process. The Halo API also easily configures with Chef, Puppet, and Jenkins, so it bakes right into the DevOps process.


You need technology that:

  • Scales to your environment, whether it’s 100 or 100,000 systems
  • Finds OS and software CVE data quicker and with less performance impact than traditional scanning or other agent technologies
  • Performs a CIS or DISA STIG configuration check faster and with less impact than a person operating manually
  • Integrates with Slack or other notification services
  • Integrates with a true CI/CD process
  • Continually scans a system for new CVEs and configuration drift, with the ability to report on them to the appropriate team(s)
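To make the last three requirements concrete, here is an added example (not CloudPassage or Halo code, and not tied to any real vulnerability feed) of the check a continuous, agent-style assessment performs: it matches an installed-package inventory against a vulnerability feed using a version comparison that understands suffixes like OpenSSL’s `1.1.1k`, compares a host’s configuration against a CIS-style baseline to find drift, routes each finding to the owning team, and exposes a simple pass/fail gate that a CI/CD pipeline can call. The inventory, feed, baseline, CVE identifiers (`CVE-EXAMPLE-…`) and team names are all constructed placeholders.

```python
"""Continuous CVE and configuration-drift check (constructed example)."""
import re
from dataclasses import dataclass

# Constructed inventory of installed packages on one host (name -> version).
INVENTORY = {"openssl": "1.1.1k", "nginx": "1.18.0", "sudo": "1.9.5p1"}

# Constructed vulnerability feed. The CVE ids are placeholders, not real advisories.
VULN_FEED = [
    {"package": "openssl", "fixed_in": "1.1.1l", "id": "CVE-EXAMPLE-0001", "team": "platform"},
    {"package": "nginx",   "fixed_in": "1.18.0", "id": "CVE-EXAMPLE-0002", "team": "web"},
    {"package": "sudo",    "fixed_in": "1.9.5p2", "id": "CVE-EXAMPLE-0003", "team": "platform"},
    {"package": "postfix", "fixed_in": "3.5.9",  "id": "CVE-EXAMPLE-0004", "team": "mail"},
]

# Constructed CIS-style baseline and the host's current settings.
BASELINE = {"sshd:PermitRootLogin": "no", "sshd:PasswordAuthentication": "no", "sshd:MaxAuthTries": "4"}
CURRENT_CONFIG = {"sshd:PermitRootLogin": "yes", "sshd:PasswordAuthentication": "no"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "cve" or "drift"
    subject: str   # package name or configuration setting
    detail: str
    team: str      # who gets notified


def version_key(version: str) -> tuple:
    """Split a version into comparable chunks: digit runs compare numerically,
    letter runs lexically, so '1.1.1k' < '1.1.1l' and '1.9.5p2' < '1.9.5p10'."""
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A package is vulnerable when the installed version predates the fix."""
    return version_key(installed) < version_key(fixed_in)


def cve_findings(inventory: dict, feed: list) -> list:
    out = []
    for adv in feed:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # package not installed: advisory does not apply to this host
        if is_vulnerable(installed, adv["fixed_in"]):
            out.append(Finding("cve", adv["package"],
                               f'{adv["id"]}: installed {installed}, fixed in {adv["fixed_in"]}',
                               adv["team"]))
    return out


def drift_findings(baseline: dict, current: dict, team: str = "ops") -> list:
    """Report every baseline setting that is missing or differs on the host."""
    out = []
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual is None:
            out.append(Finding("drift", setting, f"missing, expected {expected!r}", team))
        elif actual != expected:
            out.append(Finding("drift", setting, f"got {actual!r}, expected {expected!r}", team))
    return out


def route_by_team(findings: list) -> dict:
    """Group findings by owning team, ready to hand to a notifier or ticketing hook."""
    routed = {}
    for f in findings:
        routed.setdefault(f.team, []).append(f)
    return routed


def ci_gate(findings: list) -> bool:
    """True when the pipeline may proceed: no open CVE or drift findings."""
    return len(findings) == 0


def run_check(inventory: dict, feed: list, baseline: dict, current: dict):
    findings = cve_findings(inventory, feed) + drift_findings(baseline, current)
    return findings, route_by_team(findings), ci_gate(findings)


if __name__ == "__main__":
    findings, routed, ok = run_check(INVENTORY, VULN_FEED, BASELINE, CURRENT_CONFIG)
    for team, items in routed.items():
        print(f"[{team}]")
        for f in items:
            print(f"  {f.kind:5} {f.subject}: {f.detail}")
    print("gate:", "PASS" if ok else "FAIL")
```

Run against the constructed data, the check flags openssl and sudo as vulnerable (nginx is already at the fixed version, and the postfix advisory is skipped because the package is absent), reports two drifted sshd settings, and the gate fails; in a real pipeline `run_check` would be fed the agent’s inventory and a live feed, and `route_by_team` would hand each group to the notification or ticketing integration.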

In today’s world, when you think of patch and configuration management, I hope your mind is drawn to a security tool that can be baked into the DevOps workflow, continually scans and makes automated assessments, and integrates with other tools. If your current vulnerability assessment practice doesn’t involve this kind of proactive approach, then I encourage you to look for one that does.