So when you get your first cup of coffee in the morning, you can actually start fixing the top issues right away. You don't need to first sift through hundreds of new alerts and navigate different security dashboards before you can even figure out what needs remediating and in what order.
That’s why we're excited to announce that our Microsoft Defender for Cloud integration is now available in Mondoo Platform! In this blog, read more about how the integration improves your security posture and helps relieve your daily workload.
The need for vulnerability management
In an era when 100+ new vulnerabilities are found every day, staying ahead of potential security risks is imperative. Effective vulnerability management is about more than just keeping hackers at bay to prevent ransomware and data breaches; it’s about ensuring business continuity, protecting sensitive data, and maintaining your organization’s reputation.
Why is vulnerability management hard?
Managing the overwhelming volume of vulnerabilities in a complex, corporate IT infrastructure can feel like an impossible task. Fortunately, you don’t have to address every single one. Many newly identified CVEs can be safely ignored because they are low-risk, non-exploitable, or associated with obscure software.
But even for severe and exploitable CVEs, the actual risk to your environment depends heavily on context. For example, is the vulnerable asset exposed to the internet? Could it grant an attacker access to critical resources? Are there any compensating controls in place that would block a possible attack?
Unfortunately, determining these factors requires extensive investigation—something that many understaffed security teams simply don’t have the capacity to undertake.
In addition, security teams often use many different security tools, meaning they have to switch between different dashboards, correlate findings, disregard false positives, and determine which risks need to be remediated and in which order.
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud (MDC)—formerly known as Azure Security Center—provides threat protection and security management for cloud workloads and services in Azure, as well as on-premises environments and other cloud platforms like AWS and GCP. MDC helps organizations protect their cloud workloads and services from a wide range of security threats and provides the necessary visibility and control to manage security posture effectively.
The Mondoo value add
Even though MDC offers valuable threat intelligence, it’s only a small part of the puzzle. As an exposure management platform, Mondoo helps security teams quickly make sense of MDC and other findings, prioritize the most critical risks, and easily assign them to IT and DevOps with detailed remediation steps. This means that Mondoo significantly speeds up time to resolution and bolsters overall security posture.
With so many organizations struggling with understaffed security teams, the capabilities that Mondoo delivers are invaluable:
- Understanding which remediation efforts in your IT infrastructure will result in the biggest bang for your buck
- Guiding these efforts to a fast resolution
Mondoo does this by:
- Covering your entire IT infrastructure: There’s not much point in having a completely secure cloud environment if you have significant gaps in your on-prem environment or endpoints.
- Centralizing findings: Relying on separate tools for security is time consuming, requires data correlation, and prevents automated prioritization across the board.
- Prioritizing the most critical risks: Mondoo goes far beyond simply using CVSS scores and considers many different factors to determine which issues pose the greatest risk to your environment. You can fully customize risk scoring and tag which assets are the most critical to your business.
- Accelerating remediation: Mondoo’s guided remediation and integration with ticketing systems such as Jira and Zendesk greatly accelerate mean time to resolution of the most critical risks in your environment.
- Verifying and reporting on SLAs: Once tickets are created, Mondoo allows security teams to verify resolution and report on SLAs, such as for CVE and misconfiguration remediation.
So how does Mondoo prioritize vulnerabilities?
Instead of just looking at the CVSS score of the vulnerability, Mondoo considers the following factors to determine the actual risk and urgency:
#1. What’s the severity?
How severe is the CVE? Using the CVSS score as a base, Mondoo increases the risk score if the CVE has a high severity, for instance if it allows remote code execution (RCE).
#2. Are there known exploits?
Are there already known exploits for the vulnerability? If there are no known exploits, it's less likely that an attacker will use the vulnerability to infiltrate your systems.
#3. Are the exploits productized?
Has the exploit been productized, i.e., is the exploit readily available for less sophisticated bad actors to carry out attacks? The presence of a productized exploit makes the vulnerability a lot more risky.
#4. What’s the exploit prediction?
How likely is it that an attacker will exploit the vulnerability? Mondoo uses EPSS scoring to determine the likelihood of attack both as a percentage and as a percentile rating of each vulnerability versus all other scored vulnerabilities, calculated nightly.
#5. What’s the exposure of the asset?
Are vulnerable assets exposed to the internet? If they are, the risk of the vulnerability is naturally much higher. Are there any other contextual factors that increase exposure, such as open ports or exposed keys? Is the OS on the asset at end of life (EOL) and therefore more vulnerable?
#6. What’s the business impact?
If exploited, what would this allow an attacker to do? Is the affected asset scoped as a critical resource? Are there any databases running on the asset? Could the attacker move laterally to other critical infrastructure?
#7. What’s the blast radius?
Is the CVE found on many assets in the environment with high risk scores? If so, this means that the blast radius is high, which raises the criticality of the risk.
#8. Are there compensating controls?
Does the asset have defensive countermeasures in place, such as SELinux or AppArmor? In that case, Mondoo reduces the risk score.
Advanced risk-based scoring options
A number of advanced options in Mondoo provide the additional secret sauce for a highly actionable list of the most critical risks in your environment—a list that your team can actually work with:
Dynamic risk scoring
Of course, all the prioritization factors are constantly changing as your environment changes, new exploits are released, and new vulnerabilities and misconfigurations are uncovered. Mondoo continuously assesses these factors and dynamically creates and updates risk scores. For instance, if internet access is disabled for an asset with a critical CVE, Mondoo reduces the risk score. If a new exploit is introduced for an existing CVE, Mondoo increases the risk score.
Vulnerabilities grouped by software or infrastructure
In addition to central prioritization, Mondoo can also show vulnerability findings grouped by risk factor for each environment. For instance, it can be useful to see aggregate risks, such as all internet-facing systems. Mondoo also lets you natively group EOL systems and replace the current EOL policy.
Risk score customization
Since every environment and business structure is different, Mondoo lets you define and evaluate your own risk factors. Far beyond simply tagging an asset as business critical, you can automatically prioritize systems as critical if certain workloads run on them, or if network or credential access is found on them.
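To make the prioritization factors (#1 to #8 above), dynamic re-scoring, grouping by risk factor and custom risk factors concrete, here is an added, self-contained Python illustration. It is not Mondoo's code and the post does not publish Mondoo's actual weights: every weight, the `Finding` fields, the `CustomFactor` shape and the sample findings (with placeholder CVE identifiers) are assumptions chosen only to show how context-aware scoring differs from ranking by CVSS alone.

```python
"""Illustrative risk-based prioritization of vulnerability findings.

Added example: weights, field names and sample data are assumptions chosen
to illustrate the factors described in the post, not Mondoo's algorithm.
"""
from dataclasses import dataclass, replace
from typing import Callable, Iterable


@dataclass(frozen=True)
class Finding:
    """One CVE observed on one asset, plus the context the scorer needs."""
    cve: str
    asset: str
    cvss: float                        # #1 severity: CVSS base score
    rce: bool = False                  # #1 severity: remote code execution
    exploit_known: bool = False        # #2 known exploit exists
    exploit_productized: bool = False  # #3 packaged, easy-to-use exploit
    epss: float = 0.0                  # #4 EPSS probability, 0.0 .. 1.0
    internet_exposed: bool = False     # #5 exposure
    open_ports: tuple = ()             # #5 exposure
    eol_os: bool = False               # #5 exposure: OS at end of life
    business_critical: bool = False    # #6 business impact
    hosts_database: bool = False       # #6 business impact
    workloads: tuple = ()              # consulted by custom factors
    compensating_controls: tuple = ()  # #8, e.g. ("SELinux",)


# A custom risk factor is (name, predicate, score delta); hypothetical shape.
CustomFactor = tuple[str, Callable[[Finding], bool], float]


def base_score(f: Finding, custom_factors: Iterable[CustomFactor] = ()) -> float:
    """Score one finding on its own context (factors #1-#6 and #8).

    All weights are assumed for illustration; CVSS is only the starting point.
    """
    score = f.cvss
    score += 1.0 if f.rce else 0.0
    score += 1.0 if f.exploit_known else 0.0
    score += 1.5 if f.exploit_productized else 0.0
    score += 2.0 * f.epss
    score += 2.0 if f.internet_exposed else 0.0
    score += 0.5 if f.open_ports else 0.0
    score += 0.5 if f.eol_os else 0.0
    score += 1.5 if f.business_critical else 0.0
    score += 1.0 if f.hosts_database else 0.0
    for _name, predicate, delta in custom_factors:
        if predicate(f):
            score += delta
    if f.compensating_controls:        # #8: countermeasures lower the score
        score -= 1.0
    return round(max(score, 0.0), 2)


def blast_radius(findings, custom_factors=(), threshold=7.0):
    """#7: number of assets per CVE whose own score is already high."""
    counts = {}
    for f in findings:
        if base_score(f, custom_factors) >= threshold:
            counts[f.cve] = counts.get(f.cve, 0) + 1
    return counts


def prioritize(findings, custom_factors=(), per_extra_asset=0.5):
    """Return (score, finding) pairs, highest risk first."""
    findings = list(findings)
    radius = blast_radius(findings, custom_factors)
    ranked = []
    for f in findings:
        s = base_score(f, custom_factors)
        s += per_extra_asset * max(radius.get(f.cve, 0) - 1, 0)  # #7 bonus
        ranked.append((round(s, 2), f))
    ranked.sort(key=lambda pair: (-pair[0], pair[1].asset))
    return ranked


def group_by_factor(findings, predicate):
    """Aggregate view (e.g. all internet-facing systems): CVE -> assets."""
    groups = {}
    for f in findings:
        if predicate(f):
            groups.setdefault(f.cve, []).append(f.asset)
    return groups


def rescore_after_change(findings, asset, custom_factors=(), **changes):
    """Dynamic scoring: re-rank after one asset's context changes."""
    updated = [replace(f, **changes) if f.asset == asset else f for f in findings]
    return prioritize(updated, custom_factors)


# Constructed sample findings; the CVE identifiers are placeholders.
SAMPLE = [
    Finding("CVE-YYYY-0001", "web-01", 9.8, rce=True, exploit_known=True,
            exploit_productized=True, epss=0.90, internet_exposed=True,
            open_ports=(443,), business_critical=True),
    Finding("CVE-YYYY-0001", "web-02", 9.8, rce=True, exploit_known=True,
            exploit_productized=True, epss=0.90, internet_exposed=True,
            open_ports=(443,), compensating_controls=("AppArmor",)),
    Finding("CVE-YYYY-0001", "build-01", 9.8, rce=True, exploit_known=True,
            exploit_productized=True, epss=0.90,
            compensating_controls=("SELinux",)),
    Finding("CVE-YYYY-0002", "db-01", 7.5, epss=0.02, hosts_database=True,
            workloads=("payroll",)),
    Finding("CVE-YYYY-0003", "kiosk-07", 5.3, epss=0.01, eol_os=True),
]

# Risk score customization: anything running the payroll workload counts as critical.
PAYROLL_CRITICAL: CustomFactor = ("payroll workload",
                                  lambda f: "payroll" in f.workloads, 1.5)

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE, [PAYROLL_CRITICAL]):
        print(f"{score:5.2f}  {f.cve}  {f.asset}")
    print("--- after taking web-01 off the internet ---")
    for score, f in rescore_after_change(SAMPLE, "web-01", [PAYROLL_CRITICAL],
                                         internet_exposed=False):
        print(f"{score:5.2f}  {f.cve}  {f.asset}")
```

Run as a script, the ranking puts the three hosts sharing the productized, internet-facing RCE at the top, with the SELinux- and AppArmor-protected hosts scored below the unprotected one, the payroll database next (lifted by the custom factor from 8.54 to 10.04 even though its CVSS is lower), and the EOL kiosk last. Flipping `internet_exposed` on web-01 drops its score but leaves it first because the exploit, business impact and blast radius are unchanged, which is the dynamic behaviour the post describes.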
Leverage Microsoft Defender in Mondoo
Vulnerabilities discovered by Microsoft Defender for Cloud appear in the Mondoo console alongside those discovered by Mondoo’s own scans. Mondoo automatically enriches all vulnerabilities found by Microsoft Defender with additional risk data and remediation advice, and prioritizes them based on the actual risk posed in the environment.
From there, it’s easy for security teams to assign these vulnerabilities to platform engineers and developers for remediation via ticketing systems (such as GitHub Issues and Azure DevOps) and track assigned work through completion. Leaders can use Mondoo to report on how their teams are meeting security goals.
About the Mondoo Platform
For already overloaded security and IT teams, Mondoo is the centralized exposure management platform that speeds up time to resolution for the cyber risks that truly matter. Mondoo monitors the security of your IT infrastructure, including on-prem, cloud, SaaS, endpoints, and more. It leverages risk-based prioritization to reduce investigation times and show teams which issues are the most critical in their environment. Fixing issues is easy with Mondoo’s detailed remediation steps and ticketing system integrations. But Mondoo doesn’t stop there: The platform tracks remediation status and automatically updates tickets when fixes are verified. This makes SLA reporting easy for tasks such as CVE and misconfiguration remediation.
Mondoo is rocket fuel for security teams. It not only automates and accelerates the process of investigating and prioritizing hundreds of daily findings, but also ensures that the most critical issues are resolved and verified as fast as possible.
Want to learn more? Schedule a demo with one of our experts.