VMblog: Provide a little backgrounder information on the company and your solution. What does your company look like in 2022 and beyond?
Ben Skelly: Like most good business concepts, Vicarius was born from that mindset of "there has to be a better way" - founded by 3 former security practitioners who were bewildered by the inefficient and manual processes that often surround vulnerability management programs. Rather than continue working from spreadsheets and never getting ahead, they began automating as much of the process as possible, and after proving the concept to themselves, launched the company in 2016, operating bootstrapped until taking funding last year. The company is now about 50 people strong and very much global.
That focus on automating otherwise manual processes is very much at the core of our solution, called Topia. From one dashboard, you're able to scan for all assets on your network, prioritize what to focus on using context unique to that network, and schedule / deploy patches automatically. I have a pretty deep background in security, including time spent at other vulnerability management solutions, and truly think the way Vicarius tackles this issue is the best I've seen, and easily the most complete. We're also huge proponents of leveraging open-source tools and community, to make security tools like our own available to all organizations, large and small, with the smallest barrier to entry possible.
VMblog: How are you different from your competitors? Why would someone prefer your offerings to those provided by others in the industry?
Skelly: There's a tremendous amount of market confusion around what "vulnerability management" even is, so let's start there. Thanks to first-mover benefits and analyst research that lags behind, many people associate "VM" with the big scanner vendors (Tenable, Qualys, R7). The truth is, scanning is just one (albeit important) step in a broader, mature vulnerability management program. It's not enough to know what's in your environment; you also need to orchestrate the steps to secure and monitor on a continuous basis. There are a lot of disparate tools on the market that can help accomplish that next step in maturity, which has given rise to the "risk-based vulnerability management" (RBVM) market and a handful of popular solutions to enable them. While incredibly useful, these RBVM tools are essentially giant integrators, helping all of the security tools in your ecosystem to work together as one. This means your program is only as useful as the other tools you've bought and deployed - which can quickly get expensive, confusing, and untenable, especially for smaller enterprises.
What makes Vicarius unique is the holistic nature of the platform, having the capabilities to perform every step of a mature VM program, without requiring third-party tools and licenses. We provide the capabilities to scan your network, build an asset inventory, prioritize fixes, and deploy those updates straight out of the box. While not a technical differentiator, we also make it incredibly easy to try the platform for free without ever engaging with sales or another person... which I see the entire SaaS industry moving closer and closer to, although security has been slow to fall in line. We're trying to change that.
VMblog: What are the elements of a mature vulnerability management program?
Skelly: Maturity models for vulnerability management are largely dependent on the vendor that's trying to sell you a solution - but in general, there are four critical steps that most agree on.
The first is discovery, scanning for and aggregating the assets in your environment. Having an accurate and continuously updated inventory of all assets and devices in your environment is obviously critical, as you can't fix what you don't know is broken. Next is knowing how to prioritize the vulnerabilities you discovered, which is a common place where enterprises fall short and the volume begins to become unmanageable and just "noise." What's important to account for, and where this step (and many vendors) often collapses, is business context. It's important to focus on the potential threats that will have the largest impact on your unique digital environment, not necessarily on what a third-party rating assigns without context. Once you have a clear asset picture and know which ones are business-critical, it's time to remediate - typically through patch management and deploying updates. The most mature organizations will automate this process based on said context above, updating the most critical systems while minimizing downtime and impact through strategic scheduling of deployment. Lastly is continuous monitoring and reporting, essentially starting the process all over again from discovery. This is where you measure your progress, report on risk to management, track known vulnerabilities, and make decisions for budget and program priority. There are other sub-steps along the way, but those four buckets are critical to running a meaningful VM program.
VMblog: How do you respond to an organization's question of "Do I really need to invest in security?"
Skelly: With the average security breach costing upwards of seven figures, I would say "can you afford not to?" Despite the advancements in vendor security technology, the morally-challenged hackers / opportunists of the world typically remain a step ahead, and they love to collaborate with each other. Network and application vulnerabilities remain one of the most significant, prevalent, yet (largely) fixable security problems across the board - and for a multitude of reasons. A recent study from the Ponemon Institute cited 60% of breach victims admitting the initial attack could've been prevented by patching known vulnerabilities. This issue transcends industry and company size, although large enterprises are typically more susceptible due to sheer volume of systems and users in place.
There's also a hidden benefit to tools like our own, which actually save money and give back to your budget through improvements in efficiency. In mid-to-large enterprises, security teams spend roughly 15-20 hours each week reviewing scan results, searching in forums/blogs, and prioritizing fixes manually. By eliminating this manual work, organizations can reallocate budget and time to other more pressing business needs while remaining secure.
VMblog: Are there any tools or tips for the smaller enterprises or those teams operating on a shoe-string budget to stay secure?
Skelly: Absolutely. The first thing I'd encourage, without even spending a dime, is to get involved with and leverage the broader security community. As mentioned earlier, the "enemy" has long collaborated with one another, sharing tactics, techniques, and procedures to circumvent security solutions - and it's long past time that we do the same on the defensive side. We recently launched a community of our own - called vsociety - free from vendor influence (including our own), as a place for security pros to collaborate on vulnerability solutions, share remediation insights, and network with their peers. The insights shared from across industries help to level the playing field and give key insights to practitioners who otherwise wouldn't have access to them.
Likewise, there are a plethora of free and open-source tools on the market to help better secure an organization. We're constantly trying to do our part and contribute to these projects, most recently releasing a free integration for Nmap, one of the most popular open-source / free scanning tools on the market. While powerful, one of the knocks on Nmap has been a difficulty in interpreting and making sense of the findings - which we've solved by allowing users to ingest their scans and receive a visualized and user-friendly output inside the Topia dashboard. Lastly, if you lack the budget and manpower but need the help, there's no shortage of awesome managed security service providers who can function as an extension of your own team for a fraction of the cost and no need to buy licenses of your own.