On Coffeemakers, Quick Start Guides, and Why the Missing Piece in Your Vulnerability Scan Is Your MSP


You just bought a new coffee maker. This contraption is the “bee’s knees.” It can make coffee any way you like it: light, medium, or bold. It can add a caramel drizzle or some foam, and it automatically cleans itself. It connects to the Wi-Fi, can sense your morning mood, notify Netflix which shows you should watch, and will even misspell your name on the side of the cup so you feel like you’re at an overpriced coffee house.

There’s only one problem with this fantastic new coffee maker: you have to put it together.

And that, my friends, is where the fun begins. Because the only set-up instruction for this complex contraption is a manual over fifty pages long. But just before you despair over your lack of an engineering degree, you see the “quick start” guide lying among the packing peanuts. THE QUICK START GUIDE!!! Happily, you pull out an 8-page document that you KNOW is at least half in French, German, or Spanish, meaning you have to read at most 4 pages in any one language! You can do this! Maybe you shouldn’t take the machine back to the store after all!

If this story sounds familiar to you, that’s because it’s a pretty good description of what it’s like to incorporate a new, complicated technology into your life. In this complicated world, a quick start guide can make all the difference. So why, then, are so many cybersecurity companies missing the opportunity to use that “quick start guide” mentality to create reports a company can actually act upon?

If you have a vulnerability scanning and reporting program, you owe it to yourself to have an MSP that owns the program, can analyze the reams and reams of information that come in from it, and issue some doable suggestions for correcting your vulnerabilities. But before we get into all that, let’s first talk about what a vulnerability scan can do for your organization.


Internal/External Vulnerability Scans – What They Can Do:

Internal/External Vulnerability Scanning, or IVS for short, can help your organization:

  • Meet multiple compliance requirements
  • Protect your organization’s reputation
  • Lower your risk profile, so you can qualify for cyber risk insurance
  • Help you make more money, because you have a higher operational maturity level, and are more attractive to a wider range of customers

How the Average Vulnerability Scan Works, and Why That Needs to Change

Too many clients simply purchase a vulnerability scan from an MSSP, clap their hands together, and consider the job delegated. But it doesn’t work that way. In my experience, here’s what the lack of analysis will get you:

  • An IT Administrator installs a server or virtual appliance on a network and tells it to scan once a quarter, then pulls the report which is hundreds or thousands of pages long. They review the first few pages, irritable at having to do extra work, then give up by page 10, telling the CFO of the company that they need to hire somebody to even begin this. The report is saved to a drive and is trotted out whenever the IT Administrator is unhappy with how they are being treated.
  • An organization hires a Managed Security Services Provider (MSSP) to augment the services of a Managed Services Provider (MSP). The MSSP installs a server or virtual appliance on a network and tells it to scan once a quarter, then pulls the report, which is hundreds or thousands of pages long. They “review” the first few pages, then send the full report to the CFO of the organization as well as the MSP. The MSP, irritable at having to do extra work, reviews the report in its entirety and gets mad at the MSSP, as there is no real guidance on what to tackle, since the standing orders are “You should take care of all of these.” The MSP tells the CFO of the company that they will do what they can with the report after about six different meetings. They have already pushed out those patches. The report is saved to a drive where other very similar reports also live, having provided only enough valuable information for the client to know that they are, in fact, vulnerable.

In a world where coffee makers connect to the internet and have firmware updates, a several-hundred-page report making it to the CEO of an organization is very unlikely. This means that a very valuable service is often mislabeled as bulky and tough to manage. The issue isn’t with the actual vulnerability scanner(s) themselves. We work with several different offerings.

The main two reasons why this security layer isn’t viewed in a favorable light are the following:

  • Vulnerability scanners that are installed in the office don’t necessarily work well with a remote workforce. They are also considered “loud” and may slow down the network during work hours.
  • A report that is several hundred pages long is like that of the coffee maker—organizations want a Quick Start Guide and don’t necessarily need to know about the entire network.

That was easy, right? So, how do we address these issues?


Vulnerability Appliance and Agents

First missing piece: You still need a vulnerability appliance on your network if you have server infrastructure, whether in the cloud or on premises. To augment this, add vulnerability scanner agents, which are kind of like installing antivirus on all your computers. It’s important to look for a product that does the following:

  • Runs concurrently throughout the day without interrupting work.
  • Can be installed on multiple operating systems.
  • Can relay information back to the Vulnerability Management portal from anywhere.

This addresses the problem of employees who have laptops and travel, especially with the changing times. Instead of running quarterly, run it all the time! Treat it like your smart phone. Reboot for updates, turn it off while on an airplane, and otherwise leave that sucker on.


Quick Start Guide

Second missing piece: Often termed the “Executive Summary Report,” this is a short summary of that hundred- to thousand-page full report. It should cover the following:

  • Critical and High vulnerabilities with action plan to fix. (A lot of those pages in the original report are informational. Focus on the important items.)
  • Communications to employees. (Think of the employee with 2 devices, or the laptop that they never turn on or reboot.)
  • A score. (Good organizations use metrics to improve.)
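To make the three bullets concrete, here is an added example (not code from the original post or from Integris) that turns raw scan findings into the kind of one-page summary described above: it keeps only Critical and High items, groups them by the fix that resolves them so one action covers every affected host, flags endpoints whose agent has stopped reporting (the laptop that never gets rebooted), and produces a single score. The findings, host names, check names, severity weights and the 14-day “stale agent” threshold are all constructed for the example; real scanners export their own schemas and severity scales, so the field names here are an assumed generic layout rather than any vendor’s format.

```python
"""Build a "quick start" executive summary from raw vulnerability scan findings.

Added example: the findings are constructed, not real scanner output, and the
field layout (host, plugin, severity, fix, agent_checkin_days) is an assumed
generic schema, not any particular vendor's export format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str              # scanner check name (constructed)
    severity: str            # Critical / High / Medium / Low / Info
    fix: str                 # remediation action reported by the scanner (constructed)
    agent_checkin_days: int  # days since the endpoint agent last reported in


# Assumed weights: the scale is illustrative, not a vendor's scoring model.
SEVERITY_WEIGHT = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1, "Info": 0}
ACTIONABLE = {"Critical", "High"}
STALE_AGENT_DAYS = 14  # assumed threshold for "this laptop never checks in"

# Constructed sample findings; plugin and fix text are illustrative only.
SAMPLE_FINDINGS = [
    Finding("fileserver01", "SMBv1 enabled", "High", "Disable SMBv1", 0),
    Finding("fileserver01", "Outdated OpenSSL", "Critical", "Apply vendor patch", 0),
    Finding("fileserver01", "Banner discloses version", "Info", "None", 0),
    Finding("laptop-jsmith", "Outdated OpenSSL", "Critical", "Apply vendor patch", 41),
    Finding("laptop-jsmith", "Browser out of date", "High", "Update browser", 41),
    Finding("laptop-jsmith-2", "Outdated OpenSSL", "Critical", "Apply vendor patch", 3),
    Finding("printer-2f", "Default SNMP community", "Medium", "Change community string", 1),
    Finding("printer-2f", "Self-signed cert", "Low", "Install trusted cert", 1),
]


def actionable_findings(findings):
    """Keep only Critical/High items: the few pages the report should lead with."""
    return [f for f in findings if f.severity in ACTIONABLE]


def action_plan(findings):
    """Group actionable findings by fix so one line item covers every affected host.

    Returns a list of (fix, [hosts]) ordered by how many hosts each fix
    resolves, most first, then alphabetically for a stable report.
    """
    plan = defaultdict(set)
    for f in actionable_findings(findings):
        plan[f.fix].add(f.host)
    return sorted(((fix, sorted(hosts)) for fix, hosts in plan.items()),
                  key=lambda item: (-len(item[1]), item[0]))


def stale_agents(findings, threshold_days=STALE_AGENT_DAYS):
    """Hosts whose agent has not reported in: candidates for an employee follow-up."""
    return sorted({f.host for f in findings if f.agent_checkin_days > threshold_days})


def risk_score(findings):
    """0-100 score where 100 means no weighted findings; each finding subtracts its weight."""
    penalty = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    return max(0, 100 - penalty)


def executive_summary(findings):
    """Render the one-page summary as plain text."""
    lines = [
        f"Score: {risk_score(findings)}/100",
        f"Actionable findings: {len(actionable_findings(findings))} of {len(findings)}",
        "Action plan:",
    ]
    for fix, hosts in action_plan(findings):
        lines.append(f"  - {fix}: {', '.join(hosts)}")
    stale = stale_agents(findings)
    if stale:
        lines.append("Follow up with employees (agent not reporting): " + ", ".join(stale))
    return "\n".join(lines)


if __name__ == "__main__":
    print(executive_summary(SAMPLE_FINDINGS))
```

Run stand-alone, the script prints a summary that leads with one patch covering three hosts, lists the two single-host fixes after it, and names the laptop that has not checked in for 41 days. The three Info, Low and Medium findings never reach the action plan; they only nudge the score, which is the point of separating the quick start guide from the full report.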

The value of instituting a program like this far exceeds running scans quarterly and then dropping a big report on someone’s desk with no direction on what to tackle. Most importantly, this is a program that a Managed Services Provider (MSP) should own. They are a key component of your organization, and it’s their job to manage the challenges that never go away, because technology is made by humans and, therefore, is not perfect. Vulnerability scan output can be read by just about anyone, but it often requires a specialist to interpret it and provide that very valuable direction regularly.

Make yourself safer and more competitive as an organization through valuable security services and adding these missing pieces. Call us at Integris. We’d love to show you how.

Nick McCourt is a vCISO, CISSP at Integris.
