The idea of infusing simplicity into a design is not new. We see this trend in products all over from user interfaces, physical products, mobile devices, and user journeys. At the same time, there’s always a desire for more, fueling feature or tool creep and information overload. This theme certainly rings true in cybersecurity.
There are hundreds, if not thousands of tool options for identifying vulnerabilities and reporting on them. Each tool has its own unique interface and its own risk interpretation. They are also likely looking at different slices of a technology stack or environment. Attempting to manage all of those layers within a single tool is complex. Taken in and layered together across different solutions, that complexity becomes needlessly untenable and even more complex.
Within the domains of user experience (UX) and human-centered design (HCD) there is a concept of managing cognitive load for users. There are two key forms of cognitive load :
- Intrinsic cognitive load is the effort taken to absorb new information and keep track of goals.
- Extraneous cognitive load is processing that consume mental resources but doesn’t aid in understanding the content.
A simple example of extraneous cognitive load is the use of different colors within a tool that doesn’t actually convey meaning. Circling back to a recent article on tool-driven risk confusion. A user attempting to derive prioritization out of conflicting colors and scores adds unnecessary cognitive load. The unified vulnerability management (UVM) tools segment has the potential to improve this situation. These solutions, such as Kenna Security and Nucleus Security both provide commercial offerings to aggregate and streamline vulnerability management programs.
Broadly speaking, UVM tools have focused on a couple of core problems.
- Aggregate vulnerability data using connectors to different security tools
- Instrument security tools directly to generate and then collect data
- Display vulnerability data from different tool sources in one view to the user
For the purposes of this discussion, the instrumentation is not relevant. We will focus on minimizing cognitive load, aggregating data together, normalizing it, and displaying it inside of a single view. Following a hypothetical organization with a security tools portfolio, a deployment could look like this.
In this scenario, there are 8 reports, 8 risk assessments, and 8 different user experiences consolidated into 1. That’s a lot of cognitive load removed for those teams working on vulnerability remediation. While focused on the same core problem set, commercial and open source solutions naturally vary in their approaches to key features. If you are evaluating this approach to vulnerability management in your environment here are some key areas to focus on:
- De-duplication of vulnerabilities: Tools or security processes (e.g., penetration testing) can sometimes identify the same issues as another. A solution should have the ability to identify these similar issues and consolidate them into unique vulnerabilities. This ensures that a developer is not doing extra work to prioritize, fix, and report out on duplicate issues.
- Threat intelligence enrichment: Mapping vulnerabilities to threat intelligence feeds, commercial or custom. This can help teams further prioritize vulnerabilities beyond assigned risk ratings to understand where exploits exist or what’s being actively exploited in the wild.
- Asset management correlation: To ensure a team understands what a reported vulnerability actually affects, a solution needs to have a robust asset management model. How does it handle ephemeral resources? How about duplicative IP addresses utilized in different data centers or cloud environments?
- Integration support: This one seems obvious, but ensuring that the technology stack you use is supported out of the box or with relative ease (e.g., a well documented and open API) is essential. If a security team cannot integrate its entire stack then this consolidation of extraneous cognitive load will struggle.
As technologies continue to evolve, vulnerability management will adapt and follow. It is essential that security teams not let this constant change lead to constantly growing complexity for the development teams they engage with. The approach outlined in this article is one way to approach the problem, it is certainly not the only viable one. The important takeaway is that teams consider the user journey that developers go through to receive, understand, prioritize, and address vulnerabilities.