Michelangelo Sidagni, CTO
Today's rapidly evolving cyberspace has organizations battling each day to keep their information safe while remaining "open" for business. The exponential proliferation of new security vulnerabilities in both commercial and open source software often poses a hurdle for the C-suite. Adding to the complexity, enterprises frequently have a dearth of talented security professionals, which leaves small and overworked security groups in charge of protecting a growing number of assets. In this business scenario, NopSec offers a comprehensive SaaS-based vulnerability management solution. "Our solution allows small security teams with great challenges to discover, prioritize, and remediate security vulnerabilities in infrastructures and applications efficiently and effectively," says Michelangelo Sidagni, CTO, NopSec.
The NopSec Unified VRM solution analyzes, prioritizes, and remediates vulnerability data using automated workflows, correlation with exploit, malware, and social media threat intelligence, and the intrinsic value of the assets on which the vulnerabilities are found. Vulnerabilities are either detected by the solution's own scanning engine or imported from other commercial scanning engines such as Qualys, Tenable, and Rapid7. The solution also applies machine learning, threat intelligence, and other risk-based analytics to turn static vulnerability scan data into actionable information. "The data is then funnelled into our patented AI Expert Engine to eliminate false positives, reprioritize risks, and eliminate duplicates and other redundant information," explains Sidagni.
Once the vulnerability data has been cleansed, it is prioritized using a growing number of threat intelligence feeds, including public exploits, malware, and social media, which help analysts reprioritize their remediation efforts. "The overwhelmed security analyst can quickly see a prioritized list of vulnerabilities where remediation efforts should be focused on," says Sidagni. A NopSec Risk score is then calculated, taking into account the value of the information held on the asset. This score is converted into a letter grade that is assigned to asset groups and to the overall system for ease of understanding.
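The workflow described above (deduplicate and discard false positives, correlate each finding with exploit, malware, and social media intelligence, weight by asset value, then map the numeric risk to a letter grade) can be illustrated with a small pipeline. The following is an added example written for this article and is not NopSec code; the weights, the scoring formula, the grade thresholds, the CVE identifiers (obvious placeholders), the intelligence feed, and the asset values are all constructed assumptions chosen to show the mechanics, not the vendor's patented engine.

```python
"""Illustrative risk-based vulnerability prioritization (added example, not NopSec code).

Assumptions: the formula, weights, thresholds, and all sample data below are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float
    false_positive: bool = False  # set by an analyst or an upstream engine


# Constructed scan output, as if merged from two scanners (CVE ids are placeholders).
SCAN_FINDINGS = [
    Finding("db01", "CVE-0000-0001", 9.8),
    Finding("db01", "CVE-0000-0001", 9.8),          # same finding reported twice
    Finding("web01", "CVE-0000-0002", 7.5),
    Finding("kiosk07", "CVE-0000-0003", 9.1),
    Finding("web01", "CVE-0000-0004", 5.3, True),   # flagged false positive
]

# Constructed threat intelligence keyed by CVE id.
THREAT_INTEL = {
    "CVE-0000-0001": {"public_exploit": True, "malware": True, "social_mentions": 120},
    "CVE-0000-0002": {"public_exploit": True, "malware": False, "social_mentions": 8},
    "CVE-0000-0003": {"public_exploit": False, "malware": False, "social_mentions": 0},
}

# Constructed asset value on a 1-5 scale (5 = most sensitive data).
ASSET_VALUE = {"db01": 5, "web01": 4, "kiosk07": 1}

MAX_THREAT = 2.3  # largest value threat_multiplier() can return; used to normalize


def clean(findings):
    """Drop exact duplicates (same asset and CVE) and findings flagged as false positives."""
    seen, out = set(), []
    for f in findings:
        key = (f.asset, f.cve)
        if f.false_positive or key in seen:
            continue
        seen.add(key)
        out.append(f)
    return out


def threat_multiplier(intel):
    """1.0 with no intelligence; up to 2.3 when exploit, malware, and heavy chatter all exist."""
    m = 1.0
    if intel.get("public_exploit"):
        m += 0.5
    if intel.get("malware"):
        m += 0.5
    m += 0.3 * min(intel.get("social_mentions", 0), 100) / 100  # chatter capped at 100
    return m


def risk_score(f):
    """0-100 score: CVSS severity, scaled by threat activity and by asset value."""
    intel = THREAT_INTEL.get(f.cve, {})
    asset = ASSET_VALUE.get(f.asset, 3) / 5  # unknown assets get a middle value
    return 100 * (f.cvss / 10) * (threat_multiplier(intel) / MAX_THREAT) * asset


def letter_grade(score):
    """Map a 0-100 risk score to a letter grade (A best, F worst)."""
    for threshold, grade in ((20, "A"), (40, "B"), (60, "C"), (80, "D")):
        if score < threshold:
            return grade
    return "F"


def prioritize(findings):
    """Return (finding, score) pairs for cleaned findings, highest risk first."""
    scored = [(f, risk_score(f)) for f in clean(findings)]
    return sorted(scored, key=lambda p: p[1], reverse=True)


def asset_grades(scored):
    """Grade each asset by its worst finding, plus an overall grade for the estate."""
    worst = {}
    for f, s in scored:
        worst[f.asset] = max(worst.get(f.asset, 0.0), s)
    grades = {a: letter_grade(s) for a, s in worst.items()}
    grades["overall"] = letter_grade(max(worst.values())) if worst else "A"
    return grades


if __name__ == "__main__":
    ranked = prioritize(SCAN_FINDINGS)
    for f, s in ranked:
        print(f"{s:6.2f}  {f.asset:8s} {f.cve}")
    print(asset_grades(ranked))
```

Note how the kiosk finding with CVSS 9.1 ranks below the web server finding with CVSS 7.5: it has no exploit or malware activity and sits on a low-value asset, which is exactly the kind of reordering the article says a risk-based engine performs over raw scanner severity.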
The company serves many sectors, including financial services, healthcare, and IT/SaaS companies, with its Unified VRM solution. For mid-market companies, NopSec delivers the vulnerability management workflow as a service so that the companies do not have to implement it themselves. For large companies, the firm harnesses its Artificial Intelligence (AI) expert systems and prioritization engine to help clients focus on the vulnerabilities that matter most to their organizations. In one instance, a customer was overwhelmed by the number of vulnerabilities generated by an ongoing scan of a 10,000-node network. The patented risk-based prioritization engine of Unified VRM helped the client reduce the vulnerabilities requiring attention by more than 80 percent and added value to the customer's business.
Since its inception, NopSec has invested in innovation and offensive security automation. The company uses penetration testing in its research lab to refine the latest offensive security exploits, which are then automated in the Unified VRM platform. The drive toward innovation is also reflected in NopSec's training practices: each developer and security engineer is cross-trained in both offensive security and software development.
Forging ahead, NopSec is planning to launch a Vulnerability Management Program Governance Module and a Vulnerability Context-aware Prioritization capability. The organization also emphasizes social media chatter, correlating the volume of discussion about a vulnerability with that vulnerability's importance. "We use this correlation and data from social media and Twitter as part of our vulnerability risk scoring system to come up with better solutions," concludes Sidagni.