Taegis VDR: Review | Security Weekly Labs

October 1, 2021
  • Product cost: Secureworks didn’t provide pricing directly, but pricing we found online is $15.99 per asset per year. For our hypothetical small enterprise with around 2,000 assets, that makes the total product cost $31,980 per year. 
  • Deployment cost (labor): Junior-level folks should be able to deploy these virtual appliances, get them up and running, and add hosts for auto discovery. As mentioned in the time-to-value section, we’re estimating 20 hours of labor to get things up and running, which comes out to $673 for junior folks (check out the methodology document for more details on our salary estimates). 
  • Deployment cost (infrastructure): we’ve estimated $2,250 for resources to run three virtual appliances, though we know in many cases, the security team will be able to benefit from sunk costs on existing virtual infrastructure. 
  • Maintaining value (labor): this breaks down into a few categories 
    • Maintenance of the scan engine (e.g., tweaking scan configurations) and the underlying OS: none — the virtual appliance maintains itself — we save some labor here. $0.00. 
    • The work of building and distributing reports and metrics will vary widely depending on the organization, but we’ll say a middle-of-the-road estimate would come to two hours per week, for a total of $3,499.60 per year. Noteworthy here is that Taegis VDR doesn’t really have any reporting functionality to speak of (at least, not in terms of custom report building and exporting executive summaries to PDFs, that kind of traditional reporting), so reporting work may be a bit more manual for some folks. 
    • As mentioned elsewhere in this report, Taegis VDR does considerably more work than most when it comes to prioritizing vulnerabilities, validating them, and correlating with threat intelligence. These efforts should save analysts considerable time over competitors’ products, to the tune of 40% time savings, by our estimates. For our hypothetical organization, we’re estimating 48 hours of work in the first month, split 50/50 between senior and junior security staff. After the first month, we estimate 12 hours per month, with the senior/junior workload split going to 25/75, respectively. The total labor spend comes to $7,975.62 per year. 
    • Finally, tracking down unknown assets and their owners can also eat a lot of time and has a similar workload curve that’s heavy on the front, but tapers off to a constant value over time. Assuming a split between senior and junior staff that mirrors the previous estimate, we can easily see 40 hours spent on this in the first month and 10 hours per month following. The total comes to $6,646.36. 
  1. Vulnerability properties: Many of these factors have to do with the level of confidence in how the vulnerability was detected or could be exploited. Some vulnerability checks must do some guessing (a version banner, for example), while others are based on easily checkable binary states. Taegis VDR can reprioritize based on these factors. 
  2. Asset context: Much can be learned by paying attention to how an asset is handled. Are manual scans run more often on some hosts than others? Was it manually tagged with a higher importance value? Is it tagged as part of a more critical group (e.g., PCI DMZ)? Do special scheduling windows prevent it from being scanned at certain times? The value of an asset can be inferred from the answers to these questions. 
  3. Network context: Taegis VDR looks at assets on the network the way penetration testers and attackers do, looking for patterns that lead to "low-hanging fruit." Maybe an asset has three times more open services than the average. Maybe it is the only host on the network running a legacy or exotic service or protocol. Maybe it doesn’t match the naming convention everything else has. An open-source project that demonstrates this concept can be found on GitHub. 
  4. Organization context: Just as Asset Context above infers priority from actions taken relative to certain assets, analyst actions in the Taegis VDR console are also recorded and analyzed. By analyzing how the UI is used, the system can infer which assets seem to be a higher priority to the customer. This category also includes factors like how often a given detection method has resulted in a vulnerability being marked as a false positive. Secureworks can also estimate what a normal timeframe to remediate a particular vulnerability should be, across all their customers. If one customer finds themselves outside that window, the CPS can be increased. 
  5. External context: This one is largely self-explanatory. If reliable exploits are available, or folks on threat intel feeds or in certain forums are excitedly talking about a particular vulnerability, the CPS is adjusted accordingly. 
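The five factor categories above describe how a contextual score reweights a raw CVSS number. The Python sketch below is an added illustration of that idea for this review; it is not Secureworks’ code and does not describe how the real CPS is computed. The weights, thresholds, the "pci-dmz" tag, the prd-web-01 naming convention, the VULN-A/VULN-B placeholder identifiers and the sample fleet are all constructed assumptions chosen so that each factor visibly moves the score. Note that the lower-CVSS finding on the oddball host ends up ranked first once network, remediation-lag and exploit context are applied.

```python
"""Toy contextual prioritization scorer, added to illustrate the five CPS
factor categories above. Not Secureworks' code: every weight, threshold,
field name and sample record is an assumption chosen for demonstration."""
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    open_services: list[str]
    tags: set[str] = field(default_factory=set)
    manual_scans_30d: int = 0   # analyst-triggered scans in the last 30 days
    importance: int = 0         # analyst-assigned 1..5, 0 = never set


@dataclass
class Finding:
    asset: Asset
    vuln_id: str                # constructed placeholder, not a real CVE ID
    cvss: float                 # base score before any context
    check_kind: str             # "authenticated" (binary state) or "version_banner" (guess)
    detection_method: str       # which check produced it, for false-positive history
    days_open: int


CRITICAL_TAGS = {"pci-dmz", "crown-jewels"}              # hypothetical critical groups
NAMING_RE = re.compile(r"^(prd|stg|dev)-[a-z]+-\d{2}$")  # hypothetical convention: prd-web-01


def vulnerability_properties(f: Finding) -> float:
    """1. Detection confidence: an authenticated check reads a definite state,
    a banner check has to guess. Returns a multiplier on the base score."""
    return {"authenticated": 1.0, "version_banner": 0.7}.get(f.check_kind, 0.5)


def asset_context(a: Asset) -> float:
    """2. Infer asset value from how analysts treat it."""
    score = 2.0 if a.tags & CRITICAL_TAGS else 0.0
    score += 0.4 * a.importance
    if a.manual_scans_30d >= 3:
        score += 1.0
    return score


def network_context(a: Asset, fleet: list[Asset]) -> float:
    """3. Outlier checks an attacker would run while hunting low-hanging fruit."""
    score = 0.0
    others = [x for x in fleet if x is not a]
    if others:
        mean_services = statistics.mean(len(x.open_services) for x in others)
        if len(a.open_services) >= 3 * mean_services:
            score += 1.5                      # far more exposed than its peers
        seen_elsewhere = {s for x in others for s in x.open_services}
        if any(s not in seen_elsewhere for s in a.open_services):
            score += 1.0                      # only host running that service
    if not NAMING_RE.match(a.name):
        score += 0.5                          # does not follow the naming convention
    return score


def organization_context(f: Finding, fp_rate: dict[str, float],
                         median_days: dict[str, int]) -> tuple[float, float]:
    """4. Discount detection methods with a false-positive history (multiplier)
    and escalate findings open longer than the cross-customer norm (bonus)."""
    confidence = 1.0 - fp_rate.get(f.detection_method, 0.0)
    overdue = 0.5 if f.days_open > median_days.get(f.vuln_id, 30) else 0.0
    return confidence, overdue


def external_context(f: Finding, exploited: set[str], chatter: set[str]) -> float:
    """5. Reliable public exploit, or active threat-intel chatter."""
    return (2.0 if f.vuln_id in exploited else 0.0) + (1.0 if f.vuln_id in chatter else 0.0)


def cps(f, fleet, fp_rate, median_days, exploited, chatter) -> float:
    confidence, overdue = organization_context(f, fp_rate, median_days)
    base = f.cvss * vulnerability_properties(f) * confidence
    return round(base + asset_context(f.asset) + network_context(f.asset, fleet)
                 + overdue + external_context(f, exploited, chatter), 2)


def rank(findings, fleet, fp_rate, median_days, exploited, chatter):
    """Return (score, vuln_id, host) tuples, highest score first."""
    scored = [(cps(f, fleet, fp_rate, median_days, exploited, chatter), f.vuln_id, f.asset.name)
              for f in findings]
    return sorted(scored, reverse=True)


# Constructed sample fleet and findings (not data from the review).
FLEET = [
    Asset("prd-web-01", ["http", "https"], tags={"pci-dmz"}, manual_scans_30d=4, importance=5),
    Asset("prd-web-02", ["http", "https"]),
    Asset("legacy-box", ["http", "https", "ftp", "telnet", "smb", "rdp", "vnc", "snmp", "nfs"]),
]
FINDINGS = [
    Finding(FLEET[0], "VULN-A", cvss=7.5, check_kind="version_banner",
            detection_method="banner-match", days_open=10),
    Finding(FLEET[2], "VULN-B", cvss=5.0, check_kind="authenticated",
            detection_method="package-version", days_open=60),
]
FP_RATE = {"banner-match": 0.4, "package-version": 0.05}   # historical FP rate per method
MEDIAN_DAYS = {"VULN-A": 14, "VULN-B": 30}                 # assumed cross-customer fix time
EXPLOITED = {"VULN-B"}
CHATTER = {"VULN-A"}


def demo():
    return rank(FINDINGS, FLEET, FP_RATE, MEDIAN_DAYS, EXPLOITED, CHATTER)


if __name__ == "__main__":
    for score, vuln, host in demo():
        print(f"{score:5.2f}  {vuln}  {host}")
```

Running it ranks VULN-B on legacy-box (CVSS 5.0, authenticated check, oddball host with a public exploit, overdue) above VULN-A on prd-web-01 (CVSS 7.5, but a banner-based check from a method with a 40% false-positive history). Swapping the detection method or removing the exploit flag flips the order, which is the behaviour the factor list above is describing.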
  • ServiceNow – synchronizes remediation plans with ServiceNow ITSM 
  • Qualys – collect inventory and vulnerabilities 
  • AWS Inspector – collect asset information and vulnerabilities 
Adrian Sanabria

Adrian joined SC Media’s parent company, CyberRisk Alliance, in 2020. He focuses primarily on cybersecurity product reviews, but also provides industry insight on trends for both SC Media and Security Weekly (another CyberRisk Alliance company). He brings two decades of industry experience, working as a practitioner, penetration tester, and industry analyst. He spent the last few years as an entrepreneur, challenging norms in sales and marketing for a variety of vendors. Adrian loves to cook, eat, hike, play music and regale his teenagers with stories of what the early days of the Internet were like.