Vulnerability Management

Actionable insight into component vulnerabilities

The Vulnerability Management Process

When new vulnerabilities are announced in software, it can be difficult to determine if they affect you when they are deeply embedded in components that you may not even be aware of. In the event of high-profile critical vulnerabilities (e.g., Log4j), the ability to quickly find them in your environment is crucial. It is also imperative that you be able to prioritize vulnerabilities because not all of them merit an all-hands-on-deck response.

FACT helps you automate vulnerability management by continuously monitoring the NVD, vendor websites, and other online sources for vulnerability disclosures, and then correlating those with all the software and subcomponents present in your environment. Its advanced AI uses natural language processing to overcome inconsistent naming and versioning, and to analyze complex free-text descriptions.

Vulnerability management solutions are notorious for producing unmanageable numbers of false positives — reporting hundreds of vulnerabilities that simply aren’t present. That’s why FACT’s advanced AI was designed to reduce false positives. You can throttle up or down the confidence level on recommendations from the AI to provide a manageable and prioritized list of vulnerabilities.

Vulnerability Management for OT Product Vendors

Organizations developing and shipping software and firmware for critical industries are facing more regulatory and market pressure to take responsibility for the components in their products. End users want to know if there are vulnerable components present and are even adding transparency clauses to their purchasing contracts.

FACT can help you ship secure software with embedded open source and 3rd-party components that meet customer and regulatory requirements — on time, on budget, and with existing resources.

Identify Vulnerabilities

FACT helps you see where vulnerabilities are present across your entire software ecosystem. It shows you how many of your products are potentially affected by vulnerabilities, as well as the status of your investigations.

This analysis is performed at scale and on a continuous basis so you can see vulnerabilities before attackers do.

Screenshot of the Vulnerabilities card from the Visibility Report Dashboard

Prioritize the Vulnerabilities to Address First

FACT lets you view vulnerabilities in order of severity (e.g., Low, Medium, High, or Critical CVSS score), in order of AI confidence, or both, ensuring you can focus on the most likely and severe vulnerabilities first rather than false positives.

You can adjust the AI confidence filter to hide lower-confidence scores to keep your list manageable for the resources you have.

You can quickly view vulnerabilities by product and determine how many vulnerabilities are involved and which subcomponents contain the vulnerability.

Further details on the vulnerability are a click away, displaying the source of the CVE (such as the NVD or the component vendor’s website) and any further information.

Screenshot of vulnerability management from within the FACT Portal

Evaluate the Exploitability of Vulnerabilities

Once you identify the presence of potential vulnerabilities in your products, you can determine if the vulnerability is actually exploitable. For example, you may be using a vulnerable component, but in your particular implementation, the vulnerable code is inaccessible.

FACT allows you to create “exploit assessments” to help communicate to your customers if a vulnerability does or does not impact your product, as well as share mitigations that customers or site operators can perform.

Internally, exploit assessments help you triage vulnerabilities and work with your development team to investigate and plan remediations.

You can flag vulnerabilities as “under investigation,” allowing your development team the time they need to conduct their assessment.

FACT’s AI learns from the feedback you give, helping it recognize future vulnerabilities with higher confidence.

Vulnerability management is not a “one-and-done” job because new vulnerabilities are discovered and reported continuously. FACT helps you keep on top of this ongoing process.

Screenshot of the Create Exploit Assessment Wizard

Screenshot of an Exploit Assessment

Remediate Vulnerabilities

For vulnerabilities requiring deeper study, you can conveniently send a prioritized list of vulnerabilities to your development team via a Vulnerability Disclosure Report (VDR) document.

If your team determines that the vulnerability is present and exploitable in your product, they can:
  1. Recommend a remediation or workaround
  2. Remove, update, or mitigate vulnerable packages and release a new version to ship to customers

If your team determines that the vulnerability is present but NOT exploitable in your product, they can:
  1. Publish a VDR document that can be shared with customers indicating the product is safe
  2. And avoid a lot of expensive, unnecessary development time

If your team determines that the vulnerability isn’t present in your product, they can:
  1. Flag the vulnerability as not present; the FACT AI will learn from your input and improve future identification

Screenshot of vulnerability management from within the FACT Portal

Report on Vulnerabilities to Customers

When high-profile vulnerabilities hit the news, customers start reaching out to ask questions. Addressing their concerns manually via phone, email, or PDF documents is inefficient and time-consuming. If there is an exploitable vulnerability in your product, a fast response is critical to stay ahead of adversaries.

Prompt disclosure of vulnerabilities isn’t just good business; it’s mandated by legislation in the US, Europe, and other jurisdictions.

FACT helps you:

Comply with disclosure regulations quickly and without additional resources

Ensure transparency with your customers and keep satisfaction high

Demonstrate a responsive and industry-leading cybersecurity posture

With FACT you can generate machine-readable Vulnerability Disclosure Report (VDR) documents to communicate with customers about vulnerabilities in each of your products.
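The exploit assessments described above (exploitable with a workaround, present but not reachable, under investigation, not present) are exactly the states a machine-readable VDR has to carry. The block below is an added illustration, not FACT code or its export format: it assumes a CycloneDX-style VDR layout (a `vulnerabilities` list whose entries carry an `analysis` block with `state`, `justification`, `detail` and `response`), and the product name, component refs and the `CVE-EXAMPLE-*` ids are constructed placeholders; CVE-2021-44228 and its NVD URL are real.

```python
"""Building a machine-readable VDR from exploit assessments.

Added illustration, not FACT code. The document shape follows the CycloneDX VDR
layout as an assumption about a reasonable export format; the product, bom-refs,
assessments and CVE-EXAMPLE-* ids are constructed.
"""
import json
from dataclasses import dataclass, field
from typing import Optional

# Analysis vocabularies as defined by the CycloneDX specification.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage",
                   "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}


@dataclass
class ExploitAssessment:
    cve_id: str
    source_name: str
    source_url: str
    state: str                             # one of ANALYSIS_STATES
    detail: str                            # free-text explanation for the customer
    justification: Optional[str] = None    # required when state is "not_affected"
    responses: list = field(default_factory=list)
    component_ref: Optional[str] = None    # bom-ref of the affected subcomponent, if known

    def validate(self) -> None:
        if self.state not in ANALYSIS_STATES:
            raise ValueError(f"{self.cve_id}: unknown state {self.state!r}")
        if self.state == "not_affected" and self.justification not in JUSTIFICATIONS:
            raise ValueError(f"{self.cve_id}: not_affected needs a recognised justification")
        unknown = set(self.responses) - RESPONSES
        if unknown:
            raise ValueError(f"{self.cve_id}: unknown responses {sorted(unknown)}")


def is_valid(assessment: ExploitAssessment) -> bool:
    """True when the assessment passes the vocabulary checks above."""
    try:
        assessment.validate()
        return True
    except ValueError:
        return False


def build_vdr(product_name: str, product_version: str, assessments, product_ref="product-1"):
    """Assemble one VDR document for a product from its exploit assessments."""
    for a in assessments:
        a.validate()
    vulns = []
    for a in assessments:
        entry = {
            "id": a.cve_id,
            "source": {"name": a.source_name, "url": a.source_url},
            "analysis": {"state": a.state, "detail": a.detail},
            "affects": [{"ref": a.component_ref or product_ref}],
        }
        if a.justification:
            entry["analysis"]["justification"] = a.justification
        if a.responses:
            entry["analysis"]["response"] = list(a.responses)
        vulns.append(entry)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "firmware", "bom-ref": product_ref,
                                   "name": product_name, "version": product_version}},
        "vulnerabilities": vulns,
    }


def vdr_json(vdr: dict) -> str:
    return json.dumps(vdr, indent=2, sort_keys=True)


# Constructed sample: one assessment per outcome discussed on the page.
SAMPLE_ASSESSMENTS = [
    ExploitAssessment("CVE-2021-44228", "NVD", "https://nvd.nist.gov/vuln/detail/CVE-2021-44228",
                      "exploitable", "log4j-core 2.14.1 is reachable from the logging path",
                      responses=["workaround_available", "update"], component_ref="log4j-core-2.14.1"),
    ExploitAssessment("CVE-EXAMPLE-0002", "Vendor advisory", "https://example.invalid/advisory/0002",
                      "not_affected", "vulnerable function is never linked in this build",
                      justification="code_not_reachable"),
    ExploitAssessment("CVE-EXAMPLE-0003", "NVD", "https://example.invalid/placeholder",
                      "in_triage", "under investigation by the development team"),
    ExploitAssessment("CVE-EXAMPLE-0004", "NVD", "https://example.invalid/placeholder",
                      "false_positive", "component not present; match was a naming collision"),
]

if __name__ == "__main__":
    print(vdr_json(build_vdr("Example Controller", "4.2.0", SAMPLE_ASSESSMENTS)))
```

The validation step is the part worth keeping: a VDR whose `not_affected` entries lack a justification tells the customer nothing they can act on, so reject it before it is published.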

Vulnerability Management for OT Asset Owners

Vulnerability management in environments combining OT, IT, and IoT is a daunting task:

  • New vulnerabilities are emerging all the time, and it is impossible for humans to manually — and continually — hunt the internet for vulnerability announcements.
  • Most asset owners aren’t aware of the components embedded in the products they use, so if a vulnerability is announced for one of those components, they won’t know to look for it.
  • As a result of mergers, acquisitions, rebranding, and simple typos, asset owners can’t always count on a product’s name to research vulnerabilities.
  • The National Vulnerability Database is missing an estimated 76%¹ of vulnerabilities affecting OT products.

Legislation is putting pressure on vendors to improve disclosure, but FACT can give you a head start, revealing vulnerabilities not yet acknowledged or reported by your vendors.

Identify Vulnerabilities in Your Operations

FACT identifies vulnerabilities that may be present in products across your operations, regardless of who the suppliers are. It provides a single pane of glass to show you how many of your products are potentially affected by vulnerabilities. This analysis is performed at scale and continuously so you can avoid assigning valuable resources to this tedious task.

If a vulnerable product is disclosed and you want to know if it affects you, just search for it and FACT will tell you what files contain it.

After Log4j was announced, the CISO for a major US defense contractor reported:

“My team was forced to manually call almost 200 of our software suppliers to determine if the software they had sold us contained Log4j. It took over two weeks to complete.”

If specific packages (e.g., Log4j) or vulnerabilities (e.g., CVE-2021-44228) are of concern, FACT helps you quickly identify where these packages exist in your software ecosystem.

Screenshot of the submitted files table from within the FACT Portal

Prioritize Which Vulnerabilities to Pursue with Vendors

FACT allows you to view vulnerabilities by order of AI confidence, CVSS score (e.g., Low, Medium, High, Critical), or both, in order to review the most likely and severe vulnerabilities.

You can adjust the confidence level on the AI, allowing you to filter out false positives and concentrate on the vulnerabilities that have an extremely high probability of being present – or vulnerabilities that your vendor has actually provided confirmation on.

  1. Review any exploit assessments your vendors have created on vulnerabilities found in products at your site to see if there are any mitigations or workarounds you can perform to reduce exploitation risk.
  2. Review vulnerable products to see if your vendor has a newer version and if an update is recommended.
  3. Export the suggested fixes from your vendor’s exploit assessments as Vulnerability Disclosure Reports (VDRs) in .csv format, so your onsite technicians can carry out the recommended patching.

Screenshot of vulnerability management from within the FACT Portal
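Both the vendor section above ("Prioritize the Vulnerabilities to Address First") and this asset-owner section describe the same triage rule: filter matches by a confidence threshold, keep vendor-confirmed ones regardless, and order by CVSS severity, by confidence, or both. The block below is an added illustration of that rule, not FACT code: the `Match` record, the 0..1 confidence scale, the vendor-confirmed override and the sample rows are assumptions for the example (the `CVE-EXAMPLE-*` ids are placeholders; CVE-2021-44228 is the real Log4j id from the page), and the severity bands are the CVSS v3.1 qualitative ratings.

```python
"""Ranking vulnerability matches by CVSS severity and match confidence.

Added illustration, not FACT code. Match fields, the confidence scale and the
sample rows are constructed; the bands are the CVSS v3.1 qualitative ratings.
"""
from dataclasses import dataclass


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score <= 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


@dataclass(frozen=True)
class Match:
    cve_id: str
    product: str
    component: str                   # subcomponent the vulnerability was matched to
    cvss: float
    confidence: float                # matcher's estimate (0..1) that the component is really affected
    vendor_confirmed: bool = False   # vendor published an assessment confirming the match


def prioritise(matches, min_confidence: float = 0.0, order: str = "both"):
    """Drop matches below the confidence threshold (vendor-confirmed ones always stay),
    then sort by 'severity', by 'confidence', or 'both' (severity band, then confidence)."""
    kept = [m for m in matches if m.vendor_confirmed or m.confidence >= min_confidence]
    if order == "severity":
        key = lambda m: (-SEVERITY_RANK[cvss_severity(m.cvss)], -m.cvss)
    elif order == "confidence":
        key = lambda m: (-m.confidence, -m.cvss)
    elif order == "both":
        key = lambda m: (-SEVERITY_RANK[cvss_severity(m.cvss)], -m.confidence, -m.cvss)
    else:
        raise ValueError(f"unknown order {order!r}")
    return sorted(kept, key=key)


def by_product(matches):
    """Per product: how many matches there are and which subcomponents carry them."""
    summary = {}
    for m in matches:
        entry = summary.setdefault(m.product, {"count": 0, "components": set()})
        entry["count"] += 1
        entry["components"].add(m.component)
    return {p: {"count": e["count"], "components": sorted(e["components"])}
            for p, e in summary.items()}


# Constructed sample rows (not FACT output).
SAMPLE = [
    Match("CVE-2021-44228", "Controller X", "log4j-core 2.14.1", 10.0, 0.35),
    Match("CVE-EXAMPLE-0002", "Controller X", "libbar 3.0", 7.5, 0.92),
    Match("CVE-EXAMPLE-0003", "HMI Y", "libbaz 2.1", 5.3, 0.88),
    Match("CVE-EXAMPLE-0004", "HMI Y", "libqux 0.9", 9.1, 0.60, vendor_confirmed=True),
    Match("CVE-EXAMPLE-0005", "Gateway Z", "libfoo 1.2", 3.1, 0.99),
]

if __name__ == "__main__":
    for m in prioritise(SAMPLE, min_confidence=0.8):
        print(f"{cvss_severity(m.cvss):8} {m.cvss:4} conf={m.confidence:.2f} "
              f"{m.cve_id} {m.product} / {m.component}")
    print(by_product(SAMPLE))
```

Note what the threshold does to the Log4j row: at 0.8 a Critical match with 0.35 confidence drops off the list, while the 0.60 vendor-confirmed match stays. That is the intended trade-off when the goal is a list the team can actually work through, and it is why the threshold has to be revisited rather than set once.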

Save Valuable Time

Don't waste time searching the internet for vulnerability information: let the FACT platform do the searching for you.

FACT automatically checks each file and all of its subcomponents against both vulnerability databases and advisories published on vendor websites. When a potential match is found, FACT adds the vulnerability to the parent file as a suggested association.

Each vulnerability associated with a file can negatively impact its Trust Score.

Let AI Do the Heavy Lifting

FACT uses Artificial Intelligence (AI), specifically Machine Learning (ML) and Natural Language Processing (NLP), to perform the extraordinarily difficult task of linking vulnerabilities to products.

  • The National Vulnerability Database (NVD) is far from complete and rarely maps component vulnerabilities back to the products containing those components.

  • Thanks to mergers and acquisitions (and even simple spelling errors), the vendor name on a product often doesn't match the vendor name in the NVD disclosure details or the Common Platform Enumeration (CPE) listing.

  • Even the most experienced security analysts cannot efficiently match vulnerabilities with their installed products (or the other way around). With AI, FACT creates these vulnerability associations quickly and comprehensively.

Illustration of the vulnerability namespace problem, featuring GE and Fanuc

Just searching for the vendor name on your device doesn’t work. You need to know the vendor’s merger and acquisition history as well as any rebranding or renaming the product line underwent.
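The two bullet points above (vendor names that do not match the NVD or CPE spelling, and analysts who cannot keep up with the matching by hand) come down to one mechanical problem: the same product line appears under several names, and a plain string comparison finds none of them. The block below is an added illustration of the normalisation and alias-resolution step, not FACT code or its matching model: the alias table, the inventory, the CPE-style records and the `CVE-EXAMPLE-*` ids are constructed for the example, and a real alias table has to be built from your own vendor and acquisition records. It also shows what a naive exact-string match returns on the same data.

```python
"""Matching installed products to vulnerability records despite vendor renames.

Added illustration, not FACT code. The alias table, inventory, CPE-style records
and CVE-EXAMPLE-* ids are constructed for the example.
"""
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Legal-form suffixes that carry no identity information. "co" can also be a real
# name token, so tune this list for your own inventory.
LEGAL_SUFFIXES = {"inc", "corp", "corporation", "co", "ltd", "llc", "gmbh", "ag"}


def normalize(name: str) -> str:
    """Lower-case, strip accents and punctuation (CPE writes spaces as '_'), drop
    legal suffixes and collapse whitespace, so 'GE-Fanuc' and 'ge_fanuc' agree."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z0-9]+", " ", ascii_text.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


# Constructed alias table: canonical vendor -> names the same product line has been
# seen under (joint venture, renames, and a deliberate typo as the last entry).
VENDOR_ALIASES = {
    "ge fanuc": {"GE Fanuc Automation", "GE-Fanuc", "General Electric Fanuc",
                 "GE Intelligent Platforms", "GE Fanunc"},
}


def canonical_vendor(name: str) -> str:
    n = normalize(name)
    for canon, aliases in VENDOR_ALIASES.items():
        if n == canon or n in {normalize(a) for a in aliases}:
            return canon
    return n


def version_key(v: str):
    """Numeric tuple padded to four places so '2.1' and '2.1.0' compare equal."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str
    vendor: str               # as written in the advisory or CPE entry
    product: str
    affected_from: str        # inclusive
    fixed_in: Optional[str]   # exclusive; None means no fix published

    def covers(self, version: str) -> bool:
        v = version_key(version)
        if v < version_key(self.affected_from):
            return False
        return self.fixed_in is None or v < version_key(self.fixed_in)


def naive_match(inventory, records):
    """What a plain string comparison finds: vendor and product must match exactly."""
    return [(i, r.cve_id, 1.0) for i, (vendor, product, version) in enumerate(inventory)
            for r in records
            if vendor == r.vendor and product == r.product and r.covers(version)]


def match_inventory(inventory, records):
    """Match after normalisation and alias resolution. Confidence is 1.0 when the
    vendor names agree after normalisation alone and 0.8 when an alias was needed."""
    hits = []
    for i, (vendor, product, version) in enumerate(inventory):
        for r in records:
            if normalize(product) != normalize(r.product) or not r.covers(version):
                continue
            if normalize(vendor) == normalize(r.vendor):
                hits.append((i, r.cve_id, 1.0))
            elif canonical_vendor(vendor) == canonical_vendor(r.vendor):
                hits.append((i, r.cve_id, 0.8))
    return hits


# Constructed inventory (vendor, product, version) and CPE-style records.
INVENTORY = [
    ("GE Fanuc Automation, Inc.", "Example-PLC", "2.1.0"),
    ("GE Intelligent Platforms", "Example PLC", "3.4.1"),
    ("Fanuc", "Example Robot Controller", "1.0"),
]
RECORDS = [
    VulnRecord("CVE-EXAMPLE-0001", "ge_fanuc", "example_plc", "2.0", "3.0"),
    VulnRecord("CVE-EXAMPLE-0002", "GE Fanuc", "example_plc", "1.0", "4.0"),
    VulnRecord("CVE-EXAMPLE-0003", "fanuc", "example_robot_controller", "1.0", "1.1"),
]

if __name__ == "__main__":
    print("naive:", naive_match(INVENTORY, RECORDS))
    for i, cve, conf in match_inventory(INVENTORY, RECORDS):
        v, p, ver = INVENTORY[i]
        print(f"{v} / {p} {ver} -> {cve} (confidence {conf})")
```

The confidence step-down for alias matches is the point to notice: an alias table is only as good as the acquisition history behind it, so a hit that needed one should rank below a hit where the names agreed outright, which is the same confidence-versus-false-positive trade-off the page describes for the AI filter.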

Let's get in touch so we can show you how FACT automates vulnerability management.