VULNERABILITY MANAGEMENT SERVICE

EthicalHat’s customisable Vulnerability Management Service helps you identify, evaluate, and prioritize the vulnerabilities in your IT environment.

We use top-of-the-line scanning software from Rapid7, SAINT, Qualys and Tenable to run periodic vulnerability scans on your systems. We recommend weekly or monthly scans to shorten the time a new vulnerability stays undetected between scans, but the frequency varies based on your particular risk environment and the service plan you opt for. After each scan, our team classifies the vulnerabilities detected into low, moderate, and high severity categories and creates a vulnerability tracking page to help you draw up a remediation plan. Remediation measures may include applying appropriate patches, making configuration changes, restricting network access where needed, and formally accepting the risk where remediation is not feasible.

We conduct periodic meetings with your IT and business teams to go over your risk profile, the threat vectors that matter most to you, and the measures you can take to mitigate risk. Our security team also helps you prepare a risk acceptance document for vulnerabilities that cannot be remediated immediately and that require compensating controls until full remediation, such as an application or system upgrade, becomes possible. The document can also cover vulnerabilities that are not relevant to your specific business needs.

If you need help with implementing remediation measures, you can opt for our Patch Management Service that covers both patch implementation and any configuration changes needed to harden your security posture.

OUR EXPERTS GO BEYOND JUST THE SCAN

Our Process

PLANNING & DEFINING

The Scope of Vulnerability Management

The planning process before the scans is critical to the success of any vulnerability management strategy. Our security officers will help you identify the critical assets and systems to include in the scan and decide whether you need an external scan, an internal scan, or both. Some organizations focus on internet-facing systems when conducting a scan, while others focus on the systems that hold sensitive information. We will collaborate with your IT and business teams to draw up a plan that clearly defines the scope of the vulnerability management process and determines how often you need to repeat the scans based on your risk environment.

SCANNING

Run the Scan on Selected Systems

Step 2 of the process is running the scan based on the scope defined in Step 1. At this point, a vulnerability engineer configures the scanner and runs the scan on the selected systems. We use scanning software from Qualys, Rapid7, SAINT and Tenable, and we will help you decide which product is best suited to your specific requirements and budget.

EVALUATION

Of The Vulnerabilities that are Detected

The vulnerabilities identified during the scans are then classified and prioritized. Our team identifies and eliminates false positives at this point and tunes the scan configuration so that future scans are more accurate. We help you determine the severity of each detected vulnerability and decide which ones need immediate remediation, which can go through the regular patch cycle, and which can be accepted. Critical vulnerabilities with known exploits on production assets are placed highest on the remediation list.
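The classification and prioritization described in this step and in the service overview above, as an added worked example. This is not EthicalHat's tooling: the field names (host, check, cvss, exploit_known, production, accepted), the CVSS cut-offs for the low/moderate/high bands, the within-tier ordering, and the suppression list of analyst-verified false positives are all assumptions, and the findings are constructed sample data rather than real scanner output.

```python
"""Triage vulnerability scan findings into remediation tiers.

Added example, not EthicalHat's tooling. Field names are assumed,
scanner-neutral choices; the findings below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str              # scanner plugin / check name
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploit_known: bool     # scanner metadata reports a public exploit
    production: bool        # asset tagged as production in the scope document
    accepted: bool = False  # covered by a signed risk acceptance statement


def severity(cvss: float) -> str:
    """Map a CVSS score to the service's low / moderate / high bands (assumed cut-offs)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "moderate"
    return "low"


def priority(f: Finding) -> tuple:
    """Sort key (assumed policy): exploitable first, then production-hosted, then score."""
    return (f.exploit_known, f.production, f.cvss)


def tier(f: Finding) -> str:
    """immediate: high severity with a known exploit on a production asset;
    accepted: risk formally accepted; everything else follows the regular cycle."""
    if f.accepted:
        return "accepted"
    if severity(f.cvss) == "high" and f.exploit_known and f.production:
        return "immediate"
    return "regular"


def triage(findings, suppressions=frozenset()):
    """Drop analyst-verified false positives, bucket the rest by tier and order
    each bucket by priority. Returns {tier_name: [Finding, ...]}."""
    buckets = {"immediate": [], "regular": [], "accepted": []}
    for f in findings:
        if (f.host, f.check) in suppressions:
            continue  # verified false positive: excluded from this and future reports
        buckets[tier(f)].append(f)
    for name in buckets:
        buckets[name].sort(key=priority, reverse=True)
    return buckets


def remediation_order(findings, suppressions=frozenset()):
    """Flat ordered list of (host, check) for the remediation plan. Accepted items
    are listed last so they still show on the tracking page with their justification."""
    b = triage(findings, suppressions)
    return [(f.host, f.check) for f in b["immediate"] + b["regular"] + b["accepted"]]


# Constructed sample findings; hostnames and check names are illustrative.
SAMPLE = [
    Finding("web-01.example.test", "Apache HTTP Server outdated", 9.8, True, True),
    Finding("db-02.example.test", "Weak SSH cipher suites", 5.3, False, True),
    Finding("dev-03.example.test", "Apache HTTP Server outdated", 9.8, True, False),
    Finding("web-01.example.test", "TLS 1.0 enabled", 7.5, False, True),
    Finding("legacy-04.example.test", "Unsupported OS version", 8.1, True, True, accepted=True),
    Finding("web-01.example.test", "Directory listing enabled", 5.0, False, True),
]
# (host, check) pairs an analyst verified as false positives on an earlier scan.
SUPPRESSIONS = frozenset({("web-01.example.test", "Directory listing enabled")})

if __name__ == "__main__":
    for name, items in triage(SAMPLE, SUPPRESSIONS).items():
        print(name)
        for f in items:
            print(f"  {severity(f.cvss):8} {f.cvss:4} {f.host:24} {f.check}")
```

The suppression list is keyed on (host, check) rather than on the finding object so that a false positive confirmed once stays suppressed when the same host is rescanned; the same key is what you would feed back into the scanner's own exclusion settings. Note that the non-production host with the same exploitable Apache finding lands in the regular cycle, not the immediate tier: the asset tag from the scope document is what separates the two, which is why Step 1 matters.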

DOCUMENTATION & REPORTING

REPORT PREPARATION

At the end of each step, our team will prepare a report that you can share with your business team and stakeholders to help them understand your risk exposure and remediation steps. You will receive:

  1. A vulnerability management scope document,
  2. A vulnerability summary and classification report,
  3. A remediation plan with a list of recommendations for vulnerability remediation and mitigation, and
  4. A risk acceptance statement, if needed

SUBSCRIBE TO OUR MANAGED VULNERABILITY SCANNING SERVICE

GET A SUBSCRIPTION FOR THREE YEARS & GET THE FOURTH YEAR FREE

Subscribe to our Managed Vulnerability Scanning Service using Rapid7, Qualys or Tenable (bring your own licence, BYOL) for three years and get the fourth year free.

ADDITIONAL SERVICES

In addition to Vulnerability Management, we offer Patch Management, Web Application Scanning, PCI Scanning, and Policy Compliance services.

Patch Management
Our Patch Management Service implements the remediation measures identified during vulnerability management, covering both patch deployment and any configuration changes needed to harden your security posture.
Web Application Scanning
Our web application scanning service tests your web apps for the OWASP Top 10 and other important classes of web vulnerability. We verify the results so your developers only need to act on true positives, with minimal waste of time and resources. The service can either be fully managed by us or run alongside your SDLC using the scanning software you choose; it scales across your CI/CD pipeline and integrates with your DevOps tooling.
PCI Scanning
Our PCI ASV (Approved Scanning Vendor) scanning service helps you protect cardholder data by checking your external systems against the PCI Data Security Standard (PCI DSS), which requires passing external vulnerability scans at least quarterly and after significant changes to the network. The service identifies vulnerabilities and areas of weakness in your security infrastructure that you can then patch or reconfigure to achieve full PCI DSS compliance. Each time your network and systems are scanned for PCI compliance, you receive a comprehensive report detailing the vulnerabilities detected and how to fix them to move closer to compliance.
Policy Compliance
Policy Compliance involves (1) understanding various cybersecurity laws and regulations, (2) determining which of these regulations apply to your organization, and (3) making sure you are in compliance with the regulations that are relevant to you. Our policy compliance experts will work with you to create a comprehensive compliance plan for your organization based on your business domain and IT environment and make sure you achieve compliance.

We can also help you measure your systems against the CIS Critical Security Controls with CIS CSAT, a free tool we developed for CIS that helps businesses track their documentation, implementation, automation, and reporting of the 20 CIS Controls.
