The question we often hear from security teams that have implemented risk-driven findings prioritization is: How can teams translate findings into actionable remediation tasks that they can track and report on, without logging into multiple ticketing and workflow systems, over and over?
Silk’s remediation campaigns are a flexible and scalable operationalization tool designed to answer this question. Teams can place thousands of findings into a campaign based on any logic that makes sense for their operations, metrics or intended outcomes (such as resolving a large number of findings that share a common fix). Silk’s bulk ticketing capability then automates the generation of tickets across multiple systems and consolidates visibility into all remediation activity.
Remediation campaigns deliver almost immediate operational benefits by:
- eliminating the manual effort of generating single tickets for the same remediation task (especially copy and paste for each ticket)
- reducing time spent in creating tickets for the same fix across different systems used by different teams
- centralizing tracking and reporting of remediation activity
These capabilities mean 90% less time spent on ticketing, but the benefits of remediation campaigns extend further. Because security teams have broad flexibility on how to define groupings within a campaign - including vulnerability category, asset profile, or network segment - they can focus remediation activity on addressing specific security, business or compliance objectives.
With centralized tracking, security teams can collaborate with teams responsible for remediation on doing the right thing to reduce risk - as opposed to metrics based on raw vulnerability counts. In turn, by defining the campaign based on a specific objective, remediation teams have a clear understanding of why they are implementing remediation changes - as well as more clear accountability for their activity.
An illustrative example of the impact of remediation campaigns is how customers respond to an update to the CISA KEV Catalog. CISA KEV is a federally maintained project, updated on an ongoing basis, that helps security teams prioritize based on whether exploitation in the wild has been reported for a vulnerability.
When a new vulnerability is added (such as CVE-2023-27524), security teams can quickly identify which assets are affected and the relative risk associated with each asset, and then initiate a remediation campaign. Security teams can give the teams responsible for implementing the fix clear guidance on why the vulnerability is prioritized, and in turn hold them accountable for reducing the risk.
How do remediation campaigns fit into risk resolution?
Remediation campaigns can serve as an integral tool in an overall transformation of how organizations identify, resolve and report on risk. This project-like capability grew out of the need we identified to reduce repetitive, time-consuming ticketing tasks for security teams, especially when dealing with multiple instances of a finding that share a common fix. We also recognized that integrations across multiple ticketing systems, enabling the ‘last mile’ of remediation, would be valuable where multiple teams use different tools to manage the remediation tasks they are responsible for.
To facilitate resolution tasks, Silk generates predictive ownership rules to assign fixes and enables ongoing communication for distributed teams through bidirectional integration with their preferred workflow or ticketing system. Silk automates ticketing and task routing across multiple instances of the same workflow tools, as well as integrations to multiple types of workflow tools within the same enterprise.
In turn, the ability to quickly scope and configure campaigns builds on Silk’s prioritization assessment, which uses holistic risk evaluation, environmental context, and asset profiles, tags and labels to generate findings from detection tool output.
In tandem, these capabilities allow security teams to take a systematic and automated approach to how they operationalize remediation: scope a campaign based on rich findings data and filtering, enable via ticketing automation, and track progress toward a defined outcome.
Remediation Campaign Options
Group by asset
One example of this type of campaign arises when customers are in the initial stage of implementing Silk: security teams will often focus remediation activity on Internet-accessible assets where critical or high severity findings were identified. The motivation may be near-term risk reduction, or shifting the dynamics and winning back credibility with the teams responsible for remediation, since the security team can now consistently identify which remediation tasks are a priority. Campaigns can be scoped to a specific class of assets. Alternatively, security teams can take a more global approach that informs ongoing reporting of what teams often consider a key risk resolution operational metric.
Group by vulnerability or finding class
The most obvious example here is Log4J as a high-severity CVE, but customers can also use this type of campaign to marshal resources when a zero day with an active exploit is made public or identified via threat intelligence. Teams can focus campaigns on a particular vulnerability, or on a class of vulnerabilities, such as the CISA KEV catalog of vulnerabilities known to be actively exploited in the wild. Creating a campaign allows the security team to clearly scope the task at hand, track progress and streamline reporting for security, cyber risk and executive stakeholders.
Group by network
For compliance or business risk reasons, security teams may want to ensure that a network segment is entirely free from vulnerabilities. Silk allows teams to scope these campaigns based on environment variables as well as asset tags or custom labels. With growing scrutiny by the SEC on cyber-risk disclosures, teams could also execute a campaign for findings specifically related to a cyber-risk disclosure to regulatory authorities.
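As an added example (not Silk’s code), the Python sketch below scopes a campaign by each of the three grouping options described above, collapses the scoped findings into one ticket per fix and ticketing system instead of one ticket per finding, and reports progress across systems. The findings, the KEV subset and the ownership-to-ticketing-system rules are constructed sample data, and the ticket records are in-memory stand-ins for tickets that would be created in real workflow tools.

```python
"""Added illustration (not Silk's code): scope a remediation campaign,
collapse findings into bulk tickets, and report campaign progress."""
from collections import defaultdict

# Constructed sample findings, shaped as a detection tool might emit them.
FINDINGS = [
    {"id": 1, "asset": "web-01", "cve": "CVE-2023-27524", "severity": "critical",
     "internet_facing": True, "segment": "dmz", "owner": "web-team"},
    {"id": 2, "asset": "web-02", "cve": "CVE-2023-27524", "severity": "critical",
     "internet_facing": True, "segment": "dmz", "owner": "web-team"},
    {"id": 3, "asset": "app-07", "cve": "CVE-2021-44228", "severity": "critical",
     "internet_facing": False, "segment": "pci", "owner": "platform"},
    {"id": 4, "asset": "db-03", "cve": "CVE-PLACEHOLDER-1", "severity": "medium",
     "internet_facing": False, "segment": "pci", "owner": "dba"},
]
# Constructed KEV subset: the CVE named on the page plus Log4Shell (Log4J).
KEV = {"CVE-2023-27524", "CVE-2021-44228"}
# Hypothetical ownership rules: owner -> the ticketing system that team uses.
TICKET_SYSTEM = {"web-team": "jira", "platform": "jira", "dba": "servicenow"}

# The three campaign scopes described on the page: by asset, by
# vulnerability class, and by network segment.
SCOPES = {
    "internet_critical": lambda f: f["internet_facing"]
    and f["severity"] in ("critical", "high"),
    "kev": lambda f: f["cve"] in KEV,
    "pci_segment_clean": lambda f: f["segment"] == "pci",
}

def scope_campaign(name, findings=FINDINGS):
    """Return the findings that fall inside the named campaign scope."""
    return [f for f in findings if SCOPES[name](f)]

def bulk_tickets(findings):
    """Create one ticket per (fix, ticketing system) rather than one per finding."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["cve"], TICKET_SYSTEM[f["owner"]])].append(f)
    return [{"cve": cve, "system": system, "status": "open",
             "assets": sorted(x["asset"] for x in fs),
             "finding_ids": sorted(x["id"] for x in fs)}
            for (cve, system), fs in sorted(groups.items())]

def progress(tickets):
    """Campaign progress as (findings resolved, findings in scope), across all systems."""
    total = sum(len(t["finding_ids"]) for t in tickets)
    done = sum(len(t["finding_ids"]) for t in tickets if t["status"] == "closed")
    return done, total
```

Closing a single bulk ticket resolves every finding it covers, which is what makes the consolidated progress figure differ from a raw per-finding ticket count.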
Conclusion
Remediation campaigns help security teams eliminate the manual work involved in operationalizing remediation through bulk ticketing automation. The capability is flexible enough to serve discrete objectives - such as responding quickly to a newly published CVE - as well as broader goals, such as improving compliance conformance or overall security risk posture - all while giving teams better context and accountability through tracking and reporting.