Frequently Asked Questions

Frequently Asked Questions

TARA is transforming vulnerability management for organizations of all sizes. To learn more about this next generation vulnerability management system, check out our Frequently Asked Questions.

How has vulnerability management changed in over time?

The goal of vulnerability scanning is to identify software gaps that are historically responsible for 60% of all data breaches.  For years, the industry was focused on patching all known vulnerabilities…a time-consuming and largely impossible task.  Recent trends have led to widespread adoption of a risk-based patching model that uses threat intelligence and AI technology to identify the riskiest vulnerabilities and prioritize patching accordingly.  

What is Risk-Based Vulnerability Management (RBVM)?

Legacy vulnerability management uses the Common Vulnerability Scoring System (CVSS) to categorize vulnerabilities as Critical, High, Medium, and Low risk. Most organizations focus efforts on the Critical and High findings; but the sheer volume they represent can overload remediation (patching) resources. A risk-based vulnerability program leverages external threat feeds and AI scoring algorithms to assign a numerical risk score for each unique vulnerability collected during a scan. This approach provides clear patching priorities and helps organizations focus remediation efforts on vulnerabilities that represent the greatest risk.

How does an organization transition from legacy CVSS-based to a risk-based vulnerability management?

Applying a numerical score to each vulnerability collected makes it possible to define a risk scoring threshold for remediation resources. In other words, any vulnerability at or above the threshold will be patched. The transition may require adjusting patching policies to reflect risk scores rather than CVSS definitions. It also means that vulnerabilities targeted for remediation in the past (Critical/High) may go unpatched in lieu of others that represent more real risk to the organization. Some TARA clients have seen up to 50% of the riskiest scoring vulnerabilities falling under the Medium CVSS classification.

Why is there such a large reduction in mitigation efforts?

TARA Risk-based vulnerability management prioritizes mitigation activities based on the combination of global threat intelligence and predictive AI technology. The result is a specific and prioritized list of vulnerabilities that have the highest likelihood of impacting the environment where they exist. For most organizations, mitigation efforts will shift from 26% (average Critical/High) of the overall vulnerabilities to 1-3% with risk-based prioritization. When compared to a legacy Critical/High mitigation approach, a risk-based program will deliver 90% or more in mitigation resource savings.

What are some of the challenges in moving to a risk-based approach?

While the process of shifting from a legacy to a risk-based program is straightforward, one of the biggest obstacles to overcome is the perceived risk of leaving some Critical/High vulnerabilities unpatched. Old habits can be hard to break, and an effective risk-based vulnerability program requires ongoing education and structural changes in policies that govern operating level standards. For organizations with compliance mandates, the education process extends to governing bodies and auditors that conduct risk assessments. It’s important to be proactive and update key resources on the details and approach employed to effectively manage risk levels.

How are mitigation priorities defined?

The TARA platform uses a two-fold approach to prioritizing mitigation activities. The first layer utilizes a defined risk score threshold above which all vulnerabilities are prioritized for mitigation; every vulnerability that is scored above the threshold is tagged for remediation. The second layer allows organizations to filter (segregate) vulnerabilities targeted for remediation by stakeholder groups. This blended approach provides a prioritized list of high-risk vulnerabilities to the individuals responsible for fixing them. With fewer vulnerabilities to fix…program efficiency improves while ultimately decreasing organizational risk.

How does TARA track mitigation priorities for organizations that have distributed teams/locations?

One of the key differentiators for the TARA platform is its ability to filter vulnerability results by stakeholder group or location. Using graphically rich Power BI dashboard screens, users can display specific data sets based on options defined during product deployment. For some organizations, the options are location based while others elect to segregate data based on support group (workstation, server, network, etc.). In either case, the value lies in the ability to provide clear mitigation priorities and workload in a manner that supports the structure of an organization.

What sources are used to generate risk scores?

TARA risk scoring uses a variety of threat intelligence resources including Cyr3con, MITRE, Exploit DB, and others. Threat details are aggregated from research that scours social media, deepweb, darkweb, security websites, and Opensource Intelligence (OSINT) resources. Data collected from threat sources is fed into an AI engine that profiles evolving attack techniques and maps them to vulnerabilities. Each vulnerability is assigned a risk score that varies from Low (20) to High (760).

Where is vulnerability data stored?

TARA is a cloud hosted platform that collects internal and external vulnerability data. For internal scans, scan nodes are configured to collect data, which sent via encrypted connection to the TARA platform. Customer data is stored in a Microsoft Azure instance where it is protected with multiple levels of security controls before being vetted against the threat intelligence for risk scoring.

How is vulnerability scanning configured and managed?

Since TARA is a managed platform, the deployment, configuration, and ongoing management of vulnerability scans is handled by the Security Vitals team. This approach eliminates the up-front resource challenges of purchasing and deploying a vulnerability scanning technology. It also avoids many of the common pitfalls related to ramping up an enterprise-wide scanning program. Our team follows a defined methodology that approaches deployment using a two-step process. The first piece includes a discovery scan to identify assets that may be adversely affected by the scanning process. Once that is completed, the full vulnerability scans are configured and scheduled to collect data, transfer it to the cloud platform for analysis, and ultimately load it into the TARA dashboard.

How can data be exported for use outside the TARA platform?

TARA content is managed in Power BI reports organized with tabs that reflect the support structure of each organization.   In sections that have detailed data listings an ellipsis icon allows users to click and download data in .CSV or .XLS formats. After applying filters to select the appropriate subset of organizational data, users can export the details for off-platform data sharing and further analysis.

Stop managing vulnerabilities. Start managing cyber risk.

Request a demo to find out how TARA can benefit your organization.