There can be no argument about the fact that Vulnerability Management is one of the oldest problems in Information Security. There are many reasons why it has remained a problem, even today.
In this post I will cover what Vulnerability Intelligence is and what are those tough lingering problems that it attempts to address. (btw, it is not the same as Threat Intelligence).
You can also learn about Auja's vulnerability management approach here.
Vulnerability Management is all about data!
There is tons of data everywhere, but not of much use from a risk mitigation perspective. It reminds us of the popular rhyme by Coleridge - "Water, water, everywhere and all the boards did shrink; Water, water, everywhere, nor any drop to drink".
The data challenges related to vulnerability management can be best explained using the info graphic below:
In a nut shell - You can win the vulnerabilities game only if you have the ability to consolidate the different large sets of data, irrespective of the sources, formats, structured/unstructured, offline/online, and be able to pick the ones that matter the most to your organization.
In simpler terms - Piling up all the hay in a corner to create a stack, and being able to find the needle from that stack is the solution.
Vulnerability Intelligence helps do exactly that.
It helps create the system of record for vulnerabilities by consolidating all available sources, external and internal, including your assets and offline CMDB. It helps create the larger set of comprehensive vulnerabilities data that is contextual to your organization, so that analytics is pulling out insights from the complete set instead of the smaller sub-set. Thus drastically tilting the scales in your favor when it comes to the race of risk mitigation.
The below visual helps explain it the best.