After listing all your vulnerabilities and getting an overview of your security posture, it's time to start improving
Now that you've identified vulnerabilities through Autobahn Fit scans, by importing issues from third-party tools, or a combination of both, it's time to tackle them and improve your security posture! Here's how:
- Assign Ownership: Delegate responsibility by assigning vulnerable assets and issues to specific team members. This ensures everyone knows what needs to be addressed.
- Organize with Tags: Use tags to categorize your assets and, if needed, vulnerabilities. This simplifies managing your Workouts by allowing you to filter and prioritize tasks based on tags. It will also make it easier to create custom Dashboards and analyze your data.
This guide assumed that you will drive remediation through Autobahn Fit. If you wish to send your Workouts to your ticketing system, please refer to this guide for advice instead.
Table of contents
5. Next steps
1. Invite your team members
When inviting your team to be part of the remediation process, you need to decide what you want them to see. This will inform the role you give them:
-
Administrators will see everything in the platform. They will also be able to start scans and invite users.
-
General users will see only three pages: Workouts, Assets, and Issues. The specific Workouts, assets and issues that they see will depend on the things you assign to them (more on that below).
In general, we recommend to have few administrators responsible for the whole vulnerability management process, and several general users who are simply responsible for remediation.
You can refer to this article for more information on how to manage your team members.
2. Manage your assets
There's two things we recommend doing with your assets: tagging them, and assigning them to users.
2.1. Tagging your assets
Tagging your assets is useful to manage them more efficiently. By tagging your assets, you will be able to filter your Workouts easier, and create custom dashboards. There are different tags you can use, for example:
- Location
- Team
- OS
- Network
- Services hosted
What matters is that you use a tag (or multiple tags) that ultimately help you in the long run. You can also start with one type of tag, and expand it afterwards.
You can tag your assets from the Asset detail (article detail here) or in bulk from the Assets page (article detail here).
If you are using integrations from third-party tools, your tags will be carried over.
2.2. Assigning your assets
As an admin or owner, you can assign an asset to another user. All issues detected on that asset will automatically be assigned to this person, as well as the Workouts that fix those issues.
As with tags, you can do this either from the Asset detail (article detail here) or in bulk from the Assets page (article detail here).
3. Review your issues
If you don't typically have asset owners in your organization (although we recommend having owners for assets because what gets owned, gets done), you can also tag and assign issues.
In the case of assigning an issue instead of an asset, the user will only be assigned to that specific issue on that specific asset and be able to see the Workout only for them.
Refer to this article to learn how to assign and tag issues.
What we often see is people assigning issues of a specific type (for example, all issues related to web browsers) to a specific team. In this case, we would recommend assigning but also tagging them - since that will make it easier to filter your Workouts.
4. Remediate with Workouts
Cyber Fitness Workouts are step-by-step guides which remediate the root cause of vulnerabilities, thereby closing multiple issues in one go. You can either access them from your Dashboard, or from the Workouts page.
In both the Dashboard and Workouts page, they will be sorted by the impact it will have on your security posture (as measured by the Hackability reduction). They will also be labelled by the Effort it takes to do them.
You can read more about the Workout page in this article.
Clicking on a Workout opens a page with:
- a short description of the Workout (Warmup)
- a list of assets to be applied (Setup)
- step-by-step instructions (Workout)
Tagging your issues and assets comes in handy when managing Workouts: you can filter your Workouts page based on tags, as well as the Setup tab. This way you know which Workouts apply to specific areas of your organization.
Note: If someone is a General User, they will only see the Workouts that apply to them. In the Setup page, they will only see the assets that have been assigned to them.
After finishing a Workout, there's two ways to label an issue as remediated:
- By labelling the issue from the Individual Issues page (see here)
- By running a rescan. If the asset and port are still reachable but the issue isn't found, it will be automatically be labelled as Remediated by the platform
5. Next Steps
By now you should have:
✔️ Run at least one scan
✔️ Reviewed the results in your dashboard
✔️ Created a custom dashboard
✔️ Invited your team members
✔️ Assigned assets and issues to them
✔️ Done a Workout
So what comes next? Repeating the steps again. It's important to run scans regularly to a) make sure that your issues are being properly remediated, and b) keep an eye out for new issues.
Some tips and tricks
- Create custom dashboards for the different teams - this way you can track remediation for each of them and see which one might need extra support
- Make sure your assets and issues all have owners (what's owned, gets done) - see how to do that through the "Unassigned Assets" in the Cyber Fitness Dashboard
- Make use of the Risk accepted button. Not all issues are fixable, at least not with an unreasonable investment. If you can't fix something but are aware that it's there, make sure to quarantine your asset, report it, and then label the finding as Risk Accepted (learn how to apply our "Double Control Principle" here to make sure someone always needs to accept risks).