Contents

Build vs Buy: Considerations for Remediation Platforms

Considerations for fixing vulnerabilities efficiently - and cost effectively

Introduction

For some companies, there are reasons why on the surface it makes sense to build a custom remediation platform. Every company has different vulnerability data sources, prioritization logic, and remediation workflows. If you have in-house development resources and experts who understand the code to cloud pathway and all security detection sources, why not build a platform to harness it all together?

We’ve spoken to many large organizations with plentiful development resources that have tried to build their own remediation platform. While some have made marginal gains in improved visibility and prioritization, most have fallen short of driving a measurably improved remediation process.

In this post, we’ll break down the considerations to weigh if you’re thinking about building a remediation platform rather than buying one.

Working with the Data

A remediation platform needs to ingest data from numerous sources, including security detection tools, cloud and on-premise IT infrastructure, development pipelines, source code, and more. This means that a platform needs to account for:

Data Heterogeneity

Disparate solutions often generate data in different formats, structures, and schemas

Data Quality

Each solution may have its own data quality issues, such as missing values, duplicates, or inconsistencies. When aggregating data, these issues can compound and lead to inaccurate or unreliable results.

Data Processing

Disparate solutions may generate large volumes of data at varying rates. Handling high data volumes and fast data velocity requires robust infrastructure and data processing capabilities.

API Versioning and Updates

Software and system updates can lead to changes in data formats or APIs, which can disrupt data aggregation efforts. Maintaining compatibility with evolving systems can be a constant challenge.

Build considerations

  • How long will it take to build a framework to normalize data from disparate sources? 
Do you have the expertise needed across Security and Engineering teams?
  • How long will you need to test data quality once you’ve unified the data?
  • How much data will be processed and how will you store it?
  • How will you deal with vendor API changes to maintain data schemas and normalization? Do you have a headcount dedicated to this?

Analyzing the Data

A remediation platform should not only ingest and correlate data from disparate sources, it should also make data as actionable as possible to enable processes to shorten the time needed to resolve issues. This means remediation platforms should automatically identify the root causes of security issues and highlight the most effective fixes to make. A custom-built remediation platform will need to account for:

Root Cause Analysis

The ability to automatically pinpoint the root cause of vulnerabilities, down to the code repos, lines of code, and associated developers drastically reduces the time needed to remediate. Root cause analysis needs to take into account different technologies, including container orchestration, infrastructure as code (IaC), and machine image creation.

Remediation Owners

How do you tie any root cause back to the owner (developer/team-lead/infrastructure owner) who is the best person to make the fix? Is this something you can automate?

Data Normalization and Deduplication

How can you normalize and deduplicate data from disparate sources to make it easy to search security alerts across any detection sources, vulnerabilities, infrastructure and resources, and more?

Build considerations

  • Cnn you build nutomntion thnt trnces security nlerts to the nrtifncts nnd code thntintroduces them? How much time will you need to build nnd test the efficncy of this nutomntionm
  • How long will you need to test data quality once you’ve unified the data?
  • How much data will be processed and how will you store it?
  • How will you deal with vendor API changes to maintain data schemas and normalization? Do you have a headcount dedicated to this?

Automating Remediation Actions

Once you’ve found the most pressing risks, how can you automate the remediation process? Automations are key to reducing manual work, enriching data to make it actionable, and making the fix faster. A remediation platform should:

Automate Code Fixes When Possible

When a viable code fix is discovered, a remediation platform should be able to raise a pull request and integrate it into existing CI/CD pipelines to test and deploy it.

Auto Assign Owners to Detected Issues

Using custom logic, you should be able to automatically assign future security detections to particular people. For instance, you may assign alerts associated with a certain cloud account to a specific DevOps engineer who owns it. Or, you may assign alerts for a specific code repository to a specific leader on the AppDev team.

Adjust SLA Due Dates and Severity According to Custom Logic

After you have agreed upon remediation SLAs across all teams and stakeholders, a platform should be able to standardize SLA tracking across all detection tools.

Dismiss, Deprioritize, and Risk Accept Findings According to Custom Logic

A remediation platform should allow you to customize conditions for which to mark certain alerts as dismissed, deprioritized, or risk accepted.

Visualization and Reporting

If you’re going to invest the time in getting that data to be actionable and building automation on top of it, then you’ll also need to build visualizations for reporting purposes.

If you’re already using business intelligence tools, it’s likely you’re already feeding various data feeds to a custom dashboard that tracks remediation efforts. Once you’ve gotten data into an actionable and reliable state, you’ll still need to spend the time building the right reports.

Time to Value

We’ve outlined many build considerations, which need to be answered to understand the time to value for remediation. What do we mean by value? Value will differ from your objectives, but we typically find that companies realize value when:

With all the considerations outlined, building a remediation solution from scratch can take more time than procuring existing software. Timing aside, the risk of failure is also high: the solution you build may not turn out to reliably and consistently fulfill your requirements.

Beyond time to value, a successful custom-built remediation solution may be harder to maintain long term for a multitude of reasons.

Long-term Value & Solution Maintenance

Technology Changes

As you switch out technologies across used security, development, and infrastructure teams, you may need to rebuild data models, reports, and automation. Moreover, even if you stick with the same solutions, vendor APIs change so frequently that someone will need to have the capacity dedicated to making changes.

People Risk

What happens if your experts who created the solution leave? How easy will it be to maintain if new employees need to work on the custom-built solution?

Opportunity Cost

How many security and development resources would need to be involved in maintaining the solution? What other business initiatives could they support if they were offloaded from system maintenance?

Conclusion

Your company may have more developers and capacity to build custom solutions than most. However, the execution risk and costs involved in building your own remediation solution are considerable.

If you’re weighing this decision and would like to understand how Dazz approaches remediation, reach out to us. We’d be happy to help in any way we can.

Thank you for your interest in:

Build vs Buy: Considerations for Remediation Platforms

Download Now

Build vs Buy: Considerations for Remediation Platforms

April 10, 2024

See Dazz for  yourself.

Get a demo