
VIDEO

Fixing the Wrong Stuff: Automating Pentest Delivery and Vulnerability Lifecycle Management with PlexTrac

Security teams are overwhelmed with findings but lack a consistent way to manage them. Static PDFs, siloed tools, and manual workflows delay remediation and increase risk.

In this webinar, see how PlexTrac’s Workflow Automation Engine automates the entire vulnerability lifecycle, from discovery to remediation and validation, to increase operational efficiency, standardize workflows, and accelerate time to remediation.

Dan DeCloss, PlexTrac’s founder, and Victoria Mosby, PlexTrac Sr. Sales Engineer will provide:

  • Why traditional pentest delivery and vulnerability lifecycle management workflows are broken
  • How to identify and eliminate the most common operational bottlenecks
  • Intel into the key pain points we’re hearing from security leaders today
  • Real-world automation workflows you can implement today, including:
    • Real-time delivery of manual and automated findings
    • Auto-assigning findings
    • Auto-creating Jira tickets
    • Auto-trigger retest & validation workflows
    • Auto-send alerts
    • …and more


Category: AI, Pentesting, Purple Teaming, Red Teaming


Transcript

[Music]

[Dan] Hey everybody, welcome to another PlexTrac webinar. We’re excited that you took time out of your busy schedules to join us. Today we’re going to talk about fixing the wrong stuff, automating pentest delivery and fixing what actually matters. As you know, I’m Dan DeCloss, founder and chief customer and brand officer here at PlexTrac. Excited to be joined by Victoria Mosby, our senior sales engineer. We’re really excited about this topic. Let’s dive into kind of the agenda, excited about what we’re going to be talking about. We’ll do a brief introduction, talk about kind of like what we’re seeing in the field and this is why we’re excited to have Victoria on because she’s out on the front lines every day for PlexTrac, working with both of our customers and our prospects and just understanding what the needs of the market are right now and why we’re excited about what we have to offer within PlexTrac. So, we’re going to talk about like shifting into a centralized data management capability and automating workflows around that. So getting rid of the the menial tasks. We’re going to talk about our PlexTrac workflow automation engine. Victoria is going to do an awesome demo for you and and then we’ll do some key takeaways and be able to answer questions post webinar. So first off, like I said, I’m the founder chief customer and brand officer here at PlexTrac. Victoria, why don’t you introduce yourself?

[Victoria] Yeah, definitely. My name is Victoria Mosby, senior sales engineer here at PlexTrac. I have a pretty extensive background in a few different worlds honestly from operations government and SC world on the pen testing front. So definitely excited to be here and look forward to doing the demo for you guys later.

[Dan] Yeah. Awesome. So let’s talk about kind of like the situational analysis. You know Victoria I think you’ve seen this in the field as well. I mean like security teams aren’t they’re not short on data right and they’re not short on things they could be looking at like what have you seen you know that that kind of pops up in your conversations with you know even like all size security teams or even like service providers who are doing work on behalf of others like what are you seeing and hearing.

[Victoria] I mean the the biggest thing with data is “what should I be focusing on first” because there’s so much data out there you obviously can’t do everything. No team is big enough no team is equipped enough to handle every bit of data that comes in. So it’s always okay, what do I prioritize first? How does that impact my business or my customers or what have you and where do I put my resources? So that that prioritization is really the driving force I think behind most data analytics is what are we doing and what can we do.

[Dan] Yeah, exactly and I mean I think you know I’ve always seen there’s kind of two sides to the fence that there’s the proactive side of trying to actually identify where your key risks are and try to identify how you might get compromised and breached versus the reactive side which is like hey you know someone’s definitely in the house. Yeah need to we need to respond. And so I think there’s a constant struggle between how proactive can teams be. I think they all everybody wants to be proactive. But what do you think what have you seen that that is kind of causing some more friction or like their inability to be more proactive?

[Victoria] It’s just the amount of data because if you can get a handle on controlling your data and prioritizing what matters most and having that have a good workflow, then you can be more proactive and looking for new things. But if you’re just constantly stuck in a slog of catching up, then all of your resources are there and you can’t get into the mindset of being proactive. You’re so, you know, bogged down over here like I still have to fix this, I have to fix this, fix this. Okay, I’ll get to that when it actually becomes my problem. I think that’s a lot of the mindset unfortunately, is it’s not a problem now for me, these ARE so I’m not going to deal with that until it actually is my problem.
[Dan]
Yeah. Yeah. Exactly. And so you know and then we’ve got this interesting quote that Gartner from Gartner, you know, because Gartner does a lot of research, right? And they talk through lots of customers. They have they have lots of customers and ears. And so like you know enterprises are going to fail to reduce the threat exposure through like self assessment of risks just by because they have these specific tools that are kind of siloed and doing different things and identifying specific things which is not bad in and of itself but being able to centralize that and truly make sense of like well how does this how do these issues that are being reported over here stack rank against these ones over here. And I think it’s on the both the proactive and the reactive side of the tooling right.
[Victoria] Yeah. It all comes down to having some way to pull all that data together. Like you have things like say Power BI or or Tableau, those things that can aggregate metric data, but that doesn’t always tell you the fuller story because data for data sake doesn’t really tell us anything. Numbers are fun, but you need the story behind it. You need the context behind it. You need the why we care. How does it really impact us from a business perspective? And then what do we do with that information? So it’s all about context and then being able to see the threads that connect something from one tool to the next tool to the next tool.
[Dan] Yeah. Yeah. Exactly. So we talked, in that situational analysis around, you know, some of these pain points. We talked a lot about like the disconnected tools and the data, but what are you seeing in this second bullet around kind of manual or, you know, inconsistent workflows, particularly around remediation?
[Victoria] Yeah, everyone does it a little bit differently and everyone I talk to, no one likes how they’re doing it more often than not. Like there’s definitely use cases and places out there where they’ve got that kind of locked down, but that’s usually the outlier versus the norm. A lot of places are like, “Hey, yeah, I discover the vulnerabilities and I give them to my system owners or stakeholders or customers and, you know, three weeks later when I do my next scan or my next test, you know, a few months later, it’s still there because it’s not being actioned or it’s not being actioned quickly.” Or they do action it, they fix it, but then it gets regressed back into code because someone made a change somewhere and they reintroduced it.

Inconsistencies are typically because the process to the point of a slide is manual. So, there’s room for human error. There’s room for something to get missed or a checkbox not to be followed up on or because it’s manual and everyone has their jobs outside of just remediation, they they don’t do certain steps or they wave it off because something else takes priority. Yeah, it being manual leads to inconsistency and having a a real process in place that can be more automated helps teams not have to worry about that small busy stuff and just focus on the actual maybe validation or the actual fix of the issue, not the individual pieces of the process that go into it.

[Dan] Yeah. Yeah. And I think you see some teams trying to like bring this data together manually and then you know you have different prioritization mechanisms within each team right or like the different data sets. So people may be very opinionated about oh you for example like pentesting right like we you know we would say that pentesting data is going to maybe have a higher priority than you know just straight up vuln scanning data or like breach and attack simulation data but other teams might have different opinions right and that’s just an example so like that kind of drives home this next point of like how you how do you bring that data together and prioritize it within the entire context of the organization. Yeah. So I mean I’ve definitely seen teams struggle in that area and I think we’re seeing in the industry as well everybody likes to have a risk score but nobody we’re not doing it right in that each tool is going to have their own risk score or each team may kind of

[Victoria] will care about different their own specific pieces of it or their specific criteria that makes their portion of it look a certain way versus what the organization as a whole needs.

[Dan] Yeah. Exactly. So all right cool. I think we’re obviously like excited about this because we’re teasing out like how we how we know PlexTrac can help, but I think it’s always important to just say like, hey, it’s not just us, you know, speculating or, you know, talking about this.
These are these are actually customer quotes as well as prospect quotes from PlexTrac of like what are some of their bigger challenges. You know, being able to consolidate the pentest and vulnerability data, in a unified view and and being able to take the severity ratings or the findings, the finding scores and risks, but being able to bring them down to like how do we prioritize them in our environment, right?

And then, manual spreadsheets. I think like that’s always been the go-to for a long time for folks is, kind of static reporting, tracking things through spreadsheets and that just makes it really hard to manage large amounts of findings and data over time and then those things can get lost quite easily, right?

[Victoria] Yeah. So fun fact I used to work for, as a contractor, for an agency and we had to track POA&Ms and vulnerabilities and task and frag orders actually that would come in sometimes like hey new CVE new issue go do it now and then they have to track it. I actually created a spreadsheet. This is to show I created a spreadsheet that took 13 other spreadsheets did VLOOKUPs on all the data from the specific fields to build like this master dashboard that then I would then present on a weekly basis. I’m very proud of that spreadsheet, but I never want to go back and do that again because it’s a nightmare trying to get the code to work and it not just lag out and break or something be missing. Yeah. So, I’m very very aware of the spreadsheet.

[Dan] Yeah. And when you think about how much time that took you to get that and then to maintain it, you know, that’s time taken away from being able to do you know more like I say more important things in terms of actually like hey actually fixing the issues that have been identified or finding new ones right so I mean that’s that’s uh those are those are key components like what is the cost what’s the opportunity cost in some of these manual workflows right. So that is definitely a problem, definitely recognized, definitely validated in the field. So let’s talk about like how how we help, talk about the shift of like how do we centralize this data and why it’s important like you know, what what are some of your thoughts.

[Victoria] I mean, we have to look at data, as a living entity because it is like when when you’re looking at a vulnerability that is a known issue or an issue. It may not have been known to you previously, but it’s known to you now. And now it’s like, okay, this asset that I have or this in object that I have is vulnerable to these things. That’s not just a point in time. And historically a lot of data has been pointed down like hey this month or these three months we’ve had these sort of events happen. Okay where are we now in these three months? Well we’ve got this but life continues between those points. So it’s centralizing the data but also looking at it as a just a living register of what is our risk or ongoing risk. Have it has it decreased? Has it increased? Things like that. So it goes into you know as I said centralizing that data prioritizing the data as we mentioned before making the processes as automated as possible and then just understanding that data is living. It doesn’t just appear and then it never comes back again. And I think that’s a big thing that a lot of people don’t really consider is like they think data is like a one-time thing, right?

[Dan] Yeah. Like a static report is good for a point in time kind of like view, but you know teams need to know like hey well where does this sit today right and so being able to conceptualize that this also helps you like focus on that that continuous paradigm of being able to assess on a continuous basis and have a have a real-time view of your risk and your risk posture so that’s the I think that’s like you know what everybody wants and that’s the that’s the ideal state and so it this this will also help to eliminate some of those manual processes that we’ll talk to here in a second. But at the end of the day keeping keeping focus on like what are we actually doing this for? And that’s to be able to truly be able to answer like how are we doing like, you know, what are are the key trends and like as new threats, you know, come on the scene, which you know, can be daily. Where do we stack up and and could we can we identify the issues that these threat threat actors might expose to us, right?

[Victoria] Yeah, and how quickly can we respond to them, right? Because if we’re stuck still being reactive to all this other stuff that we already have, then that prevents us from being you know, not proactive. Well, actually, I would say, yeah, proactive because if you hear of a new threat in the, you know, out in the wild, it may not have you may not be getting alerts for it yet, but you can be proactive to start looking at it. But again, if you don’t have your other processes in place and you’re just stuck being reactive to everything, then it goes back to what I was saying before. It’s like that’s not my problem yet.

[Dan] Right. Yeah. Yeah. Exactly. And then having a way to actually know that this is something that is really important like this these, you know, these TTPs or these vulnerabilities truly will, you know, can lead to a breach, right? as opposed to like not every vulnerability is created equal right so yeah you know being able to truly assess that and take action on it so let’s talk about like you know we talked a lot about like you know the problem how we feel people can solve it let’s talk about how PlexTrac can solve it we’ve introduced our workflow automation engine and we’re really excited about it customers are really excited about it and so like maybe talk through like how you’re seeing customers today you know start to implement it and what you’re excited about

[Victoria] Yeah. So, first and foremost, I love our workflow automation engine and I mean, yes, I know I work here and I should probably say this. No, I’m just being genuine. It is probably one of my favorite releases that we have done in a while. And it allows teams to remove the busy work of setting say, hey, I need to create a Jira ticket against this. I need to send an email about this. I need to assign this to a person. Update the statuses on this particular finding.
The automation engine takes care of that by allowing them to set those triggers themselves and then put actions against them. Like one of the most simplest workflows that there is and I have introduced this to another a number of like customers is close all the informational findings because no one cares about them but they still show up from tools. So unless you’re just not including them and have been able to weed them out ahead of time, just have the system close them is the simplest and wonderful thing. It’s very satisfying for me. We also have customers who are really keen on like hey if this particular finding if a finding triggers as critical and that could be critical by severity or maybe by a scoring methodology type then automatically you know kick off a a series of things of assign it to this specific person on my team and then also create a Jira ticket around it so that it goes to the appropriate system owner or stakeholder to start actioning it now versus waiting for us to finish everything else out. So workflow really gives us that ability to automate the busy work and I say busy work as if it doesn’t have value. It does have value but it’s just like take that portion out of it out of your need to do. Yeah, you might check up on it every now and again, but that way you as a tester or whomever can just focus on, as we’ve been saying, the actual testing, the actual engagement, the actual validation work, and not have to worry about, hey, did I remember to notify a person about something.

[Dan] Yeah. And you can just you can just observe the status of the workflow, like, hey, yeah, it sent it sent the email. It notified people.
I think one of the things that I’m also really excited about is that, you know, you combine this with our our ability to allow customers to score their risks based on the context of their environment, you know, which we were talking about before really just starts to help, you know, truly answer the question like, hey, are we fixing the wrong stuff or the right stuff, right? So combining those those key features, and you’re going to show them here in a second, I think is is extremely powerful and truly helps people accomplish Hey, we know we’re working on the right things, you know, and you can apply it somewhat objectively now, you know, it’s like it’s across the environment as opposed to like, oh, this tool said that thing and now you have this kind of, right?
So let’s talk a little bit about like what we see in PlexTrac today and and then we’re going to jump into the demo.

[Victoria] Yeah, I mean we can send as you can kind of read on the slides, you can send email alerts and the nice thing about the email alerts and I will definitely show this is is that they don’t have to be emails to people who have access to the platform. That’s been a big thing. So you can send your emails to like a distro list. You can send off alerts to Slack and Teams so that that can maybe be a part of a larger automated flow that you already have external to PlexTrac to kick off more processes that way. Update the status, finding statuses. So as you know we have our standard statuses of open, processed and close. Well you always have your sub statuses that you can create as well. You can tie those into the workflow. You can make sure that that automatically updates those statuses, sub statuses as well. So a lot of things that we can do with it and which I will be showing you here in a second.

[Dan] Yeah. Yeah. So, these are some of the common ones. And then like Victoria, why don’t you just dive in? I’m going to stop sharing and can show yours.

[Victoria] Yeah. So, now that we’re in the environment, I’m going to show off a few ones. Like a real base one, as I mentioned before, is that just close all informational findings. This one is tied to report findings. And as a note, when it comes to triggers, you have a few different trigger types. We can either do this by findings when they’re created or edited or do a combination. I typically do a combination just because well, one, I work in a demo environment so I’m always playing with things that you might not always come back to play with but I feel that it should be just in case something changes over time. We also have report level triggers as well. But you select which trigger you want and then you set up your criteria for that trigger. So in this case I’m saying hey if this particular finding is published, first and foremost, and its severity is informational I want it to automatically be set to closed informational just that simple and maybe I do want to at least capture or notify the someone or a system that hey these are being auto closed I have a web hook set up here that is going to Slack to say hey these particular findings are closed informational just for you know records purposes, but I could just leave it at just with these two if I wanted to. The nice thing about our workflows, and I’m going to just create a couple new ones here, is I can do this across all of my profiles. So my profiles in this environment are called departments. Or I could do this specific to a department. So I might have say for the accounting department versus my comms department or to say they have two different project types or they have different criteria that they need to be worried about or I could say for all of my customers if I’m more of an MSSP this is going to be something that happens to all. So I’m going to say, hey, if any of my customers they have a finding that is created and edited and the severity of that finding is critical or the maybe the CVSS scoring is greater than 9.0. So that’s my criteria there. I want to set the status to it as open and make the sub status needs immediate triage because this is my way of telling hey I might still be working on the larger engagement or the larger body of work but anything that meets these criteria immediately I want to set as such and I want to assign it to a specific user.

Obviously if we’re doing this from a say service provider perspective, we probably would do this per customer. That way we can identify the exact user we want to utilize here. Otherwise again in like a more enterprise perspective, we probably have a set person who we can tie this into. So in this case, I’m just going to tie it to myself. And then I do have some other options. I can create Jira tickets off of here. I, as we mentioned before, I can send an email. That email again can be any users within the platform, users based off their role. So I might say, hey, any user based off of my in my executive team is going to get it. That’s fine. And then I might also say we’ll say a list of emails. So, we’ll say myself and we’ll say Dan because I can pick on him because he’s here and maybe you know distrolist at test.com something like that. When it comes to the emails, just a quick note for you. We do have variables in place. So I can tell the system have the system when it sends that email and I’ll say hey this particular report finding where’s the yeah finding title needs immediate triage and then I can fill in the content of my you know the body work here and that also has variables that we can throw in here but this just allows us to send out custom notifications via email to whoever it makes sense to based off these particular triggers. Another fun one that we can do is say, hey, when a report itself is created or edited, in my case, I’m going to go with edited. And we can say when that is edited and the source is… so something in the past for folks who may not know is when you created a report or from an assessment or a runbooks module or schedule well not schedule module but one of those you had to set the report template yourself. Now with workflow automation we can have that as an automated action. So I can say hey if the report source is a runbooks module from the runbooks module I can automatically make sure that the appropriate template is placed with it. So we’ll say this is going to be my tabletop one. I can also update the status on it do bulk tagging on here. So I can say hey we’re going to bulk tag this as runbooks test as well as say we’ll say as a web app. So these things can be automatically added. The other bit though and this is something that a lot of our customers are utilizing the workflow for and have been really interested in from the report level specifically is if this comes in if this is edited. We’re going to adjust this. Oh no, we’ll actually leave it there. And the status of it is say ready for review or in review or what have you. I can now also automate, hey, send an email to the correct source or a web hook to the correct QA user to come in and make updates to this. So, we’re really getting into that.

[Dan] Yeah. Yeah. No, this is great. And you know, I think if of the workflows that you just showed, I’m just kind of sitting here thinking of how much time this takes people to do manually, right? Like closing all those informational findings or making sure that that everybody that needs notification around a critical finding has been alerted. I mean that that takes time. And so here we’re able to keep people focused on, hey, those those all those things are now getting done automatically and I can stay focused on like, hey, am I fixing it or am I finding other things, right?

[Victoria] Yeah. One other one that I actually personally like and this was actually brought up by a customer who had a particular scenario or workflow that they wanted to try to work out or tease out was I have end of life, end of service assets. I want to be able to set up automatic notifications and actions whenever any findings are created that affect those particular assets. So what I walked them through building, I would say, okay, cool. You’re focused on the findings tied to any of those types of assets. From a criteria perspective, we have a ton of criteria from finding level variables to asset the assets tied to those particular finding variables and report variables. So what we decided on was to create tags on those specific assets. So now we can look for those tags and then anytime there is any finding that is edited or created that is associated with an asset with those tags we can kick off that automation alert the appropriate people make sure that tickets are created put it into the correct starting process etc.

[Dan] Yeah. And that’s fantastic, right? I think this is what’s so cool about the power of our workflow engine is it allows for a lot of customization, a lot of capability. Our platform already allows for a lot of customizations and different workflows.
So as we kind of like close out this demo, we’re talking about how to fix the right things, right? And making sure you’re automating as much as possible. Part of that is the validation phase, like hey, we fixed this, we fixed these issues. How do we like actually, you know, go back and make sure do the validation piece? Is it actually fixed? Can you are you seeing people use workflows to help in that that retest and validation?

[Victoria] Definitely. Yeah, definitely. And there’s a number of ways we can do that. If we’re just talking about just making sure people are notified when hey something moves into that state. So what we can say is hey if the let’s assume for a second we are utilizing Jira and we had created Jira tickets against that particular finding to start with and with Jira when you know something changes from that side we obviously have that bidirectional sync so what we can do is we can take in a custom data field from Jira maybe it’s the Jira retest ready field that’s been checked or set to read ready for retest. When that happens, we can then feed that into the via the workflow. Say, hey, whenever this is true on a given finding, we’re going to update the status for that finding to ready for retest. We’re going to assign it to our retest guy, our contractor, or whomever. And then maybe we even also send off again that email notification or that web hook. And web hooks can go to Teams, Slack, or any custom tools that can just accept those feeds. And that way we can make sure that the appropriate people know that their stakeholders, their system owners, their customers, etc. have say, “Hey, I’m ready for you to retest and validate this is closed for me.”

[Dan] That’s awesome. Yeah. So, this is so this I mean this kind of this kind of brings it full circle, right, of like allowing allowing our workflow engine to truly help one consolidate the data and aggregate it into a platform where you have now a centralized view. You can assess the risk and prioritize them based on everything that you have and set automated workflows around who to assign them to and then and then once they’ve been fixed, how do we make sure we’ve got the validation piece covered? And so just gives this holistic workflow around around the life cycle and leads to a great story for being able to answer those questions like hey we’re working on the right things you know what what’s the status and and provide real time you know analytics around this.

[Victoria] Exactly. Exactly. So I’m going to Yep. There we go.
[Dan] So kind of coming back back to the the deck and kind of wrapping up. We showed a lot of like the common workflows. We did the demo. So the key takeaway is like hey uh static reports are good for point in time you know kind of analysis but you know like let’s eliminate them from our ways of tracking and remediating findings and providing data on a real-time basis. Bring all this together automate everything around it right being able to like route it to the right people right teams notify the right folks who’s responsible for remediation and retesting. It’s just it’s just a powerful workflow engine that we’ve provided for our customers. And we’re getting great feedback already, so this just continues to help you stay focused on the right things because, here at PlexTrac, our mission is to help you stay focused on winning the right battles and so how do you know you’re working on the right things and then actually making progress on those? So use our workflow engine to do that. It’s going to be great and I think you’re going to love it. So if you have questions, feel free to reach out to us post this webinar. You will be receiving a playbook around our workflow automation engine. And really appreciate you taking time today. Victoria, thanks for your time. I know we’re all busy, but appreciate you showing this off and and you know, being the voice of our customer and prospects. And so we’ll catch you again next time, but if you have any questions, don’t hesitate to reach out. And we’re looking forward to getting this into your hands.

[Victoria] Yeah. Thanks everyone.

[Dan] Thank you.

[Music]