Exploring PlexTrac Priorities + Metrics

Understanding the benefits of risk prioritization

Charles Snyder, director of cybersecurity at CAI, joined Dan DeCloss, founder and CTO of PlexTrac, and Katie Morelan, product manager at PlexTrac, for a webinar showcasing PlexTrac Priorities for risk management. 

The interactive conversation addressed the struggles CAI and most security teams face in managing the data from offensive security activities, including 

• We need a single pane of glass
• We need to understand business context
• We need to report on our progress

Learn how CAI is using PlexTrac Priorities to evaluate offensive security findings in the context of risk frameworks and how your organization can measurably reduce cyber risk with PlexTrac Priorities. 

Watch the full webinar or read on for highlights.

We need a single pane of glass

The first pain point that the group discussed was the challenge of sprawling data from offensive security testing and assessments. Whether from internal testing or a service provider, data overload is a major problem prohibiting efficient prioritization in remediation efforts. 

Dan said, “What I’ve always emphasized is that somebody has to get the work done. And how do you know what you’re supposed to be doing if you don’t have all the data in the same source, being able to help with all the prioritization? So that’s what we’re excited about to be able to offer through Priorities.”

Charles added, “And then I think the last piece is just being able to track and manage your remediation in a streamlined and consolidated way for your particular clients or for your business units is really, really important.” 

PlexTrac ingests data from all your automated and manual testing sources and, with Priorities, enables you to consolidate, aggregate, and group that data into themes based on risk.

We need to understand business impact

Useful prioritization and remediation must be specific to the context of the given organization, not just generalized, to be truly useful in improving security posture. However, efficiently incorporating business context and understanding business impact is difficult and something many teams haven’t fully conquered. 

Charles shared an example from his experience, “An interesting use case that came up, actually, about a year ago from one of our clients who’s a major passenger rail provider, and we were developing vulnerability and pentesting training programs and procedures for them. So one of the things we tried to highlight was you that just can’t take the raw score out of Qualys or Tenable and say that’s the highest priority. For instance, I could have a high score on a server that is a back-end office server we don’t use much. No real critical data on there. Is that really that important or do you have a moderate risk vulnerability on your most critical e-commerce server, that if it goes down, you’re shut down? And so you can leverage things like the number of assets, the number of findings, the criticality of the assets. 

“And I explained to the client at the time that you need to develop a formula for this. And what you can do now is actually take that formula and build it into the PlexTrac tool so you get the results from your pentesting, let’s say, or purple team, and it will automatically score it.” 

PlexTrac’s metrics capabilities — now live in the Priorities module — add another layer of visibility on top of contextual scoring. Visualize reporting with easy-to-understand chart-based views that simplify stakeholder conversations and clearly show status and risk reduction. 

Charles explained, “The PlexTrac Metrics module will make it much easier for you to grab, especially day-to-day operational metrics like hey, where is the status of this Joe, have you got this done? Be able to provide, when you see the demo, you’ll see, be able to grab some screenshots of nice graphics that you can send to executives.”

We need to report on our progress

PlexTrac Priorities Metrics directly addresses the third pain point covered: showing progress over time. Whether a service provider or consultant trying to support clients and communicate value or an internal team needing to report to leadership, clearly demonstrating the progress of security efforts is hard and time-consuming. 

Charles shared, “In the past, I was having to maintain a separate spreadsheet and having a periodic review, and we’d actually have one of my clients — I’d have the IT and the OT or the engineering team on a 1-hour call — and we would walk through this because I was maintaining it on my end. We’d have to walk through line-by-line. So think, there’s an hour with two consultants being paid and two directors, two managers from the company. So money is going through just updating the status report. 

“So one of the things, too is, and I was having to create, manually create graphs and charts. And again, unfortunately, consultants do charge for their time. So if I take an hour creating a PowerPoint presentation for your quarterly review — that’s just the nature of consultants — we’re going to charge for that. So if we can make this built in, so the results provide you the graphics that you need. Again, you can use this operationally, like, I assigned Bob to get that MFA implemented on that Office 365 server. Has Bob done that? You can manage day-to-day that way, but you can also report on things like, okay, Mr. Executive, last month we had three critical open issues, this month we only have one, and we’re going to be done by next month. That’s a much better conversation to have, instead of fumbling through a bunch of paper and you don’t have a good answer.” 

Dan summed up the point and the conversation: “And I think this is the adage that we tend to emphasize is that the document is still a valuable artifact of the engagement and the report. But it’s a snapshot in time. Right? And what we’re now providing with Priorities and our new metrics is that ability to truly see the trends and the progress. Because at the end of the day, everybody wants to understand are we improving? Are we getting better at our security posture, and are we focused on the right things? And that’s the whole goal around Priorities. And just in general, that’s what a security team really should be focused on: being able to track the highest priority issues, report on them effectively, and being able to show progress.” 

Ready to find out more about PlexTrac Priorities with metrics? Request a personalized platform demo.