When it comes to the vulnerability management process, where can current AI capabilities provide the most value? Have you had success with using AI-enabled tools specifically for deduplication, false positive reduction, prioritization, etc.?
While it’s not specifically AI, I want to mention the prioritization functionality we use, which is a product formerly known as Silk, now acquired by Armis. This tool does a good job of contextualizing vulnerabilities and providing additional information. It employs a proprietary prioritization engine built on AI to enhance the information provided. Although we are not using AI directly for prioritization, this solution has been very useful over the past six months or so.
We conducted a pilot using Claude to integrate with our vulnerability management tool, Tenable, aiming to facilitate communication and gain insights into remediation tasks for our team. The results were underwhelming. The tool struggled with hallucinations and lacked contextual understanding of our environment. Our engineers attempted to make it work across our manufacturing environment, OT security, and enterprise security, but the integration did not yield actionable vulnerability results. It failed to provide recommendations that an agent would actually execute. But the AI performed well in the realm of threat hunting by assisting with tasks like looking up IOCs, finding hashes, and searching within our SOC. For proactive vulnerability management (such as identifying necessary patches or available mitigations) the AI sometimes hallucinated or provided inaccurate information. We are still evaluating its capabilities, but so far, there has not been a measurable ROI to justify the investment; it remains proof of concept.
We use Rapid7 and have encountered the same issue: the context is missing. Prioritization remains a challenge, and we have not seen any added value from AI. Vendors continue to assure us that improvements are forthcoming, but we have yet to experience tangible results.
Some modern AI-enabled VM tools claim to speed up triage by focusing on fewer, more important problems. They claim to use AI to combine CVSS, EPSS, exploitability, asset criticality, attack path context, and real-world telemetry. Honestly, I haven't deployed them but have seen some interesting demos of their products. I have been evaluating them to reach certain board-ready metrics on the three counts below:
1. Mean Time to Remediate (MTTR) for Exploitable Vulnerabilities, based on (AI-detected) exploited-in-the-wild or high-EPSS vulnerabilities.
2. MTTR for Vulnerabilities on our Crown Jewel Systems (SAP S/4HANA, POS systems, tenant management systems, leasing platforms, etc.).
3. Average Exposure Window (AEW), or time between detection and remediation, for the top 5% riskiest vulnerabilities.
If I can get these 3 metrics from the AI capabilities of VM tools, I would be able to attain 'exposure window metrics' critical to ascertaining the speed of risk reduction against ransomware or other malware exploiting missing patches, and to reducing alert fatigue.
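The three metrics described in the post above (MTTR for exploitable vulnerabilities, MTTR for crown-jewel systems, and AEW for the riskiest 5%) can be computed directly from a scanner export without waiting for a vendor's AI feature. The following is an added example, not code from the thread or from any VM product. The EPSS threshold, the composite risk score, the 5% cut-off handling, and the sample findings are all assumptions constructed for illustration; a real deployment would feed it the scanner's own EPSS/KEV fields and asset tags.

```python
"""Exposure-window metrics (MTTR, AEW) over a constructed set of findings."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import ceil
from statistics import mean
from typing import Callable, List, Optional

# Thresholds are assumptions for this example, not vendor defaults.
EPSS_EXPLOITABLE = 0.5      # EPSS probability at or above which a CVE counts as exploitable
TOP_RISK_FRACTION = 0.05    # AEW is computed over the riskiest 5% of findings


@dataclass
class Finding:
    vuln_id: str
    asset: str
    crown_jewel: bool             # asset tagged as a crown-jewel system
    cvss: float                   # CVSS base score, 0-10
    epss: float                   # EPSS probability, 0-1
    exploited_in_wild: bool       # e.g. present in a known-exploited catalogue
    detected_at: datetime
    remediated_at: Optional[datetime]   # None while the finding is still open


def is_exploitable(f: Finding) -> bool:
    """Exploited-in-the-wild or high-EPSS, as in metric 1 of the post."""
    return f.exploited_in_wild or f.epss >= EPSS_EXPLOITABLE


def risk_score(f: Finding) -> float:
    """Illustrative composite score (an assumption, not a standard formula):
    CVSS scaled to 0-1, weighted by exploit likelihood and asset criticality."""
    likelihood = 1.0 if f.exploited_in_wild else f.epss
    criticality = 2.0 if f.crown_jewel else 1.0
    return (f.cvss / 10.0) * (0.5 + likelihood) * criticality


def exposure_days(f: Finding, as_of: datetime) -> float:
    """Detection-to-remediation window in days. Open findings are measured up to
    `as_of` so unpatched exposure is not silently dropped from the average."""
    end = f.remediated_at or as_of
    return (end - f.detected_at).total_seconds() / 86400


def mttr_days(findings: List[Finding], predicate: Callable[[Finding], bool]) -> Optional[float]:
    """Mean time to remediate, in days, over *remediated* findings matching predicate.
    Returns None when nothing in scope has been closed yet."""
    closed = [f for f in findings if predicate(f) and f.remediated_at is not None]
    if not closed:
        return None
    return mean((f.remediated_at - f.detected_at).total_seconds() / 86400 for f in closed)


def average_exposure_window_days(findings: List[Finding], as_of: datetime) -> float:
    """AEW over the top TOP_RISK_FRACTION of findings by risk_score (at least one)."""
    n = max(1, ceil(len(findings) * TOP_RISK_FRACTION))
    riskiest = sorted(findings, key=risk_score, reverse=True)[:n]
    return mean(exposure_days(f, as_of) for f in riskiest)


def board_metrics(findings: List[Finding], as_of: datetime) -> dict:
    return {
        "mttr_exploitable_days": mttr_days(findings, is_exploitable),
        "mttr_crown_jewel_days": mttr_days(findings, lambda f: f.crown_jewel),
        "aew_top_risk_days": average_exposure_window_days(findings, as_of),
    }


# Constructed sample data (not real CVEs or assets). Day offsets are from T0.
T0 = datetime(2024, 1, 1)
AS_OF = T0 + timedelta(days=60)
SAMPLE_FINDINGS = [
    Finding("VULN-001", "sap-prod",  True,  9.8, 0.90, True,  T0,                      T0 + timedelta(days=5)),
    Finding("VULN-002", "pos-01",    True,  7.5, 0.10, False, T0 + timedelta(days=2),  T0 + timedelta(days=22)),
    Finding("VULN-003", "web-01",    False, 8.1, 0.70, False, T0 + timedelta(days=3),  T0 + timedelta(days=18)),
    Finding("VULN-004", "laptop-07", False, 5.3, 0.01, False, T0 + timedelta(days=1),  None),
    Finding("VULN-005", "lease-app", True,  9.1, 0.30, True,  T0 + timedelta(days=10), None),
    Finding("VULN-006", "build-srv", False, 6.5, 0.60, False, T0 + timedelta(days=4),  T0 + timedelta(days=16)),
]

if __name__ == "__main__":
    for name, value in board_metrics(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{name}: {value:.2f}" if value is not None else f"{name}: n/a")
```

Two design choices matter for a board metric. MTTR is computed only over closed findings, because an open finding has no remediation time yet; reporting it alone therefore flatters a backlog that is not being worked. AEW deliberately includes open findings aged to the reporting date, so the two numbers read together: a low MTTR with a growing AEW means the team fixes what it touches but is not touching the riskiest items.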