Organizing Vulnerability Management Practice

By James McGrath, Senior Customer Success Engineer


A security best practice is to alert on the assets you consider most critical. By definition, a vulnerability is a weakness that can be exploited.


Once Prisma Cloud completes data ingestion, organizing the data can be daunting. Stepping back into a design mindset shows the value of organizing first and ingesting the data afterward.

Some companies started with the database servers because of corporate rules, and discovered non-conforming rules (taxonomy) and compliance enforcement that they could not put in place because of the flat structure of the data.


Three main use cases for vulnerability management are:

  1. Ensure visibility of vulnerabilities in the environment being reported by Prisma Cloud 
  2. Ensure visibility of application, packages, or OS vulnerabilities 
  3. Ensure monitoring of vulnerabilities in order to avoid compromise of any resources or applications (an example would be applications running on Java or Python infrastructure: if the code base is more susceptible to injection, this can be exploited)



Figure 1: 3-Tier architecture for a Web Application (web servers, database servers, and middleware servers)


A single dashboard in Prisma Cloud Compute allows cloud security engineers to filter alerts and direct them to the proper groups for resolution.


Figure 2: Prisma Cloud Compute Dashboard (filtered down to the Acmeshop application vulnerabilities)



Figure 3: Prisma Cloud Compute Dashboard (Sock Shop is an internal product that is used to track sock inventory before sending the data to the external application from which customers purchase the socks. This view is filtered down to the Sock Shop application vulnerabilities)


The teams continue process improvement by fine-tuning the rules to reduce the number of vulnerable assets. As an example, the security team can explain when a driver needs to be updated to remove the vulnerability in the application, and when the OS needs attention from the system administrator to update the Apache server. Teams may be required to handle 1000 AWS accounts, 500 GCP accounts and 1400 Azure AD accounts for an organization, and this drives the need to organize the complexity.


Our recommended approach begins with current-state discovery, where customers shine a light on the areas that are most crucial for security while the entire environment is scanned.


Group the compute resources to the lowest level of detail possible, and prioritize any vulnerabilities by severity of risk:

  • Lower severity on the internal middleware server and the database server.
  • Higher severity on the external-facing web server, as it is at higher risk of exploitation.


Group by importance, based on which system is the most vulnerable and which holds the most sensitive information. Remember to review three key items:

  1. What is your current service grouping today? (Example: “A-B-C-D”) 
  2. What department needs alerts? (Example: Do all 5 sub-groups in Accounting need to be alerted to these vulnerabilities?) 
  3. What audit requirements do you have? 


For financial and banking industry customers, it may be critical to organize the environment by the resources that belong to an application, or by a specific resource group such as “Accounting Team,” “System Administrator,” or “Development Team.” When organizing your resources in Prisma Cloud Compute to send your alerts, consider the most granular way to organize: by host, cluster, and application. This will help you when you get to runtime rules, which are specifically designed to be detailed and granular. Once your environments are organized, you can set specific runtime rules for each application. Database servers may have different runtime rules than the application servers.
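The grouping, exposure-based prioritization and team routing described above, as an added Python example that is not Prisma Cloud's API or the author's code. The field names, tier weights, routing table and finding IDs are constructed assumptions.

```python
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed weighting: the external-facing web tier is raised above internal tiers.
TIER_WEIGHT = {"web": 2.0, "middleware": 1.0, "database": 1.0}
# Hypothetical routing table: (application, tier) -> team that receives the alert.
OWNERS = {
    ("acmeshop", "web"): "Development Team",
    ("acmeshop", "database"): "System Administrator",
    ("sockshop", "middleware"): "Development Team",
}

# Constructed sample findings, not an export from any real tool.
FINDINGS = [
    {"host": "web-01", "cluster": "prod-a", "app": "acmeshop", "tier": "web",
     "vuln": "EXAMPLE-0001", "severity": "high"},
    {"host": "db-01", "cluster": "prod-a", "app": "acmeshop", "tier": "database",
     "vuln": "EXAMPLE-0002", "severity": "high"},
    {"host": "mw-01", "cluster": "int-b", "app": "sockshop", "tier": "middleware",
     "vuln": "EXAMPLE-0003", "severity": "critical"},
    {"host": "tmp-09", "cluster": "int-b", "app": "unknown", "tier": "web",
     "vuln": "EXAMPLE-0004", "severity": "low"},
]

def priority(finding):
    """Base severity scaled by how exposed the finding's tier is."""
    return SEVERITY[finding["severity"]] * TIER_WEIGHT.get(finding["tier"], 1.0)

def organize(findings):
    """Tag each finding with its (app, cluster, host) group and route it to an owner."""
    queues = defaultdict(list)
    for f in findings:
        # Resources that fit no defined group are kept visible, not dropped.
        owner = OWNERS.get((f["app"], f["tier"]), "UNASSIGNED")
        queues[owner].append({**f,
                              "group": (f["app"], f["cluster"], f["host"]),
                              "priority": priority(f)})
    for items in queues.values():
        items.sort(key=lambda x: x["priority"], reverse=True)
    return dict(queues)

def filter_app(queues, app):
    """Per-application view, like a dashboard filtered to one application."""
    return [f for items in queues.values() for f in items if f["app"] == app]

if __name__ == "__main__":
    for owner, items in organize(FINDINGS).items():
        print(owner, [(f["group"], f["vuln"], f["priority"]) for f in items])
```

With these weights, the high-severity finding on the external web server outranks the critical finding on the internal middleware server in the same team's queue, and the ungrouped host lands in an `UNASSIGNED` queue that shows where the taxonomy still has gaps.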


In conclusion, remember to start with design and organize your infrastructure resources in a tool to help you navigate the attack surface landscape. Completing this activity before you turn on the rules will help reduce alert fatigue and bring the alerts from 10,000 to 3,000. This will allow you to focus on what matters most: protecting your enterprise from vulnerabilities and making each day safer than the one before.

Last Updated: 09-26-2023 11:44 AM