Curious if anyone is using CISA services, i.e. vuln scanning. Any success? Lessons learned? Issues?

CISO @ Florida Gulf Coast University in Education, a year ago

Hi there,

We currently use CISA as an augmentation for our external vulnerability management, and the reports they send out are customized versions of Tenable.io reports. It is nice because they do not charge you for it, and the reports can be used for some help with some of Gartner's outcome-driven metrics for security (e.g. time to patch vulnerabilities, etc.).

I heard from several of the other CISOs I collaborate with in FL that they have used their risk assessment and tabletop exercise services with good success.  I think nailing CISA down on dates can be hard because they are busy, and they may overdo it a bit if you do not scope them in the beginning, but overall I have heard nothing but good things about their services.

HTH,

Sven

no title, a year ago

thanks, this is helpful

Head of Information Security in Manufacturing, a year ago

While I haven't personally utilized the CISA vulnerability scanning services, my experience with similar services can shed some light on this topic. Vulnerability scanning as a service, such as what CISA offers, can be a valuable tool in identifying visible weaknesses from an external perspective. These services typically scan for known vulnerabilities in publicly accessible systems, offering insights into potential security gaps that external threats could exploit.

However, it's crucial to understand that these services have limitations. They primarily focus on external-facing systems, often overlooking internal vulnerabilities that could be just as, if not more, critical. While they can provide a snapshot of your external security posture, they don't offer a complete picture of your overall security health.

Effective use of such services also requires a comprehensive understanding of your organization's external IP addresses. Without this, the service might not cover all external assets, leaving some potentially vulnerable systems unscanned.

While external vulnerability scanning services, whether from CISA or another provider, can be useful to your security architecture, they should not be relied upon as the sole measure of your security posture. They are best viewed as one piece of a holistic security strategy, complementing other security measures such as internal vulnerability assessments, penetration testing, and continuous monitoring to ensure a robust defense against internal and external threats.

no title, a year ago

Thanks! Much appreciated 
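The second answer above makes two practical points: an external scanning service only covers the addresses you hand it, so you need an accurate list of your own public-facing assets, and the first answer notes the reports feed metrics such as time to patch. The script below is an added example for this thread, not CISA's or Tenable's code and not the format of any real CISA report. It reconciles a constructed asset inventory against the ranges given to a scanner (to find unscanned assets and hosts the scanner saw that nobody owns) and computes a simple time-to-patch figure from constructed findings. All addresses are RFC 5737 documentation ranges and every field name is an assumption.

```python
"""Reconcile an external scan's coverage against an asset inventory and
derive a time-to-patch metric from its findings.

Added example for this thread; not code from CISA, Tenable or any other
provider. Every record below is constructed and the field layout is an
assumption, not a real report format.
"""
from __future__ import annotations

import ipaddress
from datetime import date
from statistics import median

# Constructed inventory: what we believe is public-facing (RFC 5737 ranges).
INVENTORY_ASSETS = {
    "www": "203.0.113.10",
    "mail": "203.0.113.25",
    "vpn": "198.51.100.7",
    "legacy-ftp": "198.51.100.200",
}

# Constructed: the ranges we actually gave to the scanning service.
SCANNED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Constructed: hosts the scanner reported as live.
SCANNED_HOSTS = ["203.0.113.10", "203.0.113.25", "203.0.113.99", "198.51.100.7"]

# Constructed findings: (host, check name, first seen, resolved); None = still open.
FINDINGS = [
    ("203.0.113.10", "tls-weak-cipher", date(2024, 1, 3), date(2024, 1, 17)),
    ("203.0.113.25", "smtp-open-relay", date(2024, 1, 5), date(2024, 1, 8)),
    ("198.51.100.7", "vpn-outdated", date(2024, 2, 1), None),
]


def coverage_gaps(inventory: dict[str, str], scanned_ranges: list[str]) -> dict[str, str]:
    """Inventory assets whose address lies outside every range handed to the scanner."""
    nets = [ipaddress.ip_network(r, strict=False) for r in scanned_ranges]
    gaps = {}
    for name, ip in inventory.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            gaps[name] = ip
    return gaps


def unknown_hosts(inventory: dict[str, str], scanned_hosts: list[str]) -> list[str]:
    """Hosts the scanner saw that no inventory entry claims (stale or shadow assets)."""
    known = set(inventory.values())
    return sorted(h for h in scanned_hosts if h not in known)


def time_to_patch_days(findings, as_of: date) -> list[int]:
    """Days from first detection to remediation; open findings age up to `as_of`."""
    ages = []
    for _host, _check, first_seen, resolved in findings:
        end = resolved or as_of
        ages.append((end - first_seen).days)
    return ages


def report(as_of: date = date(2024, 3, 1)) -> dict:
    """Summary a security team could hand to management alongside the scan report."""
    ages = time_to_patch_days(FINDINGS, as_of)
    return {
        "unscanned_assets": coverage_gaps(INVENTORY_ASSETS, SCANNED_RANGES),
        "unknown_hosts": unknown_hosts(INVENTORY_ASSETS, SCANNED_HOSTS),
        "median_ttp_days": median(ages),
        "open_findings": sum(1 for f in FINDINGS if f[3] is None),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed data, `legacy-ftp` sits outside the `/25` that was submitted and would never be scanned, while `203.0.113.99` shows up in the scan with no owner, which is the kind of discrepancy worth chasing before trusting the report as a picture of your external posture. Replace the constructed dictionaries with exports from your own CMDB and the scanner's host list to use it for real.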
