Security teams across the channel have long utilized databases that collect vast amounts of data to help them identify, assess, and prioritize vulnerabilities; however, changes to external data feeds, such as the National Vulnerability Database (NVD), will impact vulnerability management (VM).
Why CISA funding cuts matter for MSPs
With the Cybersecurity and Infrastructure Security Agency (CISA) facing funding cuts and tools like the NVD under threat, channel organizations have an opportunity to step up and support their clients through these changes.
Scott Kuffer, co-founder, COO, and CPO at Nucleus Security, took some time with Channel Insider to discuss the vulnerability challenges facing the channel and how MSPs can capitalize on new opportunities.
“NVD is funded by NIST, and that contract ended, and so then CISA ended up taking it over, but there was like a 48-hour period where basically everybody thought that the vulnerability database of the world was going to not exist anymore,” Kuffer reflected. “And so it sort of created a big panic and that’s where a lot of this is coming from. And so the impact of that, if it were to go away, is massive.”
This period of uncertainty occurred late last year to early this year, creating a real emphasis for the industry to rethink its dependencies on the supply chain, which in this case is the U.S. federal government. For many service providers, VM was about buying or building a vulnerability scanner that relies on this supply chain to set and forget.
“It’s been a set-it-and-forget-it service for a lot of years, and it really created a serious challenge because vulnerability management and vulnerability assessments are not the core business of most service providers,” said Kuffer.
Why the ‘patch everything’ approach is no longer enough
Kuffer says that as recently as a decade ago, vulnerabilities weren’t the primary reason organizations got hacked, but rather things like credential stuffing or phishing/social engineering.
Then the shift to remote work started happening, leading to massive shifts to the cloud and an increase in endpoints.
“A lot of the zero trust that we had built over the years started to break down, and vulnerability exploitation has become the number one way that organizations get breached,” said Kuffer. “Now that really elevated the importance of vulnerability management, and the challenge is that patch management services tend to be focused on workstations like endpoints.”
A ‘patch everything’ approach is no longer sustainable because a deeper relationship with the customer is required to patch vulnerabilities within an organization effectively. Vulnerability assessment services tend to reach as far as the service provider is contracted to go.
Vulnerabilities in critical infrastructure are beginning to occur at an increasing rate, as service providers are not allowed to patch or modify systems due to contract restrictions. General patch management is beneficial for cyber hygiene, but it’s not a security practice that significantly impacts exploitation activity for customers.
The future of vulnerability intelligence: Public vs. premium feeds
While the future of centralized data sources has faced numerous challenges in recent months, Kuffer doesn’t believe that centralized databases will disappear due to increased regulation and scrutiny.
“The question is whether or not it’s going to split into the same way that our subscription services have on the consumer side, where it’s like you have your ad tier, which is your government run ones, and then you have a premium one where maybe they have more data or they discover things earlier,” said Kuffer. “I do see a scenario where the bigger service providers are going to say it’s worth it to us to pay extra to get access to these kinds of different private databases of vulnerabilities consolidated together.”
He adds that it’s unrealistic to expect every single mid-market or 50-person company to go buy threat intelligence, so this is where channel partners become a huge value add. Channel partners have the ability to purchase services and then utilize them for all their customers.
“I do anticipate we’re going to see a public, free premium offering, and we’re also going to see a tier of vendors that have launched their own vulnerability database feeds,” said Kuffer. “At the same time, I do think that this is actually one of the areas where some AI stuff really does have the potential to disrupt.”
Steps MSPs can take to strengthen customer resilience
Kuffer explained that there is a significant opportunity for MSPs and MSSPs to build their own threat intelligence feeds and vulnerability intelligence feeds, as well, since MSSPs have access to a lot of data that is hard to come by. Additionally, there’s an opportunity for cyber insurance advisement to bring down the cost of cyber insurance premiums.
“It is not as complicated to implement a VM service that is effective as you think it is,” Kuffer added. “Everybody wants to overcomplicate the process. They want to look at implementing seven different scanners and the most fancy prioritization mechanism, but the biggest challenges that you, as a service provider, have are logistical in nature. You can provide a ton of value to any company by giving them visibility, so focusing on a small service to start with is really the biggest impact you can have on most companies that don’t even know where to start.”
Furthermore, Kuffer says service providers can provide greater value to customers by helping them resolve their VM issues rather than simply sending them a report.
“The more demand that there is for something like that, the less likely we’re going to see upstream impacts,” Kuffer says. “If we have a lot of demand– consumer demand drives a lot of how the United States economy works and government action.”
Reimagining vulnerability management is just one way that channel players can rethink partner enablement in 2025. Read more about how channel-focused vendors are approaching AI, security, and managed services this year.