What does a VM specialist do and how to become one

We continue the series of publications “Top 10 professions in the field of cybersecurity”. You can read the previous articles here, here and here. The need for such experts is growing at a dizzying rate, and “information security specialist” is no longer a single profession: it has split into dozens of narrower specialties. Today, in the Positive Education column, we look at the profession of VM specialist through the eyes of a person who not only thoroughly understands vulnerability management, but also knows how to build an effective vulnerability management process in companies.

What is the profession of a vulnerability management specialist like? Maybe like the work of a doctor who monitors the health of a patient? But patients usually come to a doctor with complaints of their own accord, and no one comes to a VM specialist voluntarily. Over time, I realized that the work of a VM specialist most closely resembles that of an inspector from a government oversight agency… But first things first.

My name is Alexander Leonov, I am a leading expert at PT Expert Security Center. I analyze vulnerabilities and write about it in my blog “Vulnerability Management and more”. I recommend this article to everyone who is just starting their journey in information security, to dot all the i's on vulnerability management, or VM for short.


Alexander Leonov — Leading specialist at the Positive Technologies Expert Security Center (PT ESC). Worked at Mail.ru Group (now VK) and Tinkoff (now T-Bank), where he was responsible for vulnerability management development. At Positive Technologies, he analyzes vulnerabilities and develops vulnerability management practices.

He regularly gives presentations at Russian and foreign conferences. He develops several open source projects, the best known of which is Vulristics, a framework for assessing and prioritizing vulnerabilities.


So, who is a VM specialist? This is a professional who monitors the vulnerabilities of the company's infrastructure: promptly identifies gaps in protection and monitors their correction so that intruders cannot use them during an attack.

The immediate responsibilities of such a specialist depend on the specific VM process, but at a high level they can be reduced to five stages: 1) monitoring vulnerabilities; 2) assessing their danger; 3) determining methods and priorities for eliminating vulnerabilities; 4) eliminating them; 5) monitoring (checking that the fixes have actually been applied). However, the area of responsibility (area of influence) of a VM specialist can be much broader: it is he who, as a rule, conducts an inventory of the company's IT assets, negotiates regular updates with the IT department and resolves situations when agreements are no longer fulfilled.

Did you recognize the “inspector” to whom I compared the VM specialist at the beginning of the article? Judge for yourself:

  • His arrival is not welcome (colleagues from IT and other departments with whom the VM specialist works may think that he is imposing demands and forcing them to switch from their main, familiar tasks).

  • His words are treated with skepticism (“so what if this led to unacceptable events in a neighboring company – we certainly won’t have anything like that”).

  • If the danger is realized, the inspector becomes the one held accountable (“where was he, the careless one, looking”).

But there are also several important differences:

  • The inspector's employer is the state; accordingly, he can close the organization if the requirements are not met. The VM specialist is paid by the company itself, and therefore his main tool is competent argumentation.

  • The inspector focuses on a specific narrow topic. The range of undesirable effects that the VM specialist must take into account, although limited to the field of information security, is still very wide. It would be like one inspector assessing the possible consequences of fires, floods, epidemics, armed raids by bandits – ending with an alien invasion.

  • The inspector performs the inspection and leaves, while the VM specialist works in one company, but deeply, constantly and continuously.

  • Finally, the inspector is unlikely to be told: “We can't fix everything – we don't have the resources. So show us what's most dangerous, and the rest can wait.”

What should a VM specialist do to be effective? How can an “inspector” without real authority reach an agreement with the IT service so that his recommendations are followed?

  • The first is to thoroughly know the regulators' requirements for vulnerability management. Paradoxically, this is the most reliable tool of a VM specialist – and the most underestimated. Of course, everything should be done in moderation: if you constantly refer to the regulator and threaten inevitable retribution, there will be no effective dialogue with the IT department. It is better to save the “heavy artillery” for the last resort – like an ace in the hole.

  • The second is, obviously, to understand vulnerabilities, detection tools and exploitation. But here it is important to ask: for what purpose? To find attack chains yourself and demonstrate the real exploitability of infrastructure vulnerabilities? That is the task of the internal pentest (red team). To convince admins more effectively? Perhaps this sometimes makes sense, but the main thing is not to slip into “prove it, show it” and end up fixing only those vulnerabilities that can be demonstrated convincingly. To detect all vulnerabilities, prioritize them and single out those that pose the greatest danger to the organization? That is perhaps the most important purpose. Let's not lose focus: we are here to implement a working process of detecting and fixing vulnerabilities, and the rest is secondary (again, see point 1).

  • Third, constantly improve your own expertise, and not only in VM. To effectively interact with administrators, DevOps engineers, and developers, you need to understand the subject area. Otherwise, the requirements will be parried with a simple “this is impossible, everything will break.” Thus, a VM specialist must be an administrator, DevOps engineer, and developer to some extent, but with in-depth knowledge in the field of vulnerability management.
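The five stages and the prioritization point in the second bullet can be made concrete with a small triage model. The following is an added example, not code from the article or from the Vulristics project: the scoring weights, the remediation windows (SLA days) and the vulnerability records are constructed assumptions, and the ids are placeholders rather than real CVE numbers. It starts from the scanner's CVSS score, adjusts it for exploit availability, asset value and exposure (stage 2), maps the result to a priority and a fix deadline (stage 3), and then reports which unfixed findings are overdue (stage 5).

```python
"""Added example: a small triage model for a VM process (constructed; not the
article's or Vulristics' code). Weights, SLA windows and records are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Vulnerability:
    vuln_id: str             # scanner finding id (placeholder, not a real CVE)
    host: str
    cvss: float              # CVSS base score as reported by the scanner
    exploit_public: bool     # a public exploit exists
    exploited_in_wild: bool  # exploitation observed in real attacks
    asset_criticality: int   # 1 = low, 2 = medium, 3 = business-critical asset
    internet_exposed: bool
    detected: date
    fixed: Optional[date] = None


# Assumed weights: the CVSS score is only the starting point; exploit
# availability, asset value and exposure move the finding up or down.
EXPLOIT_IN_WILD_BONUS = 3.0
EXPLOIT_PUBLIC_BONUS = 1.5
ASSET_ADJUSTMENT = {1: -1.5, 2: 0.0, 3: 1.5}
EXPOSURE_BONUS = 1.0
MAX_SCORE = 15.0

# Assumed remediation windows (days) agreed with the IT department per level.
SLA_DAYS = {"urgent": 7, "high": 30, "normal": 90}


def priority_score(v: Vulnerability) -> float:
    """Stage 2: assess danger by combining CVSS with context into one number."""
    score = v.cvss
    if v.exploited_in_wild:
        score += EXPLOIT_IN_WILD_BONUS
    elif v.exploit_public:
        score += EXPLOIT_PUBLIC_BONUS
    score += ASSET_ADJUSTMENT[v.asset_criticality]
    if v.internet_exposed:
        score += EXPOSURE_BONUS
    return round(max(0.0, min(score, MAX_SCORE)), 1)


def priority_level(score: float) -> str:
    """Stage 3: map the score to a remediation priority."""
    if score >= 10.0:
        return "urgent"
    if score >= 7.0:
        return "high"
    return "normal"


def due_date(v: Vulnerability) -> date:
    """Stage 3: the fix deadline that follows from the priority level."""
    return v.detected + timedelta(days=SLA_DAYS[priority_level(priority_score(v))])


def triage(vulns: List[Vulnerability]) -> List[Vulnerability]:
    """Order findings so that the most dangerous ones are handled first."""
    return sorted(vulns, key=priority_score, reverse=True)


def overdue(vulns: List[Vulnerability], today: date) -> List[Vulnerability]:
    """Stage 5: unfixed findings whose deadline has passed, most dangerous first."""
    return [v for v in triage(vulns) if v.fixed is None and today > due_date(v)]


# Constructed sample scan results (placeholder ids and hosts, not real data).
SAMPLE = [
    Vulnerability("VULN-001", "web-01", 9.8, True, True, 3, True, date(2024, 5, 1), fixed=date(2024, 5, 6)),
    Vulnerability("VULN-002", "hr-db", 7.5, False, False, 3, False, date(2024, 5, 1)),
    Vulnerability("VULN-003", "dev-jenkins", 8.8, True, False, 2, False, date(2024, 5, 1)),
    Vulnerability("VULN-004", "printer-07", 5.3, False, False, 1, False, date(2024, 5, 1)),
]
TODAY = date(2024, 6, 10)  # constructed reference date for the monitoring check


def report(vulns: List[Vulnerability], today: date) -> List[str]:
    """One line per finding in triage order, with priority, deadline and status."""
    lines = []
    for v in triage(vulns):
        score = priority_score(v)
        status = "fixed" if v.fixed else ("OVERDUE" if today > due_date(v) else "open")
        lines.append(f"{v.vuln_id} {v.host:12} score={score:5.1f} "
                     f"{priority_level(score):6} due={due_date(v)} {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE, TODAY)))
```

Note that the Jenkins host with a merely public exploit ends up ahead of the business-critical database with a higher-sounding CVSS vector but no exploit: this is the kind of reordering that CVSS alone does not give you, and it is what makes the conversation with the IT department about "what is most dangerous" concrete.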

Is it difficult to become such a specialist? Yes and no. It is quite easy to learn how to use vulnerability detection tools, but understanding what exactly the scanner has detected, what the danger is, and how reliable the results are — all of this requires high qualifications. You need to know how the vulnerability is exploited (i.e. have a set of skills comparable to the knowledge of vulnerability researchers), understand how to fix it without consequences for the operability of IT systems (i.e. have the skills of a system administrator or DevOps). In addition, you often have to develop your own utilities for system integration and data analysis (i.e. be able to program). And for constructive communication with colleagues, often on sensitive issues, soft skills are extremely important — otherwise you will not be able to be convincing.

Such specialists are in high demand on the information security market. Why? Firstly, the number of known vulnerabilities grows literally every month: the NVD database alone contains more than 245 thousand vulnerabilities. Every organization has an IT infrastructure, and if there is no dedicated person, no one will monitor vulnerabilities and updates, which threatens a breach and the realization of events that are unacceptable for the organization.

Secondly, since 2022 the situation in the industry has changed dramatically: Western VM vendors have left, and the process of “transplanting” to Russian software products for IT and information security has begun. At the same time, the tasks of VM specialists have expanded: they now include checking updates of foreign commercial and open-source products for backdoors, and accounting for vulnerabilities that are not in NVD. It has become more difficult, but more interesting. The salary level has also increased. For example, on hh.ru I recently saw several vacancies for VM specialists with a salary of 200,000–350,000 rubles. But this is not the ceiling: as in any other profession in cybersecurity, everything is determined individually, taking into account the person’s qualifications.

How do you become a VM specialist? The path to VM quite often begins with the first job or internship of security students or graduates. They are given their first tasks on rolling out and configuring detection tools, analyzing vulnerabilities, pushing fixes or writing utilities for automation. Gradually, young employees get involved and grow into experienced specialists. However, sometimes people come to VM from IT — for example, system administrators who decided to focus on vulnerabilities and secure configuration. Stories vary.

Personally, I started my career in a VM vendor, which gave me a good basis for professional development. How did it happen? After studying to be an information security specialist at Bauman Moscow State Technical University, I got a job at Positive Technologies and was involved in working on the vulnerability and misconfiguration scanner MaxPatrol 8. I became interested in the practical side and decided to try myself from the client's side – building VM processes within companies. I devoted eight years to this: first at Mail.Ru Group (now VK), then at Tinkoff (now T-Bank). And last year I returned to Positive Technologies to use all my experience to develop expertise in our products.

To summarize: it is quite easy to “get into” VM through an internship or as a junior. To do this you need:

  1. Confidently state your interest in this particular specialization.

  2. Confirm your interest with activities: course or diploma projects, research, articles, reports, participation in open source projects (exploitation, detection, prioritization of vulnerabilities) – the more and more hardcore, the better.

  3. Don't stumble on basic questions about operating systems and networks, understand how vulnerability scanners work (ideally, have at least minimal hands-on experience with the tools), be able to program a little (Python is still the most popular); it is also useful to know English at an intermediate level.

  4. Read and analyze the regulatory documents (there are still few of them for VM): “Methodology for assessing the level of criticality of vulnerabilities in software, software and hardware”, “Guide to organizing the vulnerability management process in an agency (organization)”.

  5. Stay up to date with what is happening in the industry now: I can recommend the Telegram channel SecAtor and the channel “Vulnerability Management and more”.

Completing these conditions will allow you to bypass 90% of other applicants and take the first step in the profession of a VM specialist.

Positive Education also invites all interested parties to the course “Vulnerability Management Process: From Theory to Practice”. I took part in its preparation, but the main authors of the course will tell you more about it.

Pavel Popov

Leader of Product Practice for Vulnerability Management at Positive Technologies

Even novice specialists do not need to be explained why such basic things as working with antiviruses and firewalls are needed. With vulnerability management, everything is completely different. The importance of searching for vulnerabilities and managing them, on the contrary, has to be justified, sometimes even to experienced specialists. When creating the course, we set ourselves the goal of increasing the number of competent VM specialists, so that in the end, attackers could not hack companies by exploiting vulnerabilities.

With this idea in mind, we tried to make the course short but capacious. In four weeks, we fit all the knowledge that Positive Technologies experts and the company itself have as an information security vendor. At the moment, the course has been completed by two waves of participants, which is more than 60 people, who give positive feedback in 90% of cases. The remaining 10% tell us what can be improved in the course. Many experienced VM specialists note that it includes what they have been studying for 10 years. This program is also interesting because it is suitable not only for individual specialists, but also for training entire teams in a corporate format, which makes it ideal for developing both personal and professional team skills.

Sign up for the new stream that starts September 8. For participants, this is a great opportunity to acquire or systematize existing knowledge about vulnerability management. Beginners will understand where to start working with them, and experienced ones will improve their expertise. Good luck!
