
Vulnerability management for your remote workforce using ThreatWatch

by Paresh Borkar

In an earlier blog article, we looked at the challenges that organizations face with vulnerability management (VM) for their remote workforce, and briefly described what a Next Generation Vulnerability Management solution should look like for these scenarios. To summarize, a Next Generation VM solution needs to be a cloud-based service that provides continuous visibility into vulnerabilities on remote systems without the need for any scans.

In this article, we will do a deep dive to better understand how ThreatWatch addresses these challenges with remote workforce VM.

ThreatWatch is a SaaS-based VM service, so organizations do not need to worry about or spend cycles on upgrades and maintenance. Each customer gets a dedicated ThreatWatch instance that is completely locked down to their organizational users only. The obvious next question is: how do I (the customer) get my remote devices (aka assets) into my dedicated ThreatWatch instance? It is important to note that, because ThreatWatch is a SaaS service, all assets are inherently remote from ThreatWatch's perspective. ThreatWatch provides twigs (ThreatWatch Information Gathering Script), an open source CLI maintained by ThreatWatch. Twigs is your gateway to discovering all kinds of assets. Here are some quick facts about twigs:

  • It is open source, and anyone can inspect (and contribute to) its source code (unlike blackbox agents from competitors).
  • It does not require super user privileges (unlike blackbox agents from competitors).
  • It is low touch and zero impact when it comes to discovery.
  • Organizations can install twigs on as many devices as they like (it is free and open source) and run it as often as needed (it can be scheduled via cron or equivalent).
  • It caters to all kinds of assets (cloud, container, code repository, compliance, etc.)
  • It can pull existing asset inventory from CMDBs, ITAMs, etc.
  • Twigs is DevOps friendly and engineers love it!

Twigs is also available as a signed PowerShell script for discovering Windows-based assets.

Twigs is responsible for loading asset details into your dedicated ThreatWatch instance. It does this over HTTPS, using an API key that you generate in the TW console and provide in the twigs run. Twigs captures the required metadata about the asset being discovered in ThreatWatch. ThreatWatch then uses this metadata to perform a virtual vulnerability assessment of your asset in the ThreatWatch cloud. Note how this differs from traditional VA providers, who perform vulnerability scans over the network; these scans end up hogging CPU and burdening the network as well.

The virtual vulnerability assessment also ensures that your assets are protected round the clock. ThreatWatch continuously discovers new vulnerabilities in the wild, as well as updates to existing vulnerabilities. It applies these vulnerability updates to your assets in an automated manner, without the need for any (scheduled) scans. Read more about the need for machine curated vulnerability intelligence.

Attenu8 helps prioritize vulnerability impacts automatically by considering the complete context around the vulnerability and the impacted asset. This helps ensure that your teams tackle the most important vulnerabilities first. Let us take an example to better understand this: suppose you discovered a new asset, say a docker container, and the initial assessment identified a vulnerability impacting one of the installed packages. However, there were no known exploits for this vulnerability at the time, and hence it was prioritized as ‘Do Later’. A week later, a new exploit is published for the same vulnerability, and as a result Attenu8 may update its priority to ‘Do Now’. This helps ensure that the vulnerability impact bubbles up to the attention of your security team so that they can remedy it. These updates are easily disseminated to your security teams via collaboration tools (like MS Teams, Slack, etc.) or email.
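The scan-free reassessment and the ‘Do Later’ to ‘Do Now’ change described above can be sketched as follows. This is an added illustration, not ThreatWatch, twigs or Attenu8 code: the inventory, the feed snapshots, the VULN-EXAMPLE identifiers and the rule that only the exploit flag drives priority are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed asset metadata, of the kind an inventory script could upload once.
INVENTORY = {"asset": "demo-container",
             "packages": {"libexample": "1.2.0", "toolkit": "3.4.1"}}

@dataclass(frozen=True)
class Advisory:
    vuln_id: str         # placeholder identifier, not a real CVE
    package: str
    fixed_in: str        # first version that is no longer affected
    exploit_known: bool

def parse_version(version):
    # Assumption: plain dotted-numeric versions; real package versions need more care.
    return tuple(int(part) for part in version.split("."))

def assess(inventory, feed):
    """Match stored package metadata against a feed; the asset is never contacted."""
    findings = {}
    for adv in feed:
        installed = inventory["packages"].get(adv.package)
        if installed and parse_version(installed) < parse_version(adv.fixed_in):
            # Assumed rule: a published exploit is the only priority input here.
            findings[adv.vuln_id] = "Do Now" if adv.exploit_known else "Do Later"
    return findings

def priority_changes(before, after):
    """New findings and changed priorities, i.e. what a team would be notified of."""
    return {vid: (before.get(vid), prio)
            for vid, prio in after.items() if before.get(vid) != prio}

# Constructed feed snapshots a week apart; the inventory is not re-collected.
FEED_WEEK_1 = [Advisory("VULN-EXAMPLE-1", "libexample", "1.2.5", False),
               Advisory("VULN-EXAMPLE-2", "toolkit", "3.4.0", False)]
FEED_WEEK_2 = [Advisory("VULN-EXAMPLE-1", "libexample", "1.2.5", True),   # exploit published
               Advisory("VULN-EXAMPLE-2", "toolkit", "3.4.0", False),
               Advisory("VULN-EXAMPLE-3", "toolkit", "3.5.0", False)]     # newly disclosed

if __name__ == "__main__":
    week1 = assess(INVENTORY, FEED_WEEK_1)
    week2 = assess(INVENTORY, FEED_WEEK_2)
    print("week 1:", week1)
    print("week 2:", week2)
    print("notify:", priority_changes(week1, week2))
```

The same stored inventory yields different findings in week 2 purely because the feed changed, which is the property that removes the need for a scheduled rescan.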

ThreatWatch is engineered as Vulnerability Management as a Service (VMaaS) and is hence suited to your remote workforce, in contrast to traditional VA solutions, which mainly rely on network scans or have dropped in a heavy blackbox agent as a bandage solution. Take control of the security posture of your remote workforce using ThreatWatch.

For more information on how we can help secure your remote workforce, please write to us at

