Vulnerability management overview

As previously discussed, VM is just one part of the overall security capability, so we should start looking at the capability as an end-to-end process. Let's review the following diagram:

We want the VM processes and results from all scanning activities to flow into security state analysis so that all stakeholders have relevant information from this capability.

The following is how VM integrates with the SOC at the tactical level. This is important because the SOC can provide additional feedback, command and control, and situational awareness to the VM team:

Again, this seems simple, but we need to have the mindset that if we are scanning and trying to fix everything, in the long run we are fixing nothing. We need to apply the same logic of placing our resources where they will make the most impact and improve as we go.

For VM, we have a dependency that we discussed in an earlier chapter. That dependency is to have a complete list of systems and applications to be scanned.

For review, the following is the Capability Maturity Model—continuous monitoring—VM and asset management:

At a minimum, we will need to have completed the initial phase and phase A before beginning our next adventure: building the VM capability of scanning and remediation.
