Vulnerability management keeps getting sexier
Vulnerability management tools do more than scan networks. Here's how to use them to detect and mitigate risk across the enterprise infrastructure.
By Neil Roiter
February 14, 2011 — CSO
Security-smart organizations have gone well beyond thinking just in terms of assessing and addressing vulnerability—now vulnerability management is a cornerstone of their corporate security, risk and compliance programs. As views of IT risk have matured, so have vulnerability management tools, which now support a continuous enterprisewide lifecycle of vulnerability discovery, remediation and reporting.
The scope of products available has also expanded as regulatory compliance requirements increase and companies seek better-defined and more strongly enforced change control. Vendors have responded to the expanded threat landscape as well: network vulnerability scanning is still table stakes, but application-layer and even database-security assessment and remediation have become essential.
Also read the companion article Vulnerability management tools: Dos and don'ts
The process of selecting a vulnerability management product is far more complicated than answering the question, "Who makes the best vulnerability assessment scanner?"
A full-featured vulnerability management product or suite of products must be able to support, at minimum, a repeatable lifecycle of asset discovery and enumeration, vulnerability detection, risk assessment, configuration compliance assessment, change management and remediation, verification, and auditing and reporting.
"The entire cycle of things you need to do is always ongoing," says a security manager at a major financial institution that uses McAfee vulnerability management products. "The tail end is that once you are done with remediation, you have to continue to repeat the process. You have to do it consistently and on a regular basis."
Most of the major players have been in this market for years, as product vendors, service providers or a combination of the two, giving you a broad range of companies with deep expertise and long track records to choose from. Vendors include Beyond Security, Critical Watch, eEye, GFI, IBM, Lumension Security, McAfee, nCircle, Perimeter e-Security, Qualys, Rapid7 and Tenable Network Security (creators of the formerly open-source Nessus scanner).
The Essentials of Vulnerability Management
At their foundation, vulnerability management tools perform two basic tasks: They help you discover the assets across your networks and they detect vulnerabilities, typically in the operating systems and key applications.
The discovery phase is worthwhile in itself, though organizations often overlook its importance, settling for working from what they know—or, more accurately, what they think they know—about what's on their network.
"You may think you have solid network inventory," says the security manager at the financial institution. "A company says they don't have wireless. How do they know if they aren't monitoring with wireless intrusion detection systems? They will be dinged by an auditor that asks that kind of question."