6 top vulnerability management tools and how they help prioritize threats

Organizations handle vulnerability management in various ways, from training and best-practice implementations to filtering out all but the most dangerous threats. Here's a look at some of today's more innovative solutions.


Not only has vulnerability management changed considerably over the years, but so have the systems on which enterprise security teams must identify and patch vulnerabilities. Today there are on-premises systems, IoT devices, public and private clouds, and substantially more custom applications. Vulnerability management systems no longer focus only on networks and privately hosted applications. Today, they must be able to assess all of these systems, identify their vulnerabilities, and help enterprise security teams make better remediation decisions.

For vulnerabilities to be dangerous, they have to be exploitable. A vulnerability on a system that can't be exploited isn't much of a danger. Knowing what is truly dangerous is essential so enterprises can plan what to fix immediately and what can be patched or mitigated later.

It's also important to categorize vulnerabilities based on their potential impact should they be exploited. This includes the potential severity of the exploit, like wiping out an entire database versus locking out a single user, and the value of the resources affected. Having your public-facing website defaced is embarrassing, but having confidential data stolen can be critical and lead to mandated breach disclosures and regulatory fines.

The best vulnerability management programs should add context to scans. Some even offer automatic fixes, training, or preventative assistance using artificial intelligence—understanding compliance standards, legal mandates, and best practices that apply to the organization launching the scan.

With potentially thousands of vulnerabilities hiding in any extensive enterprise network, adding that context is the only way that fixes can be reliably prioritized and risk reduced. The following six products push the envelope for at least one aspect of vulnerability management.

Qualys VMDR

Qualys, launched in 1999, was the first SaaS vulnerability management platform. Back then, enterprise devices were connected to the corporate internal network, and vulnerability scanners assessed those internal networks and the few hosted, internet-facing apps. Today, it's not that simple. There are on-premises systems, more custom-built software, cloud systems, more open-source software, and virtualized systems.

Qualys Vulnerability Management, Detection and Response (VMDR) is accessed as a cloud service. Its small cloud agents, virtual scanners, and passive network scanning capabilities help organizations see their assets and identify previously unknown assets added to the network. Qualys VMDR assesses on-premises assets, all clouds, and endpoints.

Following vulnerability data collection, Qualys VMDR enables users to search the results on certain assets to get deeper insights on configuration, services running, network information, and other data that will help mitigate the risks of vulnerabilities being exploited by threat actors. Its AssetView feature enables security and compliance teams to continuously update their information assets based on what's important to their organization. These dashboards can also be customized.

These scans tend to uncover many vulnerabilities, so it's essential to focus on the most dangerous vulnerabilities on the most critical systems so that security teams can remediate them in the most effective order. After Qualys VMDR identifies assets and vulnerabilities and prioritizes their risk, users can deploy patches from within the platform.

Orca Security

Orca Security is a cloud security posture management (CSPM) tool, which is a fancy way to say it manages vulnerabilities found in cloud infrastructure services like AWS, Azure and Google Cloud Platform. Because Orca is built for the cloud, it operates straightforwardly in these environments, unlike some scanners that were once on-premises products and were later revamped as cloud vulnerability management systems.

Orca's SideScanning technology lets users create an inventory of their cloud environment once they have provided their cloud credentials. It gathers data on operating system packages, applications, libraries, and more. For every vulnerability it uncovers, the system provides users a map that details its relationship with other assets so that teams can prioritize remediation efforts.

As one would expect from any advanced vulnerability manager, Orca can map vulnerabilities and graph their severity within an enterprise's cloud systems. Orca achieves this by discovering cloud systems and workloads along with their configurations and security settings. Orca also comes to understand the roles workloads perform, such as what work they are configured to do and what permissions are enabled. In addition to configurations and permissions, Orca determines connectivity and can see which networks are publicly reachable and which are not. With all of this data, Orca then creates a visualization that attempts to assess the actual risk of a vulnerability within the context of the cloud system.

The Orca Vulnerability Database includes data from the NIST National Vulnerability Database and more than 20 additional sources, such as OVAL, Exploit Database, and the Debian bug tracker.

Detectify

Detectify isn't precisely a vulnerability management service provider like Qualys. It's in a similar category known as attack surface management (ASM). ASM focuses on vulnerabilities from an attacker's perspective and consists of the continuous discovery of enterprise IT assets: internet-facing systems such as cloud infrastructure, third-party systems, and web applications. It uncovers the vulnerabilities in those systems and then prioritizes and helps manage the remediation of those vulnerabilities.

Detectify, founded in 2013, provides external attack surface management. While it allows for the discovery, assessment and prioritization of the enterprise attack surface, Detectify also partners with ethical hackers and provides their research to its scanner in as little as 15 minutes.

Because Detectify is cloud-based, there's no installation needed. Simply add the domain to be assessed, and all associated subdomains and applications will be evaluated continuously. Detectify breaks its scanning into two services, Surface Monitoring and Application Scanning.

Surface Monitoring assesses an organization's internet-facing assets and evaluates the hosts it finds for vulnerabilities, misconfigurations, and the like. Detectify provides remediation information on fixing the weaknesses it finds, shrinking the attack surface.

Application Scanning, on the other hand, continuously evaluates an organization's web applications for vulnerabilities and provides advice on how to remedy them. Detectify evaluates applications in production, in the development pipeline, and in staging.

One of the things that strikes me as interesting with Detectify is its combination of automation with crowdsourcing. With this union, automated scans vet systems for known vulnerabilities, while experienced security research specialists seek flaws that have yet to be uncovered.

Kenna Security Vulnerability Management

Anyone who has worked with vulnerability management tools knows that different scanners often identify different vulnerabilities. Some are slightly better than others at particular tasks, such as evaluating on-premises networks or cloud applications. Understanding the risks associated with all of the vulnerabilities uncovered is daunting. That's where Kenna Security Vulnerability Management, or Kenna.VM, comes in.

Kenna does no scans itself. Instead, it provides connector programs that allow it to ingest data from almost any vulnerability scanner, including those made by Tripwire, Qualys, McAfee and Checkmarx. The platform itself is deployed as a service, with customers logging into a cloud portal to check their information and give Kenna permission to learn about the network it's protecting.

The idea behind Kenna is that it collects the many vulnerability alerts sent in by scanners and then compares them with threat data in real time. It can tie a discovered vulnerability back to an active threat campaign exploiting it and prioritize a quick fix. Any vulnerabilities being exploited in the wild are automatically elevated in priority, so defenders can fix the most dangerous problems before attackers discover and exploit them.

The Kenna.VM platform was one of the first to incorporate real-time threat data into vulnerability management. Since then, the platform has expanded to include additional threat feeds, including one that the company manages based on its clients' networks. It has also added support for more vulnerability scanners and today works with just about every scanner on the market.

The platform does an excellent job of explaining why vulnerabilities exist in a protected network and gives tips on fixing them. It can prioritize discovered flaws based on what assets they could affect and the severity of the problem. That is an excellent feature, but the prioritization of vulnerabilities based on active threat campaigns is the ace in the hole that makes Kenna's platform one of the best at highlighting critical issues that must be fixed first.

Recently, Kenna Security added what it calls risk-based service-level agreements (SLAs) to Kenna.VM. Risk-based SLAs provide remediation timeframes based on an organization's risk tolerance. The less risk an organization can accept, the more swiftly it needs to fix a vulnerability. Kenna's risk-based SLAs are based on three factors: risk tolerance, asset priority, and the vulnerability risk score, such as high, medium, or low. The company also added a connector for CrowdStrike Falcon Spotlight and a connector for Twistlock.
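The prioritization logic described earlier in the article (exploitability, impact, and asset value) and the three risk-based SLA factors above, as an added worked example; this is illustrative code, not Kenna's or any vendor's scoring, and the weights, risk bands, SLA windows, and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One scanner finding. Identifiers and values are constructed samples."""
    vuln_id: str            # placeholder id, not a real CVE
    asset: str
    asset_priority: int     # 1 = low, 2 = medium, 3 = critical (assumed scale)
    severity: str           # "low" | "medium" | "high" as reported by the scanner
    exploit_available: bool # public exploit code exists
    actively_exploited: bool  # seen in an active threat campaign

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}

# Remediation windows in days by risk tolerance and risk band (assumed values).
SLA_DAYS = {
    "low_tolerance":  {"high": 7,  "medium": 30, "low": 90},
    "high_tolerance": {"high": 30, "medium": 90, "low": 180},
}

def risk_score(f: Finding) -> int:
    """Severity x asset value, multiplied up when the flaw is exploitable."""
    score = SEVERITY_WEIGHT[f.severity] * f.asset_priority
    if f.actively_exploited:
        score *= 3          # active campaign: highest urgency
    elif f.exploit_available:
        score *= 2
    return score

def risk_band(score: int) -> str:
    """Collapse the numeric score into the high/medium/low band used for SLAs."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"

def prioritize(findings, tolerance: str):
    """Rank findings by score and attach the SLA deadline for the given tolerance."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, f.asset, risk_score(f), risk_band(risk_score(f)),
             SLA_DAYS[tolerance][risk_band(risk_score(f))]) for f in ranked]

# Constructed sample findings: note the high-severity flaw on a dev box ranks
# below a medium-severity flaw on the production database.
SAMPLE_FINDINGS = [
    Finding("VULN-A", "db-prod",    3, "high",   True,  True),
    Finding("VULN-B", "www-public", 2, "high",   True,  False),
    Finding("VULN-C", "dev-lab",    1, "high",   False, False),
    Finding("VULN-D", "db-prod",    3, "medium", False, False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS, "low_tolerance"):
        print(row)
```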

Flexera Software Vulnerability Management

While many vulnerability managers concentrate on apps and code that a company develops itself, the Flexera Software Vulnerability Management platform is more concerned with the third-party software programs that almost every enterprise uses to conduct business. In most cases, fixing a vulnerability in bought or licensed software is done by applying a patch. That can become a huge deal for an enterprise, especially if it has to take thousands of systems or critical services offline to apply the patch. It's even possible that fixing one problem could create others because of how tightly software is integrated these days.

The Flexera software helps with this problem by creating a secure patch management process across an entire enterprise. It can find vulnerabilities in third-party software and advise administrators about the severity of the potential threat. There may be little to gain in putting out a massive patch to thousands of users to fix a minor vulnerability or patch a feature that isn't installed or used by the protected organization. Flexera can help make those decisions by providing context and then deploying the patch when it becomes necessary.

You can also use the Flexera platform to anchor an automated patch management system by fixing vulnerabilities when needed in ways that don't hurt operations. Finally, it can generate customized reports about vulnerability and patch management and about how an organization complies with relevant frameworks, laws, and best practices.

Recently, Flexera enabled interoperability between its vulnerability manager and VMware Workspace ONE UEM (unified endpoint management). This provides customers the ability to identify, prioritize and satisfy the need for third-party patch deployment to remediate software vulnerabilities. Once a vulnerability is identified and prioritized, customers can now deploy such patches to their managed devices using Workspace ONE UEM, reducing the vulnerability window.

Tenable.io

Tenable is well known for creating security dashboards for any environment. It brings that same diagnostic technology to its vulnerability management program, Tenable.io. This platform is managed in the cloud, so it has a small footprint inside a protected organization. It uses a combination of active scanning, agents, passive monitoring, and cloud connectors to search for vulnerabilities. Tenable.io then applies machine learning, data science and AI to predict which fixes need to be made before an attacker can exploit the underlying flaws.

One of the biggest strengths of Tenable.io is that it uses both the dashboard and its customized reports to show vulnerabilities in a way that anyone can understand. Whether someone is a developer, part of the operations team, or a member of IT security, they can easily comprehend the warnings generated by Tenable.io. In a way, Tenable.io provides vulnerability management to everyone with no specialized training or expertise required.

To expand its external attack surface management abilities, Tenable recently acquired ASM vendor Bit Discovery. This provides customers with a comprehensive view of their internal and external attack surfaces.

Copyright © 2022 IDG Communications, Inc.
