Vulnerability management services (VMSs) have arisen from the pragmatic need to make existing security technologies work together to mitigate today’s network security vulnerabilities while the security product vendors develop new technologies. Enterprise security teams are overwhelmed with the volume of information from intrusion detection systems (IDSs) and patch notifications from vendors. Security officers are befuddled: They must implement process improvements to raise the security profile of their network, but they also must manage a lean operating budget that precludes them from sending in security experts to rectify the problem. There are significant challenges in identifying vulnerabilities in their network infrastructure and in tuning network security products for optimal efficiency and protection.

Security teams that once reacted to security incidents now are proactively addressing network security through the life cycle of vulnerability intelligence all the way to confirmation of a deployed correction. Managed security service providers are evolving service product lines from managing security technology, such as managed firewall and managed IDS services, to the higher value service of managing the process across technologies to secure the extended enterprise. Vulnerability management services are one of the few areas in the network security industry where best-of-breed marketing does not rule. Enterprises will consolidate managed services with a single preferred vendor to capture enterprise experience, simplify escalation procedures across multiple security products and streamline contract negotiations. Smaller VMS organizations will be forced to extend expert services to new areas of a security policy, such as identity management services, remote connectivity assessment services and wireless security services. The Yankee Group believes VMS vendors will consolidate throughout 2004, driven by the shortage of skilled security professionals.
Companies with core technology strengths, such as Foundstone, Qualys, Securify and TruSecure, will be targeted by the likes of Cisco, ISS, Symantec and VeriSign. VMS vendors with state-of-the-art security operations centers will be forced to merge in an attempt to reach critical mass to sustain the business. Counterpane, Guardent, NetSec, Solutionary and Ubizen are likely candidates for mergers.

Enterprise Recommendations

The Yankee Group recommends VMSs for enterprises that would incur financial risk if their network or key business applications were to become unavailable due to a misconfiguration or cyber attack. VMSs are an excellent way to gain the security expertise of professionals that would be prohibitively expensive to hire as full-time staff.

Use VMSs to track the performance of security policy and implementation teams. Continual applications of VMSs should show a decline in the number of vulnerabilities discovered. The VMS finds vulnerabilities, IT corrects the problem and the VMS can determine if the problem is fixed. Proper use of VMSs should show a decline in the rate of discovered vulnerabilities in the network. Distribute assessment reports to add visibility to corporate security efforts and heighten the awareness of security to organizations outside of IT.

Know your VMS team. The most important element of the business relationship is the VMS people assigned to the enterprise account. These are the experts who will learn the enterprise applications, policies and procedures to keep the VMS tuned to customer needs. In some cases, the individuals that the enterprise meets from the VMS firm may not be the same individuals performing the work. The Yankee Group recommends that enterprises meet and approve the team members before committing to contract terms.

Transfer knowledge from the VMS team to enterprise IT staff. The security and IT staff are responsible for securing network resources.
The Yankee Group recommends the enterprise institute a program where the IT staff learns from the best practices of the VMS firm. Rotating assessments between VMS vendors also provides a diverse view of best practices and approach to security. Security products will someday improve enough for VMS functionality to be brought in-house.