by Mark Nicolett

Vulnerability and IT Security Management Are Converging

Mar 18, 2005 | 6 mins
CSO and CISO, Data and Information Security

The pressing need to increase the speed of vulnerability mitigation, coupled with pressure to meet new regulatory requirements, is driving the convergence of vulnerability management and IT security management functions.

When evaluating IT security management and vulnerability management technologies, consider how they will integrate asset classification data and accommodate required mitigation workflow. Organizations that expect to use vulnerability assessment technology to improve their environments’ security should include integration with security configuration policy compliance in their requests for proposal.


The goal of vulnerability management processes and technology is to discover and assess vulnerabilities, and to implement and maintain system configurations to create more-secure environments. The overall goal of IT security management technology is to transform security data into security information on which you can act. Thus, the security impact of vulnerability management and IT security management is determined by the ability to change the environment. In addition, functional requirements in the two technology areas are being driven by regulatory compliance issues.


Because the value of vulnerability assessment tools, security configuration policy compliance tools and IT security management technology is closely tied to the ability to cause change, technology providers face a common set of requirements in the area of workflow support. Two types of workflow require support:

  • Long-lived “macro” workflow that involves human intervention and decisions
  • Short-lived “micro” workflow that generates an automated response to an event

Specialized workflow support should be embedded in the respective products for incident handling within the security organization. Because the bulk of mitigation and incident response work is carried out by a broad set of IT administration, operation and support areas outside security, the products also must integrate with enterprise workflow systems so that work items reach those areas. In addition, customers increasingly require automated response workflow, especially in IT security management and vulnerability assessment, because of the disruption caused by the recent spate of rapidly spreading worms and viruses.

Asset Classification

IT resource classification is needed within vulnerability assessment, security policy compliance and IT security management tools to support business-oriented analysis and vulnerability mitigation. Vulnerability assessment tools, and security audit and policy compliance tools, require asset classification data to enable business-oriented risk reporting and analysis of vulnerabilities, and to drive mitigation workflow. IT security management functions require asset classification to evaluate the priority of threats directed at specific IT resources, to generate business-oriented security metrics and to drive mitigation workflow.

Security products must provide for user-defined classification of IT resources by, for example, business unit, business function, application, geography and support responsibility. Security software vendors should provide a native capability to classify assets that have been discovered by security software. However, asset data is contained in a variety of repositories across a wide set of network, system and security management products. Because the specification and maintenance of asset classification data represents a significant labor investment for IT operations, security management technology also must offer the ability to import classification data from enterprise repositories.

Vulnerability Management: Converging Vulnerability Assessment With Security Configuration Policy Compliance

Most IT security organizations begin their vulnerability management efforts by deploying vulnerability assessment tools or services. Vulnerability assessment is useful and necessary because it discovers vulnerable systems on the network and identifies their weaknesses. Mitigating vulnerabilities, however, is configuration management work that must be performed by network, server, and desktop operation and administration areas. Eliminating the root cause of vulnerabilities requires the development and implementation of configuration standards, which yield more-secure networks and systems. The data generated by vulnerability assessment is notoriously difficult to use for business-oriented reporting. More importantly, it is not organized in a way that supports mitigation activities performed by areas outside the IT security organization.

In contrast to vulnerability assessment, security configuration policy compliance tools organize system configuration information in a way that can be used by administration and operation areas to implement security configuration standards. However, these tools do not quantify vulnerabilities and risks. The implementation of security configuration standards is difficult, slow work that involves many system changes. These changes must be implemented in phases after quality assurance testing is completed, and according to a schedule determined by a variety of factors. Configuration changes should be prioritized according to the level of risk that can be eliminated, but security configuration policy compliance tools do not provide guidance on the vulnerabilities that are associated with specific configuration settings.

The limitations of vulnerability assessment and security configuration policy compliance can be resolved by integrating the two processes. A number of vulnerability assessment vendors have heard this from some of their more-forward-thinking customers and are developing security configuration policy compliance functions. Likewise, several security configuration policy compliance vendors are developing vulnerability assessment functions that will be integrated with their products.

IT Security Management: Integrating Policy Compliance

The integration of vulnerability assessment data with real-time security incident data has been a long-standing requirement of IT security management technology customers. This integration enables more-accurate prioritization of threats directed against corporate resources. Many IT security management vendors have satisfied this requirement by correlating data generated by vulnerability assessment tools. In turn, enterprises’ need to satisfy audit and regulatory requirements is driving a new set of functional requirements for IT security management technology.
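The two ideas above, asset classification driving priority (Asset Classification section) and correlating real-time events with vulnerability assessment data, can be shown together in a small worked example. The following Python is added here for illustration and is not Gartner's or any vendor's code; the asset export format, the vulnerability IDs, the event records and the scoring weights are all constructed assumptions for the example. It imports classification data from a CMDB-style CSV export, indexes scan findings by host, then scores each incoming event by whether the targeted host is actually vulnerable to the flaw the signature exploits and how critical the business classifies that host:

```python
"""Prioritise real-time security events by correlating them with vulnerability
assessment findings and asset classification data (illustrative example)."""
import csv
import io

# Constructed asset-classification export, as it might be imported from an
# enterprise repository; columns and values are assumptions for this example.
ASSET_CSV = """\
ip,hostname,business_unit,function,criticality
10.0.1.10,pay-db-01,Finance,payroll database,high
10.0.1.20,web-kiosk-03,Facilities,lobby kiosk,low
10.0.2.5,hr-app-02,HR,benefits portal,medium
"""

# Constructed vulnerability assessment findings: (ip, vulnerability id, severity 0-10).
# The ids are placeholders, not real advisories.
VA_FINDINGS = [
    ("10.0.1.10", "VULN-A", 9.3),
    ("10.0.1.20", "VULN-A", 9.3),
    ("10.0.2.5", "VULN-B", 5.0),
]

# Constructed real-time events: destination host, signature name, and the
# vulnerability the signature exploits (None for reconnaissance).
EVENTS = [
    {"dst": "10.0.1.10", "sig": "exploit attempt A", "targets": "VULN-A"},
    {"dst": "10.0.1.20", "sig": "exploit attempt A", "targets": "VULN-A"},
    {"dst": "10.0.2.5", "sig": "exploit attempt A", "targets": "VULN-A"},  # host not vulnerable
    {"dst": "10.0.9.9", "sig": "port scan", "targets": None},  # unclassified host
]

CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
DEFAULT_WEIGHT = 2.0  # unclassified assets are treated as medium until classified


def load_assets(text):
    """Import classification data keyed by IP from a CSV export."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def index_findings(findings):
    """Map each host to {vulnerability id: severity}."""
    idx = {}
    for ip, vuln, severity in findings:
        idx.setdefault(ip, {})[vuln] = severity
    return idx


def score_event(event, assets, findings):
    """Exposure (is the host really vulnerable?) times business criticality."""
    host_vulns = findings.get(event["dst"], {})
    target = event["targets"]
    if target is None:
        exposure = 1.0          # reconnaissance: no specific flaw to confirm
    elif target in host_vulns:
        exposure = host_vulns[target]  # confirmed vulnerable: use scan severity
    else:
        exposure = 0.5          # scanner says not vulnerable: keep for trending only
    asset = assets.get(event["dst"])
    weight = CRITICALITY_WEIGHT.get(asset["criticality"], DEFAULT_WEIGHT) if asset else DEFAULT_WEIGHT
    return round(exposure * weight, 1)


def prioritize(events, assets, findings):
    """Return events as business-oriented work items, highest score first."""
    items = []
    for e in events:
        asset = assets.get(e["dst"])
        items.append({
            "dst": e["dst"],
            "sig": e["sig"],
            "business_unit": asset["business_unit"] if asset else "UNCLASSIFIED",
            "needs_classification": asset is None,  # feeds the asset-classification workflow
            "score": score_event(e, assets, findings),
        })
    return sorted(items, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    queue = prioritize(EVENTS, load_assets(ASSET_CSV), index_findings(VA_FINDINGS))
    for item in queue:
        print(f'{item["score"]:5}  {item["dst"]:10}  {item["business_unit"]:13}  {item["sig"]}')
```

The same exploit signature against the same flaw lands at the top of the queue for the payroll database and well below it for the lobby kiosk, purely because of the classification data, and the attempt against a host the scanner shows is not vulnerable drops beneath even a plain port scan. The unclassified host is flagged so it can be routed to the asset-classification workflow rather than silently scored.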

The ability of IT security management technology to aggregate and normalize host log data should be enhanced to include pre-defined analyses of the identity and access management events that are important for an organization to comply with a set of regulations. The products also must support compliance reporting against a customer-defined reference point – that is, the compliance standards that the organization has defined for a regulation. Many IT security management vendors likely will integrate security policy compliance data from current tools, while some vendors will provide the function directly.

Because IT security management technology is oriented to the aggregation, analysis and prioritization of security data, it will be used by some organizations to converge workflow, asset classification, vulnerability assessment and security configuration policy compliance. The convergence of these functions also is occurring as vulnerability management technology providers expand the scope of their respective point solutions.

Key Issue

How will enterprises arm themselves to address increasing information security risk?

Strategic Planning Assumptions

By 2006, enterprises that use consolidated vulnerability assessment and security configuration policy compliance products will reduce the time required to close vulnerabilities by 40 percent (0.7 probability).

By 2006, IT security management vendors that do not have seamless integration with vulnerability management processes will be relegated to niche status (0.7 probability).

By 2006, 70 percent of vulnerability assessment and security configuration policy compliance vendors will provide both functions in a single product (0.8 probability).

© 2005 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.