E-guide: Vulnerability Management Tools Buyer’s Guide – part 1: Your expert guide to vulnerability management tools

In this e-guide

Introduction to vulnerability management tools

The business case for vulnerability management tools

Introduction to vulnerability management tools

Ed Tittel, Writer, Trainer, Internet Consultant

Expert Ed Tittel explores how vulnerability management tools can help organizations of all sizes uncover defense weaknesses and close security gaps before they are exploited by attackers.

Organizations today, from small businesses with Web and email access to multisite global enterprises, face increasingly sophisticated attacks carried out over the Internet. Once an attacker gains access to internal networks, the damage that ensues can be catastrophic, resulting in data disclosures and destruction, business disruption and damage to an organization's reputation. Even with solid perimeter defenses (e.g., firewalls, intrusion detection/prevention systems, VPNs and so on), hardened systems and endpoint protection, security breaches still occur. The question is when and how will these security breaches happen?

The attack surface of an IT environment changes constantly. As new computers and devices are installed, operating systems and applications are upgraded and firewall rules are changed, new vulnerabilities are introduced. One way to find out how attackers could breach network defenses and damage internal servers, storage systems and endpoints -- and the data they hold and transfer -- is to discover and close those vulnerabilities. That's where vulnerability management tools come into play.

What is vulnerability management?

Vulnerability management is a continuous process of discovering, prioritizing and mitigating vulnerabilities in an IT environment. Although vulnerability management tools vary in strength and feature sets, most include the following:

Discovery: The process of identifying and categorizing every asset in a networked environment and storing attributes in a database. This phase also includes discovering vulnerabilities associated with those assets.

Prioritization: The process of ranking known asset vulnerabilities and risk. Vulnerabilities are assigned a severity level, such as from 1 to 5, with 5 being the most critical. Some systems rank vulnerabilities as low, medium and high.

Remediation/Mitigation: The system provides links to information about each vulnerability discovered, which includes recommendations for remediation and vendor patches, where applicable. Some vendors maintain their own vulnerability intelligence database information; others provide links to third-party resources such as The MITRE Corporation's Common Vulnerabilities and Exposures database, the Common Vulnerability Scoring System and/or the SANS/FBI Top 20, to name a few.

Organizations tackle the most severe vulnerabilities first and work their way down to the least severe as time and resources permit. Some vulnerabilities don't pose a serious threat to the organization and may simply be accepted, which means they are not remediated. In other words, the risk is judged to be less than the costs of remediation.

How do vulnerability management tools work?

Vulnerability management tools come in three primary forms: stand-alone software, a physical appliance with vulnerability management software or a cloud-hosted service. A customer uses a Web-based interface to configure the product to scan a range of Internet Protocol (IP) addresses (both IPv4 and IPv6), the entire network or a URL, and may select other criteria to inspect, such as the file system, configuration files and/or the Windows registry. The more criteria and the larger the number of IPs, the longer a scan takes to complete. Most vulnerability management tools provide preconfigured scans, and an administrator can modify those templates to save customized scans that run on demand or on a scheduled basis.

Note: Highly penetrating scans that assess "hard-to-reach" areas of a network may require an administrator to temporarily modify a firewall to get the most detailed results, although some vendors claim their products can perform complete scans without any such firewall modifications.

A comprehensive vulnerability scanner should be able to perform continuous inventorying of wired and wireless devices, operating systems, applications including Web apps, ports, services, protocols, as well as virtual machines and cloud environments.

Vulnerability management tools may perform authenticated and unauthenticated vulnerability scans. An unauthenticated scan does not require administrative credentials and focuses on basic issues, such as open ports and services, identity of operating systems and so on. Authenticated scans typically require admin credentials and are more intense, and they may negatively impact a system or network. Although authenticated scans must be used cautiously, usually outside of peak usage hours, they reveal more vulnerabilities than unauthenticated ones.

When a vulnerability management tool is put in place, the initial scan that's run should be as complete as possible. This also serves to establish a baseline. Subsequent scans then show trends and help administrators understand the security posture of the environment over time. Most vulnerability management products provide detailed trend analysis reports and charts for display on the console or in print for distribution to managers and executives.
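The baseline comparison described above, combined with the 1-to-5 severity ranking and risk acceptance covered earlier, as an added example (not from the e-guide or any vendor's product). The scan records, vulnerability IDs and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: (asset, vulnerability id, severity 1-5, 5 = most critical).
# The IDs are placeholders, not real CVE numbers.
BASELINE = [
    ("10.0.0.5", "VULN-A", 5),
    ("10.0.0.5", "VULN-B", 2),
    ("10.0.0.8", "VULN-C", 4),
    ("10.0.0.9", "VULN-D", 1),
]
FOLLOW_UP = [
    ("10.0.0.5", "VULN-B", 2),
    ("10.0.0.8", "VULN-C", 4),
    ("10.0.0.9", "VULN-D", 1),
    ("10.0.0.12", "VULN-E", 5),
    ("10.0.0.12", "VULN-A", 3),
]
# Findings whose risk was judged lower than the cost of remediation.
ACCEPTED = {("10.0.0.9", "VULN-D")}


def index(scan):
    """Key each finding by (asset, vuln id) so two scans can be compared."""
    return {(asset, vuln): sev for asset, vuln, sev in scan}


def compare(baseline, follow_up, accepted=frozenset()):
    """Classify findings in the follow-up scan relative to the baseline."""
    old, new = index(baseline), index(follow_up)
    accepted = set(accepted)
    return {
        "new": sorted(new.keys() - old.keys() - accepted),
        "resolved": sorted(old.keys() - new.keys()),
        "persisting": sorted((new.keys() & old.keys()) - accepted),
        "accepted": sorted(new.keys() & accepted),
    }


def work_queue(follow_up, accepted=frozenset()):
    """Open findings, most severe first; accepted risks are left out."""
    open_findings = [f for f in follow_up if (f[0], f[1]) not in accepted]
    return sorted(open_findings, key=lambda f: (-f[2], f[0], f[1]))


def severity_trend(baseline, follow_up):
    """Change in the number of findings at each severity level."""
    before = Counter(sev for _, _, sev in baseline)
    after = Counter(sev for _, _, sev in follow_up)
    return {level: after[level] - before[level] for level in range(1, 6)}


if __name__ == "__main__":
    for status, findings in compare(BASELINE, FOLLOW_UP, ACCEPTED).items():
        print(f"{status:10} {findings}")
    print("work queue:", work_queue(FOLLOW_UP, ACCEPTED))
    print("trend by severity:", severity_trend(BASELINE, FOLLOW_UP))
```

In this sample the count of severity-5 findings is unchanged between scans even though one critical finding was fixed and a different one appeared, which is why the per-finding comparison is worth keeping alongside the trend totals.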

Some of these products also include exploit software that's used as a penetration test tool. When vulnerabilities are exposed, an administrator can use the exploit software to see how an attacker could exploit the vulnerability without disrupting network operations.

A vulnerability management tool must be used regularly to be effective. As with antivirus products, the data gathered during scans is only as good as the last time it was updated. This means daily scans for most organizations, although small environments or those whose critical assets are not exposed to the Internet may find a weekly scan sufficient.

Who needs vulnerability management tools?

Organizations of all sizes -- from small to midsize businesses (SMBs) to enterprises -- with access to the Internet can benefit from vulnerability management. Customers from nearly every industry and vertical niche use vulnerability management, including education, banking and financial services, government, healthcare, insurance, manufacturing, retail (bricks-and-mortar and online), technology and many more.

How are vulnerability management tools sold?

Vulnerability management products may be sold as software-only products, a physical appliance with vulnerability management software or as a cloud-hosted service. When purchasing vulnerability management software, customers can expect to pay an upfront cost and/or licensing and ongoing maintenance fees. The same applies to a physical appliance and software combo, and in this case, the customer also pays for the initial cost of the appliance. Some vendors offer appliance licensing, just like software, to enable organizations to treat the entire purchase as operational expenditure rather than capital expenditure.

A cloud-hosted service or software as a service offering is typically sold as an annual subscription that includes unlimited scanning. Vendor cloud pricing varies, and may be based on the number of users, IPs -- either active only or total scanned -- and/or agents deployed. Customers can save money by using services that charge only by active IP, which enables them to scan all IPs on a network, but pay only for those currently in use.

Conclusion

Even the smallest of organizations (i.e., those with fewer than 25 users) need some type of vulnerability management tool, but it's a critical part of a sound security posture for SMBs and enterprises. For organizations that must meet compliance measures, such as HIPAA, Gramm-Leach-Bliley and PCI DSS, vulnerability management is required.

The next article in this series presents the business case for vulnerability management in more detail. It will also look at various use cases where vulnerability management is a must-have.

The business case for vulnerability management tools

Ed Tittel, Writer, Trainer, Internet Consultant

Expert Ed Tittel describes business use cases for vulnerability management tools and examines how organizations of all sizes benefit from these products.

IT vulnerabilities can affect any organization of any size, in any industry across the world. The Verizon 2015 Data Breach Investigations Report provides some sobering facts on threats and intrusions, including:

Twenty-three percent of email recipients open phishing messages and 11% click on attachments.

The total number of malware events across all organizations is roughly 170 million, which means five malware events occur every second.

What might pique the interest of managers and senior executives even more is the fact that the average total cost of a data breach, according to IBM's 2015 Cost of Data Breach study, is around $3.79 million. Granted, we're not talking about mom-and-pop businesses, but the monetary losses are staggering all the same.

So which organizations truly need vulnerability management tools, and how can they help them? Here are several use cases for different-sized organizations that show the value of vulnerability management tools.

Use case #1: Small businesses

When reading about vulnerability management, personnel roles like security officer, asset owner and IT engineer often come into play. Rarely are those roles found in a small business, but any business -- even a small business -- with a live Internet connection and staff that sends and receives emails is enough to warrant some sort of vulnerability management product that can be managed by any IT person who wears lots of hats.

Why? Even with a reputable and well-tuned firewall, antivirus software and an intrusion detection system (IDS), small organizations are still at risk. Typical firewalls aren't designed to protect networks or systems from vulnerabilities, and a misconfigured firewall is a major vulnerability. Antivirus software catches known viruses, Trojan horses and so on, but cannot always identify hitherto unknown threats. An IDS can flag most incoming threats, but can also be bypassed by remotely executed code.

Small organizations often tend to be somewhat lax in imposing and enforcing IT security -- as well as in providing security budget and staffing -- and attackers know that. All of these reasons underscore a strong need for vulnerability management. A solid vulnerability management tool can help a small organization find and eliminate vulnerabilities that place their business systems at risk.

These organizations may opt to use simple scanning services or open source vulnerability tools. The downside is that small business staff might wind up spending too much time trying to determine which vulnerabilities are the most severe. A better option is to find an affordable software as a service solution or stand-alone software that runs periodic scans and generates reports that clearly prioritize vulnerabilities.

Use case #2: Midsize organizations

A midsize organization is at risk from the same vulnerabilities as a small one, but is typically better-known, has a well-developed Web presence and many more attack surfaces, and therefore has a higher threat profile. That leaves a midsize organization more vulnerable to targeted attacks, such as an advanced persistent threat, and random attacks that seek out specific vulnerabilities, like the Code Red or Sasser worms.

While senior management in many midsize organizations may feel confident that their IT staff can handle nearly any security issue that comes their way, that's not always the case. It's more likely that staff members are too busy or do not have the skills and necessary experience to maintain a far-reaching security strategy, and they react to problems rather than proactively managing layered security.

Another concern is that the midsize organization may have more resources to throw at security than a small business, but the concept of a "company needing to look like a bigger company" can result in an urgent requirement to grow quickly. This common situation creates challenges beyond staff members' experience and capabilities. A company that is suddenly involved with managing new operations and interests can easily lose sight of essential security planning and practices.

Cloud services that offer data storage, server infrastructure and even entire IT infrastructures as a service are increasingly popular with the midsize organization that's growing or simply cannot afford to maintain everything itself. However, unless the service is part of a managed services agreement, the subscribing organization may still be responsible for protecting all of the data and systems that now reside off premises, adding a new wrinkle to maintaining security.

Also consider that the effort and cost of IT staff identifying and recovering from a damaging vulnerability exploitation or security breach could be more expensive than simply implementing a vulnerability management tool in the first place.

Use case #3: Enterprise organizations

Enterprise organizations have always been and will always be key targets of attackers. They also have huge attack surfaces with thousands of network nodes spread across campuses and remote business locations.

Given that a typical vulnerability assessment scan in a high-node environment can yield thousands to millions of findings, from low to high criticality, it's easy to see why an enterprise needs a comprehensive vulnerability management tool. Not only does it reduce vulnerabilities, it eliminates manual configuration of security scanning and provides a vehicle for managing the voluminous amount of scan data and reports.

Enterprises, as well as small and midsize organizations, are also subject to regulatory compliance of one sort or another. Many regulatory laws, such as HIPAA and Gramm-Leach-Bliley, and the PCI DSS standard require vulnerability assessments to maintain compliance. Even internal security policies and audits require adherence to a risk management plan, which includes vulnerability management as a core process.

Once the need for vulnerability management tools is established, the next step is to select one that best meets your organization's business requirements and budget. Find out about the vulnerability management purchase selection process in the next article in this series.

About the author

Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking consultant, technical trainer, writer and expert witness. Perhaps best known for creating the Exam Cram series, Ed has contributed to more than 100 books on many computing topics, including titles on information security, Windows OSes and HTML. Ed also blogs regularly for TechTarget (Windows Enterprise Desktop), Tom's IT Pro and GoCertify.