Vulnerability management process steps can be automated with technology from four main vendor categories that constitute the vulnerability management space. Consider broad-scope vendors when you desire an integrated product suite.
Vulnerability management is a process that can be implemented to make IT environments more secure and to improve an organization's regulatory compliance posture (see "How to Develop an Effective Vulnerability Management Program"). The vulnerability management process includes these steps:
Policy definition is the first step and includes defining the desired state for device configurations, user identity and resource access.
Baseline your environment to identify vulnerabilities and to measure compliance with the defined policy.
Prioritize mitigation activities based on external threat information, internal security posture and asset classification.
Shield the environment, prior to eliminating the vulnerability, by using desktop and network security tools.
Mitigate the vulnerability and eliminate the root causes.
Maintain and continually monitor the environment for deviations from policy and to identify new vulnerabilities.
The technology provided by vulnerability management vendors can be used to automate various aspects of the vulnerability management process. The four main technology categories are:
Vulnerability assessment (VA)
Security configuration management and policy compliance
IT security risk management
Security information and event management (SIEM)
Vulnerability Assessment
Vulnerability assessment (VA) provides baseline and discovery functions in support of vulnerability management. VA products scan an endpoint and attempt to determine vulnerable conditions based on a database of known vulnerabilities. VA products can also determine many other aspects of the endpoint, including open ports, running services and protocols, applications, and operating system. This information provides security groups with the data they need to measure security postures. Once your security group has documented the weaknesses of the network and host infrastructure, you can begin to make decisions on how to eliminate the root cause of the majority of exploits, reduce the potential attack vectors and limit the impact of a security incident.
eEye Digital Security, Internet Security Systems, McAfee, nCircle, Qualys, Sourcefire, StillSecure and Tenable Network Security (see "Vulnerability Assessment Vendors Expand to Vulnerability Management") offer remote auditing capabilities that do not require agents or credential passing. The ability to audit without agents or credential passing is a key requirement for many security organizations.
Security Configuration Management and Policy Compliance
Security configuration management and policy compliance tools provide a top-down baseline of the IT environment in relation to an organization's defined security configuration policies. An organization can define its "gold-standard" environment — the desired state of system configurations and access rights — or it can use a predefined set of best-practice system security configuration templates (such as the Microsoft Security guide, the SANS Institute, the Center for Internet Security, the National Institute of Standards and Technology or the National Security Agency) or vendor-defined templates for regulatory compliance.
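The following is an added example, not code from any of the vendors named in this note, of the top-down baseline such tools produce: a gold-standard template of desired configuration settings and access rights is expressed as rules, each host's collected configuration is audited against it, and two audits of the same host are compared to detect drift for the maintain step. The rule names, thresholds, host names and configurations are all constructed for the illustration and do not come from any published benchmark.

```python
"""Security configuration baseline audit against a constructed gold-standard template."""
import copy
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

# Comparators a rule may use: observed value versus desired value.
COMPARATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda observed, desired: observed == desired,
    "ge": lambda observed, desired: observed >= desired,
    "le": lambda observed, desired: observed <= desired,
    "subset": lambda observed, desired: set(observed) <= set(desired),
}


@dataclass(frozen=True)
class Rule:
    setting: str     # dotted path into the host configuration
    comparator: str  # key in COMPARATORS
    desired: Any     # the gold-standard value
    severity: str    # "high", "medium" or "low"


# Constructed gold-standard template (hypothetical values, not a published benchmark).
GOLD_STANDARD: List[Rule] = [
    Rule("auth.password_min_length", "ge", 12, "medium"),
    Rule("auth.lockout_threshold", "le", 5, "medium"),
    Rule("services.telnet.enabled", "eq", False, "high"),
    Rule("services.ssh.permit_root_login", "eq", False, "high"),
    Rule("access.local_admins", "subset", ["svc-backup", "ops-admin"], "high"),
    Rule("patching.auto_update", "eq", True, "low"),
]

# Constructed observed configurations, as a collection agent or scanner might report them.
HOST_CONFIGS: Dict[str, Dict[str, Any]] = {
    "web-01": {
        "auth": {"password_min_length": 8, "lockout_threshold": 10},
        "services": {"telnet": {"enabled": True}, "ssh": {"permit_root_login": False}},
        "access": {"local_admins": ["ops-admin", "jdoe"]},
        "patching": {"auto_update": True},
    },
    "db-01": {
        "auth": {"password_min_length": 14, "lockout_threshold": 5},
        "services": {"telnet": {"enabled": False}, "ssh": {"permit_root_login": False}},
        "access": {"local_admins": ["svc-backup"]},
        # no "patching" block at all: the setting is unknown, which is not compliant
    },
}


@dataclass(frozen=True)
class Deviation:
    host: str
    setting: str
    observed: Any
    desired: Any
    severity: str


def lookup(config: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path; a missing setting resolves to None."""
    node: Any = config
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_host(host: str, config: Dict[str, Any], policy: List[Rule]) -> List[Deviation]:
    """Return every rule the host's observed configuration fails.

    A setting absent from the collected configuration cannot be shown to be
    compliant, so it is reported as a deviation rather than silently passed.
    """
    deviations: List[Deviation] = []
    for rule in policy:
        observed = lookup(config, rule.setting)
        compliant = observed is not None and COMPARATORS[rule.comparator](observed, rule.desired)
        if not compliant:
            deviations.append(Deviation(host, rule.setting, observed, rule.desired, rule.severity))
    return deviations


def compliance_score(host: str, policy: List[Rule] = GOLD_STANDARD) -> float:
    """Fraction of policy rules the host satisfies, from 0.0 to 1.0."""
    failed = len(audit_host(host, HOST_CONFIGS[host], policy))
    return 1.0 - failed / len(policy)


def with_setting(config: Dict[str, Any], path: str, value: Any) -> Dict[str, Any]:
    """Copy of config with one dotted-path setting changed (models a remediation)."""
    updated = copy.deepcopy(config)
    node = updated
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value
    return updated


def drift(previous: List[Deviation], current: List[Deviation]) -> Tuple[List[str], List[str]]:
    """Settings that newly fail, and settings resolved, between two audits of one host."""
    before = {d.setting for d in previous}
    after = {d.setting for d in current}
    return sorted(after - before), sorted(before - after)
```

Two design choices matter for a policy audit of this kind: a setting the collector could not read is reported as a deviation rather than assumed compliant, and the access-rights rule uses a subset comparison so that any account outside the approved administrator list is flagged, not just a count mismatch.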
Vendors in this area include BindView, Citadel Security Software, Configuresoft, Ecora Software, LANDesk Software and Pedestal Software (recently acquired by Altiris). In addition, several patch management vendors, including BigFix and PatchLink (see "Security Configuration Management Vendors Expand to Vulnerability Management"), provide security configuration management capabilities. Through 2006, the number of vendors offering these functions will grow as additional operational configuration management vendors begin to introduce or acquire security configuration management functions.
IT Security Risk Management
The primary focus of IT security risk management products is to quantify IT security risk and to prioritize and support remediation activities. These products combine asset classification data, embedded security policy functions, current external threat data and the results of third-party VA scans to support aggregated risk analysis and vulnerability mitigation. Security risk management tools provide varying degrees of embedded support for asset classification and security configuration policy management. The analysis produced by these tools attempts to quantify the IT security business risk for resource groups that are aligned to business functions. The products also provide workflow for mitigation, as well as validation that a vulnerability has been eliminated.
These products provide the ability to develop an asset repository, classify those assets, generate risk-rating reports, implement remediation workflow and monitor status. Most products in this category integrate VA data from third-party products, and directly provide varying levels of support for security configuration policy auditing. All of these products have small installed bases (30 sites or fewer). Vendors with a focus in this area include Archer Technologies, Preventsys, Skybox Security, TruSecure (now Cybertrust) and Xacta (see "IT Security Risk Management Solutions for Vulnerability Management").
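As an added example of the analysis described in the two paragraphs above (not the code of any product named here), the block below joins third-party VA output with a small asset repository and an external threat feed, produces a risk rating per finding and per business unit, and runs a remediation workflow in which a finding is closed only when a rescan confirms it is gone. The asset names, the "VULN-" identifiers (placeholders, not CVE numbers), the base scores and the weighting factors are all constructed for the illustration.

```python
"""Risk rating and remediation workflow over constructed vulnerability assessment results."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed asset repository: business owner, criticality 1 (low) to 5 (high), exposure.
ASSETS: Dict[str, Dict] = {
    "web-01": {"business_unit": "online-sales", "criticality": 5, "internet_facing": True},
    "hr-app-02": {"business_unit": "hr", "criticality": 3, "internet_facing": False},
    "dev-test-09": {"business_unit": "engineering", "criticality": 1, "internet_facing": False},
}
# An asset the repository does not know is rated as if it were critical and exposed
# until someone classifies it: unclassified is not the same as unimportant.
UNCLASSIFIED = {"business_unit": "unknown", "criticality": 5, "internet_facing": True}

# Constructed external threat feed: vulnerability ids with active exploitation reported.
ACTIVELY_EXPLOITED: Set[str] = {"VULN-2001"}

# Constructed VA scan output: (host, vulnerability id, scanner base severity 0-10).
# The ids are placeholders, not real CVE numbers.
SCAN_1: List[Tuple[str, str, float]] = [
    ("web-01", "VULN-2001", 7.5),
    ("web-01", "VULN-2003", 4.0),
    ("hr-app-02", "VULN-2002", 9.8),
    ("hr-app-02", "VULN-2001", 7.5),
    ("dev-test-09", "VULN-2002", 9.8),
]
# Constructed rescan after remediation: VULN-2001 is gone from web-01 but still on hr-app-02.
SCAN_2: List[Tuple[str, str, float]] = [
    ("web-01", "VULN-2003", 4.0),
    ("hr-app-02", "VULN-2002", 9.8),
    ("hr-app-02", "VULN-2001", 7.5),
    ("dev-test-09", "VULN-2002", 9.8),
]


@dataclass
class Finding:
    host: str
    vuln_id: str
    base_score: float
    risk: float
    status: str = "open"  # open -> fixed (operator's claim) -> verified (rescan confirms)


def risk_score(host: str, vuln_id: str, base_score: float) -> float:
    """Combine the scanner's base score with asset classification and threat data.

    The weighting is a constructed example: criticality scales the score,
    internet exposure multiplies it by 1.5 and active exploitation doubles it.
    """
    asset = ASSETS.get(host, UNCLASSIFIED)
    score = base_score * asset["criticality"] / 5
    if asset["internet_facing"]:
        score *= 1.5
    if vuln_id in ACTIVELY_EXPLOITED:
        score *= 2
    return round(score, 2)


def prioritize(scan: List[Tuple[str, str, float]]) -> List[Finding]:
    """Rank findings by business risk rather than by raw scanner severity."""
    findings = [Finding(h, v, s, risk_score(h, v, s)) for h, v, s in scan]
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def by_business_unit(findings: List[Finding]) -> Dict[str, float]:
    """Aggregate risk per business function, the view a risk-rating report presents."""
    totals: Dict[str, float] = {}
    for f in findings:
        unit = ASSETS.get(f.host, UNCLASSIFIED)["business_unit"]
        totals[unit] = round(totals.get(unit, 0.0) + f.risk, 2)
    return totals


def validate(findings: List[Finding], rescan: List[Tuple[str, str, float]]) -> List[Finding]:
    """Close a finding only when the rescan no longer reports it.

    An operator marking a ticket 'fixed' is a claim, not evidence: a
    vulnerability still present in the rescan is reopened.
    """
    still_present = {(h, v) for h, v, _ in rescan}
    for f in findings:
        if f.status == "fixed":
            f.status = "open" if (f.host, f.vuln_id) in still_present else "verified"
    return findings


def remediation_cycle() -> Dict[Tuple[str, str], str]:
    """One pass of prioritize -> remediate (as claimed) -> validate by rescan."""
    findings = prioritize(SCAN_1)
    for f in findings:
        if f.vuln_id == "VULN-2001":  # the operator reports both instances patched
            f.status = "fixed"
    validate(findings, SCAN_2)
    return {(f.host, f.vuln_id): f.status for f in findings}
```

Note how the ranking differs from the scanner's own severity order: the two 9.8-rated findings drop below the actively exploited 7.5 on the internet-facing sales server, which is the point of combining asset classification and threat data with VA results.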
Broad-Scope Vendors
Broad-scope vendors offer many aspects of vulnerability management functions. However, each of these vendors has some areas of its product set that are challenged by best-of-breed products from point-solution vendors. Vendors in this area include Computer Associates, IBM/Tivoli, NetIQ and Symantec (see "Broad-Scope Vendors Expand to Vulnerability Management").
The monitoring step of the vulnerability management process can be automated by regular execution of deployed VA and security configuration management technologies and through the use of SIEM technology. SIEM technology provides real-time event management and historical analysis of security data from a wide set of heterogeneous sources. This technology is used to filter incident information into data that can be acted on for the purposes of incident response and forensic analysis. The need to support regulatory compliance has become the new market driver for the SIEM technology providers. They are working on extending their current offerings to include enhanced regulatory compliance data collection, analysis and reporting features. Vendors in this space include providers of SIEM point solutions and providers of broad-scope products that include security management features.
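As an added illustration of the SIEM functions just described (not the code of any SIEM vendor), the block below takes a constructed log extract from three heterogeneous sources, normalizes each line onto one event schema, and applies two correlation rules that turn raw events into actionable items: repeated authentication failures from one address followed by a success, and a change to a configuration setting the security policy pins, which is the kind of deviation the maintain step exists to catch. Log formats, addresses, hosts and timestamps are all constructed for the example.

```python
"""Normalize heterogeneous security events and correlate them into actionable items."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: three log formats (ssh authentication, firewall,
# configuration monitor) plus one line in an unknown format. Timestamps are
# plain seconds to keep the example short.
SAMPLE_LOG = """\
100 sshd[311]: Failed password for root from 203.0.113.5 port 51022 ssh2
130 sshd[312]: Failed password for admin from 203.0.113.5 port 51023 ssh2
160 sshd[313]: Failed password for admin from 203.0.113.5 port 51024 ssh2
190 sshd[314]: Accepted password for admin from 203.0.113.5 port 51025 ssh2
200 fw: DENY src=198.51.100.7 dst=10.0.0.12 dport=23
210 sshd[315]: Failed password for bob from 192.0.2.9 port 40001 ssh2
400 sshd[316]: Accepted password for bob from 192.0.2.9 port 40002 ssh2
420 cfgmon host=web-01 setting=services.telnet.enabled old=false new=true
500 appliance-x: heartbeat ok
"""


@dataclass(frozen=True)
class Event:
    ts: int       # seconds
    source: str   # which collector produced the event
    subject: str  # source address or host the event is about
    action: str   # auth_fail, auth_ok, fw_deny or config_change
    detail: str


AUTH_RE = re.compile(r"^(\d+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\d+) fw: DENY src=(\S+) dst=(\S+) dport=(\d+)")
CFG_RE = re.compile(r"^(\d+) cfgmon host=(\S+) setting=(\S+) old=(\S+) new=(\S+)")


def normalize(line: str) -> Optional[Event]:
    """Map one raw line from any known source onto the common schema."""
    m = AUTH_RE.match(line)
    if m:
        ts, result, user, ip = m.groups()
        return Event(int(ts), "auth", ip, "auth_fail" if result == "Failed" else "auth_ok", user)
    m = FW_RE.match(line)
    if m:
        ts, src, dst, port = m.groups()
        return Event(int(ts), "firewall", src, "fw_deny", f"{dst}:{port}")
    m = CFG_RE.match(line)
    if m:
        ts, host, setting, old, new = m.groups()
        return Event(int(ts), "cfgmon", host, "config_change", f"{setting}:{old}->{new}")
    return None  # unknown format: counted by the caller, not silently dropped


def correlate_auth(events: List[Event], threshold: int = 3, window: int = 120) -> List[Tuple[str, str, int]]:
    """Raise an incident when at least `threshold` failures within `window` seconds
    from one address are followed by a successful login from that same address."""
    by_subject: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.source == "auth":
            by_subject[e.subject].append(e)
    incidents: List[Tuple[str, str, int]] = []
    for subject, evs in by_subject.items():
        recent_failures: List[int] = []
        for e in evs:
            recent_failures = [t for t in recent_failures if e.ts - t <= window]
            if e.action == "auth_fail":
                recent_failures.append(e.ts)
            elif e.action == "auth_ok":
                if len(recent_failures) >= threshold:
                    incidents.append(("auth_failures_then_success", subject, e.ts))
                recent_failures = []
    return incidents


def policy_deviations(events: List[Event], monitored=("services.telnet.enabled",)) -> List[Tuple[str, str]]:
    """Configuration changes to settings the security policy pins (maintain step)."""
    return [(e.subject, e.detail) for e in events
            if e.action == "config_change" and e.detail.split(":", 1)[0] in monitored]


def process(log_text: str) -> Dict:
    """Full pass: normalize every line, then apply both correlation rules."""
    events: List[Event] = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = normalize(line)
        if e is None:
            unparsed += 1
        else:
            events.append(e)
    return {
        "events": len(events),
        "unparsed": unparsed,
        "incidents": correlate_auth(events),
        "deviations": policy_deviations(events),
    }
```

The unparsed count is kept on purpose: a source whose format changes after an upgrade otherwise disappears from the SIEM without anyone noticing, and for both incident response and compliance reporting a gap in collection is itself a finding.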