LICENSED FOR DISTRIBUTION

Market Guide for Vulnerability Assessment

Published: 05 December 2016 ID: G00294756

Analyst(s):

Summary

The vulnerability assessment market is mature, but it is being challenged by the need to cover changing device demographics and emerging technologies. Security and risk management leaders seeking a VA solution must evaluate vendors carefully for ongoing commitment to these trends.

Overview

Key Findings

  • Assessment of traditional network-based assets, such as workstations and servers based on Windows and Linux, is universally supported by VA vendors, but support for less-common technologies and third-party applications varies widely.

  • Support for cloud, OT and mobile technologies in VA solutions is sporadic and immature, and found to be almost nonexistent for emerging technologies such as software containers.

  • Vendors are improving reporting, analytics and remediation prioritization capabilities, but these are also offered by threat and vulnerability management solutions.

  • A small number of enterprise-ready VA solutions dominate the market.

Recommendations

Security and risk management leaders selecting a VA solution should:

  • Make dedicated and ongoing support and maintenance of vulnerability signatures and advisories for the majority of assets a critical requirement.

  • Assess the workflow, enterprise management and third-party technology integrations that a VA solution provides.

  • Select the VA solution with consideration for future asset demographics, along with extensive coverage of emerging technologies and approaches, such as cloud, virtualization and DevOps.

  • Evaluate the methods that a VA solution provides to aid in the assessment of the impact, criticality and prioritization of vulnerabilities.

Market Definition

The vulnerability assessment market is composed of vendors that provide capabilities to identify, categorize and manage vulnerabilities, such as unsecure system configurations or missing security updates in network-attached devices. VA products or services have several common capabilities:

  • Discover and identify network-attached IT assets

  • Report on the security configuration of IT assets

  • Establish a baseline of vulnerability conditions for network-attached devices, applications and databases to identify and track changes in vulnerability states

  • Produce reports with content and format to support specific compliance regimes, control frameworks and roles

  • Support risk assessment and remediation prioritization with context regarding vulnerability severity, asset criticality and prevalent threat

  • Support operations groups with information and recommendations for remediation and mitigation

  • Manage and administrate decentralized and distributed scanner instances and architectures

VA can be delivered via an on-premises solution based on software and appliances, via the cloud or hosted solutions, and/or as a hybrid of the two.

How VA is included in the vulnerability management process varies. Some organizations deploy VA in a stand-alone capacity, providing audit or assessment capabilities to assess risks or to measure compliance. Others use it in a more operational capacity to assist IT operations in prioritizing and verifying mitigation. Many organizations do both.

VA technology is typically used to support security threat management or compliance use cases — or for both. Security use cases include vulnerability and security configuration assessments for enterprise risk reduction.

Enterprises with more mature security programs augment VA and security configuration assessments with more advanced network penetration and custom application testing to validate where they are vulnerable to sophisticated attacks. Compliance use cases include meeting scanning requirements for regulatory or other compliance regimes, such as the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001. These requirements can also include application assessment of the infrastructure in scope of the regulatory requirements.

Gartner considers VA a foundational component of a greater information security management program and recommends using it to support those processes.

The market is characterized by privately held, small-to-midsize providers, primarily offering only VA, with a few larger vendors marketing VA as one component of a broader unified security management portfolio of security technologies or services.

Market Direction

The VA market is mature, and grew by 7% to 8% from 2015 to 2016, with an estimated market size of $615 million. Market growth overall is stable, but has decreased from previous years, reflecting that vulnerability assessment is a standard component of most information security management and regulatory frameworks. Adoption of managed security service providers to execute vulnerability assessment for end-user organizations is also experiencing growth. Gartner has seen an increase in clients exploring this option.

Revenue in the VA market is concentrated among a few vendors, with approximately 70% of the revenue going to three vendors (Rapid7, Tenable Network Security and Qualys), which also dominate vendor visibility on enterprise shortlists. There is a noticeable division in the market between vendors that serve large enterprises and those that service smaller organizations.

In addition to competing with other VA product and service vendors, VA vendors must compete with consultants, open-source scanning tools, and other security and IT operations products that provide a scanning and configuration assessment capability.

Vulnerability assessment against generic and standard platforms, such as Windows or Linux, is universally covered in the overall market, with only minute differences between solutions in terms of scope and coverage. Differentiating solutions based on these criteria is seldom possible. Vendors are also difficult to differentiate based on scanning accuracy and performance alone. Gartner sees competition increasingly based on pricing, rather than features.

Gaps in coverage — for example, for less common end devices or third-party applications — will persist, since these are difficult to convert into new sales, yet require the same overhead as more common technologies. Additionally, the vast majority of organizations doing vulnerability assessment are not large enterprises, so scalability and enterprise management features are inconsistently developed and maintained.

Vendors are faced with the very real prospect that the changing device landscape, with an expanding focus on mobile devices , cloud and operational technology (OT), as well as the consolidation of IT functions into virtualized data centers or outsourcing to service providers, will shrink their potential customer base faster than they can develop new capabilities to address these new trends. The new technologies work in a fundamentally different way, and pose challenges from a vulnerability assessment point of view that will not allow existing approaches to be reused. As a consequence, support for these new technologies is immature and can rarely be covered by a single VA solution, if at all.

Instead, many of the VA vendors are expanding their portfolios with products into adjacent domains, such as log management, security analytics and dynamic application security testing. Gartner clients have stated that, as a consequence, some vendors have reduced investment and focus on their VA products, with less frequent updates and new features.

Market Analysis

Below we highlight some recent trends in the market.

Web Application Scanning

Web application security assessment is a capability that all major VA vendors now offer in some form. However, with a few notable exceptions (see "Magic Quadrant for Application Security Testing" ), these must be considered "dynamic application security testing (DAST)-lite" tools, and are not suited to be a full-blown replacement for a dedicated DAST solution.

In brief, what separates VA tools from DAST tools is the DAST tools' ability to discover new vulnerabilities in commercial software of select types and to discover vulnerabilities in custom applications. (However, VA and DAST tools can neither discover vulnerabilities at the business-logic level nor find completely unknown types of code vulnerabilities.) DAST tools are commonly run by application security teams, ideally before an application is deployed to production or as component of a secure development life cycle. VA tools are operational security tools, while DAST tools lean more toward being application development security tools.

Security Configuration Assessment

Security configuration assessment (SCA; see "Best Practices for Secure Policy Configuration Assessment" ), provides the ability to remotely assess and verify settings, such as password complexity in Windows domain group policies. All of the vendors surveyed for this Market Guide now offer this capability in some form, although some may require this capability to be licensed separately. It is frequently used to fulfill regulatory compliance, such as for PCI, or internal security policy compliance.

This integration ranges from basic password policy checks to advanced application-level control analysis. This trend led to the current VA/SCA dual functionality. The use of dissolvable agents deployed during an authenticated scan allowed some vendors to achieve even deeper scanning across the tested systems. Many organizations still separate vulnerability scanning and configuration weakness assessment. Gartner research indicates that it is not uncommon for a customer to purchase a tool that does unified vulnerability and configuration scanning, then use it only for vulnerability assessment (sometimes even without credentials) — thus missing an opportunity to mature their vulnerability management program.

Cloud and Operational Technology Asset Assessment

Coverage for more exotic assets and technologies, such as cloud services or operational technology (such as supervisory control and data acquisition [SCADA] or industrial control system [ICS]) devices, is less mature and nonexistent in many solutions. Specialist third-party offerings and solutions beyond a few mainstream service offerings, such as Amazon Web Services (AWS) and Microsoft Azure, are still required. OT especially requires careful consideration — many VA vendors claim SCADA or ICS support for their solutions — but when looked at in detail, in terms of scope, coverage and, most importantly, ongoing dedicated support, end users will often be underwhelmed.

Assessment Methods

Historically, the majority of VA solutions have focused on remote scanning, primarily due to the complexities and overheads of deploying and managing large agent populations. However, virtual hosts are more challenging to assess remotely, because they may only be powered up for short periods of time and because they can be provisioned on demand. For virtual systems, agents can be included in the base image and then initiated to scan when the system is booted up. Infrastructure as a service (IaaS) environments also pose the similar challenges as virtual environments. Remote and mobile users also cannot be reliably assessed using remote scanning, and also benefit from an agent-based approach, often delivered from the cloud, where the assessment is conducted locally on the host and then the results are sent to the management instance.

Another significant factor contributing to increased agent usage in VA is the paradigm shift from scheduled VA to continuous monitoring (see Table 1).

Table 1.   VA Scanner Deployment Methods

Effective Scanner Deployment Model

Types of Organizational IT & Related Assets

Agent-Based Scanning

On-Premises Scanning

Cloud-Based Scanning

Assets permanently connected to organization network

Cloud assets (SaaS, IaaS, PaaS)

Mobile users with intermittent connectivity to organization network

BYOD assets (not owned by organization)

Virtualized assets

Network assets (e.g., firewall, routers)

Operational technologies (e.g., SCADA, ICS)

BYOD: bring your own device; PaaS: platform as a service

Source: Gartner (December 2016)

Analysis of Vulnerability Risk Impact and Remediation Prioritization

VA tools capture large amounts of vulnerability data, typically exceeding the ability of IT operations to remediate the sheer volume of found issues. Many VA solutions assign a low to critical severity score on the vulnerabilities based on the Common Vulnerability Scoring System (CVSS) scores, which are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. But these metrics fail at scale when the objective is, for example, to identify the 100 most critical vulnerabilities out of 1,000 critical vulnerabilities. Not all vulnerabilities are created equally — exploitability, prevalence in malware and exploit kits, asset context, and active exploitation by threat actors are important qualifiers (see "It's Time to Align Your Vulnerability Management Priorities With the Biggest Threats" ).

Some VA vendors have begun adding capabilities to support improved vulnerability remediation prioritization based on threat intelligence correlation (see "Threat-Centric Vulnerability Remediation Prioritization" ).

There is also an emerging market of threat and vulnerability management platforms (TVMP) that consolidate the output of different security testing technologies, such as VA and DAST, to permit holistic risk posture assessment and model asset risk. These are designed to support an organization's vulnerability life cycle management, providing formalized workflow as well as reporting and collaboration capabilities. They usually do not execute vulnerability assessments themselves, but consolidate and normalize output from multiple vulnerability, application security and penetration testing solutions. Methods are applied that analyze and prioritize vulnerabilities by using threat intelligence and organizational context, or via advanced risk modeling approaches, such as attack path analysis. This permits more granular and intelligent remediation strategies than simplistic severity or CVSS-based approaches, especially at scale and when remediating with limited resources.

Risk ratings are provided to each vulnerability based on a proprietary threat-processing engine. There are some specific vendor tools specialized in remediation prioritization and analysis that can ingest data generated by various VA tools, and use proprietary algorithms to provide risk ratings. These tools automate some of the manual tasks in the remediation process by delivering automated workflow capabilities via dashboards and integration with IT operations management tools.

Representative Vendors

The vendors listed in this Market Guide do not imply an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

The vendors listed in this Market Guide all provide mature capabilities for vulnerability assessment of common network-based devices, as well as features to allow the analysis, reporting and management of vulnerabilities and remediation:

  • BeyondTrust

  • Digital Defense

  • F-Secure

  • Greenbone Networks

  • Outpost24

  • Positive Technologies

  • Qualys

  • Rapid7

  • Tenable Network Security

  • Tripwire

Market Recommendations

Security and risk leaders selecting a VA tool should:

  • Evaluate the scope of device and third-party operating system and application coverage, especially for those that are deployed but nonmainstream.

  • Dedicated ongoing vulnerability signature support and maintenance for the majority of the vendor's asset base should be made a critical requirement. Asking whether a vendor supports technology "x" is not sufficient to yield a detailed answer. However, expectations must also be realistic; while obtaining 100% coverage is the ideal, from a practical standpoint, covering as many technologies as possible is as good as it gets. In-depth assessments of databases and applications, such as ERP systems (for example, SAP or Oracle), especially, are not widely supported in traditional VA solutions, which generally focus on devices. DAST solutions will often still be required.

  • Appraise the methods that a VA solution provides to aid in the assessment of the impact, criticality and prioritization of vulnerabilities.

  • Remediation prioritization is a key element to make VA tools usable and to have a real impact in reducing an organization's attack surface. VA tools can produce extremely large reports, which are virtually impossible to use effectively. Hence, security managers should look to add additional capabilities to VA tools that can remove a lot of manual effort, and also provide analysis and recommend which vulnerabilities to focus on first. If the capabilities provided by the VA solutions are insufficient, also evaluate threat and vulnerability management (TVM) solutions or supported third-party integration tools.

  • Evaluate the assessment deployment options.

    As the shift proceeds from regularly scheduled scans to continuous monitoring, and to more agile and decentralized deployments, the available methods to scan for vulnerabilities will play an increasing role. This includes the ability to use an agent on remote assets for mobile and off-site users, as well as for transient, virtualized architectures and DevOps practices, and the ability to assess system images at rest or in containers.

  • Assess the vendor's current support, and future plans and roadmap, for supporting emerging technologies.

  • Organizations with large or growing cloud, virtualization and DevOps deployments must select a VA solution with these asset demographics in mind, and must consider a vendor's current and future commitment to these technologies. In some cases, these gaps will be closed by collaboration with technology partners and via third-party integrations, not by native support in the VA solutions. Integrations with platform management systems, such as enterprise mobility management (EMM) suites, hypervisors and cloud security platforms, are especially important, providing extended visibility and some vulnerability assessment capabilities.

  • Evaluate available vendor portfolio synergies.

  • Some of the vendors in this Market Guide also offer their VA solution as one component in a broader integrated portfolio. Depending on your requirements, these combined technologies can provide a sum-greater-than-the-parts security posture, and can also prove cost-effective due to bundled licensing. However, potential buyers of VA solutions should not be tempted by the implied benefits if they are not seeking these from the outset.

In addition, the following capabilities are critical, especially in larger enterprises:

  • Scope, quality and speed of signature updates

  • Capability to centrally manage, administrate and schedule scanners and scans

  • Role-based access control (RBAC)

  • Integrated support for managing and tracking vulnerability data, such as vulnerability management workflow and ticket management

  • Integration with enterprise workflow and security management solutions, such as configuration management databases (CMDBs), enterprise directories, and identity and access management (IAM) solutions

  • Flexible architecture options, such as virtualized deployment and cloud-based scanning

  • Automation of scanning and alerting

Evidence

This research is based on a combination of briefings from the vendors mentioned in the text, as well as client inquiries.