Buyer's Guide

Select the vulnerability management tool that fits your business needs

A collection of articles that takes you from defining technology needs to purchasing options

Introduction to vulnerability management tools

Expert Ed Tittel explores how vulnerability management tools can help organizations of all sizes uncover defense weaknesses and close security gaps before they are exploited by attackers.

Organizations today, from small businesses with Web and email access to multisite global enterprises, face increasingly sophisticated attacks carried out over the Internet. Once an attacker gains access to internal networks, the damage that ensues can be catastrophic, resulting in data disclosures and destruction, business disruption and damage to an organization's reputation. Even with solid perimeter defenses (e.g., firewalls, intrusion detection/prevention systems, VPNs and so on), hardened systems and endpoint protection, security breaches still occur. The question is when and how these security breaches will happen.

The attack surface of an IT environment changes constantly. As new computers and devices are installed, operating systems and applications are upgraded and firewall rules are changed, new vulnerabilities are introduced. One way to find out how attackers could breach network defenses and damage internal servers, storage systems and endpoints -- and the data they hold and transfer -- is to discover and close those vulnerabilities. That's where vulnerability management tools come into play.

What is vulnerability management?

Vulnerability management is a continuous process of discovering, prioritizing and mitigating vulnerabilities in an IT environment. Although vulnerability management tools vary in strength and feature sets, most include the following:

  • Discovery: The process of identifying and categorizing every asset in a networked environment and storing attributes in a database. This phase also includes discovering vulnerabilities associated with those assets.
  • Prioritization: The process of ranking known asset vulnerabilities and risk. Vulnerabilities are assigned a severity level, such as from 1 to 5, with 5 being the most critical. Some systems rank vulnerabilities as low, medium and high.
  • Remediation/Mitigation: The system provides links to information about each vulnerability discovered, which includes recommendations for remediation and vendor patches, where applicable. Some vendors maintain their own vulnerability intelligence databases; others provide links to third-party resources such as The MITRE Corporation's Common Vulnerabilities and Exposures database, the Common Vulnerability Scoring System and/or the SANS/FBI Top 20, to name a few.

Organizations tackle the most severe vulnerabilities first and work their way down to the least severe as time and resources permit. Some vulnerabilities don't pose a serious threat to the organization and may simply be accepted, which means they are not remediated. In other words, the risk is judged to be less than the costs of remediation.

How do vulnerability management tools work?

Vulnerability management tools come in three primary forms: stand-alone software, a physical appliance with vulnerability management software or a cloud-hosted service. A customer uses a Web-based interface to configure the product to scan a range of Internet Protocol (IP) addresses -- both IPv4 and IPv6 -- an entire network or a URL, and may select other criteria to inspect, such as the file system, configuration files and/or the Windows registry. The more criteria and the larger the number of IPs, the longer a scan takes to complete. Most vulnerability management tools provide preconfigured scans, and an administrator can modify those templates to save customized scans that run on demand or on a scheduled basis.

Note: Highly penetrating scans that assess "hard-to-reach" areas of a network may require an administrator to temporarily modify a firewall to get the most detailed results, although some vendors claim their products can perform complete scans without any such firewall modifications.

A comprehensive vulnerability scanner should be able to perform continuous inventorying of wired and wireless devices, operating systems, applications including Web apps, ports, services, protocols, as well as virtual machines and cloud environments.

Vulnerability management tools may perform authenticated and unauthenticated vulnerability scans. An unauthenticated scan does not require administrative credentials and focuses on basic issues, such as open ports and services, identity of operating systems and so on. Authenticated scans typically require admin credentials and are more intense, and they may negatively impact a system or network. Although authenticated scans must be used cautiously, usually outside of peak usage hours, they reveal more vulnerabilities than unauthenticated ones.

When a vulnerability management tool is put in place, the initial scan that's run should be as complete as possible. This also serves to establish a baseline. Subsequent scans then show trends and help administrators understand the security posture of the environment over time. Most vulnerability management products provide detailed trend analysis reports and charts for display on the console or in print for distribution to managers and executives.
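The prioritization step and the baseline comparison described above can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the `Finding` record, the `VULN-*` identifiers, the addresses and the rule that a risk acceptance lapses when the reported severity rises are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str      # host the scanner inventoried
    vuln_id: str    # placeholder identifier, constructed for this example
    severity: int   # 1-5 scale from the article, 5 = most critical

def index(findings):
    """Key findings by (asset, vuln_id) so a re-scored finding still matches."""
    return {(f.asset, f.vuln_id): f for f in findings}

def diff_scans(baseline, current):
    """Compare a later scan with the baseline: what is new, fixed, or still open."""
    old, new = index(baseline), index(current)
    return {
        "new": sorted(new.keys() - old.keys()),
        "resolved": sorted(old.keys() - new.keys()),
        "persisting": sorted(new.keys() & old.keys()),
    }

def remediation_queue(current, accepted):
    """Order open findings most severe first, skipping accepted risks.

    `accepted` maps (asset, vuln_id) -> severity at the time of acceptance.
    Assumption of this example: an acceptance stops applying if the
    scanner later reports the finding at a higher severity.
    """
    queue = []
    for key, f in index(current).items():
        if key in accepted and f.severity <= accepted[key]:
            continue  # risk was judged cheaper to carry than to fix
        queue.append(f)
    return sorted(queue, key=lambda f: (-f.severity, f.asset, f.vuln_id))

# Constructed sample data, not output from any real scanner.
BASELINE = [
    Finding("10.0.0.5", "VULN-A", 5),
    Finding("10.0.0.5", "VULN-B", 2),
    Finding("10.0.0.9", "VULN-C", 1),
]
LATER = [
    Finding("10.0.0.5", "VULN-B", 4),   # same weakness, re-scored higher
    Finding("10.0.0.9", "VULN-C", 1),
    Finding("10.0.0.12", "VULN-D", 3),  # new device joined the network
]
ACCEPTED = {("10.0.0.5", "VULN-B"): 2, ("10.0.0.9", "VULN-C"): 1}
```

Matching on the asset and identifier rather than the whole record keeps a re-scored finding in the "persisting" bucket instead of reporting it as one fix and one new issue.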

Some of these products also include exploit software that's used as a penetration test tool. When vulnerabilities are exposed, an administrator can use the exploit software to see how an attacker could exploit the vulnerability without disrupting network operations.

A vulnerability management tool must be used regularly to be effective. As with antivirus products, the data gathered during scans is only as good as the last time it was updated. This means daily scans for most organizations, although small environments or those whose critical assets are not exposed to the Internet may find a weekly scan sufficient.

Who needs vulnerability management tools?

Organizations of all sizes -- from small to midsize businesses (SMBs) to enterprises -- with access to the Internet can benefit from vulnerability management. Customers from nearly every industry and vertical niche use vulnerability management, including education, banking and financial services, government, healthcare, insurance, manufacturing, retail (bricks-and-mortar and online), technology and many more.

How are vulnerability management tools sold?

Vulnerability management products may be sold as software-only products, a physical appliance with vulnerability management software or as a cloud-hosted service. When purchasing vulnerability management software, customers can expect to pay either an upfront cost and/or licensing and ongoing maintenance fees. The same applies to a physical appliance and software combo, and in this case, the customer also pays for the initial cost of the appliance. Some vendors offer appliance licensing, just like software, to enable organizations to treat the entire purchase as operational expenditure rather than capital expenditure.

A cloud-hosted service or software as a service offering is typically sold as an annual subscription that includes unlimited scanning. Vendor cloud pricing varies, and may be based on the number of users, IPs -- either active only or total scanned -- and/or agents deployed. Customers can save money by using services that charge only by active IP, which enables them to scan all IPs on a network, but pay only for those currently in use.

Conclusion

Even the smallest of organizations (i.e., those with fewer than 25 users) need some type of vulnerability management tool, but it's a critical part of a sound security posture for SMBs and enterprises. For organizations that must meet compliance measures, such as HIPAA, Gramm-Leach-Bliley and PCI DSS, vulnerability management is required.


This was last published in January 2016


Join the conversation


How does your organization perform vulnerability management?
Ed,

Good question. We have about 10 employees in New Jersey and 10 at remote locations. 

In New Jersey we connect to the internet through a wireless router in our basement. We used to host our own email but now a third party service provider does it for us. 

Plus there is an accounts server that we host internally. Four guys use it for updating account information. 

We have not run vulnerability management software tests on our network. 

But each computer is protected by an antivirus program such as McAfee. 

Please advise if we should run a vulnerability scan and if so is there a good open source scan available? 

Thanks.   
Yes, you should install vulnerability tools in your system so that you can easily find bug errors and get them automatically repaired.
ED,

There is an error when I post a comment to your blog post on vulnerability management. 

However I received an email reply with no content but a rewrite of my original comment. 

Ravi

  
We have a team of security experts who always keep on testing different sets of tools to keep the structure flow intact.
Thanks Justin. What do you think of Nessus and OpenVAS? Is the source code available for extending the product?

Happy Memorial Day.