This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."
Download it now to read this article plus other related content.
When thinking about outsourcing VM, break down what types of services an external provider supplies. Here are some of the most commonly outsourced VM services (most large outsourcers supply all of these services, but always check for details of specific vendor offerings):
- Asset identification. There's an old saying that is appropriate in the VM world: "You can't manage what you don't know." There are dozens of vulnerabilities released every day, but many aren't a priority for your network. The only way to know which vulnerabilities and exploits matter to your company and your systems is to know exactly what you've got. It can also help to know where the systems are. Many attacks can be thwarted via port blocking; if a device is in a protected zone and all traffic into that zone can be filtered, the vulnerability can be mitigated. Asset identity services scan your network and return detailed listings that identify what systems are on the network, their patch and configuration levels and their location within the network topology.
- Vulnerability identification/assessment. What vulnerabilities are in the wild? Part of the intelligence process of a VM outsourcer is the ability to gather and disseminate data on vulnerabilities and patches. Vulnerability information can come from a variety of sources: vendors, lists and media reports, among others. The depth
- of the information gathered in the asset identification is then assessed against known vulnerabilities and exploits. The outsourcer can then notify the customer where the problems are and what actions are recommended.
- Remediation and patching. Taking action is a critical part of VM, but what about when remediation is outsourced? It can mean that the outsourcer makes the call and takes action as needed--anything from applying a patch to reconfiguring access control rules on a firewall. Alternately, the outsourcer could integrate with the customer's workflow and trouble ticketing system, so the patch is queued for deployment, but the actual deployment task is completed by the customer.
- Control verification and monitoring. Because VM is fundamentally about closing windows of exposure, it's important to ensure that there is an audit and verification function to verify that changes and fixes have been applied properly. It is also important to know who approved the change and who applied it. An outsourcer should be able to provide the customer with detailed, real-time access into the audit and verification functions. Additionally, many enterprises want to have transparency back to the internal corporate network and event management engines via the export of log information from the service provider.
This was first published in August 2006