This article can also be found in the Premium Editorial Download "Information Security magazine: Special manager's guide: Monitoring identities."
Before moving forward with outsourcing of vulnerability management, enterprises must take into account a number of important architectural considerations.
Will the outsourcer be using internal scans, external scans or both? If the outsourcer only scans from outside the company (usually in front of the firewall), it will see only what an external attacker can see. While this is useful information, there are vulnerabilities inside corporate networks that should not be ignored: the traditional single perimeter continues to move deeper into the network and is increasingly distributed across hosts and sub-zones.
If the decision is made to allow the outsourcer to place internal scanners on the network, be clear up front about who is responsible for managing those scanners and how the data being sent back to the outsourcer is protected. What level of trust will the outsourced scanner have inside trusted corporate zones? If the scanner from the outsourcer is being placed in a restricted zone, will the owners of that zone have appropriate control of the scanner?
Then consider how invasive the scans will be on the network. Scanning can be done via an agent or from the network, with or without credentials. An agent requires that a piece of code be installed on every host that will be scanned. Does your company feel comfortable having a piece of code from an outsourcer installed on all its monitored devices? Many do not, so the outsourcer
In addition, VM scanning can be more or less invasive based on whether or not credentials are used. In credentialed scanning, some form of valid credentials is given to the scanner so that it can log in and look for vulnerabilities as a legitimate user. This kind of scanning can turn up more information, but can also crash systems.
Some scanners attempt to exploit vulnerabilities, with or without credentials, which can result in system or service crashes. Check with your outsourcer to determine the right level of invasiveness to keep system outages to a minimum.
It's important to consider the general readability of the information gathered by the outsourcer. Having a lot of wonderful data stored at the outsourcing partner won't help much if you can't access it and understand it easily. Is the dashboard data shown in near real time, or is there a delay? Some VM outsourcers provide dashboards that give the customer the same visibility into the current state of the network that the outsourcer's security operations center engineers have. Also, can the information be accessed securely, with appropriate authentication and protection in transit, and can it be exported to other systems and consoles, such as a SIEM or other event correlation tool?
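The export question above is where many outsourcing arrangements get stuck in practice: the outsourcer's portal holds the findings, but the customer's SIEM speaks a different format. The following Python script is an added example, not code from the article or from any vendor. It takes a constructed findings export (the JSON field names are an assumption, not a real scanner's schema), refuses to pull from an endpoint that is not served over HTTPS, and renders each finding as a CEF (Common Event Format) line that a SIEM can ingest, carrying the scanner location and whether the check was credentialed so that internal-only and credentialed findings can be distinguished downstream. Vendor and product names in the header are placeholders.

```python
"""Added example: turn an outsourced scanner's findings export into CEF lines
for a SIEM, and insist on a protected (HTTPS) export endpoint."""
import json
from urllib.parse import urlparse

# Constructed sample export for this example; the field names are an
# assumption, not any particular vendor's export schema.
SAMPLE_EXPORT = json.dumps({
    "scan_id": "scan-0001",
    "scanner_location": "internal",
    "findings": [
        {"host": "10.0.5.12", "port": 445, "protocol": "tcp",
         "check_id": "10001", "title": "SMB signing not required",
         "severity": "medium", "credentialed": False},
        {"host": "10.0.5.20", "port": 0, "protocol": "tcp",
         "check_id": "10002", "title": "Missing OS patch | KB placeholder",
         "severity": "high", "credentialed": True},
    ],
})

# CEF severity is an integer 0-10; map the scanner's textual rating onto it.
SEVERITY_TO_CEF = {"low": 3, "medium": 5, "high": 8, "critical": 10}


def endpoint_is_protected(url: str) -> bool:
    """True only for an https URL that names a host. The export pull should
    refuse anything else so findings and API credentials never cross the
    wire in cleartext. (The URL used by callers is a placeholder.)"""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def _escape_header(value) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value) -> str:
    # CEF extension values: backslash and equals must be escaped; newlines flattened.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "").replace("\n", "\\n"))


def finding_to_cef(finding: dict, scanner_location: str,
                   vendor: str = "ExampleVMOutsourcer",
                   product: str = "VulnScanner", version: str = "1.0") -> str:
    """Render one finding as a CEF:0 line (vendor/product are placeholders)."""
    sev = SEVERITY_TO_CEF.get(finding["severity"].lower(), 0)
    header = "|".join([
        "CEF:0", _escape_header(vendor), _escape_header(product),
        _escape_header(version), _escape_header(finding["check_id"]),
        _escape_header(finding["title"]), str(sev),
    ])
    # Standard CEF extension keys where one exists; scanner-specific facts go
    # in the custom string fields cs1/cs2 with their labels.
    ext = {
        "dst": finding["host"],
        "dpt": finding["port"],
        "proto": finding["protocol"],
        "cs1Label": "scannerLocation", "cs1": scanner_location,
        "cs2Label": "credentialed", "cs2": str(finding["credentialed"]).lower(),
    }
    extension = " ".join(f"{k}={_escape_extension(v)}" for k, v in ext.items())
    return header + "|" + extension


def export_to_cef(export_json: str) -> list:
    """Convert a whole export document into a list of CEF lines."""
    data = json.loads(export_json)
    location = data.get("scanner_location", "unknown")
    return [finding_to_cef(f, location) for f in data["findings"]]


if __name__ == "__main__":
    # Placeholder endpoint; a real pull would fetch SAMPLE_EXPORT from here.
    url = "https://portal.example-outsourcer.invalid/api/export"
    if not endpoint_is_protected(url):
        raise SystemExit("refusing to pull findings over an unprotected endpoint")
    for line in export_to_cef(SAMPLE_EXPORT):
        print(line)
```

The `cs1`/`cs2` fields are what make the exported data useful for correlation: a SIEM rule can treat a high-severity finding seen only by the internal scanner differently from one the external scanner also reports, and can weight credentialed findings (which, as the article notes, come from a logged-in view of the host) as confirmed rather than inferred.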
This was first published in August 2006