This article can also be found in the Premium Editorial Download "Information Security magazine: Security Products Readers' Choice Awards 2007."
In the trenches
VM a sound policy foundation
Vulnerability management tools help your organization build and enforce security policy.
A vulnerability management (VM) strategy offers not only the means to generate a security policy for your enterprise, but the technology to enforce it.
The myriad offerings under the VM umbrella--from scanners and patch-management tools to penetration-testing services and asset-management software--"provide the tools to build and maintain a security program or policy," says Dave Bixler, CISO for Siemens Business Services. In turn, the policy guides how and when such products are used.
Although products that occupy the VM space are becoming increasingly feature-rich, one tidy product addressing all of an organization's VM needs does not exist, in part because security managers don't want to cede control of fixes to automation.
"CISOs have been burned in the past when they put in [an automated solution] that blocked legitimate network traffic," says Khalid Kark, a senior analyst with Forrester Research.
Bixler, who launched an overhaul of his organization's security policy several years ago, says that at the time he not only wanted to keep his hand on remediation, but he wanted easy-to-use reporting to help him plan fixes. "It didn't matter what the tool was, as long as we could understand the reports," he says, noting that Siemens then deployed
While Bixler characterizes the former ISS product as a "fantastic tool for addressing OS-related issues," the organization ultimately moved to products from Qualys, with PatchLink for some remediation. "It was starting to be obvious that the places attackers were attacking weren't necessarily the operating systems," he says. "They were going after Oracle, SQL--all our applications." Furthermore, Qualys' hierarchical permissions model let Bixler delegate responsibility for aspects of VM to different members of his team.
Joe Adams, IT director at Nuclear Fuels Corp., also is a fan of building a VM strategy around a well-delineated policy. NFC's policy dictates how StillSecure's VAM, integrated with Shavlik for patch management, is used.
Judicious application of technology is paramount, Adams says: "We don't treat all of our devices the same. We've got one process for our servers, another for our network backbone technology, and so on." Scans are conducted according to guidelines that determine when they occur, what vulnerabilities are being sought and how remediation should be handled.
These days, given the plethora of products in the VM space, security managers with one eye on the budget must guard against feature redundancy.
"I'm not interested in spending money on a remediation tool when I can remediate some things with my asset-management tool," says Bixler. Expect more products with more bang for the buck as the VM space progresses.
This was first published in April 2007