Aerial view: Vulnerability management


Diana Kelley and Ed Moyle
04.10.2006


Vulnerability management tools provide a realistic picture of the enterprise, where vulnerabilities are viewed in the context of the IT landscape.

Imagine jumping from a plane. Your view from the air is quite different from your view on the ground, and your perception of your surroundings keeps changing as you parachute down. That's because perception is subjective, individual and often fluctuates as new factors arise. The same notion is true when it comes to securing enterprise networks.

By bringing perceptions of the network in line with reality, security practitioners can reduce the likelihood of mistakes. That's where vulnerability management (VM) comes in. Vulnerability management is an effective way for enterprises to understand their networks -- without any preconceived notions.

Case in point: If the perception is that the patch process covers all critical systems, yet the reality is that the corporate e-mail server farm is unpatched, there's a good chance of serious trouble when the next big worm comes around.

Combining the four essential functions of VM -- asset identification, correlation, validation and remediation -- VM solutions provide a big-picture view of vulnerabilities and of their potential impact on your network.

No single VM solution is a silver bullet. You'll need to assess your enterprise readiness and determine how VM will be used within your organization. Once that evaluation is complete and you're ready to take the plunge, here's what to look for -- and what to avoid -- when it comes to VM tools.

Asset identification

You can't manage what you don't know. Chances are good there are devices on your network that are unmanaged, unmaintained and untracked. These could be machines in quality assurance or development labs, nomadic home machines, machines deliberately hidden behind a NAT device, vendor-maintained devices, or any other rogue or unexpected device. This is where asset identification tools help. They scan the network and report details about all the devices they find -- both the expected and the unexpected. These scanning tools can be either host-based, running as an agent, or network-based, using an array of sensors. Network-based tools can attempt to identify a device without logging in to it (an uncredentialed scan), either through general reconnaissance techniques (e.g., OS fingerprinting, banner enumeration) or by launching "lite," non-destructive versions of known exploits that check whether a vulnerability is present without actually compromising the machine.

Because vulnerabilities can occur in any of the software installed on a device, the more granular the information about that device that can be obtained, the better. Specifics on the OS version, patch level, installed applications, configuration settings and assigned roles are all useful data to collect.

Be mindful of the network landscape when placing sensors or scanning equipment. Note the location of switches, routers and firewalls to make sure there aren't any dead zones. And don't forget about unusual network-aware devices such as fax machines and printers.
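The following is an added example, not code from the original article or from any VM product: it classifies hosts from uncredentialed banner grabs and then reconciles the sweep against the asset inventory, so that the unexpected devices (and the inventoried devices the scanner never saw, a sign of a dead zone) stand out. The banners, addresses, inventory and fingerprint rules are all constructed sample data.

```python
# Added example (not from the original article): classify hosts from
# uncredentialed banner grabs and reconcile the sweep against the asset
# inventory. Banners, addresses and fingerprint rules are constructed sample
# data, not output of any real scanner.
import re
from dataclasses import dataclass, field

# Fingerprint rules (constructed): regex over a captured banner -> (OS family, product).
# The first capture group, when present, is the product version.
BANNER_RULES = [
    (re.compile(r"Microsoft ESMTP MAIL Service"), ("Windows", "Exchange SMTP")),
    (re.compile(r"^SSH-2\.0-OpenSSH_(\S+)"), ("Unix-like", "OpenSSH")),
    (re.compile(r"^Server: Microsoft-IIS/(\S+)"), ("Windows", "IIS")),
    (re.compile(r"^Server: Apache/(\S+)"), ("Unix-like", "Apache")),
    (re.compile(r"^@PJL INFO ID"), ("Printer firmware", "PJL print service")),
]

@dataclass
class Discovered:
    ip: str
    banners: dict                                  # port -> banner text, grabbed without logging in
    os_guess: str = "unknown"
    products: dict = field(default_factory=dict)   # port -> "product version"

def fingerprint(dev):
    """Uncredentialed classification: apply the banner rules to each open port."""
    for port, banner in dev.banners.items():
        for rule, (os_family, product) in BANNER_RULES:
            m = rule.search(banner)
            if m:
                version = m.group(1) if m.groups() else ""
                dev.products[port] = (product + " " + version).strip()
                if dev.os_guess == "unknown":
                    dev.os_guess = os_family
                break
    return dev

def reconcile(discovered, inventory):
    """Expected = in both; rogue = seen but not inventoried; missing = inventoried
    but not seen (decommissioned, powered off, or sitting in a scanner dead zone)."""
    seen = {d.ip: fingerprint(d) for d in discovered}
    expected = {ip: seen[ip] for ip in inventory if ip in seen}
    rogue = {ip: d for ip, d in seen.items() if ip not in inventory}
    missing = sorted(ip for ip in inventory if ip not in seen)
    return expected, rogue, missing

# Constructed sweep results and inventory (hostnames and addresses are made up).
SWEEP = [
    Discovered("10.0.1.10", {25: "220 mail1.example.test Microsoft ESMTP MAIL Service ready"}),
    Discovered("10.0.1.20", {22: "SSH-2.0-OpenSSH_4.3", 80: "Server: Apache/2.0.55"}),
    Discovered("10.0.2.77", {9100: '@PJL INFO ID\r\n"LaserJet"'}),   # printer nobody listed
    Discovered("10.0.3.5", {22: "SSH-2.0-OpenSSH_3.9"}),             # lab box nobody listed
]
INVENTORY = {"10.0.1.10": "mail1", "10.0.1.20": "www1", "10.0.1.30": "db1"}

def reconcile_sample():
    """Run the sweep above against the inventory and return a plain summary."""
    expected, rogue, missing = reconcile(SWEEP, INVENTORY)
    return {
        "expected": {ip: (d.os_guess, d.products) for ip, d in expected.items()},
        "rogue": {ip: (d.os_guess, d.products) for ip, d in rogue.items()},
        "missing": missing,
    }

if __name__ == "__main__":
    for section, hosts in reconcile_sample().items():
        print(section, hosts)
```

The "missing" list is the part most teams forget to look at: an inventoried server the scanner could not reach is either gone or behind a firewall or router the sensors do not cover, and the second case is exactly the dead zone the paragraph above warns about.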

Correlation

Now comes the tricky stuff: understanding the relationship and connection points between the devices you find. Without this understanding, you simply have a laundry list of gadgets. But knowing how they work together can give valuable insight: for example, during an incident response exercise, this type of data can help explain how a worm is propagating, which machines are spreading it, and how it gained entry in the first place.

This is where correlation is key. By aggregating data from a variety of sources, including application logs, system logs, SNMP traps and alerts, correlation tools help administrators track relationships between devices on the network. Because each source has its own format, the records are first parsed and normalized into a standard schema (common timestamps, host identifiers and event fields) so that they can be compared. From there, correlation rules are applied to identify relationships and causality, providing a more intelligent view of the network's exposure.

A word of advice, though: Keep information about devices current, organized and centralized. A SIM/SEM tool for centralized information or alert management is a good choice for providing this functionality. These tools streamline the collection, storing and indexing of data from various network hosts such as host monitoring tools, log aggregation tools, time synchronization tools, IDS/IPS reports and policy/configuration repositories.
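The following is an added example, not code from the original article or from any SIM/SEM product: it normalizes two differently formatted sources (firewall accept/drop records and IDS alerts) into one event schema, then applies a single correlation rule that reconstructs the worm scenario from the previous section, namely which hosts are spreading, who infected whom and where the worm got in. The log formats, addresses and the scan threshold are constructed assumptions.

```python
# Added example (not from the original article): normalize firewall and IDS
# records into one schema, then apply a correlation rule that rebuilds a worm's
# propagation chain. Log formats, hosts and thresholds are constructed.
import re
from collections import defaultdict
from datetime import datetime

# Constructed source formats: an iptables-style firewall line and a simple IDS alert line.
FW_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>ACCEPT|DROP) .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*DPT=(?P<dport>\d+)")
IDS_RE = re.compile(
    r'^\S+ (?P<ts>\S+) alert "(?P<sig>[^"]+)" src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)')

def normalize(line, year=2006):
    """Parse one raw line into the common schema; None if unknown or never delivered."""
    m = FW_RE.match(line)
    if m:
        if m["action"] != "ACCEPT":          # a dropped packet never reached the host
            return None
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
        return {"ts": ts, "source": "firewall", "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    m = IDS_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "source": "ids",
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    return None

def correlate(events, port=445, fanout=3):
    """Rule: a host that connects to >= `fanout` distinct hosts on `port` is scanning;
    a scanner that earlier accepted a connection on `port` from another scanner was
    infected by it; a scanner with no such inbound connection is the entry point."""
    events = sorted((e for e in events if e and e["dport"] == port), key=lambda e: e["ts"])
    first_out, scan_start, targets = {}, {}, defaultdict(set)
    for e in events:
        first_out.setdefault(e["src"], e["ts"])
        targets[e["src"]].add(e["dst"])
        if len(targets[e["src"]]) >= fanout and e["src"] not in scan_start:
            scan_start[e["src"]] = e["ts"]
    edges, entry = [], []
    for victim, started in scan_start.items():
        infected_by = None
        for e in events:                     # time-ordered, so the first hit is the earliest
            a = e["src"]
            if e["dst"] == victim and a in scan_start and a != victim \
                    and first_out[a] <= e["ts"] <= started:
                infected_by = a
                break
        if infected_by:
            edges.append((infected_by, victim))
        else:
            entry.append(victim)
    return {"scanners": sorted(scan_start), "edges": edges, "entry": sorted(entry)}

# Constructed sample: 10.0.3.5 (a lab box) sweeps the server subnet on 445, hits
# 10.0.1.20, which then starts sweeping on its own. One DROP and one port-80
# request are included as noise the rule must ignore.
SAMPLE_LOGS = [
    "Apr 10 09:05:00 fw1 kernel: DROP IN=eth0 OUT=eth1 SRC=10.0.2.9 DST=10.0.1.20 PROTO=TCP SPT=4411 DPT=445",
    "Apr 10 09:09:30 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.4.4 DST=10.0.1.20 PROTO=TCP SPT=2222 DPT=80",
    "Apr 10 09:10:00 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.3.5 DST=10.0.1.10 PROTO=TCP SPT=1030 DPT=445",
    "Apr 10 09:10:05 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.3.5 DST=10.0.1.20 PROTO=TCP SPT=1031 DPT=445",
    "Apr 10 09:10:09 fw1 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.0.3.5 DST=10.0.1.30 PROTO=TCP SPT=1032 DPT=445",
    'ids1 2006-04-10T09:10:06 alert "SMB worm propagation attempt" src=10.0.3.5 dst=10.0.1.20 dport=445',
    "Apr 10 09:14:00 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.5.11 PROTO=TCP SPT=1040 DPT=445",
    "Apr 10 09:14:02 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.5.12 PROTO=TCP SPT=1041 DPT=445",
    "Apr 10 09:14:04 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.5.13 PROTO=TCP SPT=1042 DPT=445",
]

def trace_sample():
    return correlate([normalize(line) for line in SAMPLE_LOGS])

if __name__ == "__main__":
    print(trace_sample())
```

Two details matter in practice and are handled above: dropped packets are discarded at normalization, because a connection the firewall blocked cannot have infected anything, and both sources are converted to real timestamps before sorting, because a rule about causality is only as good as the time ordering of its inputs (which is why the article lists time synchronization among the feeds a central repository needs).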

Validation

Not every post on Bugtraq is a reason to panic. Eight vulnerabilities, on average, are discovered daily. Trying to respond to each and every newly discovered vulnerability is a waste of time and resources, since only a small fraction of new vulnerabilities will actually apply to a given enterprise. AIX vulnerabilities aren't a concern to an AIX-free enterprise; IIS vulnerabilities aren't a problem if you're an all-Apache/Tomcat shop. Even if the vulnerability is in a deployed application or operating system, it only applies to unpatched machines or machines with a particular service enabled rather than the entire population.

How do you know which vulnerability reports apply to your environment and which do not? Validation. Validation tools confirm which devices in the network are truly vulnerable and distill the vulnerability data into a focused list to help determine which vulnerabilities merit action. Validation compares information about the vulnerability against information about the environment. If the vulnerability matches what the enterprise has deployed, the vulnerability is flagged as requiring administrator attention. If not, the vulnerability is disregarded.
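The following is an added example, not code from the original article or from any VM product: it carries out the validation step described above by matching advisories against an inventory, disregarding advisories for products the enterprise does not run, for hosts already on a fixed version or carrying the fix as a patch, and for hosts where the vulnerable code is installed but the affected service is not listening. The advisory labels (ADV-1 and so on), products, versions, patch names and hosts are all constructed; the version comparison is a plain dotted-numeric compare, not a vendor's patch-supersedence logic.

```python
# Added example (not from the original article): validate advisories against an
# inventory so that only hosts that are really exposed are flagged. Advisories,
# hosts, versions and patch names are constructed sample data.
from dataclasses import dataclass
from typing import Optional

def vtuple(v):
    """'2.0.55' -> (2, 0, 55) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    id: str
    product: str
    fixed_in: Optional[str]                 # versions below this are affected; None = no fix yet
    service: Optional[str] = None           # exploitable only if this service is listening
    fixed_by_patch: Optional[str] = None    # out-of-band patch that also closes it

@dataclass
class Host:
    name: str
    os: str
    software: dict   # product -> installed version (from a credentialed scan or agent)
    services: set    # services actually listening
    patches: set     # patch identifiers applied

def applies(adv, host):
    """Return a reason string if the host is really vulnerable, else None."""
    version = host.software.get(adv.product)
    if version is None:
        return None                                    # product not deployed here
    if adv.fixed_in and vtuple(version) >= vtuple(adv.fixed_in):
        return None                                    # already on a fixed version
    if adv.fixed_by_patch and adv.fixed_by_patch in host.patches:
        return None                                    # fix applied as a patch
    if adv.service and adv.service not in host.services:
        return None                                    # vulnerable code present but not reachable
    fix = f"fixed in {adv.fixed_in}" if adv.fixed_in else "no fixed version yet"
    return f"{adv.product} {version} ({fix}; {adv.service or 'local'} exposure)"

def validate(advisories, hosts):
    """Split advisories into those needing administrator attention and those to disregard."""
    flagged, disregarded = {}, []
    for adv in advisories:
        hits = []
        for h in hosts:
            reason = applies(adv, h)
            if reason:
                hits.append((h.name, reason))
        if hits:
            flagged[adv.id] = hits
        else:
            disregarded.append(adv.id)
    return flagged, disregarded

# Constructed advisories and inventory.
ADVISORIES = [
    Advisory("ADV-1", "IIS", fixed_in="6.0", service="http"),
    Advisory("ADV-2", "OpenSSH", fixed_in="4.3", service="ssh"),
    Advisory("ADV-3", "AIX", fixed_in="5.3"),
    Advisory("ADV-4", "Apache httpd", fixed_in="2.0.58", service="http", fixed_by_patch="HOTFIX-APACHE-A"),
]
HOSTS = [
    Host("mail1", "Windows", {"IIS": "5.0", "Exchange": "6.5"}, {"smtp"}, set()),      # IIS installed, not listening
    Host("intra1", "Windows", {"IIS": "5.0"}, {"http"}, set()),
    Host("www1", "Linux", {"Apache httpd": "2.0.55", "OpenSSH": "4.3"}, {"http", "ssh"}, {"HOTFIX-APACHE-A"}),
    Host("www2", "Linux", {"Apache httpd": "2.0.55", "OpenSSH": "4.3"}, {"http", "ssh"}, set()),
    Host("lab1", "Linux", {"OpenSSH": "3.9"}, {"ssh"}, set()),
]

def validate_sample():
    flagged, disregarded = validate(ADVISORIES, HOSTS)
    return {k: [name for name, _ in v] for k, v in flagged.items()}, disregarded

if __name__ == "__main__":
    print(validate_sample())
```

In the sample, ADV-3 is disregarded because no host runs AIX, mail1 is not flagged for ADV-1 because its IIS instance is not listening, and www1 is not flagged for ADV-4 because the hotfix is recorded as applied. That last case is also the weak spot of any validator: it is only as trustworthy as the patch and service data collected in the asset identification step, so an inventory built solely from uncredentialed scans will produce false positives here.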

Remediation

The next step is taking remedial action to keep vulnerable machines safe from threats. Specific steps vary from vulnerability to vulnerability, but remediation typically includes applying patches, changing application or device-configuration settings, and applying filtering techniques such as firewalls, VLANs or other segmentation to restrict traffic to the machine until it can be fixed. When using remediation tools, think carefully about the level of automation that is appropriate. For example, do you perform regression testing on critical applications before deploying a potentially conflicting patch? Which patch workflows require buy-in from the teams that currently own the process? And what about auditing? A record of every automated action (what was changed, on which host, when and under which rule) is extremely useful when a change breaks an application and has to be traced, and it is also the evidence that a vulnerability was actually closed.

Look before you leap

Ready to buy VM tools? Before you commit, make sure you have your gear and your plan of action in order. Just like a skydiver, enterprises deploying a VM solution don't want to find out halfway down that something doesn't work.

Consider these tips for buying a vulnerability management tool

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy