
Seven criteria for buying vulnerability management tools

By Ed Tittel

Vulnerability management tools use scanners to discover and identify network-attached computers, firewalls and other devices -- as well as operating systems and applications -- and assess those entities for vulnerabilities. An initial scan establishes a baseline, either for the entire infrastructure in small-scale environments or for target areas, such as network segments, in large-scale environments, and reveals vulnerabilities that must be fixed or patched, or simply tracked, depending on the level of risk they present. Subsequent scans expose new vulnerabilities and may be compared to the baseline to identify previously known low-risk vulnerabilities that have increased in priority.
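The baseline comparison described above is the part of the workflow most often left to the tool's dashboard, but it is simple enough to reproduce and worth understanding. The following Python is an added example, not code from the article or from any vendor's product: it keys findings by (host, CVE), then reports what is new since the baseline, what has been resolved, and what was already known but has been re-rated to a higher severity. The `Finding` record, the `compare_scans` function and the sample scan data are all this example's own constructions; the CVE identifiers are deliberately invalid placeholders.

```python
"""Compare a baseline vulnerability scan against a later scan.

Added example. The record layout, function names and the sample scan
data below are constructed for illustration; they do not correspond to
any scanner's export format or API.
"""
from dataclasses import dataclass

# Simple severity ranking; most tools expose CVSS-derived ratings like these.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str        # asset identifier (IP address or hostname)
    cve: str         # vulnerability identifier (MITRE CVE id)
    severity: str    # low / medium / high / critical
    cvss: float      # CVSS base score the scanner reported


def priority(finding):
    """Sort key: highest severity first, then stable by host and CVE."""
    return (-SEVERITY_RANK[finding.severity], finding.host, finding.cve)


def index_findings(findings):
    """Key findings by (host, cve) so two scans can be matched item by item."""
    return {(f.host, f.cve): f for f in findings}


def compare_scans(baseline, current):
    """Return new, resolved and escalated findings between two scans.

    - new: present in the current scan but not in the baseline
    - resolved: present in the baseline but absent from the current scan
    - escalated: present in both, but the severity rank has increased
      (e.g. a low-risk item merely tracked at baseline is now rated high)
    """
    base = index_findings(baseline)
    cur = index_findings(current)

    new = sorted((cur[k] for k in cur.keys() - base.keys()), key=priority)
    resolved = sorted((base[k] for k in base.keys() - cur.keys()), key=priority)
    escalated = sorted(
        ((base[k], cur[k]) for k in base.keys() & cur.keys()
         if SEVERITY_RANK[cur[k].severity] > SEVERITY_RANK[base[k].severity]),
        key=lambda pair: priority(pair[1]),
    )
    return {"new": new, "resolved": resolved, "escalated": escalated}


# Constructed sample data: hosts and CVE ids are placeholders, not real findings.
BASELINE = [
    Finding("10.0.0.5", "CVE-0000-0001", "low", 3.1),
    Finding("10.0.0.5", "CVE-0000-0002", "high", 7.5),
    Finding("10.0.0.9", "CVE-0000-0003", "medium", 5.0),
]
CURRENT = [
    Finding("10.0.0.5", "CVE-0000-0001", "critical", 9.8),  # re-rated upward
    Finding("10.0.0.9", "CVE-0000-0003", "medium", 5.0),    # unchanged
    Finding("10.0.0.12", "CVE-0000-0004", "high", 8.1),     # newly discovered
]

if __name__ == "__main__":
    delta = compare_scans(BASELINE, CURRENT)
    for label, items in delta.items():
        print(f"{label}: {len(items)}")
        for item in items:
            print("   ", item)
```

Keying on (host, CVE) rather than on the scanner's own finding id is what makes the comparison survive a tool upgrade or a change of scan profile; the escalated list is the one to review first, since those items were consciously deprioritised at baseline and the reason for that decision may no longer hold.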

Vendors offer vulnerability management tools as software-only, a physical or virtual appliance with management software, a cloud-hosted service or some combination of those options. For example, some cloud services may include appliances that are located on different parts of a network in large environments to run internal scans. The type of vulnerability management system organizations ultimately select will depend on many different factors, in addition to its physical or virtual footprint on-site.

Here is an overview of features and value-adds to consider when evaluating vulnerability management products.

Key features

Most vulnerability management tools share a common set of features, such as asset detection and identification, vulnerability detection, descriptions of vulnerabilities, links to information about patches, scripts and other remediation techniques, report generation from templates or custom settings, a central console -- usually Web-based -- and support for a range of operating systems. However, market-leading vulnerability management products perform many of these tasks more thoroughly and comprehensively, including some facilities for automating remediation, and provide easy-to-use dashboards and reports that streamline management for security administrators.

When evaluating vulnerability management tool vendors and their products, determine whether each tool can:

A relatively easy way to test-drive a vulnerability management tool and compare it to others is to sign up for a demo that runs in an environment. All top-rated vendors offer demos of their products, which should be a part of the evaluation process.

Vulnerability signature updates

New vulnerabilities in IT systems and networks are discovered every day. Much like antivirus software, a vulnerability scanner must have current information on vulnerabilities to be effective. Some vendors rely on their own internal security teams and threat intelligence databases to continuously update vulnerability information for customers. Other vendors use only third parties, such as the MITRE Common Vulnerabilities and Exposures database, the Open Source Vulnerability Database and Common Vulnerability Scoring System scores, for vulnerability information, and push new signatures to customers immediately or on a scheduled basis.

When assessing vendors, find out how often vulnerability signatures are updated, the sources from which signatures are derived, and whether newer technologies like cloud infrastructures and mobile are included.

Ease of use

A vulnerability management tool must be easy to deploy and use, reliable, nonintrusive and safe -- that is, it poses few conflicts for an existing IT environment.

A product that is cumbersome to navigate or presents confusing dashboard information won't be used, at least not to its fullest potential. A vulnerability management tool that requires a lot of maintenance also becomes a problem for staff that's often already overburdened. And any product that causes even a moderate performance hit on network resources may quickly be abandoned or underused.

When evaluating vulnerability management tools, address these questions:

Be aware that various vulnerability management products using default settings can produce different results in the same environment. The best way to evaluate these points is to thoroughly test these tools in the organization and pare down the choices when certain solutions fail to perform as well as required.

Support for cloud and mobile

Many organizations today, small and large, are delving into cloud solutions to supplement on-premises IT infrastructures due to ease of administration and predictable costs. Does the organization need a vulnerability management tool that scans cloud services, such as software as a service or infrastructure as a service? Not every vendor provides this functionality, so be sure to find out if the short list of vendors covers cloud environments.

Mobile also affects nearly every organization nowadays, considering the explosion of BYOD, wearables and Internet of Things. Because mobile devices often connect to business networks and are under attack much like servers and workstations, it's important that they are scanned and assessed for vulnerabilities as well. Some vendors integrate mobile device management systems or deploy endpoint agents that enable organizations to identify devices as assets and manage vulnerabilities through the vulnerability management solution.

Enterprise features

Because of the sheer size of enterprise infrastructures, which are often distributed among several locations, an enterprise customer has unique needs as compared to its small to midsize business (SMB) cousins.

Enterprise IT evaluators should have vendors address the following questions when looking at vulnerability management tools:

Enterprises should also run a variety of reports when testing tools for vulnerability management to ensure they can provide relevant information to different staff members, such as senior execs and operations staff.

Pricing and licensing

Software-only vulnerability management tools and appliances -- physical or virtual -- require an upfront investment, and then an annual renewal or licensing fee that includes vulnerability updates and software upgrades. In some cases, it's possible to license an appliance as well.

Software-only products with flat rates start around $1,500 for the initial purchase, with an annual renewal fee of $1,200. Some vendors tier software pricing based on the number of hosts. For example, Tenable Nessus Manager starts at just under $3,000 for 128 hosts or $4,750 for 256 hosts. Preconfigured appliances vary in their upfront costs, starting at under $10,000 and climbing to over $20,000.

A cloud-hosted service is typically sold as an annual subscription that includes unlimited scanning. Cloud pricing is based on the number of users, IP addresses -- either active only or total scanned -- and/or agents deployed on network segments or endpoints.

Support

Part of the initial product evaluations should include a hard review of each vendor's support options. Look for vendors that offer 24/7 support, preferably by phone, and find out if customers can expect an immediate response or if escalated service incurs an additional fee.

Another important aspect is training. More advanced vulnerability management systems require training to get up to speed quickly, and training costs can account for a significant portion of start-up costs. Enterprises should find out if the vendors on their list include training as part of the product or service purchase and the costs involved, if applicable.

Although vulnerability management requirements of SMBs may differ somewhat from large enterprises, all organizations can benefit from a solid product of this type. Businesses should research which vendors offer the features their organization needs and how much they can expect to pay for that particular coverage.

19 Jan 2016
