Information Security

Defending the digital infrastructure



Does your vulnerability assessment process need more products?

Rather than constantly looking for the next point product, enterprises should focus on the vulnerability assessment process.

Now that we've taken giant steps to stop viruses in their tracks, detect and prevent intrusions, and thwart DoS attacks, what's next?

Before we speculate about the "next big thing" in infosecurity tools, how about stepping back to recall just why you're buying and installing all these solutions in the first place: to ensure that your company can use IT resources to conduct business and to minimize the impact of people who attack systems. Every resource you devote to minimizing threats and every security widget you buy impacts the bottom line.

Vulnerability and risk management are at the heart of maintaining strong security. Doing it right involves much more than scanning for weaknesses and, as best you can, applying remediation. You need to prioritize threats and corrective actions according to the real risk -- what's the vulnerable asset worth to your company, and what's the likelihood of a successful attack? That kind of analysis is cumbersome and costly.

So, perhaps the most important advance in infosecurity isn't the next point solution, but the growing class of tools that help organizations assess vulnerability and manage risk on an enterprise scale.

Until now, vulnerability assessment has focused on the quality of the data gathered and not necessarily on the analysis. It's critical for scanner products to be on top of the latest vulnerabilities, but VA tools produce tons of data. Analyzing scanner data is overwhelming, whether you use in-house talent or hire one of the big consulting firms. If you outsource, you're likely to wait up to seven weeks before you have a report in hand, at a cost of tens of thousands of dollars. Worse, you haven't begun remediation, and some of the data is already old.

Wouldn't the VA process be much more efficient if you could apply the appropriate business and technical contexts to what you learn from scans? You could automatically prioritize vulnerabilities and remediation according to your specific needs.

By understanding the value of your business assets, you can prioritize threats and vulnerabilities far more effectively to develop remediation plans. This is the big step towards true IT risk management. Vulnerability management tools are beginning to incorporate sophisticated analytics, applying context to complex database models that incorporate not only scanner data, but input from firewalls and IDSes. Companies like Skybox Security, Qualys and Foundstone, for example, offer solutions that apply both technical and business context to vulnerability and threat data.
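The prioritization described above (asset value times likelihood of attack, with technical context from the firewall layered on top of scanner severity) is easy to sketch in code. The following is an added illustration, not code from the article or from any vendor it names; the severity scale, the asset-value table, the exposure weights and the finding identifiers are all constructed assumptions.

```python
"""Risk-based prioritization of vulnerability scanner findings.

Added example, not from the article or from any vendor named in it. It assumes a
simplified model: each scanner finding carries a severity (1.0-10.0), each asset
has a business value (1-5) assigned by its owner, and firewall context records
whether the vulnerable service is reachable from an untrusted network. Risk is
scored as asset value x likelihood, where likelihood blends scanner severity
with network exposure. All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str       # placeholder identifier, not a real advisory number
    severity: float    # 1.0-10.0, as the scanner reports it


# Business context maintained by asset owners (constructed sample).
ASSET_VALUE = {
    "db01": 5,       # customer database: most valuable
    "web01": 4,      # public web server
    "print01": 1,    # print server: little business impact
}

# Technical context derived from firewall rules: (host, port) pairs reachable
# from the Internet. Everything else is assumed internal-only.
INTERNET_REACHABLE = {("web01", 443), ("web01", 80)}

# Internal-only services are assumed less likely to be attacked (constructed weight).
EXPOSURE_WEIGHT = {True: 1.0, False: 0.4}


def likelihood(f: Finding) -> float:
    """Score in [0, 1]: scanner severity scaled by whether the service is exposed."""
    exposed = (f.host, f.port) in INTERNET_REACHABLE
    return (f.severity / 10.0) * EXPOSURE_WEIGHT[exposed]


def risk(f: Finding) -> float:
    """Risk = asset value x likelihood. Assets without an owner-assigned value default to 3."""
    return ASSET_VALUE.get(f.host, 3) * likelihood(f)


def prioritize(findings):
    """Return (score, finding) pairs ordered from highest to lowest risk."""
    scored = [(round(risk(f), 2), f) for f in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed scanner output. Note that the finding with the highest raw severity
# (the print server) ends up last once business and network context are applied.
SAMPLE = [
    Finding("print01", 9100, "VULN-A", 9.8),   # critical severity, low value, internal
    Finding("web01", 443, "VULN-B", 7.5),      # high severity, Internet-facing, valuable
    Finding("db01", 1433, "VULN-C", 6.5),      # medium severity, internal, most valuable
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE):
        print(f"{score:5.2f}  {f.host}:{f.port}  {f.vuln_id}  severity={f.severity}")
```

Sorting by raw scanner severity alone would put the print server first; weighting by asset value and exposure moves the exposed web server and the internal database ahead of it, which is the kind of context-driven reordering the paragraph describes.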

Similarly, context and analysis have been missing on the reactive side of IT vulnerability management -- responding to threats as they are detected and reported. Again, the problem hasn't been a lack of data. Security devices, including firewalls, access control tools, AV scanners and IDSes, detect and block threats, and send alarms and events -- someplace. Real-time event correlation has been elusive because of the disparity in event types, and the sheer volume of data that has to be continuously analyzed. Even with filtering, IT folks are usually overwhelmed with data and can't react quickly.


Help is at hand. Several vendors are producing sophisticated security information management (SIM) tools that can address correlation and data reduction. In addition, management vendors, like Tivoli and Computer Associates, which have focused for years on similar problems in systems and networks, have extended their information management platforms to correlate event data from multiple sources through their Risk Manager and eTrust Vulnerability Manager products, respectively.
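The two jobs the preceding paragraphs assign to SIM tools, normalizing disparate event types and reducing volume through correlation, can be shown in miniature. The following is an added example, not code from the article or from any SIM product it mentions; the two log formats (a firewall "DENY" line and an IDS "ALERT" line), the addresses and the correlation thresholds are constructed assumptions.

```python
"""Normalizing and correlating events from a firewall and an IDS.

Added example, not from the article or from any product it names. It assumes
two constructed log formats, maps both into one common event shape, groups
events by source address within a time window, and reports only the sources
seen by more than one device or above a count threshold. This turns many raw
lines into a few summaries an analyst can act on. All log data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed line formats for the two devices (not real product formats).
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)
IDS_RE = re.compile(
    r'^(?P<ts>\S+) ids ALERT src=(?P<src>\S+) dst=(?P<dst>\S+) sig="(?P<sig>[^"]+)"$'
)


def normalize(line):
    """Map a raw line from either device into one common event dict, or None if unrecognized."""
    for device, rx in (("firewall", FW_RE), ("ids", IDS_RE)):
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["device"] = device
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            return ev
    return None


def correlate(lines, window_s=300, min_events=3):
    """Group normalized events by source address and flag sources that are either
    reported by more than one device or exceed min_events, all within window_s."""
    by_src = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    incidents = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        devices = sorted({e["device"] for e in evs})
        if span <= window_s and (len(devices) > 1 or len(evs) >= min_events):
            incidents.append({
                "src": src,
                "events": len(evs),
                "devices": devices,
                "targets": sorted({e["dst"] for e in evs}),
            })
    return incidents


# Constructed sample: one noisy source seen by both devices, two isolated events,
# and one line from an unrelated system that should be ignored.
RAW_LOGS = [
    "2003-09-01T10:00:01 fw DENY src=203.0.113.5 dst=192.0.2.10 dport=22",
    "2003-09-01T10:00:02 fw DENY src=203.0.113.5 dst=192.0.2.10 dport=23",
    "2003-09-01T10:00:03 fw DENY src=203.0.113.5 dst=192.0.2.10 dport=445",
    '2003-09-01T10:00:09 ids ALERT src=203.0.113.5 dst=192.0.2.11 sig="PORTSCAN"',
    "2003-09-01T10:05:40 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=80",
    '2003-09-01T11:30:00 ids ALERT src=192.0.2.55 dst=192.0.2.12 sig="POLICY_VIOLATION"',
    "this line is from an unrelated system and is ignored",
]

if __name__ == "__main__":
    for inc in correlate(RAW_LOGS):
        print(f"{len(RAW_LOGS)} raw lines -> incident: {inc}")
```

Seven raw lines collapse into a single incident for the one source that both the firewall and the IDS reported, while the isolated firewall deny and the lone IDS alert stay below the reporting threshold. A real SIM adds persistence, asset context and many more parsers, but the normalize-then-group structure is the same.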

There's a real cost/value proposition here. Companies may be able to implement cost-effective vulnerability/risk management internally for the first time. Outsourcing may actually become more affordable. By employing these tools, companies can present service providers with sophisticated vulnerability/risk information, instead of volumes of raw event data. In turn, security outsourcing firms can use these tools to expedite their evaluations and shorten their engagements.

Managing enterprise-wide infosecurity is an overwhelmingly complex job. Surely, then, tools that help you wrestle it down to a manageable size must rate a strong vote as "next best thing."

About the author:
Dennis Szerszen is a principal for Judith Hurwitz Associates, focusing on infosecurity and systems management.

This was last published in September 2003
