Choose the best vulnerability assessment tools

This Buyer's Essentials guide helps InfoSec pros assess vulnerability management products by explaining how they work and by highlighting key features corporate buyers should look for so they can evaluate vendor offerings.

Vulnerability management explained

Security vulnerabilities exist in every organization. The sheer volume of operating system, application and infrastructure security alerts announced each day means that there could be dozens of security issues lurking in your environment, awaiting discovery. The reality is your technology environment likely contains more vulnerabilities than your team can correct before the next batch rears its head.

Vulnerability management tools help information security teams stay ahead of the rising tide of security issues in their organizations. They combine state-of-the-art vulnerability detection capabilities with prioritization algorithms that help organizations identify the issues requiring immediate attention, so they can focus efforts on the vulnerabilities most likely to result in a breach.

This Buyer’s Essentials guide provides you with the information you’ll need to make a wise choice when selecting a vulnerability management product for your organization. You’ll learn about the integration of vulnerability management into enterprise security and the must-have features of vulnerability management systems. With the information in this guide, you’ll be well prepared to choose a product that bolsters your information security program.

How vulnerability management tools work

The foundation of a vulnerability management product rests upon the vendor’s vulnerability database. This frequently updated database contains information on every security vulnerability known to the vendor’s security research team. It also contains testing information that enables the scanner to probe network systems for the presence of that vulnerability.

Vulnerability management products typically start by performing a network asset inventory. The product may pull information from Active Directory or an existing asset management system and combine it with the results of a high-level network scan that probes for active IP addresses. Once it has identified the systems residing on the network, it performs a baseline scan of each system to identify the operating system and applications running on that host. The tool then reaches into its vulnerability database, retrieves information on vulnerabilities that might affect the host and begins executing tests against the system to identify possible vulnerabilities.

Once the scan completes, the fun really begins. Security professionals often shake their heads at the initial results of vulnerability scans because they may reveal hundreds or thousands of configuration flaws on their network. The real power of a vulnerability management system rests in its ability to help security teams sort through that morass of information and prioritize the actions that will have the greatest impact on their organization’s security posture. It does this by incorporating information about the severity and impact of the vulnerability, the priority of the system and any compliance issues that may exist in the environment. This prioritization is what transforms a simple vulnerability scanner into a powerful vulnerability management platform.
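A sketch of the prioritization step described above, added here as an illustration and not taken from the article or from any vendor's product. The weights, field names and sample findings are assumptions constructed for the example; it shows how the finding with the highest raw severity can end up last once system priority, compliance scope and exposure are factored in.

```python
from dataclasses import dataclass

# Assumed weights, chosen only for illustration.
ASSET_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}
COMPLIANCE_BOOST = 1.25  # host is in scope for a compliance program
EXPOSURE_BOOST = 1.5     # host is reachable from the internet


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: float       # 0.0-10.0 severity reported by the scanner
    asset_priority: str   # "low" / "medium" / "high" from the asset inventory
    in_compliance_scope: bool
    internet_facing: bool


def risk_score(f: Finding) -> float:
    """Combine scanner severity with business context into one score."""
    if not 0.0 <= f.severity <= 10.0:
        raise ValueError(f"severity out of range for {f.host}: {f.severity}")
    if f.asset_priority not in ASSET_WEIGHT:
        raise ValueError(f"unknown asset priority for {f.host}: {f.asset_priority}")
    score = f.severity * ASSET_WEIGHT[f.asset_priority]
    if f.in_compliance_scope:
        score *= COMPLIANCE_BOOST
    if f.internet_facing:
        score *= EXPOSURE_BOOST
    return round(score, 2)


def prioritize(findings):
    """Highest score first; host and title break ties deterministically."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.title))


# Constructed sample findings (hypothetical hosts, not real scan output).
SAMPLE_FINDINGS = [
    Finding("test-box-03", "Remote code execution in web framework", 9.8, "low", False, False),
    Finding("pay-gw-01", "Outdated TLS configuration", 6.5, "high", True, True),
    Finding("hr-db-02", "Missing OS security patch", 7.5, "high", False, False),
    Finding("intranet-wiki", "Default admin credentials", 8.0, "medium", False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.host:<14} {f.title}")
```
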

Vulnerability management product features

The market for vulnerability management tools is a mature space with many quality products available to assist security professionals with identification and remediation tasks. As you evaluate systems for your environment, you should begin by casting a broad net and then identify several different products to evaluate in a live environment. There’s really no substitute for hands-on experience with a product as you walk through your selection.

One of the most important criteria during your evaluation should be the user experience with the product. This is particularly true if you plan to extend access beyond the information security team to systems engineers who may not be well versed in the use of security products. If they find the product difficult to navigate or the results difficult to interpret, you’ll be fighting an uphill battle as you seek to adopt it in your enterprise.

Other important features of vulnerability management tools that you may wish to consider as you evaluate a solution include:

  • Quality and Speed of Updates. How often does the vendor release new vulnerability updates? Do they accurately detect vulnerabilities? One way you can facilitate this part of the assessment process is to select a recent, high-profile vulnerability and look at the gap between the time the vulnerability was announced and when the vendor released a signature. How long did it take?
  • Compatibility with Your Environment. Does the product’s signature database include coverage for all of the major applications, operating systems and infrastructure components in your environment?
  • Support for Cloud Services. Does the product include the ability to detect configuration issues in the environments of any tools you use for Infrastructure as a Service, Platform as a Service or Software as a Service?
  • Compliance. Does the product provide support for compliance programs that apply to your environment? If you are subject to PCI DSS, can you use the product to perform required scans and complete self-assessments?
  • Prioritization. What information factors into the product’s prioritization algorithm? Does it include a mix of automated prioritization and manual configuration that allows you to meet your goals in an efficient manner?
  • Active and Passive Detection. Does the product combine traditional active scanning of systems with passive vulnerability detection based upon observation of network traffic?
  • Authenticated and Unauthenticated Scanning. Does the product allow you to install an agent on systems in your environment to perform authenticated scans that lower false positive rates? Is an agent available for your major platforms?
  • Remediation Guidance. What type of remediation guidance does the product provide for identified vulnerabilities? As you look at the product’s reports, do you have enough information to remediate the vulnerability, or will you need to perform additional research?
  • Vendor Support. What support options are available to you as part of your contract? What is the vendor’s promised response time?

Use this feature list as a starting point for your own selection process. You’ll want to develop your own prioritized list of criteria and use it to rank potential products for use in your organization.

The Bottom Line

Vulnerability management tools begin by inventorying the security issues you face and then help you prioritize the results based upon severity, exposure, compliance status and data classification. These tools provide information security professionals with the direction needed to focus their scarce remediation time on the places where their actions will have the greatest impact.

About the author
Mike Chapple, Ph.D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He previously served as site expert on network security, is a technical editor for Information Security magazine and the author of several information security titles, including a CISSP prep guide and Information Security Illuminated.
