The business case for vulnerability management tools
Expert Ed Tittel describes business use cases for vulnerability management tools and examines how organizations of all sizes benefit from these products.
IT vulnerabilities can affect any organization of any size, in any industry across the world. The Verizon 2015 Data Breach Investigations Report provides some sobering facts on threats and intrusions, including:
- Twenty-three percent of email recipients open phishing messages and 11% click on attachments.
- Roughly 170 million malware events were recorded across the organizations in the report's data set, which works out to about five malware events every second.
What might pique the interest of managers and senior executives even more is the fact that the average total cost of a data breach, according to IBM's 2015 Cost of Data Breach study, is around $3.79 million. Granted, we're not talking about mom-and-pop businesses, but the monetary losses are staggering all the same.
So which organizations truly need vulnerability management tools, and how can they help them? Here are several use cases for different sized organizations that show the value of vulnerability management tools.
Use case #1: Small businesses
Articles about vulnerability management often refer to roles such as security officer, asset owner and IT engineer. Those roles are rarely found in a small business, but any business with a live Internet connection and staff who send and receive email has enough exposure to warrant some sort of vulnerability management product, one that can be run by the IT generalist who already wears many hats.
Why? Even with a reputable and well-tuned firewall, antivirus software and an intrusion detection system (IDS), small organizations are still at risk. A firewall controls which traffic reaches a system; it does nothing about vulnerable software listening on the ports it permits, and a misconfigured firewall is itself a major vulnerability. Antivirus software catches known viruses, Trojan horses and so on, but cannot reliably identify previously unseen threats. An IDS flags traffic that matches known attack patterns, but it can be evaded by encrypted, obfuscated or novel exploit traffic, and it raises an alert rather than removing the weakness being exploited.
Small organizations often tend to be somewhat lax in imposing and enforcing IT security -- as well as in providing security budget and staffing -- and attackers know that. All of these reasons underscore a strong need for vulnerability management. A solid vulnerability management tool can help a small organization find and eliminate vulnerabilities that place their business systems at risk.
These organizations may opt to use simple scanning services or open source vulnerability scanners. The downside is that small business staff might wind up spending too much time trying to determine which findings are the most severe and which to fix first. A better option is to find an affordable software as a service (SaaS) offering or stand-alone software that runs periodic scans and generates reports that clearly prioritize vulnerabilities.
Use case #2: Midsize organizations
A midsize organization is at risk from the same vulnerabilities as a small one, but it is typically better known, has a well-developed Web presence and a much larger attack surface, and therefore has a higher threat profile. That leaves a midsize organization more exposed both to targeted attacks, such as an advanced persistent threat, and to opportunistic attacks that scan indiscriminately for one specific vulnerability, as the Code Red and Sasser worms did.
While senior management in many midsize organizations may feel confident that their IT staff can handle nearly any security issue that comes their way, that's not always the case. It's more likely that staff members are too busy or do not have the skills and necessary experience to maintain a far-reaching security strategy, and they react to problems rather than proactively managing layered security.
Another concern is that a midsize organization may have more resources to throw at security than a small business, but the pressure to "look like a bigger company" can translate into an urgent requirement to grow quickly. This common situation creates challenges beyond staff members' experience and capabilities: a company suddenly busy managing new operations and interests can easily lose sight of essential security planning and practices.
Cloud services that offer data storage, server infrastructure and even entire IT infrastructures as a service are increasingly popular with the midsize organization that is growing or simply cannot afford to maintain everything itself. However, unless security is explicitly covered by a managed services agreement, the subscribing organization remains responsible for protecting its data and for the secure configuration of the systems that now reside off premises, which adds a new wrinkle to maintaining security.
Also consider that the effort and cost of IT staff identifying and recovering from an exploited vulnerability or a security breach can easily exceed the cost of implementing a vulnerability management tool in the first place.
Use case #3: Enterprise organizations
Enterprise organizations have always been and will always be key targets of attackers. They also have huge attack surfaces with thousands of network nodes spread across campuses and remote business locations.
Given that a typical vulnerability assessment scan in a high-node environment can yield thousands to millions of findings, from low to high criticality, it's easy to see why an enterprise needs a comprehensive vulnerability management tool. The tool does not fix vulnerabilities by itself, but it automates scan scheduling and configuration, tracks each finding through to remediation, and provides a vehicle for managing the voluminous amount of scan data and reports.
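What "managing the volume" and "clearly prioritizing" actually involve, for the enterprise case above and the small-business case earlier, is the same basic triage: deduplicate the raw findings, score each one by base severity adjusted for how exposed and how exploitable the affected asset is, and report the backlog by severity band. The following is an added example written for this page, not code from the article or from any vulnerability management product. The CSV columns, hostnames, finding identifiers and weighting factors are all assumptions chosen for the illustration, and the sample export is constructed.

```python
"""Risk-based triage of raw scanner findings (added illustration).

Takes a CSV export of the kind most scanners can produce, drops duplicate
findings, scores each one by CVSS base score adjusted for exposure and
exploitability, and summarises the backlog by severity band. Column names,
hosts, finding IDs and multipliers are assumptions made for this example.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample export: seven rows, one of them an exact duplicate, as
# happens when exports from several scan runs are concatenated.
SAMPLE_CSV = """\
host,finding_id,cvss,internet_facing,exploit_public
web-1,outdated-web-framework,9.8,yes,yes
web-1,outdated-web-framework,9.8,yes,yes
web-1,weak-tls-cipher-suites,5.3,yes,no
db-1,default-database-credentials,9.8,no,yes
fileserver-1,smb-signing-not-required,5.9,no,no
hr-laptop-7,outdated-pdf-reader,7.8,no,yes
web-2,missing-http-security-headers,3.1,yes,no
"""


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str        # scanner's own identifier (placeholder values here)
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool  # asset reachable from the Internet
    exploit_public: bool   # scanner's feed reports a public exploit


def parse_findings(text: str) -> list[Finding]:
    """Parse the CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Finding(
            host=r["host"],
            finding_id=r["finding_id"],
            cvss=float(r["cvss"]),
            internet_facing=r["internet_facing"].strip().lower() == "yes",
            exploit_public=r["exploit_public"].strip().lower() == "yes",
        )
        for r in rows
    ]


def dedupe(findings: list[Finding]) -> list[Finding]:
    """Keep one record per (host, finding_id), preserving first-seen order."""
    seen = set()
    unique = []
    for f in findings:
        key = (f.host, f.finding_id)
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def severity_band(cvss: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if cvss == 0.0:
        return "none"
    if cvss < 4.0:
        return "low"
    if cvss < 7.0:
        return "medium"
    if cvss < 9.0:
        return "high"
    return "critical"


def risk_score(f: Finding) -> float:
    """Base score weighted by context. The multipliers are assumptions:
    an Internet-facing asset doubles the score, a public exploit adds 50%."""
    score = f.cvss
    if f.internet_facing:
        score *= 2.0
    if f.exploit_public:
        score *= 1.5
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Unique findings, highest risk first; ties broken by raw CVSS."""
    return sorted(dedupe(findings),
                  key=lambda f: (risk_score(f), f.cvss), reverse=True)


def summarize(findings: list[Finding]) -> Counter:
    """Count unique findings per severity band for the management report."""
    return Counter(severity_band(f.cvss) for f in dedupe(findings))


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    print("backlog by severity:", dict(summarize(findings)))
    for f in prioritize(findings):
        print(f"{risk_score(f):5.1f}  {severity_band(f.cvss):8}  "
              f"{f.host:13}  {f.finding_id}")
```

The point of the weighting is visible in the output: a 7.8 on a laptop with a public exploit ranks above a 5.3 on an Internet-facing web server, and the duplicate row disappears from both the ranking and the counts. A real tool does the same thing with richer inputs (asset criticality, live exploitation feeds, compensating controls), and the multipliers here are deliberately simple placeholders rather than a recommended scoring model.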
Enterprises, as well as small and midsize organizations, are also subject to regulatory compliance of one sort or another. Regulations such as HIPAA and Gramm-Leach-Bliley require periodic risk assessments, and the PCI DSS standard explicitly requires regular vulnerability scans, so vulnerability assessment is needed to maintain compliance. Even internal security policies and audits require adherence to a risk management plan, which includes vulnerability management as a core process.