Evaluating vulnerability management tools
Vendors typically market their tools as the panacea for everything; vulnerability
management vendors are no exception. Although some products address
multiple areas of the vulnerability management life cycle, others attempt to
bridge the gap between vulnerability management tools in an effort to provide
synergy among products -- for example, integrating patch management
tools with vulnerability scanners. In the end, no one vendor or solution provides
all of the components necessary to support a vulnerability management
Reprinted from Network Security Assessment by Manzuik, Gold and Gatford with permission from Syngress, a division of Elsevier. Copyright 2007.
Prior to deciding upon a tool, you must understand its capabilities as well
as its shortcomings. To aid you in this, consider the following
points when evaluating vulnerability management technologies:
Asset management. Does the technology provide an asset inventory
database? If so, can you extend the database schema to support
additional fields, such as asset classification? If not, can the technology
integrate with other asset management repositories?
Coverage. What's the breadth and platform coverage of the technology?
Many technologies can perform operations against the
Windows family of products, but you'll need technologies that can
operate in a heterogeneous environment and can support a variety of
platforms, applications, and infrastructure devices.
Aggregation of vulnerability data. Does the product interoperate
with other security technologies? Can the product aggregate
data from security technologies such as Internet Security Systems' ISS
Scanner, Microsoft's MBSA, Tenable Network Security's Nessus,
McAfee's Foundstone, eEye's Retina, and Symantec's BindView
bvControl? The ability to aggregate data from multiple and disparate
sources is key.
Third-party vulnerability references. Is the product Common
Vulnerabilities and Exposures (CVE) compliant? Does it identify the
source from which it received its information?
Prioritization. Can the tool prioritize remediation efforts?
Remediation policy enforcement. Does the product provide the
capability to designate the selected remediation at varying enforcement
levels, from mandatory (required) to forbidden (acceptable risk),
via a centralized policy-driven interface?
Remediation group management. Does the tool allow for the
grouping of systems to manage remediation and control access to
Remediation. Can you use the product to address vulnerabilities
induced by a system misconfiguration as well as vulnerabilities represented
by not having the appropriate patch? For example:
■ Patch management, or deploying patches to the operating system
■ Configuration management, or deploying changes to the operating
system or application, such as disabling and removing
accounts (i.e., accounts with no password, no password expiration,
etc.), disabling and removing unnecessary services, and so on
■ The ability to harden services for NetBIOS, anonymous FTP,
hosts.equiv, and so on
Patch management. Does the product include or integrate with
existing patch management tools?
Distributed patch repository. Does the product provide the capability
to load balance and distribute the bandwidth associated for
patch distribution to repositories installed in various strategic
Patch uninstallation support. Can the tool report whether a
patch was unsuccessful and whether it needs to be reapplied?
Workflow. Does the product have a workflow system that allows
you to assign and track issues? Can it auto-assign tickets based on
rule sets defined (i.e., vulnerability, owner, asset classification, etc.)?
Can it interface with common corporate workflow products such as
BMC Software's Remedy and the Hewlett-Packard HP Service
Usability. Can the tool participate in network services with minimal
impact on business operations? Is the user interface intuitive?
Reporting. Does the tool provide reports to determine remediation
success rates? Can you use the tool for trending remediation efforts?
Is the reporting detailed and customizable?
Appliances. Is the tool software based or appliance based?
Appliances often offer performance and reliability advantages.
However, software solutions are more affordable and may be able to
run on existing hardware, helping to reduce upfront capital expenditures.
Agents. Does the application require agents? Is the application
capable of leveraging existing agents on the system? If agents are necessary,
can you deploy agents to groups of assets simultaneously, to
facilitate ease of deployment? Agents generally provide more information
on a particular system, but also increase the system's complexity.
An ideal application would allow for the collection of system
information with or without the use of agents.
Configuration standards. Does the technology possess predefined
security configuration templates that you can use to assess the system?
Some products have defined operating system standards and are able
to perform reporting based on defined templates to support some
regulatory requirements (e.g., Sarbanes-Oxley, HIPAA, and the
ISO/IEC 27000 series).
Vulnerability research. Does the vendor have its own vulnerability
research team? Does the vendor actively participate in the security
community through the identification and release of security vulnerabilities?
Does the vendor practice responsible disclosure? Does the
vendor release checks for vulnerabilities it has discovered prior to the
OEM remediating the vulnerability? How has the vendor responded
to vulnerabilities in its own products?
Vulnerability updates. How frequently does the vendor release
updates? How are the updates distributed? Does the distribution
mechanism leverage industry-recognized security communications
Interoperability. Can the application integrate into existing patch
management, configuration management, and/or monitoring tools
Note that not every item in the preceding list applies to every vulnerability
management technology. The list collects the points that are germane to the
set of tools that support a vulnerability management program.
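As an added illustration (not part of the chapter) of what the Aggregation, Third-party vulnerability references, Prioritization and Workflow items above ask a tool to do, the following Python merges duplicate detections from several scanners, records which sources reported each finding and whether it carries a CVE reference, weights severity by asset classification, and auto-assigns tickets to owners from an asset inventory. The scanner names, hosts, identifiers and weights are all constructed placeholders.

```python
from collections import defaultdict

# Constructed findings from three hypothetical scanner exports, reduced to
# the fields the checklist cares about. Identifiers are placeholders.
RAW_FINDINGS = [
    {"tool": "scanner_a", "host": "10.0.0.5", "id": "CVE-0000-1111", "severity": 9.0},
    {"tool": "scanner_b", "host": "10.0.0.5", "id": "CVE-0000-1111", "severity": 8.5},
    {"tool": "scanner_b", "host": "10.0.0.7", "id": "CVE-0000-2222", "severity": 5.0},
    {"tool": "scanner_c", "host": "10.0.0.7", "id": "VENDOR-12345", "severity": 7.0},
]

# Constructed asset inventory: classification drives priority, owner drives ticketing.
ASSETS = {
    "10.0.0.5": {"classification": "critical", "owner": "dba-team"},
    "10.0.0.7": {"classification": "internal", "owner": "web-team"},
}
CLASS_WEIGHT = {"critical": 2.0, "internal": 1.0, "lab": 0.5}


def aggregate(findings):
    """Merge detections of the same (host, id) and keep every reporting source."""
    merged = {}
    for f in findings:
        key = (f["host"], f["id"])
        entry = merged.setdefault(key, {"host": f["host"], "id": f["id"],
                                        "sources": [], "severity": 0.0,
                                        "cve_compliant": f["id"].startswith("CVE-")})
        if f["tool"] not in entry["sources"]:
            entry["sources"].append(f["tool"])
        # Disagreeing scanners: keep the highest reported severity.
        entry["severity"] = max(entry["severity"], f["severity"])
    return list(merged.values())


def prioritize(entries, assets):
    """Weight severity by asset classification; unknown hosts count as 'lab'."""
    for e in entries:
        cls = assets.get(e["host"], {}).get("classification", "lab")
        e["priority"] = round(e["severity"] * CLASS_WEIGHT[cls], 1)
    return sorted(entries, key=lambda e: e["priority"], reverse=True)


def assign_tickets(entries, assets):
    """Rule set: owner comes from the inventory; unmapped hosts go to triage."""
    tickets = defaultdict(list)
    for e in entries:
        tickets[assets.get(e["host"], {}).get("owner", "triage")].append(e["id"])
    return dict(tickets)
```

Findings without a CVE reference (cve_compliant False) are exactly the ones where the "identify the source" question matters, since only the reporting tool can explain them.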
This was first published in December 2007