With Alan Shimel, chief strategy officer, StillSecure.
Question: What is the state of traditional vulnerability assessment?
Shimel: I'm telling you that vulnerability assessment as we know it is dead. I don't think people are into taking vulnerability scanning, getting a report for what comes out and using it anymore. There are so many vulnerabilities in this world that people are realizing that the whole paradigm of scanning and fixing just doesn't work. It's a non-winnable game. They can never come out ahead or catch up; no matter how much scanning, they never can adjust.
Question: Are vendors adapting to this?
Shimel: The fact of the matter is the vulnerability assessment market has been in flux for a couple of years. Vendors are asking what more they can do besides scanning to give some value and come up with something people will use. The market has evolved. It is moving from vulnerability assessment to vulnerability management. Still, people are realizing that it still is scanning and fixing, scanning and fixing. So now we are seeing the vulnerability assessment market combining with penetration tests and moving to agent-less security configuration management. Rather than just vulnerability [scanning], it tells me what the box should look like from a configuration point of view. This is not only scanning for vulnerabilities but scanning to see if the configuration looks like it should. I'm saying the market is "calling bull" on that as well.
Question: So if that isn't the answer, what is?
Shimel: The market wants action, preemptive action. If the device doesn't meet security quality, it must be quarantined. The market wants testing and fixing automation. That's part of the sexiness of a NAC solution. NAC is more preemptive. It says that if it doesn't meet minimum requirements, we don't want it on the network. People want action. Vulnerability assessment, just as IDS was in its time, is not about action. The information it gives you is actionable, but not action itself. We are moving toward the policy-driven network. What that means is … devices are tested and access control policy is based on the identity of the user and profile of the device. That is how access is determined. Based on policy, we can determine where and when [to allow access]. It could be done on the network level or the host itself. At its very core, the idea is that just scanning and reporting is bad news. It's reengineering the hamster wheels.
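To make the distinction between "actionable information" and "action" concrete, here is an added illustration (not code from StillSecure or from the interview) of the policy-driven check Shimel describes: a device is tested, the result is combined with the user's identity, and the output is an enforceable decision (allow or quarantine) rather than a report. The roles, thresholds and device fields are assumed for the example.

```python
"""NAC-style policy decision: turn a device posture test into an access action.

Added example; the policy thresholds and device attributes are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Device:
    hostname: str
    patch_age_days: int         # days since the OS was last patched
    av_running: bool
    av_sig_age_days: int        # age of antivirus signatures
    open_services: tuple = ()   # listening services seen by the posture test


@dataclass
class User:
    name: str
    role: str                   # "employee" or "contractor" in this example


# Minimum requirements per role (assumed policy, not a vendor default).
POLICY = {
    "employee":   {"max_patch_age": 14, "max_sig_age": 3, "banned": {"telnet"}},
    "contractor": {"max_patch_age": 7,  "max_sig_age": 1, "banned": {"telnet", "smb"}},
}


def posture_findings(dev, policy):
    """Return the checks the device fails; an empty list means compliant."""
    findings = []
    if dev.patch_age_days > policy["max_patch_age"]:
        findings.append(f"patches {dev.patch_age_days}d old (max {policy['max_patch_age']})")
    if not dev.av_running:
        findings.append("antivirus not running")
    elif dev.av_sig_age_days > policy["max_sig_age"]:
        findings.append(f"AV signatures {dev.av_sig_age_days}d old (max {policy['max_sig_age']})")
    banned = set(dev.open_services) & policy["banned"]
    if banned:
        findings.append("banned services listening: " + ", ".join(sorted(banned)))
    return findings


def access_decision(user, dev):
    """Combine user identity and device profile into one enforceable action."""
    policy = POLICY.get(user.role)
    if policy is None:
        return "deny", [f"no access policy defined for role '{user.role}'"]
    findings = posture_findings(dev, policy)
    if findings:
        # Quarantine (e.g. a remediation VLAN) is the action; findings explain why.
        return "quarantine", findings
    return "allow", []
```

The same posture test yields different actions for different identities, which is the point of basing the decision on both the user and the device profile.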
This 3 Questions originally appeared in a weekly report from IT Business Edge.
This was first published in January 2007