Evaluating vulnerability management tools

When it comes to vulnerability assessments, you must make sure that you are using the right management tool. Learn how to evaluate and select the right tool, depending on your customer's needs.

Vendors typically market their tools as the panacea for everything; vulnerability management vendors are no exception. Although some products address multiple areas of the vulnerability management life cycle, others attempt to bridge the gap between vulnerability management tools in an effort to provide synergy among products -- for example, integrating patch management tools with vulnerability scanners. In the end, no one vendor or solution provides all of the components necessary to support a vulnerability management program.

Reprinted from Network Security Assessment by Manzuik, Gold and Gatford with permission from Syngress, a division of Elsevier. Copyright 2007.

Prior to deciding upon a tool, you must understand its capabilities as well as its shortcomings. To aid you in this, consider the following points when evaluating vulnerability management technologies:

  • Asset management. Does the technology provide an asset inventory database? If so, can you extend the database schema to support additional fields, such as asset classification? If not, can the technology integrate with other asset management repositories?
  • Coverage. What's the breadth and platform coverage of the technology? Many technologies can perform operations against the Windows family of products, but you'll need technologies that can operate in a heterogeneous environment and can support a variety of platforms, applications, and infrastructure devices.
  • Aggregation of vulnerability data. Does the product interoperate with other security technologies? Can the product aggregate data from security technologies such as Internet Security Systems' IIS Scanner, Microsoft's MBSA, Tenable Network Security's Nessus, McAfee's Foundstone, eEye's Retina, and Symantec's BindView bvControl? The ability to aggregate data from multiple and disparate sources is key.
  • Third-party vulnerability references. Is the product Common Vulnerabilities and Exposures (CVE) compliant? Does it identify the source from which it received its information?
  • Prioritization. Can the tool prioritize remediation efforts?
  • Remediation policy enforcement. Does the product provide the capability to designate the selected remediation at varying enforcement levels, from mandatory (required) to forbidden (acceptable risk), via a centralized policy-driven interface?
  • Remediation group management. Does the tool allow for the grouping of systems to manage remediation and control access to devices?
  • Remediation. Can you use the product to address vulnerabilities induced by a system misconfiguration as well as vulnerabilities represented by not having the appropriate patch? For example:
          ■ Patch management, or deploying patches to the operating system or applications
          ■ Configuration management, or deploying changes to the operating system or application, such as disabling and removing accounts (i.e., accounts with no password, no password expiration, etc.), disabling and removing unnecessary services, and so on
          ■ The ability to harden services for NetBIOS, anonymous FTP, hosts.equiv, and so on
  • Patch management. Does the product include or integrate with existing patch management tools?
  • Distributed patch repository. Does the product provide the capability to load balance and distribute the bandwidth associated with patch distribution to repositories installed in various strategic locations?
  • Patch uninstallation support. Can the tool report whether a patch was unsuccessful and whether it needs to be reapplied?
  • Workflow. Does the product have a workflow system that allows you to assign and track issues? Can it auto-assign tickets based on rule sets defined (i.e., vulnerability, owner, asset classification, etc.)? Can it interface with common corporate workflow products such as BMC Software's Remedy and the Hewlett-Packard HP Service Desk?
  • Usability. Can the tool participate in network services with minimal impact to business operations? Is the user interface intuitive?
  • Reporting. Does the tool provide reports to determine remediation success rates? Can you use the tool for trending remediation efforts? Is the reporting detailed and customizable?
  • Appliances. Is the tool software based or appliance based? Appliances often offer performance and reliability advantages. However, software solutions are more affordable and may be able to run on existing hardware, helping to reduce upfront capital expenditures.
  • Agents. Does the application require agents? Is the application capable of leveraging existing agents on the system? If agents are necessary, can you deploy agents to groups of assets simultaneously, to facilitate ease of deployment? Agents generally provide more information on a particular system, but also increase the system's complexity. An ideal application would allow for the collection of system information with or without the use of agents.
  • Configuration standards. Does the technology possess predefined security configuration templates that you can use to assess the system? Some products have defined operating system standards and are able to perform reporting based on defined templates to support some regulatory requirements (e.g., Sarbanes-Oxley, HIPAA, and the ISO/IEC 27000 series).
  • Vulnerability research. Does the vendor have its own vulnerability research team? Does the vendor actively participate in the security community through the identification and release of security vulnerabilities? Does the vendor practice responsible disclosure? Does the vendor release checks for vulnerabilities it has discovered prior to the OEM remediating the vulnerability? How has the vendor responded to vulnerabilities in its own products?
  • Vulnerability updates. How frequently does the vendor release updates? How are the updates distributed? Does the distribution mechanism leverage industry-recognized security communications protocols?
  • Interoperability. Can the application integrate into existing patch management, configuration management, and/or monitoring tools and services?

Note that the items in the preceding list aren't applicable to all vulnerability technologies. We presented a germane list of points that apply to the collection of tools which support a vulnerability management program.
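Several of the points above (aggregation of vulnerability data, CVE references, prioritization against an asset inventory, and reporting on remediation success rates) are easier to judge when you see why they depend on each other. The following Python example is added here and is not from the book or from any of the products named above: it merges two constructed scanner exports (one JSON, one CSV, with field names that are assumptions for this example), correlates them on CVE identifiers, ranks the result by severity and an assumed asset classification, and computes a remediation rate between two scan snapshots. A finding without a CVE reference cannot be correlated across tools, which is the practical reason the CVE-compliance question matters.

```python
import csv
import io
import json

# Constructed sample exports for this example. The field names and formats
# are assumptions; real scanners use their own schemas.
SCANNER_A_JSON = json.dumps([
    {"host": "10.0.0.5", "cve": "CVE-2006-0001", "cvss": 9.3},
    {"host": "10.0.0.5", "cve": "CVE-2006-0002", "cvss": 4.0},
    {"host": "10.0.0.9", "cve": "CVE-2006-0003", "cvss": 7.5},
])
SCANNER_B_CSV = (
    "host,cve,risk\n"
    "10.0.0.5,CVE-2006-0001,High\n"
    "10.0.0.9,CVE-2006-0004,Medium\n"
    "10.0.0.12,,Low\n"  # no CVE reference: cannot be correlated with scanner A
)

# Assumed asset inventory (see "Asset management"): host -> classification.
ASSET_CLASS = {"10.0.0.5": "critical", "10.0.0.9": "standard", "10.0.0.12": "standard"}
CLASS_WEIGHT = {"critical": 3, "standard": 1}

# Scanner B reports words rather than scores; map them onto the 0-10 scale
# used by scanner A so the two can be compared (mapping is an assumption).
RISK_WORDS = {"Low": 3.0, "Medium": 5.0, "High": 8.0, "Critical": 9.5}


def parse_scanner_a(text):
    """Yield (host, cve, severity 0-10, source) from the JSON export."""
    for rec in json.loads(text):
        yield rec["host"], rec.get("cve") or None, float(rec["cvss"]), "scanner_a"


def parse_scanner_b(text):
    """Yield (host, cve, severity 0-10, source) from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["host"], row["cve"] or None, RISK_WORDS[row["risk"]], "scanner_b"


def aggregate(*finding_iters):
    """Merge findings from several tools, keyed on (host, CVE).

    Keeps the highest severity any tool reported and the set of tools that
    reported it. Findings with no CVE reference are returned separately
    because they cannot be matched against other tools' output.
    """
    merged = {}
    uncorrelated = []
    for findings in finding_iters:
        for host, cve, severity, source in findings:
            if cve is None:
                uncorrelated.append((host, severity, source))
                continue
            entry = merged.setdefault((host, cve), {"severity": 0.0, "sources": set()})
            entry["severity"] = max(entry["severity"], severity)
            entry["sources"].add(source)
    return merged, uncorrelated


def prioritize(merged, asset_class):
    """Rank merged findings by severity multiplied by asset-class weight, highest first."""
    ranked = []
    for (host, cve), entry in merged.items():
        weight = CLASS_WEIGHT.get(asset_class.get(host, "standard"), 1)
        score = round(entry["severity"] * weight, 1)
        ranked.append((score, host, cve, sorted(entry["sources"])))
    return sorted(ranked, reverse=True)


def remediation_rate(before, after):
    """Fraction of (host, CVE) pairs open in `before` that no longer appear in `after`."""
    if not before:
        return 0.0
    fixed = [key for key in before if key not in after]
    return len(fixed) / len(before)


if __name__ == "__main__":
    merged, uncorrelated = aggregate(parse_scanner_a(SCANNER_A_JSON),
                                     parse_scanner_b(SCANNER_B_CSV))
    for score, host, cve, sources in prioritize(merged, ASSET_CLASS):
        print(f"{score:5.1f}  {host:<10} {cve}  reported by {', '.join(sources)}")
    for host, severity, source in uncorrelated:
        print(f"uncorrelated: {host} severity {severity} from {source} (no CVE)")
```

The score is deliberately simple; the point is that prioritization needs both a normalized severity across tools and an asset classification that lives outside the scanner, which is why the asset-management and aggregation questions belong in the same evaluation.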
