Keeping customers aware of the latest threats and vulnerabilities is a daunting task. How much time do customers spend thinking about threat and vulnerability management? The results of a recent TechTarget survey of more than 900 security professionals suggest that end users intend to spend more on vulnerability management in 2009. But this data doesn't necessarily match up with what solution providers are seeing in the field.
Approximately 21% of survey respondents indicated they would spend more on defending against viruses, malware and intrusions in 2009. This spending would come before data protection, identity management and application security expenditures.
However, Adam Gray, chief technology officer of Novacoast Inc., a consulting company in Santa Barbara, Calif., has not seen any evidence, anecdotal or otherwise, to support an increased interest in threat and vulnerability management.
"I wish more attention was paid to that, but we're still seeing enterprise accounts that have malicious software problems and we're still seeing attacks on the rise without appropriate controls," he said, adding that patch management is still a struggle for a number of companies.
Customers with patch management problems are perhaps not paying enough attention to the more commoditized threat management issues, according to Gray. "We haven't seen as many companies invest in that, especially as the economy has worsened," Gray said. With 45% of survey respondents saying that they plan on leveraging features in existing hardware or software for patch management, Gray's concerns are no surprise.
This behavior, Gray warned, can quickly damage a company. "Being stagnant in the security world puts you at a worse risk position. If you do nothing at all, you're worse off than you were yesterday." That's because, he noted, threat and vulnerability problems can quickly mount if they aren't resolved, making customer environments dramatically less secure.
Half of the survey respondents cited correlating threats and vulnerabilities as their major vulnerability management challenge.
"Understanding how to correlate is more of an art than a science," said Kent Knudsen, information systems security manager at K2Share LLC, a provider of information technology-based business solutions based in College Station, Texas. He added that correlation is greatly needed, but today's correlation tools are still maturing and expensive.
Knudsen also mentioned that there are open source alternatives for threat correlation, but that the risks outweigh the benefits of using such software.
"Unless you're able to go through the code yourself line by line to make sure [the programmers] haven't put some sort of back door in it, you have to ask if you can trust that software." While not without merit, free and open source correlation tools can have serious security implications if used incorrectly and must be considered extremely carefully.
Another part of the survey asked respondents how their spending on individual technologies would change. Approximately 56% said their antivirus/antiworm spending would remain the same as last year, while 59% said their antispyware investments would also be flat.
This is a problem, according to Knudsen. Citing recent data breaches in the news, he wondered if solution providers would soon need to consider antivirus alternatives.
"The real curiosity point for me," Knudsen said, "is how did [the affected companies] get infected; they had antivirus software and it was malware that took them down." If antivirus cannot pick up on threats that can seriously affect a company's security posture, he continued, then something else may need to be considered.
Knudsen mentioned that whitelisting was one technology he was keeping his eye on as an alternative to antivirus. "It will be something to watch to see if it takes off or if it just muddles along."
Still, regardless of a customer's size or risk posture, it is vital that solution providers communicate the importance of threat and vulnerability management to customers. "I try to first understand what it is they're trying to protect and what value it has," Knudsen said. "If they understand their information and the level to which they need to protect it, it's a simple matter of telling them what it would cost to protect it."