Remote vulnerability scanning: Process, roles and responsibilities

During hard times, it's important to go the extra mile to accommodate anything your customer may need. Rounding out your security offerings can make you invaluable to customers. Consider offering options such as vulnerability scans, pen testing and compliance and software inventory.

Point, click and shoot. Sounds like an advertisement for a new camera, but for security professionals, that's how security products that scan for vulnerabilities fundamentally operate. Vulnerability scans can be targeted at entire networks, subnets, specific machines or even individual users. Automation has further enabled widespread, yet granular, monitoring, and alerts of potential dangers are channeled to email and SMS in real time.

Running vulnerability scans against machines connected to the corporate network has become a fairly straightforward product or service for most VARs and MSPs because of the evolution of those tools. But determining who is responsible for scanning remote workers and branch offices is a murky area.

Remote vulnerability scanning: Who is responsible?

"It depends on the corporation," said Ron Gula, CEO and CTO at Columbia, Md.-based Tenable Network Security Inc., and maker of the Nessus network vulnerability scanner.

In the case of remote workers using corporate-owned computers, Gula said it's the company's responsibility to provide some sort of mechanism, such as an agent, a scan when connecting over the VPN, or a requirement to come to the office for updates. On the other hand, if a remote worker uses his or her own equipment and conducts all interactions through Web-based services, Gula doesn't believe the security falls under corporate jurisdiction.
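Scoping is the practical side of the two points above: a scan can be aimed at a whole network, a subnet or a single host, and only corporate-owned equipment is the company's responsibility. The following is an added example, not code from the article or from any vendor named here. It expands target specifications (CIDR, single host, dashed range) into a de-duplicated host list, drops anything in an exclusion range, and then uses a constructed, hypothetical asset inventory to decide which mechanism applies to each host: a conventional network scan for LAN assets, an agent or VPN-connect scan for remote and branch corporate assets, and no scan at all for employee-owned devices. The inventory, the exclusion range and the action labels are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample inventory (hypothetical): corporate-managed hosts and the
# connection path that determines which scanning mechanism applies.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.5": {"owner": "corporate", "path": "lan"},
    "10.0.1.6": {"owner": "corporate", "path": "vpn"},
    "10.0.2.10": {"owner": "corporate", "path": "branch"},
    "10.0.2.11": {"owner": "employee", "path": "vpn"},  # BYOD, web-only access
}

# Constructed exclusion list (hypothetical): a guest/BYOD VLAN that must never be scanned.
EXCLUDE: List[str] = ["10.0.3.0/24"]


def expand_targets(specs: Iterable[str]) -> List[ipaddress.IPv4Address]:
    """Expand CIDR, single-host and 'a.b.c.d-e.f.g.h' range specs into a sorted, de-duplicated host list."""
    hosts = set()
    for spec in specs:
        spec = spec.strip()
        if "-" in spec:
            start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            if start.version != end.version or end < start:
                raise ValueError(f"bad range: {spec}")
            cur = start
            while cur <= end:
                hosts.add(cur)
                cur += 1
        elif "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
            # hosts() strips network/broadcast; for /31 and /32 every address is a host.
            hosts.update(net.hosts() if net.num_addresses > 2 else net)
        else:
            hosts.add(ipaddress.ip_address(spec))
    return sorted(hosts)


def in_scope(host: ipaddress.IPv4Address, exclude: Iterable[str] = EXCLUDE) -> bool:
    """True unless the host falls inside one of the excluded ranges."""
    return not any(host in ipaddress.ip_network(e) for e in exclude)


def plan_scan(specs: Iterable[str],
              inventory: Dict[str, Dict[str, str]] = INVENTORY,
              exclude: Iterable[str] = EXCLUDE) -> Dict[str, str]:
    """Map each expanded target to the action a scan operator should take."""
    plan: Dict[str, str] = {}
    for host in expand_targets(specs):
        key = str(host)
        if not in_scope(host, exclude):
            plan[key] = "excluded"
            continue
        rec = inventory.get(key)
        if rec is None:
            # Not in inventory: flag for asset discovery rather than silently scanning.
            plan[key] = "unknown"
        elif rec["owner"] != "corporate":
            # Employee-owned, web-only access: outside corporate jurisdiction.
            plan[key] = "out-of-jurisdiction"
        elif rec["path"] == "lan":
            plan[key] = "network-scan"
        else:
            # Remote worker or branch office on corporate equipment: agent, or scan on VPN connect.
            plan[key] = "agent-or-vpn-scan"
    return plan


if __name__ == "__main__":
    for ip, action in plan_scan(["10.0.1.5", "10.0.1.6", "10.0.2.10-10.0.2.11", "10.0.3.0/30"]).items():
        print(f"{ip:<12} {action}")
```

The "unknown" outcome is the one worth keeping: a host that answers on the network but is absent from the inventory is exactly the case where the provider and the customer have not yet agreed on who owns it, and that is the distinction Gula says channel providers need to make explicit.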

Billy Austin, CSO at Bethesda, Md.-based Saint Corp., a vulnerability scanning software, hardware and managed services vendor, places the responsibility in corporate hands, but ultimately wants to see remote users and offices maintaining the security of their own equipment.

"Many organizations have a VAR/MSP and believe this is a very basic offering that one should be trained and offering to their clients," Austin said.

He said solution providers should be flexible with their products and services. "Some customers want a fully managed vulnerability management system," Austin said, "others want the VAR/MSP to manage most of it but yet at the same time to log in and run their own audits from time to time." He added that some organizations want to perform confidential data scans with their own tools and then hire their VAR/MSP on a periodic basis to validate their audits.

Gula warned that channel providers need to make a clear distinction between the solutions they provide and what falls under the responsibility of the customer.

Today, customers ask for more than security scanning products and services. Logging and auditing for regulatory compliance services can tip the sales scales in an accommodating vendor's direction. Cloud-based managed services are gaining in popularity, relieving an organization of the responsibility to manage its own hardware and software. To that end, solution providers have the opportunity to integrate complementary technologies into their customers' environments and improve the way they do business by offering different products or services.

Besides basic vulnerability scanning offerings, Gula mentioned that solution providers can offer compliance services as well.

"If there is a regulatory requirement to demonstrate scanning, then clearly, the VAR or MSP can provide this."

In addition to security audits that identify vulnerable or compromised systems, Gula listed the ability to inventory software on Windows and Unix servers as well as specific hardware, including routers, switches and Web servers sold by the VAR. "If a VAR offers services such as incident response, the results of a vulnerability scan can also help make that offering more effective," he added.

In this challenging economy, channel providers can strengthen their market presence by increasing the variety and scope of their security solutions to best meet their customers' current needs.

Although proactive security measures have always been a challenging sell to executives, experts suggest that organizations have started to realize that preventative measures can yield quantifiable savings in the event of commonplace digital attacks, such as theft of customers' private data, trade secrets and intellectual property, not to mention possible irreparable damage to brand image caused by highly publicized security breaches.

Tough economic times have forced organizations to improve efficiency, minimize unnecessary spending and focus on their core business. Vulnerability scanners that can deliver these results will garner a slice of organizations' security budgets.
