E-guide

Vulnerability
Management Tools
Buyers Guide part 1
Your expert guide to vulnerability management tools
 E-guide

In this e-guide
Introduction to vulnerability management
Introduction to tools
vulnerability management
tools Ed Tittel, Writer, Trainer, Internet Consultant

Expert Ed Tittel explores how vulnerability management tools can

The business case for
vulnerability management
help organizations of all sizes uncover defense weaknesses and
tools close security gaps before they are exploited by attackers.

Organizations today, from small businesses with Web and email access to
multisite global enterprises, face increasingly sophisticated attacks carried out
over the Internet. Once an attacker gains access to internal networks, the
damage that ensues can be catastrophic, resulting in data disclosures and
destruction, business disruption and damage to an organization's reputation.
Even with solid perimeter defenses (e.g., firewalls, intrusion
detection/prevention systems, VPNs and so on), hardened systems and
endpoint protection, security breaches still occur. The question is when and how
will these security breaches happen?

The attack surface of an IT environment changes constantly. As new computers

and devices are installed, operating systems and applications are upgraded and
firewall rules are changed, causing new vulnerabilities to be introduced. One
way to find out how attackers could breach network defenses and damage

Page 1 of 13
 E-guide

internal servers, storage systems and endpoints -- and the data they hold and
In this e-guide transfer -- is to discover and close those vulnerabilities. That's where
vulnerability management tools come into play.
Introduction to
vulnerability management
tools
What is vulnerability management?

The business case for Vulnerability management is a continuous process of discovering, prioritizing
vulnerability management and mitigating vulnerabilities in an IT environment. Although vulnerability
tools management tools vary in strength and feature sets, most include the following:

Discovery: The process of identifying and categorizing every asset in a

networked environment and storing attributes in a database. This phase
also includes discovering vulnerabilities associated with those assets.
Prioritization: The process of ranking known asset vulnerabilities and
risk. Vulnerabilities are assigned a severity level, such as from 1 to 5,
with 5 being the most critical. Some systems rank vulnerabilities as low,
medium and high.
Remediation/Mitigation: The system provides links to information about
each vulnerability discovered, which includes recommendations for
remediation and vendor patches, where applicable. Some vendors
maintain their own vulnerability intelligence database information; others
provide links to third-party resources such as The MITRE Corporation's
Common Vulnerabilities and Exposures database, the Common
Vulnerability Scoring System and/or the SANS/FBI Top 20, to name a
few.

Page 2 of 13
 E-guide

Organizations tackle the most severe vulnerabilities first and work their way
In this e-guide down to the least severe as time and resources permit. Some vulnerabilities
don't pose a serious threat to the organization and may simply be accepted,
Introduction to which means they are not remediated. In other words, the risk is judged to be
vulnerability management
less than the costs of remediation.
tools

How do vulnerability management tools

The business case for
vulnerability management work?
tools

Vulnerability management tools come in three primary forms: stand-alone

software, a physical appliance with vulnerability management software or a
cloud-hosted service. A customer uses a Web-based interface to configure the
product to scan a range of Internet Protocol (IP) addresses -- both IPv4 and
IPv6 -- the entire network or URL, and may select other criteria to inspect, such
as the file system, configuration files and/or the Windows registry. The more
criteria and the larger the number of IPs, the longer a scan takes to complete.
Most vulnerability management tools provide preconfigured scans, and an
administrator can modify those templates to save customized scans that run on
demand or on a scheduled basis.

Note: Highly penetrating scans that assess "hard-to-reach" areas of a network

may require an administrator to temporarily modify a firewall to get the most

Page 3 of 13
 E-guide

detailed results, although some vendors claim their products can perform
In this e-guide complete scans without any such firewall modifications.

Introduction to A comprehensive vulnerability scanner should be able to perform continuous

vulnerability management inventorying of wired and wireless devices, operating systems, applications
tools including Web apps, ports, services, protocols, as well as virtual machines and
cloud environments.
The business case for
vulnerability management Vulnerability management tools may perform authenticated and unauthenticated
tools vulnerability scans. An unauthenticated scan does not require administrative
credentials and focuses on basic issues, such as open ports and services,
identity of operating systems and so on. Authenticated scans typically require
admin credentials and are more intense, and they may negatively impact a
system or network. Although authenticated scans must be used cautiously,
usually outside of peak usage hours, they reveal more vulnerabilities than
unauthenticated ones.

When a vulnerability management tool is put in place, the initial scan that's run
should be as complete as possible. This also serves to establish a baseline.
Subsequent scans then show trends and help administrators understand the
security posture of the environment over time. Most vulnerability management
products provide detailed trend analysis reports and charts for display on the
console or in print for distribution to managers and executives.

Page 4 of 13
 E-guide

Some of these products also include exploit software that's used as a

In this e-guide penetration test tool. When vulnerabilities are exposed, an administrator can
use the exploit software to see how an attacker could exploit the vulnerability
Introduction to without disrupting network operations.
vulnerability management
tools A vulnerability management tool must be used regularly to be effective. Like
antivirus products, the data gathered during scans is only as good as the last
The business case for time it was updated. This means daily scans for most organizations; although
vulnerability management small environments or those whose critical assets are not exposed to the
tools Internet may find a weekly scan sufficient.

Who needs vulnerability management tools?

Organizations of all sizes -- from small to midsize businesses (SMBs) to

enterprises -- with access to the Internet can benefit from vulnerability
management. Customers from nearly every industry and vertical niche use
vulnerability management, including education, banking and financial services,
government, healthcare, insurance, manufacturing, retail (bricks-and-mortar and
online), technology and many more.

Page 5 of 13
 E-guide

In this e-guide How are vulnerability management tools

sold?
Introduction to
vulnerability management
tools
Vulnerability management products may be sold as software-only products, a
physical appliance with vulnerability management software or as a cloud-hosted
service. When purchasing vulnerability management software, customers can
The business case for
expect to pay either an upfront cost and/or licensing and ongoing maintenance
vulnerability management
tools fees. The same applies to a physical appliance and software combo, and in this
case, the customer also pays for the initial cost of the appliance. Some vendors
offer appliance licensing, just like software, to enable organizations to treat the
entire purchase as operational expenditure rather than capital expenditure.

A cloud-hosted service or software as a service offering is typically sold as an

annual subscription that includes unlimited scanning. Vendor cloud pricing
varies, and may be based on the number of users, IPs -- either active only or
total scanned -- and/or agents deployed. Customers can save money by using
services that charge only by active IP, which enables them to scan all IPs on a
network, but pay only for those currently in use.

Page 6 of 13
 E-guide

In this e-guide Conclusion

Introduction to Even the smallest of organizations (i.e., those with less than 25 users) need
vulnerability management some type of vulnerability management tool, but it's a critical part of a sound
tools security posture for SMBs and enterprises. For organizations that must meet
compliance measures, such as HIPAA, Gramm-Leach-Bliley and PCI DSS,
The business case for vulnerability management is required.
vulnerability management
tools The next article in this series presents the business case for vulnerability
management in more detail. It will also look at various use cases where
vulnerability management is a must-have.

Next article

Page 7 of 13
 E-guide

In this e-guide The business case for vulnerability

management tools
Introduction to
vulnerability management Ed Tittel, Writer, Trainer, Internet Consultant
tools
Expert Ed Tittel describes business use cases for vulnerability
management tools and examines how organizations of all sizes
The business case for
benefit from these products.
vulnerability management
tools IT vulnerabilities can affect any organization of any size, in any industry across
the world. The Verizon 2015 Data Breach Investigations Report provides some
sobering facts on threats and intrusions, including:

Twenty-three percent of email recipients open phishing messages and

11% click on attachments.
The total number of malware events across all organizations is roughly
170 million, which means five malware events occur every second.

What might pique the interest of managers and senior executives even more is
the fact that the average total cost of a data breach, according to IBM's 2015
Cost of Data Breach study, is around $3.79 million. Granted, we're not talking
about mom-and-pop businesses, but the monetary losses are staggering all the
same.

Page 8 of 13
 E-guide

So which organizations truly need vulnerability management tools, and how can
In this e-guide they help them? Here are several use cases for different sized organizations
that show the value of vulnerability management tools.
Introduction to
vulnerability management
tools
Use case #1: Small businesses

The business case for When reading about vulnerability management, personnel roles like security
vulnerability management officer, asset owner and IT engineer often come into play. Rarely are those
tools roles found in a small business, but any business -- even a small business --
with a live Internet connection and staff that sends and receives emails is
enough to warrant some sort of vulnerability management product that can be
managed by any IT person who wears lots of hats.

Why? Even with a reputable and well-tuned firewall, antivirus software and an
intrusion detection system (IDS), small organizations are still at risk. Typical
firewalls aren't designed to protect networks or systems from vulnerabilities, and
a misconfigured firewall is a major vulnerability. Antivirus software catches
known viruses, Trojan horses and so on, but cannot always identify hitherto
unknown threats. An IDS can flag most incoming threats, but can also be
bypassed by remotely executed code.

Small organizations often tend to be somewhat lax in imposing and enforcing IT

security -- as well as in providing security budget and staffing -- and attackers
know that. All of these reasons underscore a strong need for vulnerability

Page 9 of 13
 E-guide

management. A solid vulnerability management tool can help a small

In this e-guide organization find and eliminate vulnerabilities that place their business systems
at risk.
Introduction to
vulnerability management These organizations may opt to use simple scanning services or open source
tools vulnerability tools. The downside is that small business staff might wind up
spending too much time trying to determine which vulnerabilities are the most
The business case for severe. A better option is to find an affordable software as a service solution or
vulnerability management stand-alone software that runs periodic scans and generates reports that clearly
tools prioritize vulnerabilities.

Use case #2: Midsize organizations

A midsize organization is at risk from the same vulnerabilities as a small one,

but is typically better-known, has a well-developed Web presence and many
more attack surfaces, and therefore has a higher threat profile. That leaves a
midsize organization more vulnerable to targeted attacks, such as an advanced
persistent threat, and random attacks that seek out specific vulnerabilities, like
the Code Red or Sasser worms.

While senior management in many midsize organizations may feel confident

that their IT staff can handle nearly any security issue that comes their way,
that's not always the case. It's more likely that staff members are too busy or do
not have the skills and necessary experience to maintain a far-reaching security

Page 10 of 13
 E-guide

strategy, and they react to problems rather than proactively managing layered
In this e-guide security.

Introduction to Another concern is that the midsize organization may have more resources to
vulnerability management throw at security than a small business, but the concept of a "company needing
tools to look like a bigger company" can result in an urgent requirement to grow
quickly. This common situation creates challenges beyond staff members'
The business case for experience and capabilities. A company that is suddenly involved with
vulnerability management managing new operations and interests can easily lose sight of essential
tools security planning and practices.

Cloud services that offer data storage, server infrastructure and even entire IT
infrastructures as a service are increasingly popular with the midsize
organization that's growing or simply cannot afford to maintain everything itself.
However, unless the service is part of a managed services agreement, the
subscribing organization may still be responsible for protecting all of the data
and systems that now reside off premises, adding a new wrinkle to maintaining
security.

Also consider that the effort and cost of IT staff identifying and recovering from a
damaging vulnerability exploitation or security breach could be more expensive
than simply implementing a vulnerability management tool in the first place.

Page 11 of 13
 E-guide

In this e-guide Use case #3: Enterprise organizations

Introduction to Enterprise organizations have always been and will always be key targets of
vulnerability management attackers. They also have huge attack surfaces with thousands of network
tools nodes spread across campuses and remote business locations.

The business case for Given that a typical vulnerability assessment scan in a high-node environment
vulnerability management can yield thousands to millions of findings, from low to high criticality, it's easy to
tools see why an enterprise needs a comprehensive vulnerability management tool.
Not only does it reduce vulnerabilities, it eliminates manual configuration of
security scanning and provides a vehicle for managing the voluminous amount
of scan data and reports.

Enterprises, as well as small and midsize organizations, are also subject to

regulatory compliance of one sort or another. Many regulatory laws, such as
HIPAA and Gramm-Leach-Bliley, and the PCI DSS standard require
vulnerability assessments to maintain compliance. Even internal security
policies and audits require adherence to a risk management plan, which
includes vulnerability management as a core process.

Once the need for vulnerability management tools is established, the next step
is to select one that best meets your organization's business requirements and
budget. Find out about the vulnerability management purchase selection
process in the next article in this series.

Page 12 of 13
 E-guide

About the author

In this e-guide
Ed Tittel is a 30-plus year IT veteran who's worked as a developer, networking
Introduction to consultant, technical trainer, writer and expert witness. Perhaps best known for
vulnerability management creating the Exam Cram series, Ed has contributed to more than 100 books on
tools many computing topics, including titles on information security, Windows OSes
and HTML. Ed also blogs regularly for TechTarget (Windows Enterprise
The business case for Desktop), Tom's IT Pro and GoCertify.
vulnerability management
tools

Page 13 of 13