
Issue 2

1 Vulnerability Management for Mobility
5 From the Gartner Files: Four Ways to Close the Gap Between Enterprise Mobility and Vulnerability Management
9 About Tenable Network Security

Identify Mobility Risk through Mobile Device Visibility and Vulnerability Assessment
Vulnerability Management for Mobility


The modern enterprise is highly dependent on mobile devices to keep pace with business demands and to maintain a competitive edge. However, mobile devices remain a key challenge in the security risk they pose. Why?

• The deployment and management of mobile devices lies in the network operations team, and security teams may not be involved in the decision process. As a result, the business drivers for mobile devices may outweigh security concerns.

• Mobile devices connect and disconnect from the corporate network ad-hoc. Because of this, they may not be visible to traditional vulnerability scans.

• With Bring Your Own Device (BYOD) deployments any operating system or application may be running on the mobile device, adding another layer of complexity.

The proliferation of mobile devices has increased the volume of threats and vulnerabilities that target these devices. Organizations must consider a holistic approach to bring together mobile device visibility and vulnerability assessment.

To address these concerns, enterprises should include mobile device assessment (MDM) as part of their vulnerability management offering. However, there is no single template for mobile device vulnerability assessment since organizations have various types of mobile devices, various ways of managing these devices, and the mobile devices themselves are sensitive to security software installed. As a result, choosing a vulnerability assessment solution that addresses these needs and that works with existing IT investments is critical to provide the maximum flexibility and fullest visibility of mobile risk.

The following research outlines how vulnerability management solutions are capturing the risk from mobility, what technologies are used to assess mobile devices, and which vulnerability management vendors offer the broadest coverage.

Featuring research from


Of the vendors evaluated, Tenable Network Security offers some of the broadest mobile device assessment coverage, including:

• Enterprise Mobility Management Integration, including Apple Profile Manager, AirWatch, Good for Enterprise, and MobileIron

• ActiveSync Integration with Microsoft Exchange ActiveSync

• Passive Vulnerability Scanning

Together these technologies allow Tenable Network Security to:

1. Enumerate iOS, Android-based, and Windows Phone devices accessing the corporate network

2. Provide detailed mobile device information, including serial number, model, version, timestamp of last connection, and the user

3. Detect known mobile vulnerabilities, including out-of-date versions of Apple iOS

4. Discover jailbroken iOS devices

Read this Gartner research to understand more about the benefits of integrating mobile device assessment into your vulnerability assessment program, and the capabilities provided by Tenable Network Security.

Source: Tenable Network Security
From the Gartner Files:

Four Ways to Close the Gap Between Enterprise Mobility and Vulnerability Management

Mobile device coverage in vulnerability assessment solutions has not kept pace with mobile device adoption in the enterprise. This has resulted in a growing gap in oversight for security organizations. Here are four options for closing that gap.

Key Challenges

• Mobile and bring your own device adoption in the enterprise continue to increase, but security organizations are not yet including them in vulnerability management programs.

• Traditional vulnerability assessment solutions and methods provide only minimal support for mobile device assessment, complicating the process of including them in the vulnerability assessment workflow.

• Without including mobile devices, security organizations are failing in maintaining responsibility and oversight.

• Security organizations must address the organizational issue that IT and mobile systems are typically managed by distinct organizations.

Recommendations

IT security managers:

• Expand the scope of vulnerability management programs to include mobile devices in addition to traditional devices.

• Assess, select and implement the most suitable best practice for your organization from the four presented in this research for integrating mobile devices into the vulnerability management workflow.

• Make mobile device assessment capabilities a core requirement for vulnerability assessment product selection.

Strategic Planning Assumptions

By 2019, 80% of vulnerability assessment (VA) vendors will offer enterprise mobility management (EMM) integration capabilities to assess mobile devices, up from 20% today.

By 2017, 40% of enterprises will deploy or extend their VA solution to cover smartphones and tablets, up from 5% today.

Introduction

The adoption of mobile devices in the enterprise has increased year for year,[1] in the case of bring your own device (BYOD) with 62% of employees already using theirs for work purposes.[2] While the usage of EMM (see Note 1) and MDM solutions has grown, these rarely include a focus on vulnerability management in terms of functionality, as EMMs are usually bought and operated by nonsecurity actors, such as IT operations. Integration of VA and management solutions has not kept pace with the fast growth of enterprise mobility, and VA vendors are behind this curve, leaving organizations to fend for themselves.

The consequence is that smartphones, tablets and other mobile devices are not being included in VA and management programs. This has created a gap in the ability of IT security organizations to gain a centralized, environmentwide view of the true risk and security posture. This hole can only grow wider as mobility becomes a fundamental component of an enterprise.

The purpose of this research is to provide possible alternative approaches and best practices to plug this gap and consolidate VA and management for mobile and traditional devices.

Analysis

Vulnerability management has grown and evolved over the past decade, with standardized workflows, a shared terminology and a number of
vendor-independent standards, such as Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), and Common Vulnerability Reporting Framework (CVRF). VA solutions have both adopted and helped formalize these further, and provide the technological framework for most vulnerability management programs. In addition, other technologies from the security ecosystem have adapted to the same standards and offer interoperability with these (e.g., security information and event management [SIEM] solutions).

Traditional vulnerability scanning methods rely on network-based assessments that can connect to a given target via an IP address, interrogate open ports and services, and authenticate remotely. Alternatively, some solutions utilize an installed local agent. In the case of mobile devices, both of these methods pose challenges. Caution is advised when vendor offerings claim to support mobile devices such as smartphones and tablets based on IP-scanning, as it is neither a reliable nor an effective means of assessment. Mobile devices are not designed to provide remote authentication via the network, nor do they as a general rule offer network services to remotely assess. Installing agents requires an entirely different infrastructure and approach than traditional computer systems.

EMM systems, with a shorter history and experience in commercial environments, have rapidly entered the enterprise space. Unlike traditional endpoint protection platforms, EMM tools have focused on managing and securing enterprise mobile devices by enabling them, rather than locking them down. As the buying center for EMM tools is usually closer to IT operations than IT security, VA support has not been the focus of EMM tools so far.

VA vendors have slowly begun adding capabilities to bridge this gap, with ActiveSync and EMM integration the most widely encountered features, and a few maverick vendors providing direct assessment methods. By integrating mobile device management (MDM) technology with vulnerability management, the security organization regains visibility and oversight over the rapidly growing population of mobile-based assets. This allows mobile devices to be included in risk metrics and reporting, as well as enabling the assessment and management of mobile device vulnerabilities by the IT security organization.

Option No. 1: Direct Mobile Vulnerability Assessment

In direct mobile VA, the VA solution gathers security information locally from the mobile endpoint, usually via an agent in app form. A common approach is to publish the agent app via an official app store (i.e., Google Play Store), allowing end users to install the application themselves. The agent app can then be configured with connection and authentication credentials for a centralized management platform, usually cloud-based, to couple it with the VA solution. This particular method is also suited to a BYOD self-service model.

A native agent app can provide bidirectional communication for direct management by the security organization, for example to schedule scans and audits as required, and to execute scans based on custom profiles. The local system access that an agent app provides also permits deeper security audits, including on application permissions and configuration settings.

Benefits

• A locally installed app directly gathers security-relevant information, instead of relying on operational data and inference.

• Deep security assessments are possible due to direct system access.

• Detailed vulnerability findings and asset inventory data are directly integrated into enterprise vulnerability and risk metrics and reporting.

• Bidirectional integration occurs — the app can be directly managed by the security organization.

Challenges

• It requires the installation and management of a local agent application, and this challenge is compounded as the number and variety of mobile devices increases.

• It’s Android only; iOS’s security model severely limits the necessary functionality.

• Mobile devices must be able to connect back to the VA management interface, necessitating either an external service to be exposed on the
perimeter, or a cloud-based model providing a centralized public management point.

• It requires access to mobile endpoints by involvement of both the mobile management and VM teams.

• There is currently only a limited selection of available solutions offering this capability.

Sample vendors

BeyondTrust: Retina CS for Mobile is a native mobile VA solution that offers Android device VA via an agent available from Google Play Store. The solution fully integrates with Retina CS for consolidated VA.

Secunia: Secunia offers the free PSI for Android client on the Google Play Store. The PSI can scan for missing patches and vulnerable applications, and provides alerting and app update features. The PSI agent can be configured to integrate with the latest release of Secunia’s cloud-based vulnerability and patch management offering, Secunia CSI 7.

Option No. 2: EMM Integration

A small number of VA and management solutions provide the ability to integrate and communicate with third-party EMM solutions. By authenticating to the EMM and utilizing APIs, they are able to access, for example, device and application inventory data, such as the manufacturer, OS and installed application versions.

Coverage is not mature, with VA solutions commonly only supporting a small subset of available third-party offerings, with varying depths of integration. For example, some EMMs apply reputational intelligence to installed apps and maintain other vulnerability and patch information, but not necessarily in a format useful or exportable to a VA solution. In addition, EMM vendors are currently trying to rapidly enrich their suites with enablement features, making integration with VA a secondary item in their road maps.

Benefits

• It reuses already existing agent infrastructure from EMM.

• It permits at least a partial view into security-relevant mobile device data, without the need to gain access to every mobile endpoint.

• Vulnerability findings and asset inventory data are directly integrated into vulnerability and risk metrics and reporting.

Challenges

• VA solutions only support a subset of EMMs. APIs and asset data formats are not standardized, so that unique integration APIs have to be created for every EMM vendor to be coupled. This restricts choice if integration is a stringent requirement.

• The depth and scope of data that is exportable is limited in comparison to native assessment. Very basic implementations will only populate device type (i.e., Android, iOS) and the firmware version, allowing only a superficial assessment.

• Integrations not based on strategic technological vendor partnerships may not be further developed and matured in the future in both the VA and the EMM solution. Vendors must be carefully vetted for future plans in this regard.

• Most implementations are unidirectional and can only fetch device information from the EMM and not initiate assessments or change audit policies.

Sample Vendors

Tenable Network Security: Tenable’s Nessus and SecurityCenter can integrate with Good for Enterprise and Apple Profile Manager to gather such information as OS version, model, serial number and similar device data.

McAfee: McAfee Enterprise Vulnerability Manager can be integrated with McAfee Enterprise Mobility Management via McAfee ePO.

BeyondTrust: Retina CS integrates with BlackBerry BES to gather device data.
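The EMM integration described above pulls device inventory from the EMM through its API and folds it into VA asset records and risk reporting. The Python script below is an added example, not the Gartner note's nor any vendor's code, showing that normalization and assessment step on a constructed EMM export: the JSON field names, serial numbers, the minimum-version baseline and the staleness window are all assumptions, and a real EMM (Good for Enterprise, AirWatch, MobileIron) exposes its own API and schema.

```python
"""Normalize an EMM device inventory export into VA asset records and flag
devices that need attention (out-of-date OS, jailbroken, stale inventory).

Added example; the format, values and baseline are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of what an EMM device-list API call might return.
EMM_EXPORT = json.dumps([
    {"serial": "SAMPLE-IOS-001", "platform": "iOS", "os_version": "7.1.1",
     "model": "iPhone 5s", "user": "alice", "jailbroken": False,
     "last_seen": "2014-04-28T09:12:00Z"},
    {"serial": "SAMPLE-IOS-002", "platform": "iOS", "os_version": "6.1.3",
     "model": "iPad 2", "user": "bob", "jailbroken": True,
     "last_seen": "2014-04-29T17:40:00Z"},
    {"serial": "SAMPLE-AND-003", "platform": "Android", "os_version": "4.4.2",
     "model": "Nexus 5", "user": "carol", "jailbroken": False,
     "last_seen": "2014-03-01T08:00:00Z"},
    {"serial": "SAMPLE-AND-004", "platform": "Android", "os_version": "2.3.6",
     "model": "Galaxy S II", "user": "dave", "jailbroken": False,
     "last_seen": "2014-04-29T11:05:00Z"},
])

# Assumed policy baseline: the oldest OS release the organization accepts.
# Placeholder numbers, not a statement about which releases are vulnerable;
# in practice this comes from the VA solution's vulnerability database.
MIN_OS_VERSION = {"iOS": "7.1", "Android": "4.4"}
# EMM records older than this may no longer reflect the device's real state.
STALE_AFTER = timedelta(days=30)
# Fixed "now" so the example is reproducible (assumed report date).
REPORT_TIME = datetime(2014, 4, 30, tzinfo=timezone.utc)


def version_tuple(version):
    """'7.1.1' -> (7, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def normalize(record):
    """Map one EMM record onto the fields a VA asset record needs."""
    last_seen = datetime.strptime(record["last_seen"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "serial": record["serial"],
        "platform": record["platform"],
        "os_version": record["os_version"],
        "model": record["model"],
        "user": record["user"],
        "jailbroken": bool(record.get("jailbroken", False)),
        "last_seen": last_seen.replace(tzinfo=timezone.utc),
    }


def assess(asset, now=REPORT_TIME):
    """Return the list of finding tags for one normalized asset."""
    findings = []
    minimum = MIN_OS_VERSION.get(asset["platform"])
    if minimum and version_tuple(asset["os_version"]) < version_tuple(minimum):
        findings.append("os-out-of-date")
    if asset["jailbroken"]:
        findings.append("jailbroken")
    if now - asset["last_seen"] > STALE_AFTER:
        findings.append("stale-inventory")
    return findings


def assess_export(export_json, now=REPORT_TIME):
    """Return {serial: [findings]} for every device in an EMM export."""
    assets = [normalize(r) for r in json.loads(export_json)]
    return {a["serial"]: assess(a, now) for a in assets}


if __name__ == "__main__":
    for serial, findings in assess_export(EMM_EXPORT).items():
        print(serial, ", ".join(findings) or "ok")
```

The staleness check matters because the unidirectional integrations the note describes only fetch what the EMM last recorded; a device that has not checked in for weeks may have been wiped, rooted, or updated since, so its record should be reported with lower confidence rather than trusted outright.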

Option No. 3: ActiveSync (EAS) Integration

Certain mobile solutions are installed on the Exchange Client Access Server and perform VA by comparing device information with vulnerability databases. These solutions leverage the Microsoft Exchange ActiveSync (EAS) protocol that provides synchronization of data such as emails and contacts between the Exchange server and mobile devices, as well as mobile device policy enforcement. EAS has the advantage of being ubiquitous, as it is inbuilt in most modern mobile devices. However, it lacks structure and granularity as the number of policies is limited (e.g., jailbreak detection is missing) and each mobile device supports a different subset of those policies. EAS-based solutions are a lightweight option for organizations that either do not yet have an EMM in place, or have not worked with the department deploying the EMM to cover VA functionality, and need a quick fix to this.

Benefits

• It integrates with existing Windows/Exchange infrastructure.

• It does not require additional external services to be exposed.

• It’s the most commonly supported method across VA solutions and mobile OSs, as it leverages the broad third-party device coverage that EAS provides.

Challenges

• ActiveSync does not yet provide full-fledged EMM capabilities, and these same limitations limit the data available to VA solutions.

• Security-relevant information is only partially available.

• VA vendor EAS integration implementations must be continuously developed to maintain lockstep with new EAS releases and leverage new features, so vendors must be assessed for their ongoing commitment.

• Support for cloud-based (e.g., Office 365) and third-party EAS implementations (e.g., Lotus) varies.

Sample vendors

BeyondTrust Retina CS and Tenable Network Security offer this capability.

Option No. 4: Passive Vulnerability Scanning

Passive vulnerability scanning (PVS) inspects network traffic on the wire to identify vulnerabilities based on heuristics, such as banner, session, and protocol information. An example is identifying a Web browser’s version by inspecting the browser agent string sent when viewing a Web page.

The technology can be used to identify device types, such as iOS or Android devices, OS versions and some applications. The distinct advantage of PVS is that it is nonintrusive and requires no installation or configuration on the end devices.

PVS can only provide limited visibility, as it relies solely on what is available in network traffic to infer pertinent information, such as the application name and version, and associated vulnerabilities. Practically, this means that it can only detect network-enabled applications that send and receive data, and only when they actively do so. Encryption, for example, can severely limit the effectiveness.

PVS for mobile devices is useful as a stopgap measure before implementing a more direct method for managed devices, or as an augmentation to more direct access to mobile devices. In the case of unmanaged or even rogue devices, it is the only method. It can either be implemented at the perimeter, or at the border between different network zones, to identify client vulnerabilities via their traffic. This requires mobile traffic to be routed to a network chokepoint on the network that will allow the inspection of all mobile traffic in one place (e.g., via a SPAN port). A good example would be between an organization’s wireless LAN (WLAN) and the Internet. Mitigation can then take the form of either informing the device owner that he has to take remediation steps, or by actively blocking access to the network or specific resources for that device.
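The note describes PVS as inferring device type and OS version from heuristics such as the browser agent string, and warns that encrypted traffic limits what can be seen. The Python script below is an added example, not Tenable's PVS nor any product's code, that runs that inference over a few constructed proxy log lines: it fingerprints iOS and Android clients from their User-Agent headers, counts tunnelled (CONNECT) flows that expose no plaintext header as unobservable, and checks the resulting inventory against an assumed minimum-version baseline. The log format, addresses, User-Agent strings and baseline are all constructed for illustration.

```python
"""Passive fingerprinting of mobile clients from HTTP User-Agent strings
seen at a network chokepoint.

Added example; the log lines and the version baseline are constructed.
"""
import re

# Constructed sample of a simplified HTTP proxy log: client IP, method, host,
# quoted User-Agent ("-" when no plaintext header was seen, e.g. a CONNECT
# tunnel carrying TLS, which is exactly the blind spot the note mentions).
TRAFFIC_LOG = """\
10.20.0.11 GET intranet.example.com "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"
10.20.0.12 GET news.example.net "Mozilla/5.0 (Linux; Android 4.1.2; GT-I9300 Build/JZO54K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Mobile Safari/535.19"
10.20.0.13 GET mail.example.com "Mozilla/5.0 (iPad; CPU OS 7_1 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D167 Safari/9537.53"
10.20.0.14 CONNECT secure.example.org "-"
10.20.0.11 GET intranet.example.com "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"
10.20.0.15 GET files.example.com "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')
# Safari on iOS writes the version with underscores: "CPU iPhone OS 7_0_4" or "CPU OS 7_1".
IOS_UA = re.compile(
    r"\((?P<device>iPhone|iPad|iPod)[^)]*?CPU (?:iPhone )?OS (?P<ver>\d+(?:_\d+)*) like Mac OS X")
ANDROID_UA = re.compile(r"Android (?P<ver>\d+(?:\.\d+)*)")

# Assumed baseline (placeholders): oldest OS release the organization accepts.
MIN_OS_VERSION = {"iOS": "7.1", "Android": "4.4"}


def fingerprint(user_agent):
    """Infer (platform, os_version, device) from a User-Agent, or None if unknown."""
    m = IOS_UA.search(user_agent)
    if m:
        return ("iOS", m.group("ver").replace("_", "."), m.group("device"))
    m = ANDROID_UA.search(user_agent)
    if m:
        return ("Android", m.group("ver"), "Android device")
    return None


def build_inventory(log_text):
    """Return ({client_ip: record}, summary) built purely from observed traffic."""
    inventory = {}
    summary = {"no_user_agent": 0, "other_platform": 0}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ua = m.group("ua")
        if ua == "-":
            summary["no_user_agent"] += 1  # encrypted/tunnelled: nothing to infer
            continue
        fp = fingerprint(ua)
        if fp is None:
            summary["other_platform"] += 1  # desktop or unrecognized client
            continue
        platform, version, device = fp
        # First observation wins; later hits only raise the observation count.
        record = inventory.setdefault(m.group("ip"), {
            "platform": platform, "os_version": version,
            "device": device, "observations": 0})
        record["observations"] += 1
    summary["mobile_clients"] = len(inventory)
    return inventory, summary


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def outdated_clients(inventory):
    """Client IPs whose inferred OS is older than the assumed baseline."""
    return sorted(ip for ip, rec in inventory.items()
                  if version_tuple(rec["os_version"]) < version_tuple(MIN_OS_VERSION[rec["platform"]]))


if __name__ == "__main__":
    inv, summary = build_inventory(TRAFFIC_LOG)
    for ip, rec in inv.items():
        print(ip, rec)
    print("summary:", summary)
    print("outdated:", outdated_clients(inv))
```

The summary counters are as important as the inventory: a high no_user_agent count tells the security team how much of the mobile population the chokepoint cannot characterize, which is the argument the note makes for treating PVS as an augmentation or stopgap rather than the sole method for managed devices.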

Benefits

• It’s noninvasive; inspects traffic on the wire.

• It allows coverage of noncentrally managed devices requiring access to internal resources.

• It’s a suitable stopgap measure when no other option is available.

• It adds additional features, such as activity monitoring and malware activity.

Challenges

• Only vulnerabilities affecting applications that generate network traffic can be detected.

• It can only assess assets that traverse the company network infrastructure.

• It requires network chokepoints to centralize mobile traffic for inspection.

• Network encryption can greatly reduce the effectiveness.

Sample vendor

Tenable Network Security: Tenable offers the Nessus Passive Vulnerability Scanner (PVS).

A Look Forward

Two trends, the general growing proliferation of mobile devices such as smartphones and smartpads, as well as the increasing acceptance and adoption of BYOD policies within enterprises, will increasingly mandate that security organizations regain and maintain oversight over these. As the overall percentage of mobile devices in the enterprise asset population increases, so will the risks.

VA vendors will strengthen and extend their capabilities with tighter partner ecosystems and integrations between VA and EMM technologies, especially for on-premises and remote scanning solutions, where roaming agent support and the associated infrastructure are not feasible. Relying on the EMM capabilities will make any improvement in functionality dependent on parallel improvements in the EMM.

As for many mobile implementations, cloud-based deployments for VA solutions intended to also assess mobile devices have a true advantage with respect to alternatives. We have seen this with secure Web gateways as well as with data loss prevention (DLP) tools. However, as with secure Web gateways (SWGs) or DLP, efficient cloud-based implementations are still far away from being a reality. Cloud and SaaS offerings will be in the vanguard of fully native, direct mobile VA, and will increasingly add functionality that will directly compete with EMM offerings.

EMM vendors will also align more closely with common vulnerability and risk management standards and practices, adding more security capabilities and features themselves. The ability to leverage their already existing agent infrastructure provides an ideal foundation for this. This will also simplify tighter integrations with VA solutions. We are already seeing this trend, with vendors such as Lacoon and Skycure offering pure-play mobile security products that bridge this gap.

As enterprise mobility keeps maturing and network performance will keep improving, these issues will be increasingly easier to solve and bring mobile VA to the mainstream.

Additional research contribution and review were provided by Anton Chuvakin.

Appendix

Table 1. Vendor Options

Vendor                                   Native Mobile Assessment   EMM Integration   EAS/ActiveSync   PVS
BeyondTrust Retina CS                    X (1)                      X (2)             X
McAfee Enterprise Vulnerability Manager                             X (3)
Rapid7 Nexpose                           *                                                             **
Tenable Nessus/SecurityCenter                                       X (4)             X                X
Secunia CSI/PSI                          X (1)
Qualys                                                                                                 **

* Rapid7 offers a SaaS mobile security solution called Mobilisafe. There are plans to integrate Mobilisafe with Nexpose.
** Via integration with Cisco Sourcefire
(1) Android agent
(2) BlackBerry BES; MobileIron is being planned
(3) McAfee EVM integrates with McAfee Enterprise Mobility Management via McAfee ePO
(4) Good for Enterprise

Source: Gartner (April 2014)

Acronym Key and Glossary Terms

BYOD  Bring your own device
EAS   Exchange ActiveSync
EMM   Enterprise mobility management
MDM   Mobile device management
PVS   Passive vulnerability scanner/scanning
VA    Vulnerability assessment
VM    Vulnerability management

Evidence

[1] “Forecast Analysis: Devices, Worldwide, 4Q13 Update”
[2] “User Survey Analysis: Is Bring Your Own Device Job Essential or a Personal Preference?”

Note 1. MDM/EMM

This note refers to mobile device management solutions as enterprise mobility management throughout the document.

Gartner Research Note G00260857, Oliver Rochford, Dionisio Zumerle, 30 April 2014

About Tenable Network Security


Founded in 2002, Tenable Network Security provides continuous
network monitoring to identify vulnerabilities, reduce risk and ensure
compliance. Relied upon by more than 24,000 organizations around
the world, Tenable’s key clients include Fortune Global 500 companies
across industries as well as the entire U.S. Department of Defense and
many of the world’s leading governments.

Our family of products includes SecurityCenter Continuous View™
and Nessus®. SecurityCenter Continuous View allows for the most
comprehensive and integrated view of network health. Nessus is the
global standard in detecting and assessing network data. With the
largest install base and best expertise in our industry, Tenable gives
customers the ability to identify their biggest threats and respond
quickly.

In 2014 Tenable was selected as a Red Herring Top 100 North America
award winner. The company was also named Best Vulnerability
Management Solution at the SC Magazine Europe awards. Tenable has
been selected as a Deloitte Technology Fast 500 Company every year
since 2009.

Our Mission
Tenable founders Ron Gula, Renaud Deraison, and Jack Huffard build
technology that secures and protects any device from threats on the
Internet – malicious software, hackers, viruses, and more. Tenable
wants its customers and every company to have access to the latest
and best technology that will ensure they stay connected, online, and
in business.

For more information, contact Tenable.

Vulnerability Management for Mobility is published by Tenable Network Security. Editorial content supplied by Tenable Network Security is independent of Gartner analysis. All
Gartner research is used with Gartner’s permission, and was originally published as part of Gartner’s syndicated research service available to all entitled Gartner clients.
© 2014 Gartner, Inc. and/or its affiliates. All rights reserved. The use of Gartner research in this publication does not indicate Gartner’s endorsement of Tenable Network
Security’s products and/or strategies. Reproduction or distribution of this publication in any form without Gartner’s prior written permission is forbidden. The information
contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. The
opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice
or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in
entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research
organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding
Principles on Independence and Objectivity” on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.
