Introduction to vulnerability management tools

Expert Ed Tittel explores how vulnerability management tools can help organizations of all sizes uncover defense weaknesses and close security gaps before they are exploited by attackers.

Organizations today, from small businesses with Web and email access to multisite global enterprises, face increasingly sophisticated attacks carried out over the Internet. Once an attacker gains access to internal networks, the damage that ensues can be catastrophic, resulting in data disclosure and destruction, business disruption and damage to an organization's reputation. Even with solid perimeter defenses (e.g., firewalls, intrusion detection/prevention systems, VPNs and so on), hardened systems and endpoint protection, security breaches still occur. The question is when and how these security breaches will happen.

The attack surface of an IT environment changes constantly. New computers and devices are installed, operating systems and applications are upgraded and firewall rules are changed, and each such change can introduce new vulnerabilities. One way to find out how attackers could breach network defenses and damage internal servers, storage systems and endpoints -- and the data they hold and transfer -- is to discover and close those vulnerabilities. That's where vulnerability management tools come into play.

What is vulnerability management?

Vulnerability management is a continuous process of discovering, prioritizing and mitigating vulnerabilities in an IT environment. Although vulnerability management tools vary in strength and feature sets, most include the following:

  • Discovery: The process of identifying and categorizing every asset in a networked environment and storing attributes in a database. This phase also includes discovering vulnerabilities associated with those assets.
  • Prioritization: The process of ranking known asset vulnerabilities and risk. Vulnerabilities are assigned a severity level, such as from 1 to 5, with 5 being the most critical. Some systems rank vulnerabilities as low, medium and high.
  • Remediation/Mitigation: The system provides links to information about each vulnerability discovered, which includes recommendations for remediation and vendor patches, where applicable. Some vendors maintain their own vulnerability intelligence database information; others provide links to third-party resources such as The MITRE Corporation's Common Vulnerabilities and Exposures database, the Common Vulnerability Scoring System and/or the SANS/FBI Top 20, to name a few.

Organizations tackle the most severe vulnerabilities first and work their way down to the least severe as time and resources permit. Some vulnerabilities don't pose a serious threat to the organization and may simply be accepted, which means they are not remediated. In other words, the risk is judged to be less than the costs of remediation.

How do vulnerability management tools work?

Vulnerability management tools come in three primary forms: stand-alone software, a physical appliance with vulnerability management software or a cloud-hosted service. A customer uses a Web-based interface to configure the product to scan a range of Internet Protocol (IP) addresses (IPv4 and IPv6), an entire network or a URL, and may select other criteria to inspect, such as the file system, configuration files and/or the Windows registry. The more criteria and the larger the number of IPs, the longer a scan takes to complete. Most vulnerability management tools provide preconfigured scans, and an administrator can modify those templates to save customized scans that run on demand or on a scheduled basis.

Note: Highly penetrating scans that assess "hard-to-reach" areas of a network may require an administrator to temporarily modify a firewall to get the most detailed results, although some vendors claim their products can perform complete scans without any such firewall modifications.

A comprehensive vulnerability scanner should be able to perform continuous inventorying of wired and wireless devices, operating systems, applications including Web apps, ports, services, protocols, as well as virtual machines and cloud environments.

Vulnerability management tools may perform authenticated and unauthenticated vulnerability scans. An unauthenticated scan does not require administrative credentials and focuses on basic issues, such as open ports and services, identity of operating systems and so on. Authenticated scans typically require admin credentials and are more intense, and they may negatively impact a system or network. Although authenticated scans must be used cautiously, usually outside of peak usage hours, they reveal more vulnerabilities than unauthenticated ones.

When a vulnerability management tool is put in place, the initial scan that's run should be as complete as possible. This also serves to establish a baseline. Subsequent scans then show trends and help administrators understand the security posture of the environment over time. Most vulnerability management products provide detailed trend analysis reports and charts for display on the console or in print for distribution to managers and executives.
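The prioritization step described above and the baseline-then-trend workflow in this section can be illustrated with a small added example (not code from the article or from any vendor's product). It assumes a 1-to-5 severity scale and uses constructed findings; real scanner output formats and scales vary by vendor.

```python
"""Added example: rank scan findings by severity, honour risk-accepted
findings, and compare a later scan against a baseline to report trends.
All findings below are constructed for illustration."""
from collections import Counter

# Map a vendor-style numeric severity (1-5, 5 most critical) to the
# low/medium/high bands some products use instead. Band cut-offs are
# an assumption for this example.
def severity_band(level: int) -> str:
    if not 1 <= level <= 5:
        raise ValueError(f"severity must be 1-5, got {level}")
    return {1: "low", 2: "low", 3: "medium", 4: "high", 5: "high"}[level]

# Constructed findings: (asset, vulnerability id, severity 1-5).
BASELINE = [
    ("web-01", "VULN-A", 5),
    ("web-01", "VULN-B", 2),
    ("db-01", "VULN-C", 4),
]
LATEST = [
    ("web-01", "VULN-B", 2),
    ("db-01", "VULN-C", 4),
    ("mail-01", "VULN-D", 3),
]
# Findings whose risk was accepted: tracked, but not remediated.
ACCEPTED = {("web-01", "VULN-B")}

def prioritize(findings, accepted=frozenset()):
    """Return the remediation queue, most severe first, skipping accepted risks."""
    queue = [f for f in findings if (f[0], f[1]) not in accepted]
    return sorted(queue, key=lambda f: (-f[2], f[0], f[1]))

def compare(baseline, latest):
    """Classify findings as new, fixed or persisting relative to the baseline."""
    before = {(a, v): s for a, v, s in baseline}
    after = {(a, v): s for a, v, s in latest}
    return {
        "new": sorted(after.keys() - before.keys()),
        "fixed": sorted(before.keys() - after.keys()),
        "persisting": sorted(before.keys() & after.keys()),
    }

def band_counts(findings):
    """Count findings per severity band, as a trend chart would show them."""
    return Counter(severity_band(s) for _, _, s in findings)

if __name__ == "__main__":
    for asset, vuln, sev in prioritize(LATEST, ACCEPTED):
        print(f"{severity_band(sev):6} {sev} {asset} {vuln}")
    print(compare(BASELINE, LATEST))
```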

Some of these products also include exploit software that's used as a penetration test tool. When vulnerabilities are exposed, an administrator can use the exploit software to see how an attacker could exploit the vulnerability without disrupting network operations.

A vulnerability management tool must be used regularly to be effective. As with antivirus products, the data gathered during scans is only as good as the last time it was updated. This means daily scans for most organizations, although small environments or those whose critical assets are not exposed to the Internet may find a weekly scan sufficient.

Who needs vulnerability management tools?

Organizations of all sizes -- from small to midsize businesses (SMBs) to enterprises -- with access to the Internet can benefit from vulnerability management. Customers from nearly every industry and vertical niche use vulnerability management, including education, banking and financial services, government, healthcare, insurance, manufacturing, retail (bricks-and-mortar and online), technology and many more.

How are vulnerability management tools sold?

Vulnerability management products may be sold as software-only products, a physical appliance with vulnerability management software or as a cloud-hosted service. When purchasing vulnerability management software, customers can expect to pay an upfront cost and/or licensing and ongoing maintenance fees. The same applies to a physical appliance and software combo, and in this case, the customer also pays for the initial cost of the appliance. Some vendors offer appliance licensing, just like software, to enable organizations to treat the entire purchase as operational expenditure rather than capital expenditure.

A cloud-hosted service or software as a service offering is typically sold as an annual subscription that includes unlimited scanning. Vendor cloud pricing varies, and may be based on the number of users, IPs -- either active only or total scanned -- and/or agents deployed. Customers can save money by using services that charge only by active IP, which enables them to scan all IPs on a network, but pay only for those currently in use.

Even the smallest of organizations (i.e., those with fewer than 25 users) need some type of vulnerability management tool, but it's a critical part of a sound security posture for SMBs and enterprises. For organizations that must meet compliance measures, such as HIPAA, Gramm-Leach-Bliley and PCI DSS, vulnerability management is required.
