VMDR: Inside vulnerability management, detection and response

VMDR offers automated asset identification, threat prioritization and patch management. But do companies need another vulnerability management tool?

Get ready, detection and response market -- there's a new acronym entering the fray. Joining NDR, EDR, MDR and XDR is VMDR: vulnerability management, detection and response.

So far, Qualys is the only vendor specifically using the phrase to describe its product, but a couple of others have similarly named offerings. Let's examine this new acronym and the features and benefits it provides organizations that many current vulnerability management tools may not.

What is VMDR?

VMDR aims to take traditional vulnerability management products to the next level. It helps companies handle the entire vulnerability management lifecycle -- from asset management and vulnerability identification to threat level assignment and remediation.

"The key piece to the whole process is identifying what's internally or externally exposed and classifying those assets and determining the level of criticality to the larger organization," said Ken Smith, analyst at RSM US. "With that in place, you can get to the real heart of vulnerability management, which is finding your own flaws before anyone can take advantage."

Qualys first released its SaaS-based VMDR in 2020. It does not require any on-site hardware or software, which reduces setup time for IT teams creating custom rules. Customers also don't need to deploy new servers; rather, they install Qualys Cloud Agent from the product console.

Mitchell Schneider, analyst at Gartner, said he couldn't corroborate with Qualys on how simple it is to deploy VMDR but said the vendor doesn't charge for professional services, which makes it easier -- and cheaper -- for companies to get help should they need assistance.

The SaaS product provides continuous vulnerability scanning -- from periodic scanning to real time -- to provide an improved picture of asset management and vulnerabilities. Qualys' VMDR consists of the following:

  • asset inventory
  • vulnerability management
  • threat prioritization
  • patch management

VMDR 2.0 with TruRisk was released in June 2022, with upgrades that automate the entire lifecycle and speed up how quickly an organization responds to vulnerabilities. The new cyber-risk content quantification feature enables customers to determine what their high-risk assets and vulnerabilities are. The updated dashboard now indicates whether a certain vulnerability is actively being exploited or if only a proof of concept exists.

The release also has IT service management connections with ServiceNow, so tickets are sent out to the right in-house teams to get vulnerabilities remediated. The ServiceNow apps are free to VMDR customers, said Mehul Revankar, vice president of product management at Qualys. These apps add automation designed to aid short-handed IT teams in figuring out which vulnerabilities to focus on and remediate, reducing wasted time.

VMDR 2.0 also offers optional add-ons, including endpoint detection and response (EDR) and cybersecurity asset management. While VMDR is designed to work with Qualys EDR, it has an open API to allow other vendor products to connect and use Qualys vulnerability and threat data.

Other next-gen vulnerability management options

While Qualys is the only one calling its product VMDR, it isn't alone in releasing products to tackle vulnerability management. In May 2022, Microsoft announced Microsoft Defender Vulnerability Management, which will feature asset visibility, intelligent assessments and remediation capabilities upon general release. The product is available in public preview.

Secureworks currently offers Taegis VDR, a vulnerability detection and response product that scans for vulnerabilities, automates manual tasks, and integrates with third-party scanning and ticketing products. Schneider listed Tenable and Rapid7 as other competitors. Tenable.ep packages the vendor's separate products into one vulnerability management license. Rapid7 InsightVM scans a company's network and tracks the vulnerability mitigation process, while providing instructions on how to efficiently remediate discovered vulnerabilities.

The growing vulnerability management market

The vulnerability management marketplace is evolving as more companies start providing additional and revamped services. With nearly 180,000 CVEs reported by the end of June 2022 and more than 8,000 published in the first quarter of 2022 alone, vulnerability management vendors need to find a way to stand out.

"There are a lot of angles that you're going to start to see vulnerability management vendors go as more technology and security companies offer their own products," said Erik Nost, analyst at Forrester Research. "For example, we're seeing convergence with attack surface management and application security."
