Antivirus, access control, firewall and Intrusion Prevention Systems are failing to keep attackers from reaching vulnerable systems and most network administrators aren't given the budget or time to add yet more layers. This is a problem because successful attacks are often done with these solutions in place and being run in a standard manner by capable people. It doesn't take an analyst to tell you that something about these common perimeter guards isn't getting the job done.
In all successful attacks hackers bypass the network security perimeter to exploit existing vulnerabilities inside the network. The fact that all hackers consider breaking the perimeter to be job #1 and that most refer to it as being a trivial achievement should be a wakeup call to admins who think perimeter solutions are enough.
In fact, all successful attacks are on networks whose admins (or entire security teams) were doing their best to maintain a perimeter! This includes the highly publicized break-ins at Fortune 500 companies and governments with large network security staffs and deep pockets. Apparently something about the focus on perimeter defense is not working. Yes, the well tended perimeter stops a great number of attacks but the fact is, they don't stop enough.
Setting aside political or financial high value targets that get picked because they stand our, the remaining attacks are almost always done as a 'drive by'. Attackers rarely choose a target first and then spend time looking for a weakness. It is far easier to study up on a well known vulnerability, scan broadly for ANY network that has this weakness and then exploit it to gain access. From that beachhead hackers expand their control through the network and then look for the most valuable data they can steal.
Therefore, in order to better secure any network, it appears that these well known vulnerabilities must be found and fixed regardless of ANY set of perimeter defense solutions being in place. Vulnerability Assessment and Management (VAM) is the solution that achieves this goal.
Technical, organizational, financial and cultural forces in network security have combined to push known vulnerabilities, the single most important factor regarding network security into the background.
Given these factors, security through the elimination of network vulnerabilities has become more of a compliance checkbox than being the front line defense strategy that the current state of network security indicates it deserves. The truth is that the perimeter today is the device itself.
VAM was the new kid on the network security block 10 years ago. It was a short and not terribly happy childhood. Early tools were complicated, cumbersome and ill suited for rolling into corporate networks. Those admins that did install what was then called just Vulnerability Assessment ran into the kiss of death for any security tool: huge reports filled with inaccurate results.
Accuracy is the missing ingredient in many network security tools. Ask any admin who has tested several competing solutions side by side on a network. The variation in what each tool discovers and reports is enough to keep one up at night. This applies to all security tools but particularly to VAM.
Inaccuracy in a firewall, antivirus or IPS is most often invisible. These systems can't stop what they don't know about. Yes this is a disaster waiting to happen, but while waiting it bothers no one. On the other hand an inaccurate VAM report is really irritating, sending network staff searching high and low for things that don't exist. A VAM report that has a couple of errors in the first page is going to get tossed in the bottom drawer.
Most VAM systems sold today are now at 95% accuracy, which is a lot better than the early days. That still means one false positive for every 20 reported issues. And that is still enough to get the monthly VAM report relegated to the shred pile.
VAM has grown up and at the same time federal and industrial network security standards are pushing for VAM as a component of constant monitoring. Our solution, AVDS has become a simple to install, easy to operate, complete solution that incorporates web application scanning and database scanning with the traditional network scanning duties. It assigns asset value and vulnerability severity and so gives admins an accurate idea of what MUST be done, what should be done and what might be done in the future to secure the network. And it does this with accuracy unmatched in the industry.
All of the top end Vulnerability Management solutions identify vulnerabilities primarily by checking host banners to read the version number. They then assume that if version X is present, then all the vulnerabilities of version X are also present. This is not true if an update was 'back ported' (common in Linux) or if server or application settings make access to the vulnerability impossible. Alternatively a banner can report an patch is in place even if the server did not get rebooted. It is common in even high end VAM solutions to have 3% to 8% false positive results.
AVDS goes beyond just checking for banners, it uses specially crafted queries and the resulting behavior of network components and web applications as its primary indicator of whether a specific vulnerability exists or not. This means that AVDS is highly accurate, generating near-zero false positives and finding vulnerabilities that other solutions miss.
AVDS accuracy means you can be certain that if a report says the network has a high risk on a high value asset, it actually DOES exist. You can also know, without a doubt, that when you are handling the risks discovered by AVDS you are doing the best job possible to protect your network.
Management of vulnerabilities is the recognition that not all security issues are of equal severity and that not all network assets are equally valuable. Thus in the real world where IT budgets are never large enough to buy every possible solution or patch every single weakness, VAM will guide the way to applying whatever resources are available to the most truly serious weaknesses on the network.
AVDS maps all the network assets (including servers, operating systems, network infrastructure, workstations, applications, phones, printers etc.) and prioritizes them based on their importance/criticality. A web or database server will be regarded as more critical than a printer server. It then examines each item on the network, and lists the vulnerabilities discovered. Each is assigned a severity rating based on an internationally agreed upon set of guidelines. AVDS combines the importance level of the asset and the vulnerability risk level, to produce an accurate mitigation strategy.
We hope you will incorporate VAM into your network security strategy. If you are already using a VAM solution please seriously consider extending it to cover your entire network, including test servers, phones, printers, etc. If you don't have VAM installed on your network, now is the time. If you aren't happy with your current system or you would like more info on how to deploy one for the first time, we hope that you will drop us a note.