Vulnerability Management

Why VM got a bad rap

The number of servers, desktops, laptops, phones and personal devices accessing network data is constantly growing. The number of applications in use grows nearly exponentially. And as known vulnerabilities grew in number, IT managers found that traditional vulnerability management solutions could easily find more problems than could be fixed.

One solution has been to concentrate on building better walls around the network to keep attackers from accessing the weaknesses. Vulnerabilities are addressed when and if there are resources available.

Other solutions are to scan just the most important network resources, or to prioritize the vulnerabilities so that limited resources could be applied to fixing just those that were most likely to be mis-used.

None of these solutions is working very well. Even random, unfocused attackers routinely bypass antivirus, firewalls and IPS to find and exploit vulnerabilities on secondary systems, or ones that were left unrepaired because they were not rated high risk.

The vast majority of successful attacks target the best-known, most serious, most easily discovered and most easily exploited vulnerabilities. Most attackers study up on a specific vulnerability, then search broadly for any network that has that weakness, and then exploit it to gain access. From that beachhead they expand their control through the network and look for valuable data they can steal without being discovered.

Vulnerability Management as Art?

Vulnerability management fell from grace because it failed on two fronts. Its findings have been riddled with errors, and its vendors got into a race over who could find the most vulnerabilities. VM reports became so long as to be unusable.

If pockets are deep and resources are unlimited then every vulnerability found by a traditional system could be validated as being true and then fixed. In the real world nobody had that much time and patience. And so the decade of building better walls was launched.

And now we are faced with running multiple, complex systems that don't seem to be keeping the attackers out.

We propose that the solution is to revisit VM, but this time focus on accuracy and usability.

"Closing the Door" - Dealing With Known Vulnerabilities

Almost all attacks are accomplished using known vulnerabilities. Even Stuxnet utilized a blend of known and 0-day vulnerabilities and would have been severely limited in its scope had there been no vulnerabilities in the networks it attacked. So, making sure that every server, every workstation and every device is up-to-date with the latest security patches should solve the problem.

Unfortunately this is not so simple. Many organizations need to deal with thousands of network assets and small networks often have hundreds. Even if you have every Microsoft patch in place, you still have devices and applications in your network from dozens of other vendors. Moreover, most networks have accumulated applications and code that are no longer in constant use but are kept around, just in case. If these are not actively discovered and patched or removed, then these offer an easy avenue for entry to your system.

A Vulnerability Management Solution such as AVDS automates this process by identifying all the "known" vulnerabilities in your network and prioritizing them based on the importance of the asset and the criticality level of the vulnerability. With vulnerability management you can gain certainty that your limited resources are being applied to the most serious network issues.

Vulnerability Management with Behavior Analysis

You have limited resources and can't afford to spend them chasing vulnerabilities that don't exist and you certainly don't want to miss fixing something really important.

Most Vulnerability Management solutions rely primarily on reading the version number from host banners. They then assume that if version X is present, all the vulnerabilities of version X are also present. This can be false for a number of reasons, including when a fix was backported without changing the version string (common in Linux distributions) or when server or application settings make the vulnerable code unreachable.

Most vulnerability management solutions assume that if a host displays the most current version, then it is free of vulnerabilities. This too may not be the case as a patch may not have completely installed or a machine may not have rebooted.
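As an added example (not part of the original page or of AVDS), the following Python compares a purely version-based banner check with one that also honours vendor backport revisions. The banners, advisory record and backport rule are all constructed for illustration; both checks still only infer state from a banner, which is the limitation the text describes.

```python
import re
from typing import Optional

# Constructed SSH banners (illustrative, not real scan data). host-b is a
# distribution build: upstream version 7.4, but with vendor-backported fixes.
BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_7.4",
    "host-b": "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "host-c": "SSH-2.0-OpenSSH_8.2p1",
}

# Hypothetical advisory: fixed upstream in 7.5; the vendor shipped the fix in
# package revision u5 without bumping the upstream version string.
ADVISORY = {
    "fixed_upstream": (7, 5),
    "backport": {"vendor": "Debian-10", "min_rev": 5},
}

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p\d+)?(?:\s+(\S+))?")

def parse_banner(banner: str):
    """Return (upstream_version, vendor_tag) or None if not an OpenSSH banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), m.group(3)

def naive_check(banner: str) -> Optional[bool]:
    """Version-only logic: anything below the upstream fix is 'vulnerable'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    version, _ = parsed
    return version < ADVISORY["fixed_upstream"]

def backport_aware_check(banner: str) -> Optional[bool]:
    """Also honour vendor revisions that carry the fix under the old version."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    version, vendor_tag = parsed
    if version >= ADVISORY["fixed_upstream"]:
        return False
    bp = ADVISORY["backport"]
    if vendor_tag and vendor_tag.startswith(bp["vendor"] + "+"):
        rev = re.search(r"u(\d+)$", vendor_tag)
        if rev and int(rev.group(1)) >= bp["min_rev"]:
            return False  # fix backported: the naive check is a false positive here
    return True

def compare(banners=BANNERS):
    """Map host -> (naive_result, backport_aware_result) for each banner."""
    return {h: (naive_check(b), backport_aware_check(b)) for h, b in banners.items()}
```

Running `compare()` shows host-b flagged by the naive check but cleared by the backport-aware one; confirming either result still requires observing the host's actual behaviour.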

AVDS applies behavior analysis to vulnerability management. It uses specially crafted queries, and the resulting behavior of network components and web applications, as its primary indicator of whether a specific vulnerability exists. This makes AVDS extremely accurate: it generates nearly zero false positives, and it finds vulnerabilities that other solutions miss (their false negatives).

AVDS for any Vulnerability Management Application

AVDS is available for networks of any size in appliance, hosted and hybrid implementations. It can scan just a few web sites, or manage a large, widely distributed network that extends across business units or continents. Flexible licensing and great support make it a common-sense solution to any vulnerability management requirement.
