How Vulnerability Management Fits into Cybersecurity

No single security solution can make a network safe from all attacks. Firewalls and IPS can’t keep workstations free of viruses and malware. Antivirus can’t protect the data on a database server. So it’s a matter of balancing multiple solutions. To understand how these solutions complement each other, let’s look at some of the most common security solutions, and how they holistically fit in with one another.

Peripheral Solutions

Every known peripheral (packet watching) security solution can be avoided under the right circumstances, but with proper vulnerability management software in place, such as beSECURE, the attacker who gains admittance to the network will not find internal weaknesses to take advantage of. Here are some examples:

Firewall Attacks

Attackers will always try to use legitimate network access, and will eventually bypass the firewall. Vulnerability Management software finds and helps repair the vulnerabilities that attackers are searching for. If you have no serious vulnerabilities in important assets, then your chances of data loss and your dependence on perfect firewall management are reduced.

Antivirus

Antivirus studies incoming packets, not the system itself, to see if there is a weakness that malicious code can exploit. VAM finds the vulnerabilities and helps you eliminate them. As such, beSECURE complements antivirus software in protecting the system.

Intrusion Detection and Prevention Systems

The ideal IPS installation, with careful maintenance and using the strictest rules possible, will stop 99.9% of malicious packets. Given that even modest networks get thousands a day, that means that only dozens get through under these ideal circumstances. However, such strict settings also capture a great number of valid packets, and false positive rates can exceed double digit percentages. The nearly universal solution in IPS is to stop using the strictest rules and so stop only 99% of the real attacks. Thus, in real-world IPS installations, network assets get hundreds of attack attempts, and ensuring that they are free of vulnerabilities through VAM becomes vital.

Internal Solutions

Attackers are looking for network weaknesses, and these solutions focus on finding the weaknesses first and fixing them.

  • Network scanners, port scanners, IP scanners and network mappers can all assist in the detection of network assets and weaknesses.
  • Vulnerability Management Software – Vulnerability Management solutions first assess the network, then prioritize the weaknesses discovered so that the most important can be addressed first.

Why is Vulnerability Management Important?

Protects Against Web Vulnerabilities

Attacks resulting in data loss are usually performed by exploiting known and well-documented security vulnerabilities in software, network infrastructure, servers, workstations, phone systems, printers and employee devices.

Security flaws are constantly addressed by the vendors, who issue security patches and updates on an ongoing basis. Even in modest-size networks, making sure that all assets are running all the security patches can be a nightmare. A single host that is missing patches or that didn’t get patches installed correctly can compromise the security of the network.

Helps Allocate Resources

There are degrees of compromise, as not all vulnerabilities are created equal and not all assets are of equal importance or are equally available to a hacker’s access. That is where good management comes in. No security effort has an unlimited budget, so vulnerability management software helps focus the available resources on the most serious issues that exist at any one moment.

Omitting Vulnerability Management software is like securing your house with a sophisticated alarm system but leaving the door open (unresolved, known vulnerabilities). This is a vast oversimplification because networks have many hosts and each one of them has dozens of potential issues.

What to Look for in a Vulnerability Scanner Tool

Unsure what you need to look for in a network vulnerability scanner tool? There are a lot of questions, especially when it comes to compliance and protection levels, so be sure to get all of the necessary answers.

Accuracy

The primary requirement for a network vulnerability scanner tool is accurate testing. Poor accuracy produces two kinds of testing error. Overlooking a vulnerability (a false negative) leaves a security flaw you don’t know about. Reporting a vulnerability as present when in fact none exists (false positive) sends you looking for something that can’t be found. Obviously you don’t want either. It’s important for a solution to find the vulnerabilities. But an inaccurate vulnerability scanner report can be more trouble than it’s worth.

If the first 4 vulnerabilities reported by your solution didn’t actually exist upon close examination, it becomes pretty difficult to take the 5th vulnerability seriously.  A report that says there are dozens of serious security issues when there are really only 10 is more distraction than assistance. Also, how valuable is your time? Your security budget doesn’t get larger just because your VA system says there *may be* dozens or hundreds of vulnerabilities on your network.

The hidden cost of an inaccurate vulnerability scanner tool is the man-hours it takes to chase false positives, and prove that they are false. The total cost of ownership of a VA system with a 5 to 8% false positive rate is doubled when the time to verify and eliminate false positives is included. Even a 2% error rate can be a headache.

Simple, fast and comprehensive vulnerability scanning

Manual vulnerability scanner tools are problematic for complicated, large or widely distributed networks because of the man-hours it takes to maintain them, and they are used infrequently. Tools that aren’t automated can be time-consuming to set up and operate, can be plagued by high false positive rates, and can cause network resource issues.

Vulnerability scanning tools need to:

  1. Get your tactical security work done routinely and quickly
  2. Provide the fixes you and your staff need for fast mitigation
  3. Automatically scan and find new equipment, open ports and apps
  4. Scale to handle multiple networks, business units, security teams

Compliance

The frequency and increasing severity of today’s security threats are forcing companies to:

  1. Simplify PCI-DSS, GDPR, SOX and HIPAA compliance
  2. Strengthen current network security processes and procedures to protect against attacks by both external and internal threats
  3. Deploy security solutions that can span the entire company and compile cumulative reporting
  4. Respond to Security Compliance mandates, IT upgrades and internal policy changes
  5. Perform penetration tests.

Your vulnerability scanner needs to complement, support and simplify your work on meeting compliance standards, and to do this with actual and measurable improvement in network security.  

Automation

Vulnerability scanning can be done weekly or monthly, if properly automated. Your team may not act on every scan, but when it is ready to take action, having recently completed scans makes it possible to put their precious time into the most important vulnerabilities present at that moment. Multiple levels of reporting should allow each stakeholder in each business unit the level of detail they need to act.

The right tool will pinpoint your most vulnerable IPs at any one time by either a ranked list or a drill-down graph. It should identify exactly which patches, solutions and workarounds to install, and re-scan networks and hosts after solutions have been implemented to verify and document compliance and remediation.
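
The ranked list and the verification re-scan described above, together with the prioritization by severity, asset importance and exposure from "Helps Allocate Resources", can be sketched in a few lines. This is an added example, not beSECURE code or output; the hosts, finding IDs, scores and the exposure multiplier are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed), one tuple per finding:
# (host, finding_id, severity 0-10, asset_criticality 1-5, internet_exposed)
BASELINE = [
    ("10.0.0.5", "FINDING-A", 9.8, 5, True),
    ("10.0.0.5", "FINDING-B", 5.3, 5, True),
    ("10.0.0.7", "FINDING-A", 9.8, 2, False),
    ("10.0.0.9", "FINDING-C", 7.5, 3, False),
    ("10.0.0.12", "FINDING-C", 7.5, 1, False),
]
RESCAN = [
    ("10.0.0.5", "FINDING-B", 5.3, 5, True),
    ("10.0.0.7", "FINDING-A", 9.8, 2, False),
    ("10.0.0.9", "FINDING-D", 6.1, 3, False),
]
RESCAN_HOSTS = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}  # 10.0.0.12 was offline

def risk(severity, criticality, exposed):
    """Severity weighted by asset importance and reachability (assumed weights)."""
    return round(severity * criticality * (2.0 if exposed else 1.0), 1)

def rank_hosts(findings):
    """Return [(host, total_risk)] with the most at-risk host first."""
    totals = defaultdict(float)
    for host, _fid, sev, crit, exposed in findings:
        totals[host] += risk(sev, crit, exposed)
    return sorted(((h, round(t, 1)) for h, t in totals.items()),
                  key=lambda item: (-item[1], item[0]))

def verify_remediation(baseline, rescan, scanned_hosts):
    """Diff two scans by (host, finding). A finding that disappeared only
    counts as fixed if its host was actually reached by the re-scan."""
    before = {(h, f) for h, f, *_ in baseline}
    after = {(h, f) for h, f, *_ in rescan}
    gone = before - after
    return {
        "fixed": sorted(k for k in gone if k[0] in scanned_hosts),
        "unverified": sorted(k for k in gone if k[0] not in scanned_hosts),
        "still_open": sorted(before & after),
        "new": sorted(after - before),
    }

if __name__ == "__main__":
    print(rank_hosts(BASELINE))
    print(verify_remediation(BASELINE, RESCAN, RESCAN_HOSTS))
```

With this sample data, the internal host carrying the 9.8-severity finding ranks below a host with a lower-severity finding on a more important asset, and the finding on the offline host is reported as unverified rather than fixed.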

Solutions to vulnerabilities delivered

Each vulnerability scanner report should contain the exact solutions needed to repair the problems found. This in-depth information should show how to fix and improve the security of your network, both as a whole and for each of the devices in it. The recommended solutions include device-specific information as well as custom-tailored solutions for your environment.

Manage vulnerabilities across the enterprise with one tool

Whether your network is as small as one LAN, involves hundreds of business units, or crosses continents, all testing and report generation of your chosen vulnerability scanner tool should be managed from one location. Individual reports can be automatically delivered to each business unit.
