Evolution

Ron Gula of Tenable Network Security hosted a webinar yesterday on the future of vulnerability management. It was an excellent webinar that really started me thinking on what my own views are regarding the future of vulnerability management. Many of the observations Ron made were in sync with our own experience here at StillSecure. We see vulnerability management as undergoing a very profound change in the market, and as security vendors it is important that we recognize this to stay current and relevant.
To understand where the market in vulnerability management is going, I think you have to look at where it has been. At StillSecure, our VAM product has been in the market since September of 2002. We have seen many changes in the market since then and like to think that we helped bring many of them about. So for a moment, let's go back to those dark days right after 9/11/01 when our ideas for VAM were being formulated (VAM has nothing to do with 9/11, I just remember us working on the idea around that time). At that time vulnerability management really meant scanning and reporting. Generally a vulnerability scan was done, usually manually, once a year or maybe twice a year. A report was generated showing all of the vulnerabilities found. This was usually put into a spreadsheet that someone was then responsible for tracking. You had to track down and filter out the false positives and see if you could fix the real vulnerabilities. I always say it was a form of job security, similar to bridge painters. By the time you got done painting the whole bridge from start to finish, it was time to start painting again. Same with vulnerability management. By the time you remediated the last vulnerability on the report, it was time to run a vulnerability scan again.
We saw two things that were critical to the process that were missing. One was the automation of network discovery and vulnerability scanning. The second was a closed-loop process to manage remediation from discovery through confirmation, repair assignment, verification of repair and reporting. When VAM came out in Sept. 2002, this was pretty cutting edge. Most of the competition was just manual scan and report. Over time much of our competition has caught up, and today there are several good commercial VM solutions available. The next evolutionary step we saw in VM was integration. VM is very much an enterprise problem. As such it does not exist in a vacuum; it works with and is intrinsically linked to other security and management processes and applications. Therefore, in order to be successful, a VM tool has to be able to leverage your existing investments in systems for patch management, trouble ticketing, network management, configuration management, etc. Again, we came out with this years ago as an enterprise integration framework. Today, most good VM solutions have published APIs and integration into systems such as those above.
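To make the closed-loop idea concrete, here is an added example (not StillSecure's VAM code, and not from the webinar) of a small remediation tracker that reconciles successive scan results: new findings are discovered and assigned to an owner, a claimed repair is only marked verified when the host is rescanned and the finding is gone, a finding that reappears after verification is reopened, and a host that was not covered by the latest scan leaves its findings untouched instead of silently "closing" them. The `owner_for_host` routing function, the state names and the scan records are all assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Finding:
    host: str
    vuln_id: str            # scanner check id; constructed values used below
    severity: str
    owner: str
    state: str = "assigned"  # assigned -> repair_claimed -> verified (or false_positive)
    first_seen: Optional[date] = None
    last_seen: Optional[date] = None
    history: List[Tuple[date, str]] = field(default_factory=list)


class RemediationTracker:
    """Closed loop: discovery -> assignment -> repair claim -> verification -> report."""

    OPEN_STATES = ("assigned", "repair_claimed")

    def __init__(self, owner_for_host: Callable[[str], str]):
        self.findings: Dict[Tuple[str, str], Finding] = {}
        self.owner_for_host = owner_for_host  # assumed routing rule (e.g. from a CMDB)

    def ingest_scan(self, scan_date: date, hosts_scanned: Set[str], results: Iterable[dict]) -> None:
        """Reconcile one scan's results against the tracked findings."""
        present: Set[Tuple[str, str]] = set()
        for r in results:
            key = (r["host"], r["vuln_id"])
            present.add(key)
            f = self.findings.get(key)
            if f is None:
                # Discovery: record it and assign straight away.
                f = Finding(r["host"], r["vuln_id"], r["severity"],
                            self.owner_for_host(r["host"]),
                            first_seen=scan_date, last_seen=scan_date)
                f.history.append((scan_date, f"discovered; assigned to {f.owner}"))
                self.findings[key] = f
                continue
            f.last_seen = scan_date
            if f.state == "repair_claimed":
                # The admin said it was fixed, but the scanner still sees it.
                f.state = "assigned"
                f.history.append((scan_date, "still detected; repair not verified"))
            elif f.state == "verified":
                f.state = "assigned"
                f.history.append((scan_date, "regressed; reopened"))
        # Verification: only a clean rescan of the same host closes a finding.
        for key, f in self.findings.items():
            if key in present or f.state not in self.OPEN_STATES:
                continue
            if f.host not in hosts_scanned:
                f.history.append((scan_date, "host not scanned; no change"))
            else:
                f.state = "verified"
                f.history.append((scan_date, "no longer detected; verified fixed"))

    def claim_repair(self, host: str, vuln_id: str, when: date) -> None:
        f = self.findings[(host, vuln_id)]
        f.state = "repair_claimed"
        f.history.append((when, "repair reported by owner"))

    def mark_false_positive(self, host: str, vuln_id: str, when: date) -> None:
        f = self.findings[(host, vuln_id)]
        f.state = "false_positive"
        f.history.append((when, "reviewed; false positive"))

    def report(self) -> Dict[str, int]:
        """Counts per state; the raw material for a trend report."""
        counts: Dict[str, int] = {}
        for f in self.findings.values():
            counts[f.state] = counts.get(f.state, 0) + 1
        return counts


def demo() -> Dict[str, int]:
    # Constructed scan data for two scan cycles.
    t = RemediationTracker(owner_for_host=lambda h: "unix-team" if h.startswith("10.0.0.") else "net-team")
    scan1 = [
        {"host": "10.0.0.5", "vuln_id": "VULN-A", "severity": "high"},
        {"host": "10.0.0.5", "vuln_id": "VULN-B", "severity": "medium"},
        {"host": "10.0.1.9", "vuln_id": "VULN-A", "severity": "high"},
    ]
    t.ingest_scan(date(2002, 9, 1), {"10.0.0.5", "10.0.1.9"}, scan1)
    t.claim_repair("10.0.0.5", "VULN-A", date(2002, 9, 10))
    t.claim_repair("10.0.0.5", "VULN-B", date(2002, 9, 10))
    # Second cycle: 10.0.1.9 was offline and not scanned; VULN-B is still present on 10.0.0.5.
    scan2 = [{"host": "10.0.0.5", "vuln_id": "VULN-B", "severity": "medium"}]
    t.ingest_scan(date(2002, 10, 1), {"10.0.0.5"}, scan2)
    return t.report()


if __name__ == "__main__":
    print(demo())
```

The point of the `hosts_scanned` argument is the subtle part: a finding absent from a scan is only evidence of repair when the scanner actually reached the host, so the tracker distinguishes "verified fixed" from "not re-tested" rather than letting an unreachable host look like progress.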
Another key evolutionary step was correlation. Actually, the folks at Tenable jumped on this one early on. Much of the correlation has to do with correlating vulnerability data with IDS/IPS data or syslog files. This sort of crossed the line into SEM or SIM territory, but the key for me is what action is taken as a result of the correlation. Correlation for correlation's sake alone is not enough; it must be actionable. We took a slightly different tack, in that we import vulnerability data directly into our IPS so it can take action accordingly. Again, today several of the leading VM solutions perform some correlation with IDS/IPS and other systems.
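As an added illustration of "actionable" correlation (this is example code, not StillSecure's or Tenable's implementation), the block below joins IDS alert lines against a vulnerability inventory and turns each alert into a disposition and a recommended defender action: an alert whose target actually carries the referenced vulnerability is escalated, an alert against a host known not to have it is logged only, and an alert against a host the scanner has never seen triggers a discovery scan. The syslog-like alert format, the `ref=` field carrying the scanner's check id, and all hosts and ids are constructed assumptions.

```python
import re
from collections import namedtuple
from typing import Dict, Iterable, List, Set

# Assumed alert line format for this example (not any real product's format).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) IDS sig=(?P<sig>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) ref=(?P<ref>\S+)$"
)

Correlated = namedtuple("Correlated", "ts src dst ref disposition action")


def parse_alert(line: str) -> dict:
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    return m.groupdict()


def correlate(alert_lines: Iterable[str], inventory: Dict[str, Set[str]]) -> List[Correlated]:
    """Join each IDS alert with the scanner's view of the destination host.

    inventory maps host -> set of vuln ids currently open on that host; a host present
    with an empty set was scanned and found clean, a host absent was never scanned.
    """
    out: List[Correlated] = []
    for line in alert_lines:
        a = parse_alert(line)
        host_vulns = inventory.get(a["dst"])
        if host_vulns is None:
            disposition = "unknown_host"
            action = f"schedule discovery and vulnerability scan of {a['dst']}"
        elif a["ref"] in host_vulns:
            disposition = "exposed"
            action = f"escalate: open high-priority ticket for {a['ref']} on {a['dst']}"
        else:
            disposition = "not_vulnerable"
            action = "log only"
        out.append(Correlated(a["ts"], a["src"], a["dst"], a["ref"], disposition, action))
    return out


def summarize(results: Iterable[Correlated]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in results:
        counts[r.disposition] = counts.get(r.disposition, 0) + 1
    return counts


# Constructed sample data: three alert lines and a two-host inventory.
SAMPLE_ALERTS = [
    "2002-09-12T10:00:01 IDS sig=1001 src=192.0.2.10 dst=10.0.0.5 ref=VULN-A",
    "2002-09-12T10:00:02 IDS sig=1002 src=192.0.2.10 dst=10.0.0.5 ref=VULN-B",
    "2002-09-12T10:00:03 IDS sig=1001 src=192.0.2.11 dst=10.0.0.9 ref=VULN-A",
]
SAMPLE_INVENTORY = {"10.0.0.5": {"VULN-A"}, "10.0.0.7": set()}

if __name__ == "__main__":
    for r in correlate(SAMPLE_ALERTS, SAMPLE_INVENTORY):
        print(r.ts, r.dst, r.ref, r.disposition, "->", r.action)
    print(summarize(correlate(SAMPLE_ALERTS, SAMPLE_INVENTORY)))
```

The design choice worth noting is the three-way split rather than a binary match: treating "host not in inventory" as "not vulnerable" would hide exactly the hosts that discovery has missed, which is the gap automated discovery was meant to close.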
So what is next? This is why I sat in on Ron's webinar. I think to a certain extent the VM vendors themselves are asking the same question. A couple of things are apparent. First of all, the reporting function has grown tremendously. Today reporting is really about risk management. Like our own Security POV module for VAM, reporting and risk management has to be able to show, with historical context, how the enterprise is faring at managing the risk of vulnerabilities. Reporting has to be tailored for compliance issues such as SOX, PCI, FISMA, etc. Different reports need to be generated for different levels of the organization (CIO, auditors, sys admins, etc.). Reports have to be generated on the fly and delivered automatically to the relevant parties. What else is needed? NAC has certainly influenced VM. In fact NAC in some ways is real-time actionability for VM. Instead of testing on a pre-determined or random schedule, devices can now be tested whenever they log on (though a NAC policy test is, and should be, very different from a vulnerability scan). I think correlation and interoperability of NAC and VM systems will become more prevalent. Expect something from StillSecure soon on this. Configuration management is another one. The scanning and patching game is to some extent like chasing your tail. You never quite win. Better to be proactive with configuration management. Is patching the right way? With so many vulnerabilities and patches constantly flooding us, is there another way?
We could go on for longer on this and I welcome your comments and thoughts. I do know that we have not seen the final chapter in the evolution of vulnerability management and I am looking forward to what else will come down the road. BTW, Ron is doing a few more webinars on VM. You can find out about them at the Tenable site.