BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Unified Vulnerability Management – From The Cloud to Agents

Post by Morey Haber June 23, 2011
I have written a few articles regarding comments from analysts and found a recent one that needs more visibility. In a recent paper, the analyst stated that any enterprise vulnerability assessment deployment should have at least 2 of 3 following technologies deployed for full coverage while performing a vulnerability assessment:
  1. Network Based Vulnerability Assessment Scanner – This is a traditional network based vulnerability assessment scanner.
  2. Agent Based Vulnerability Assessment Scanner – For devices that air gapped, mobile, hardened or do not permit a network based scan, agent based technology provides the solution to gather the required information.
  3. Passive Network Traffic Analysis – Using tools like a sniffer, traffic is decoded and vulnerabilities identified based on packet contents.

What was intriguing about this piece is that no vulnerability assessment vendor in the market place actually can do all three items within their own solution set. In fact, the leading vendors (in terms of revenue) only do one item and only two vendors can do two (eEye is one of the two).

These facts lead to some interesting questions regarding vulnerability assessment coverage, especially around regulatory compliance. Let’s take PCI for example. All assets that have sensitive card holder data need to be assessed for vulnerabilities. Traditionally administrators think of this as the card holder network and generally secured in the data center. In reality, this includes mobile devices team members use to take sales orders and executives that may have sensitive financial information in relationship to SOX or GLBA. A traditional network based vulnerability assessment solution is not enough to cover these devices. The targets are not reliably connected to the network nor have the privileges or open firewall settings to allow a network based authenticated scan into the device. This is why the analyst recommends item #2.

Item #3 makes perfect sense as well but in reality only works for non encrypted traffic. In addition, the deployment requires sensors on uplinks and on all wide area network branches for proper coverage. For an enterprise, this represents a very large quantity of devices that can only assess a very small fraction of the traffic being sniffed on the wire. If the environment uses open source products, the false product rate generally is quite high since patches using the source in embedded solutions do not always modify the revision of headers and banners in order to stay in sync with the open source release.

This brings me back to the general statement made in the beginning of the blog. The analyst recognizes that proper coverage for vulnerability assessment is more than a network scanner. It is much more than a cloud based solution with appliances probing your network. That architecture can only see devices when they are connected to the network. So, ask yourself the following questions:

  • What about all the devices that are not reliably connected? 
  • What about the devices that are hardened and opening ports and firewalls to run a scan are just not an acceptable risk?
  • Do mobile devices have any sensitive data? How are you monitoring their vulnerabilities?
  • Do you have two of the three assessment techniques in place today?
  • eEye can provide complete coverage for vulnerability assessment with network scanners and host based vulnerability assessment agents. We are the only vendor with both solutions natively integrated into a single console for complete management, control, and reporting of vulnerabilities from a single pane of glass. This analyst understands the threats that clients are truly experiencing and that with the expansion of cloud computing and mobile devices, a network scan alone is not enough. A more comprehensive approach is required and eEye has that solution.

    For more information on Retina, please contact eEye by clicking here.

    Leave a Reply

    Additional articles

    smart rules manager for vulnerabilities - v2

    A New Way of Looking at Vulnerabilities in Your Environment

    Assets, users, vulnerabilities and exploits; all are common themes in my posts on BeyondInsight. With BeyondInsight v5.1, we unveiled a new way to view exploitable assets. Sure, most vulnerability management solutions link vulnerability data to exploit information, allowing tools like NeXpose and QualysGuard to list an asset, its vulnerabilities, and any related exploits. BeyondInsight does…

    Post by Morey Haber April 23, 2014
    Tags:
    , , , , ,
    smart rules manager for vulnerabilities

    Staying on Top of the Latest Vulnerabilities with BeyondInsight v5.1

    It’s no secret that dozens of new OS and application vulnerabilities are revealed every day. Staying on top of these new exposures normally requires paying for services or subscribing to multiple RSS feeds. BeyondInsight 5.1 provides customers with another option: a built-in, customizable vulnerability alerting system that delivers up-to-date information on the latest vulnerabilities in…

    Post by Morey Haber April 21, 2014
    Tags:
    , , , , , ,
    BI-Qualys-Connector-IMG1

    Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

    If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

    Post by Morey Haber April 18, 2014
    Tags:
    , , , , , , , ,