Vulnerability assessments are an important part of security, but they are not always enough on their own. Some vendors provide only pieces of the solution, while others have expanded their portfolios into a more comprehensive offering that helps organizations find and address vulnerabilities efficiently. Choosing the vendor that will work best for you depends on understanding the use cases and capabilities each vendor supports and comparing them against your own needs before making any decisions.
Read on for insights from Gartner’s Market Guide for Vulnerability Assessment for 2021 that can help you understand the coverage and capabilities of a wide range of vulnerability assessment solutions, along with an overview of vendor offerings.
Desired capabilities of vulnerability assessment tools
Vulnerability assessment (VA) tools identify, categorize, prioritize and orchestrate mitigation of vulnerabilities. VA tools provide an excellent way to stay on top of your security posture. They help you discover, identify and report on software vulnerabilities, and establish baselines so that changes in state can be tracked over time. They give organizations reporting options for compliance, control frameworks and multiple roles, and provide pragmatic remediation prioritization based on correlated vulnerability severity.
VA tools also offer guidance for correcting findings and configuring compensating controls. They manage scanner instances, agents and API gateways, and support direct integration with, or API access to, asset management, workflow management and patch management tools.
Risk-based vulnerability management
Vulnerability management (VM) is a crucial part of any security operation. How it is included in the process varies with the size and maturity of the organization. Some organizations use VA as an independent audit or assessment tool to check whether risks from potential vulnerabilities have been appropriately assessed, while others rely more heavily on its operational capacity to assist IT operations.
The ultimate measure of a VM program’s success is actual risk reduction. VA tools alone cannot provide better visibility and reduce exposure in the least amount of time. Achieving the desired results requires an appropriate combination of integrated and enabling toolsets that work through the entire vulnerability life cycle.
The figure below shows the moving parts of a risk-based vulnerability management program and the capability each technology provides in its phase of the vulnerability life cycle.
Vulnerability Assessment (VA)
In recent years, many users have been focusing more on traditional VA. Vendors are now adding newer technologies such as network and cloud coverage and have started offering various levels of sophistication in vulnerability prioritization. Security configuration assessment (SCA), a feature of VA tooling, remotely assesses and verifies the vulnerabilities and configurations of systems in an environment. According to Gartner’s research, it is common for customers to purchase tools that perform unified vulnerability and SCA scanning.
VA solutions are maturing in their cloud use cases and matching the pace of dynamic cloud workloads with continuous scanning services. Different VA vendors take different approaches toward operational technology (OT) assessment. OT requires careful consideration, as the balance between business risk and security risk differs from that of IT.
Penetration testing, or pentesting, gives insight into whether systems are vulnerable and can actually be exploited. It finds as many weaknesses as possible in a set amount of time and makes recommendations for treatment. In Gartner’s risk-based vulnerability management (RBVM) methodology, pentesting has an important role in the assessment and prioritization of vulnerabilities.
Vulnerability Prioritization Technology (VPT)
Vulnerability Prioritization Technology tools have completely revolutionized the standardized VA market. These solutions are used not only to identify new threats but also to provide intelligence on what an organization’s servers should look like in order to stay secure against known risks. VPT tools analyze and prioritize vulnerabilities using threat intelligence, organizational asset context and risk modeling approaches such as attack path analysis. Leading VPT vendors have started focusing more on the reporting capabilities of their products. Some of these tools provide benchmarking functions too!
Breach and Attack Simulation (BAS)
BAS vendors deploy technology at various points within the environment, using agents or virtual machines to actively test for exposure by simulating common methods used by attackers seeking access to your network. BAS is used more as a security control validation tool.
BAS tools help security teams understand which vulnerabilities are most profitable for attackers to exploit so that those can be monitored and protected against. Instead of covering every potential weakness, they concentrate on the ones that can be reliably exploited and help teams take adequate measures to address the discovered vulnerabilities and exposures.
Tips to select the suitable vulnerability assessment vendor
- Most VA tools can identify and scan for vulnerabilities. Select a comprehensive VA tool and a vendor that aligns with your organization’s computing architecture, so that your IT assets are widely supported.
- To manage cyber risk, implement a risk-based vulnerability management approach by leveraging VPT tools. Tools that account for exploitability, prevalence in malware and exploit kits, asset context and active exploitation by threat actors assess cyber risk well. Identifying and prioritizing the most pressing cyber security issues remains the key capability to look for in VA vendors.
- Evaluate the workflows and integrations that VA tools provide for remediation, and that VPT vendors provide for orchestration in addition to prioritization. This capability matters most for organizations whose VA tools lack remediation automation.
- Organizations with a substantial remote workforce should evaluate the scanning and patching ability of VA vendors’ agent-based solutions and of the VA features present in endpoint products.
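As an added illustration of the risk-based prioritization described above (this is example code, not from the Gartner guide or any vendor’s product), the Python below combines the factors the tips list names: base severity, exploitability, prevalence in exploit kits, active exploitation by threat actors, and asset context. The weights, remediation tiers, findings and CVE-style identifiers are all constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability instance on one asset, with the context a VPT tool would attach."""
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # base severity, 0.0 to 10.0
    asset: str
    asset_criticality: int    # asset context: 1 (lab box) .. 5 (crown jewel)
    internet_exposed: bool    # asset context: reachable from the internet
    exploit_public: bool      # exploitability: working exploit code is public
    in_exploit_kit: bool      # prevalence in malware / exploit kits
    actively_exploited: bool  # threat intel reports active exploitation

# Hypothetical multipliers; a real program would tune these to its own risk appetite.
THREAT_WEIGHTS = {"exploit_public": 0.5, "in_exploit_kit": 0.75, "actively_exploited": 1.5}
EXPOSED_MULTIPLIER = 1.5

def risk_score(f: Finding) -> float:
    """Severity scaled by threat activity and by how much the asset matters."""
    threat = 1.0 + sum(w for flag, w in THREAT_WEIGHTS.items() if getattr(f, flag))
    exposure = EXPOSED_MULTIPLIER if f.internet_exposed else 1.0
    context = f.asset_criticality / 5.0
    return round(min(f.cvss * threat * exposure * context, 100.0), 2)

def remediation_tier(score: float) -> str:
    """Map a score onto constructed SLA buckets for the remediation workflow."""
    if score >= 30.0:
        return "immediate"
    if score >= 10.0:
        return "30-days"
    return "next-cycle"

def prioritize(findings: list[Finding]) -> list[tuple[str, float, str]]:
    """Return (vuln_id, score, tier) ordered from most to least urgent."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.vuln_id, risk_score(f), remediation_tier(risk_score(f))) for f in ranked]

# Constructed sample: a critical-CVSS finding on an isolated lab host versus a
# lower-CVSS finding that is actively exploited on an internet-facing crown jewel.
SAMPLE = [
    Finding("VULN-A", 9.8, "lab-01", 1, False, False, False, False),
    Finding("VULN-B", 7.5, "payments-gw", 5, True, True, True, True),
    Finding("VULN-C", 8.8, "web-portal", 4, True, True, False, False),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Severity alone would put VULN-A first; weighting threat activity and asset context moves the actively exploited, internet-facing finding to the top of the queue.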
VA tool buyers are focusing on comprehensive tools that not only identify vulnerabilities but also proactively assess, manage and report the risks those weaknesses pose. VA tool vendors, in turn, have expanded their coverage of nonstandard IT assets, specifically mobile, cloud, operational technology (OT) and Internet of Things (IoT), and have started offering capabilities that help prioritize and improve remediation activities. Vendors in adjacent markets are building out their VA capabilities by adding more coverage and risk context and by supporting assessment and prioritization features.