It always surprises me to find how many organizations believe that a vulnerability scanner is equivalent to a Vulnerability Management Program. A vulnerability scanner can be of great help to a Vulnerability Management Program, but a scanner is just one component of a Vulnerability Management Program. Equating Vulnerability Scanners to Vulnerability Management Programs is similar to equating steering wheels to cars. No one would argue that a car isn't made of many more components than just a steering wheel. Similarly, Vulnerability Management Programs are made of many more components than just a vulnerability scanner. Do cars need steering wheels? Absolutely. Are steering wheels cars? Absolutely not.
How Vulnerability Scanners Can Help (Frodo…Maybe I can help carry the ring for a while?)
In addition to the ability to scan devices in order to find technical vulnerabilities, many vulnerability scanners come with a lot of really great tools.
These tools can greatly assist with the development of a solid Vulnerability Management Program. I have especially been impressed with the Qualys and Nexpose tools that help with asset classification (which ties into reports used for prioritization of remediation efforts), reporting, and ticketing systems.
- Asset Classification Assistance Tool – Asset Classification is extremely important to a Vulnerability Management Program. Assets must be properly classified in order to prioritize remediation efforts. Asset classification is also important when it comes to determining the true impact the exploitation of a particular vulnerability will have on the organization. Both Qualys and Nexpose provide tools that enable someone to set the criticality of a particular asset or asset group. Reports can then be run that correlate asset criticality with identified vulnerabilities. These reports can then be used in order to assist with prioritizing remediation efforts.
- Reporting – Both Qualys and Nexpose have extensive reporting capabilities. These reports can be very helpful when the organization needs to review how the scanner identified a particular vulnerability (this helps with eliminating false positives and validating that a vulnerability has been remediated), providing information on how to remediate specific vulnerabilities to internal personnel, performing vulnerability trending and analysis, and tracking vulnerability remediation efforts.
- Ticketing Systems – Both Qualys and Nexpose have ticketing systems. Ticketing systems can be used to track vulnerability remediation efforts. Ticketing helps with tracking which vulnerabilities are open and which have been closed, determining the current threat posture of the organization's external and/or internal networks, and measuring how long it takes to remediate specific vulnerabilities.
All of these tools have their place in a solid Vulnerability Management Program, but even with all these extra bells and whistles, they do not equate to a Vulnerability Management Program.
What Vulnerability Scanners Cannot Do (I am a Vulnerability Scanner and I cannot create round squares or married bachelors)
Vulnerability scanners are part of every solid Vulnerability Management Program, but there are a number of things that a vulnerability scanner cannot do. Just to name a few, vulnerability scanners are unable to actually classify assets or determine service level agreements for remediation efforts, determine who needs to remediate what vulnerabilities, or perform root cause analysis.
- Asset Classification – Tools may be used to track asset criticality, correlate asset criticality with identified vulnerabilities, and track the remediation of vulnerabilities on critical assets, but in the end, the tool is unable to determine the actual criticality of a particular asset. The data needed to determine system criticality must be provided by a security professional. Asset classification is not always a straightforward process. Things like business impact, the kind of data being stored/processed/transmitted by the system, cost per minute of downtime, etc. must be considered when determining asset criticality. To give just a few examples, asset classification should tie directly into SLAs for system downtime, the level of testing patches and configuration changes must go through before being applied to production systems, and how long internal personnel have to remediate a specific vulnerability on a specific system. These tasks are normally tied into and enforced by policies and procedures. A tool is unable to create and/or enforce policies and procedures. The creation and enforcement of such policies and procedures must be performed by internal personnel (or at least until Skynet rises).
- Asset Ownership – I could use a tool and program it in such a way that when a vulnerability is discovered on “Server A” it sends a notification to “Person X”. Although a tool can follow these instructions, it is unable to provide the initial conditions needed to send these notifications. In addition, if “Person X” leaves the organization, the tool does not understand that it needs to update the point of contact to “Person Y”. Asset ownership cannot be determined by a tool. An actual human must perform this task.
- Root Cause Analysis – Without root cause analysis there is a great chance that vulnerabilities identified by one scan will continue to re-occur on a regular basis. A vulnerability scanner cannot determine if the organization's patch management program is flawed, or if the organization has Minimum Security Baseline policies in place to require patches to be applied to all servers before they are placed in a production environment. Vulnerability scanners can provide data regarding the specific vulnerabilities they identify, but it takes trained security personnel to properly trend the vulnerability scanner's findings and determine the root cause of the problem.
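To make the division of labor concrete, here is an added Python example (not from the post, and not Qualys or Nexpose code) that joins constructed scanner findings with a human-maintained asset criticality and ownership table, assigns hypothetical remediation SLA deadlines, and flags findings that recur across successive scans as candidates for root cause analysis. The host names, vulnerability labels, owners and SLA day counts are all assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Human-supplied inputs the scanner cannot produce on its own (constructed sample values).
ASSET_CRITICALITY = {"db01": "high", "web01": "medium", "kiosk03": "low"}
ASSET_OWNER = {"db01": "dba-team", "web01": "web-team", "kiosk03": "facilities"}

# Hypothetical remediation SLA in days, keyed by (asset criticality, scanner severity).
SLA_DAYS = {("high", "critical"): 7, ("high", "high"): 14, ("high", "medium"): 30,
            ("medium", "critical"): 14, ("medium", "high"): 30, ("medium", "medium"): 60,
            ("low", "critical"): 30, ("low", "high"): 60, ("low", "medium"): 90}
CRIT_RANK = {"high": 3, "medium": 2, "low": 1}
SEV_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed output of three consecutive monthly scans: one finding = one dict.
SCANS = [
    [{"host": "db01", "vuln": "VULN-1 missing OS patch", "severity": "high"},
     {"host": "web01", "vuln": "VULN-2 weak TLS configuration", "severity": "medium"}],
    [{"host": "db01", "vuln": "VULN-1 missing OS patch", "severity": "high"},
     {"host": "kiosk03", "vuln": "VULN-3 outdated web server", "severity": "critical"}],
    [{"host": "db01", "vuln": "VULN-1 missing OS patch", "severity": "high"},
     {"host": "web01", "vuln": "VULN-2 weak TLS configuration", "severity": "medium"}],
]
SAMPLE_SCAN_DATE = date(2024, 1, 1)


def prioritize(findings, scan_date):
    """Correlate findings with asset criticality; return tickets, most urgent first."""
    tickets = []
    for f in findings:
        crit = ASSET_CRITICALITY.get(f["host"], "low")  # unclassified asset: treat as low
        days = SLA_DAYS.get((crit, f["severity"]), 90)  # unmapped combination: 90 days
        tickets.append({
            "host": f["host"], "vuln": f["vuln"], "criticality": crit,
            "owner": ASSET_OWNER.get(f["host"], "unassigned"),  # a human must fill this in
            "due": scan_date + timedelta(days=days),
            "score": CRIT_RANK[crit] * 10 + SEV_RANK.get(f["severity"], 0)})
    return sorted(tickets, key=lambda t: (-t["score"], t["due"]))


def recurring(scans, min_hits=2):
    """Count scans in which each (host, vuln) pair appears; repeats hint at a process root cause."""
    seen = Counter()
    for findings in scans:
        for key in {(f["host"], f["vuln"]) for f in findings}:
            seen[key] += 1
    return {k: v for k, v in seen.items() if v >= min_hits}


if __name__ == "__main__":
    for t in prioritize(SCANS[1], SAMPLE_SCAN_DATE):
        print(f"{t['host']:8} {t['criticality']:6} owner={t['owner']:10} due={t['due']} {t['vuln']}")
    print("recurring:", recurring(SCANS))
```

The repeat count from recurring() is the kind of trend a person then has to explain: a patch that keeps going missing on db01 points at the patch management process, not at db01.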
Conclusion (Death is a natural part of life. Rejoice for those who transform into the Force)
Although vulnerability scanners can greatly assist in a Vulnerability Management Program, we should realize that they are not the program itself. Vulnerability Scanners in and of themselves can do nothing to improve the organization’s security posture. A Vulnerability Management Program combines vulnerability scanners with knowledgeable security personnel and solid process, policies, and procedures. Great Vulnerability Management Programs can take time to build, but can greatly benefit your organization.