In recent years, the IT infrastructures of many companies have become very complex. Plenty of new digital assets have appeared on the perimeters. It is pretty easy to overlook unpatched vulnerabilities in modern, disparate infrastructures. Even a single unnoticed problem will undoubtedly be found and exploited by an attacker. Malefactors scan the internet on an ongoing basis and have plenty of time to prepare for their attacks.
Therefore, the first step in ensuring an organization's protection is building a Vulnerability Management program. It includes searching for and cataloging all digital assets, assessing the security level of the network infrastructure and web applications, developing recommendations for fixing discovered vulnerabilities, and finally checking the implementation of these recommendations.
The essence of Vulnerability Management
There is no longer any doubt that the control of vulnerabilities is necessary. According to experts, two-thirds of web applications contain critical vulnerabilities that allow hackers to steal confidential data and control the operation of the attacked system. The outer perimeters of some companies have old but still working vulnerabilities like BlueKeep and EternalBlue, although patches were released several years ago.
Weak points can be found in almost every part of the infrastructure, so different objects should be covered by the Vulnerability Management:
- Network infrastructure (both external perimeter and local networks.)
- Web applications (corporate portals, client services, etc.)
- Processes (for example, some programs running on the network may have interconnected interfaces.)
- Software distribution.
Having decided what to scan, you need to decide how. There are several options for Vulnerability Management implementation on the market today. Some vendors offer only a scanner without expertise. Other vendors may provide a range of services, including preparing reports. Scanners can be located in the cloud or at the company's perimeter. They can monitor hosts with or without agents. Vendors use quite a few different data sources to replenish their vulnerability databases.
IT perimeter or cloud
There are two main ways to deploy the scanner: on the company perimeter and in the cloud.
The first option guarantees complete control over access (both to hardware and software) and independence from third parties. However, the company must buy the scanner itself and corresponding licenses. You will also spend money on staff training, maintenance of the scanner, as well as on the dedicated analyst who works with scan results.
The cloud service allows not to spend a lot of resources on scanner deployment and maintenance. The company needs to pay for access to the cloud where the scanner is located. This option also provides high fault tolerance due to virtualization, load balancing, etc. At the same time, the involvement of an external provider is fraught with risks. The quality of its services may turn out to be unsatisfactory. Therefore, it is vital to choose a reliable partner with a good reputation.
Does the scanner need an agent?
There are two basic scanning mechanics: with an agent and without an agent. Both options are relevant both for a cloud service and for a scanner located on the perimeter.
Agents are hosted on scan endpoints (hosts) as a service or software. They collect data about these hosts and regularly send information to the main scanner. This approach allows you to monitor devices located outside the network perimeter (for example, laptops of employees who work from home.) However, getting data about scan results is possible only when the device is connected to the internet. In addition, installing agents on laptops that are not networked (that is, employees do not come to the office and do not use a VPN) is a challenge.
Moreover, some agents may not be compatible with certain operating systems. The company may have computers that run on an unsupported or specialized OS. Also, the purchase of each agent for scanning turns into additional expenses.
Agentless scanning allows you to check both locally hosted assets and assets on the external perimeter without imposing compatibility requirements since software installation on the device is not required. In addition, the company does not incur additional costs associated with the deployment of an agent network, support, and purchase of licenses. However, this technology requires that all scanned objects be connected to the scanner.
Not every scanner provides vulnerability management
Today, the information security market can offer plenty of tools related to Vulnerability Management. However, different vendors and information security providers interpret this service differently. As a Vulnerability Management they offer:
- Software for self-scanning.
- Comprehensive information security services that include Vulnerability Management.
- Vulnerability Management services.
When an organization purchases scanning software, it purchases a self-service tool. This is the most expensive option. Depending on where the software is located, the company incurs the following costs:
- When placing a scanner in your infrastructure, you pay for the purchase, installation, equipment support, and licenses. You also pay salaries to full-time information security and IT specialists.
- When placing software in the cloud, you pay for the maintenance of this cloud, for licenses.
Another option is providing Vulnerability Management as part of a comprehensive cybersecurity solution. This is usually cheaper than self-service. On the other hand, Vulnerability Management functionality in such complex solutions is usually heavily reduced.
For example, you can often find a complex offer like an information security audit, where Vulnerability Management is included. But an audit is a one-time activity. The effectiveness of scanning is achieved only through the regularity of this process. Otherwise, it is impossible to see the dynamics of the emergence of new vulnerabilities, build a strategy for their elimination and monitor its implementation. Therefore, when choosing such services, it is essential to understand their complete composition and the problems they resolve, as well as compare them with the current needs of the company.
Finally, the third option is the Vulnerability Management service. In this case, the scanner is hosted in a service provider's cloud. It provides maintenance and experts for processing and analyzing the collected data. Also, as an additional option, some providers offer access to the scanner for the customer's in-house security specialists.
If a service provider offers high-quality service, then this approach will be the most beneficial for the company for a number of reasons. First, better technology can be obtained for less money. Second, the service provider's experts have access to a large-scale and up-to-date vulnerability database collected from other services. Also, the service is more flexible than proprietary software as you can instantly connect new hosts to it without software reconfigurations and purchasing additional licenses. Finally, when you scan on your own, the analysis of the results falls on the shoulders of a full-time security officer, who, in addition to this, has other tasks. In the end, preparing a report can take a lot of time. A service provider usually seeks to shorten the period for preparing a report since the speed of service can be a competitive advantage.
How does the scanner know about vulnerabilities?
To replenish the bank of vulnerabilities, various databases (for example, CVE) can be used. Some vendors do not consider the regional specifics of the scanned objects. As a result, they will have practically no information about vulnerabilities in software that was created, for example, by Chinese companies. Regional vendors, on the contrary, take into account all the peculiarities of the software used in the region by accessing local vulnerability databases. Such scanners have a noticeably lower speed and completeness of obtaining data from international sources.
Of course, the scanner can use both local and international databases simultaneously, but constant synchronization with so many diverse sources is a difficult task. It is necessary to come to an agreement with regulators from different countries, implement the technical compatibility of different sources, spend funds on subscribing to updates of many databases. Therefore, it is easier and more profitable for a vendor to either define a specific region or work globally without delving into local specifics.
As you can see, there are really a lot of Vulnerability Management implementation options. When choosing from different offers on the market, a company should take into account a number of factors: how its IT infrastructure is built, regional peculiarities, the number of remote hosts, availability of full-time specialists to maintain the scanner, and financial reserves for purchasing its own software. The more clearly the company formulates the answers to these questions, the more successful the information security processes will be.