Vulnerability Management Buyer’s Guide
10 Essential Questions to Ask Your VM Vendor

FOUNDATIONAL CONTROLS FOR SECURITY, COMPLIANCE & IT OPERATIONS

Knowledgeable IT, compliance, and security professionals understand the critical role vulnerability management (VM) plays in risk reduction and compliance. From helping ensure availability and uptime to hardening systems against cyberthreats, a solid VM program aligns your organization with cybersecurity best practice frameworks like the Center for Internet Security’s CIS Controls.

Virtually every major control framework asserts that without comprehensive visibility into all the hardware and software assets on the network, risk and compliance profiles will never be complete and accurate. Approaching VM from multiple perspectives can dramatically improve accuracy because data from a variety of sensors can be correlated to prioritize resources where the next attack is likely to occur.

However, after investing in VM products and services, you may have discovered that some VM solutions have serious limitations. For example, you may experience challenges scaling to large environments, or stretching to support other key controls like integrity and configuration management, or meeting various compliance requirements.

Due to rapid adoption of cloud technologies and movement toward hybrid environments, large-scale networks are in a state of constant change. New physical and virtual devices are being added to networks, modified and then removed at a faster pace than ever. Some of these changes are unauthorized and introduce new vulnerabilities. Even if these vulnerabilities are temporary (as in virtual and cloud infrastructures) or on remote or business partner networks, they can still leave the door open for cyber attackers.

How to Use This Guide

The Tripwire Vulnerability Management Buyer’s Guide is designed to help you choose a new or replacement VM product. If it’s been a while since you’ve evaluated this class of solutions, this guide will also help you navigate the recent advancements in VM technologies. The usability of VM data has improved significantly with newer technologies, now making it a key resource in threat detection and response. The goal of this paper is to tease out the differences between the various VM products and help identify the features that matter most in today’s technology ecosystem.

Three Core Problems VM Solutions Solve

The main purpose of VM solutions is to provide accurate risk assessment and actionable information for proactively defending your critical assets from cyberthreats. There are a few other challenges that drive organizations to re-evaluate their VM programs: limited network visibility, identity and access management integration, and mounting pressure to reduce compliance costs.

1. Limited network visibility

It’s likely that, despite your best intentions, your visibility into the assets you’ve been tasked to protect is incomplete or outdated. Security teams often don’t directly control the assets they’re responsible for protecting, and gaining deep insight into these assets can be a challenge. Cloud, virtual and mobile device adoption trends continue to add to the complexity of large networks. This results in security risk visibility blind spots—ideal places for adversaries to launch their attacks.

The first step in gaining complete network visibility is an accurate hardware and software inventory. CIS Control 1, Inventory and Control of Hardware Assets, offers a good explanation as to why an incomplete view of asset inventory is problematic: “Attacks can take advantage of new hardware that is installed on the network but is not configured and patched with appropriate security updates. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims.” CIS Control 2, Inventory and Control of Software Assets, requires that you “Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.”

2. Identity and access management integration

Since personnel are a crucial aspect of information security, it’s important to keep human resource management changes aligned with your VM system. This ensures that only authorized users have access to the data stored in it. Without tight integration between your directory service and VM solution, administrators must manually create, update, and delete accounts every time even a minor change is needed. If those changes aren’t reflected in the VM system, employees who need access to vulnerability data may not have it—and those who don’t need it could gain access. Larger, multi-unit organizations or managed services providers require multi-tenant capabilities in their VM solution. This lets them optimize sub-account management from a master account and comprehensive role-based access control (RBAC) with each tenant. This makes it easy to segregate data and partition user access.

3. Pressure to reduce compliance costs

Every major compliance and regulatory framework, including NIST 800-53, SOX, NERC CIP, MAS TRM and IRS 1075, requires a VM program to protect systems and infrastructure. For example, PCI DSS requires internal and external vulnerability assessments every quarter, and again after any major change to the network. To compound this problem, compliance departments are often under pressure to achieve and maintain compliance while also decreasing operating costs. A VM program is essential for meeting compliance requirements. VM tools may also promise to monitor controls other than VM, but they often fail to provide a scalable solution beyond the VM domain. Additional tools or vendors are then required to fully cover integrity monitoring and compliance assessment.

Fig. 1 The Tripwire® IP360™ scanning dashboard
Quality Criteria for VM Solutions

When evaluating VM solutions, buyers should appraise the performance of the technology and ensure it will allow them to quickly answer these critical questions:

»» Which areas of my network present the greatest risk right now?
»» Is the most recent high-profile vulnerability present anywhere on my critical infrastructure?
»» What are the most effective steps we can take immediately to reduce our security risks?

The following capabilities are what you need to look for in order to find a comprehensive VM solution:

Varied assessment methods

Assessment depth can significantly impact the accuracy of results. Deeper assessments gather more detailed information, which the system can use to improve accuracy. There are four main types of vulnerability assessment methods to consider:

»» Agentless discovery: Look for a solution with unlimited agentless discovery with comprehensive fingerprinting and application/service detection to accurately identify and profile your assets. This allows you to inventory ports, services, and applications exposed on your network and identify each device type and operating platform.

»» Agentless credentialed scanning: Credentialed assessments use administrative credentials to inspect file system, registry and configuration files. Credentialed assessments take longer to run, but the additional information gathered dramatically improves both discovery and assessment accuracy.

»» Non-credentialed scans: In contrast, assessments performed remotely or without credentials provide the same view an outside attacker would have. If agent-based or credentialed scanning is akin to white box testing, remote analysis would be black box testing. Less information is gathered about the application footprint of the asset, but more data is available regarding the protocols and services that can communicate with the asset. While white and black box assessments should be performed together for a holistic view of your security posture, it’s important you use accurate and reliable methods of testing remotely. In some cases, products rely on banner checks that can lead to inaccurate results. It’s better to look for a solution that relies on direct condition tests and inference when reporting vulnerabilities remotely on an asset.

»» Agent-based scanning: Agent-based scanning can be conducted as a stand-alone process or in tandem with agentless scans to provide a more comprehensive view. A network scan should dynamically recognize when an asset has an agent and optimize the scan by using the data collected by the agent. Ideally, a VM product offers both methods so you can use the one that best balances your organization’s requirements for assessment speed versus depth. Combining the in-depth assessment provided by agent-based scanning with non-credentialed remote scanning can be a good strategy when credentialed access isn’t viable.

Tripwire Tip: Aim to implement both agent-based and agentless VM, as each method offers advantages. Not all devices are always connected to the network—for example, laptops may be offline for extended periods, and agentless scans can miss them. But with an agent, assessment will take place as scheduled whether the device is connected or not.
Accurate detection

Because many VM tools have significant accuracy problems, they deliver too much data and too many alerts. Massive reports that include a lot of undifferentiated data about possible changes or vulnerabilities make it nearly impossible to determine which issues need attention now and which can wait. As a result, valuable resources are wasted investigating events that aren’t “bad,” such as reporting false positive findings.

In 2017, the Tripwire Vulnerability and Exposure Research Team (VERT) tracked 64 confirmed defects filed against our database of over 150,000 conditions, which represented a false positive rate of 0.04 percent. While false positives are easy to track—as they’re reported by customers when they’re encountered—it’s much more difficult to generate a false negative rate. The definition of a false positive is as straightforward as “an incorrect result.” A false negative is the lack of a correct result, but not all missing results are false negatives. A false negative occurs when an application or vulnerability that should be found was not. Typically, reported false negatives are better classified as requests for coverage. Once you remove these coverage requests, Tripwire’s false negative rate quickly approaches zero.

Sharing change and vulnerability data between IT operations and security teams makes it easy to optimize resources for specific business goals, yet most VM data isn’t easy to share. Many VM tools also waste valuable resources because they require manual effort to export and format data for consumption by other teams.

Thorough discovery capabilities

Asset discovery and inventory features and capabilities differ from product to product, but a worthwhile VM product should offer the following discovery capabilities:

»» Continual device inventory: Your solution should be able to take a continuous inventory of all devices, including wired and wireless devices, virtual machines, cloud instances and containers.

»» Continual software inventory: Continual inventory of all software applications and versions includes desktop applications, operating systems, ports and services, and protocols.

»» Asset tagging: Your solution should provide the ability to tag assets by group, technical owner, regional location and criticality.

The process of putting these capabilities in place helps align your organization with CIS Controls 1–3: the top three prioritized controls that create a system hardened against risk from vulnerabilities. CIS Control 3 is Continuous Vulnerability Management: “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.”

Look for a solution that does device profiler (DP) pooling as well. DP pooling lets you group multiple device profilers into a pool of appliances that can be used to conduct scheduled scans, as opposed to depending on a single DP to do any given scan. This provides several advantages. First, it gives you the ability to scan a given network faster because the load is divided up among multiple scan appliances. Second, it adds resiliency in that if there’s a failure on the part of any particular scan appliance—or if an appliance’s connection to the network is lost or becomes degraded—then the other appliances in the pool will pick up the load for the lost or degraded appliance and ensure that the scan completes. Third, it allows you to simplify your scan schedules by allowing larger network blocks to be scanned, dynamically load balancing a scan job across the pool of appliances rather than having to break the blocks up and schedule them manually.

Fig. 2 Tripwire IP360 vulnerability search reporting dashboard

Intelligent assessment technology

Intelligent assessment technology ensures frequent and accurate assessments for improved visibility and confidence in security posture assessments.

»» Indiscriminate testing: In this older method, the solution scans through a defined range of asset IPs and indiscriminately checks each asset against a list of known vulnerabilities maintained by the VM vendor. This results in time-consuming checks that may not apply to the device being assessed. For example, this approach will result in checking a Linux machine for a Windows vulnerability. This scenario is also likely to occur when device and application inventory is inaccurate, such as when a NetApp filer running a UNIX-derivative OS is profiled as a Windows device because it’s running a Windows SMB/CIFS service.

»» Targeted testing: This method first inventories and profiles each asset to determine the type of device, operating system, and applications present. It then uses that information to efficiently check for relevant vulnerabilities, skipping checks that don’t apply to a particular asset, OS or application version. Targeted testing offers several advantages:
-- Improved assessment speed and efficiency
-- Custom tests for the OSs, applications and services that exist on a device minimize resource usage and improve network stability
-- Improved accuracy, resulting in fewer false positives
-- Ad-hoc assessments limited to vulnerabilities, configurations or software versions specified by the user for faster results

Mobile asset management

Many smartphones and tablets—like Apple iOS devices—require special tools for management and assessment. Because of this, many organizations run mobile device assessment separately from their vulnerability assessment and then aggregate the report data. At a minimum, a high-quality VM product should be able to discover the exposed surface area of mobile devices connected to wired and/or wireless networks.

Virtual and cloud infrastructure

Within large organizations, devices may be owned by different people or departments. They may also exist in many physical and virtual locations. Security teams need to be able to quickly identify the owner, location and criticality of an asset, as it’s important when assessing and responding to events on that device.

Many VM solutions require humans to review and keep a current list of assets (as well as their types and configurations) in order to identify their criticality. An automated API-driven workflow for this time-intensive process allows an administrator to define a set of rules in which devices can be categorized based on the unique taxonomy of the organization.

Real-time data navigation

Reporting can transform volumes of security data into actionable information that can be used to reduce risk. This not only makes it easier to identify vulnerabilities that need patching, but also to detect misconfigurations that affect compliance or security posture and provide actionable remediation advice.

Constantly-changing technology infrastructure combined with rapidly-emerging vulnerabilities requires organizations to strive for a comprehensive, accurate, real-time view of vulnerabilities—yet many VM solutions produce overly simple reports. These reports provide only a snapshot of vulnerabilities discovered within a specific time period.

Advanced VM solutions offer real-time data navigation and synthesis. For example, they can produce a list of assets that share a specific vulnerability or compare two historical asset assessments to identify new vulnerabilities or applications that have changed. Indexing OS, application, and vulnerability results enables a real-time response to emerging threats by searching the conditions that would make assets vulnerable without having to wait for a signature or the need to run a scan. Advanced solutions offer benefits in the following areas:

»» Audience-specific report filters: Look for a solution that provides reports with the appropriate level of detail for a variety of audiences, including auditors who may wish to see proof of compliance, and business executives, who want an overview of the organization’s risk posture, graphical views of risk trends and visualization of risk data by organizational hierarchies or geographical location. It must also allow all users to create, save, and share report filters and filter report content to include or exclude data based on asset score, vulnerability type or severity, operating system group, and other characteristics. Your solution should also automate report distribution to users based on their roles.

»» Remediation advice: Effective VM solutions offer advice on correcting vulnerabilities, including accurate and complete remediation details, potential mitigations, links to patches, vendor advisories and relevant vulnerability information.

»» Transparent vulnerability checks: These checks provide details about how vulnerabilities are detected so system administrators can manually verify them. A vulnerability may reappear in a report after a patch or other fix has been applied—or misapplied—because the machine is still vulnerable. This can also happen when the device requires a reboot for the patch to take effect. Information on how a vulnerability was discovered helps teams find underlying sources of additional risk to the organization.

System integrity monitoring

System integrity monitoring, which includes file integrity monitoring (FIM), is another foundational security control used by most enterprise security teams, but this data often exists in a separate silo from VM data. Correlating these two controls provides critical insights into attack methods and targets. However, it requires coordination across multiple teams, and access might be hindered by internal policies or business processes.
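As an added illustration of the correlation this section describes (example code, not part of the guide and not Tripwire’s own), the following compares the integrity monitor’s current state against a known-good baseline, attaches “who” and “when” data to each change, and ranks changes by the host’s vulnerability score. All hosts, paths, digests, accounts and scores are constructed sample data, and the function names are hypothetical.

```python
"""Correlate integrity-monitoring change data with vulnerability data.

Constructed sample data throughout; nothing here is taken from a real system.
"""

# Known-good baseline: host -> {path: file digest (shortened for readability)}
BASELINE = {
    "web01": {"/etc/ssh/sshd_config": "a1f3", "/usr/bin/sudo": "9c0e",
              "/var/www/index.html": "77d2"},
    "db01": {"/etc/my.cnf": "5b6a", "/usr/sbin/mysqld": "0e11"},
}

# Current state reported by the integrity monitor (constructed)
CURRENT = {
    "web01": {"/etc/ssh/sshd_config": "a1f3", "/usr/bin/sudo": "ffee",
              "/var/www/index.html": "77d2", "/tmp/.x": "1234"},
    "db01": {"/etc/my.cnf": "5b6a"},          # mysqld binary is gone
}

# "Who"/"when" records from the monitor; the sudo change has no record at all
CHANGE_LOG = [
    {"host": "web01", "path": "/tmp/.x", "who": "www-data",
     "when": "2018-10-02T03:15:20Z"},
    {"host": "db01", "path": "/usr/sbin/mysqld", "who": "dba-jsmith",
     "when": "2018-10-01T18:00:00Z"},
]

# Highest vulnerability risk score per host (0-10), from the VM tool (constructed)
VULN = {"web01": 8.5, "db01": 3.0}

# Accounts whose changes are covered by an approved change ticket (constructed)
APPROVED_CHANGERS = {"dba-jsmith"}


def diff_against_baseline(baseline, current):
    """Side-by-side comparison: list of (host, path, kind), kind in added/removed/modified."""
    changes = []
    for host in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(host, {}), current.get(host, {})
        for path in sorted(set(base) | set(cur)):
            if path not in base:
                changes.append((host, path, "added"))
            elif path not in cur:
                changes.append((host, path, "removed"))
            elif base[path] != cur[path]:
                changes.append((host, path, "modified"))
    return changes


def enrich(changes, change_log):
    """Attach 'who' and 'when'; a change with no monitor record is marked unknown."""
    index = {(c["host"], c["path"]): c for c in change_log}
    return [{"host": h, "path": p, "kind": k,
             "who": index.get((h, p), {}).get("who", "unknown"),
             "when": index.get((h, p), {}).get("when")}
            for h, p, k in changes]


def prioritize(enriched, vuln, approved):
    """Unexplained changes first, then by host risk, then changes with no actor at all."""
    def key(c):
        unexplained = c["who"] not in approved
        return (unexplained, vuln.get(c["host"], 0.0), c["who"] == "unknown")
    return sorted(enriched, key=key, reverse=True)


def hosts_needing_attention(ranked, vuln, approved, threshold=7.0):
    """Hosts with an unexplained change whose risk score is at or above the threshold."""
    return sorted({c["host"] for c in ranked
                   if c["who"] not in approved and vuln.get(c["host"], 0.0) >= threshold})


if __name__ == "__main__":
    ranked = prioritize(enrich(diff_against_baseline(BASELINE, CURRENT), VULN), VULN, APPROVED_CHANGERS)
    for c in ranked:
        print(c)
    print("attention:", hosts_needing_attention(ranked, VULN, APPROVED_CHANGERS))
```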
Without “who” data, it’s more difficult to know if a change is good or bad. For example, an unauthorized or unrecognized user may be an indicator of “bad” change, but if you know who made the change, you can ask that person about it or investigate further to verify that the account hasn’t been compromised. Combining change data that contains “who” information with VM data allows security teams to quickly identify systems at high risk.

Another example of the correlation between robust vulnerability data and detailed FIM data is the versioning and history of a specific file. Without this data, it’s hard to connect multiple pieces of information and then conclude whether a change was good or bad. To determine if a breach is in progress, security teams need to be able to quickly answer these questions:

»» When did this change occur?
»» What did the configuration of this device look like before the change?
»» Are there other changes that have happened in the past on this device?

In order to identify the exact changes taking place, you need detailed information that’s only available by comparing reports from different security tools. Change data alone doesn’t identify the changes that indicate a potential breach. You need a known, “good” baseline state and a way to do a side-by-side comparison of the change data against that state.

Detailed risk scoring

Every organization is different, with different priorities, risk tolerance and unique threats to combat. Standard industry vulnerability scoring systems, such as CVSS, may rate a vulnerability as an 8 on a scale of 1–10, but for your specific organization, the same threat may present a higher or lower risk. CVSS is a good baseline scoring option that allows you to compare vulnerabilities across products. But because you can have 5,000 CVSS “8”s, you’re likely to need more granular scoring.

Risk scoring is a good example of how customization can help organizations tailor VM data to their specific business requirements. Many VM systems offer 1–10 or High/Medium/Low scores. In organizations with thousands—or tens of thousands—of vulnerabilities, these rough scores lose meaning. Your VM solution should be supported by a world-class research team that analyzes conditions and risks rather than relying on automated feeds and scoring metrics.

Advanced VM solutions provide flexible, granular scoring systems that can be adapted to even the largest networks.

Accurate, up-to-date vulnerability data combined with a variety of other security solutions provides valuable insights. However, combining data manually from multiple sources is costly and increases response time to breaches and incident detection. Many VM tools offer limited or API-only integration with other security tools. These solutions require expensive internal resources to build and keep necessary integrations current. To be an effective tool in breach detection and prevention, VM solutions should let users instantly view and manipulate the historical and current data they need in real time.

Business context

You should also look for a solution that can organize hosts and networks in a business-aligned structure. For example, business unit categories like finance and sales, or geographies like North America or EMEA, should be offered. This helps the solution apply business context when calculating and trending vulnerability scores.

Fig. 3 Vulnerability scan results with risk scoring in Tripwire IP360

10 Essential Questions to Ask Your VM Vendor

Asset discovery and inventory features and capabilities differ from product to product, but you’ll know if you’re purchasing a sophisticated VM solution by asking the following questions:

1. Does it offer both credentialed and uncredentialed, and agent-based and agentless assessment capabilities so you can choose which method to use for assessments and adjust as needs change over time?
2. Does it conduct accurate breach detection? What is the rate of false positives?
3. Does it perform continual hardware and software inventory and satisfy CIS Controls #1–3?
4. Does it leverage both indiscriminate and targeted testing assessments for optimum accuracy?
5. Does it conduct asset management for occasionally-connected endpoints?
6. Does it quickly identify the owner, location, and criticality of each asset, even in virtual and cloud environments?
7. Is there real-time data navigation and synthesis with audience-specific report filters, remediation advice, and transparent vulnerability checks?
8. Does it perform system integrity monitoring to give you “who” data on important changes?
9. Does it offer detailed risk scoring supported by a team of expert researchers and analysts?
10. Does it provide business context by organizing assets and networks to help you better align with your objectives?

Request A Demo: Let us take you through a demo of Tripwire’s security and vulnerability management products and services customized to your specific IT security and compliance needs. Visit tripwire.com to schedule your demo.
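The targeted versus indiscriminate testing distinction (question 4 above, and the “Intelligent assessment technology” section) and the guide’s warning about banner-based profiling are shown together in this added example, which is not code from the guide or from Tripwire IP360. The check catalogue, asset profiles, product versions and the banner-style inference rule are all constructed, and the function and check names are hypothetical.

```python
"""Targeted vs. indiscriminate vulnerability checks, and why profiling accuracy matters.

Constructed check catalogue: each check applies to one OS family and one product,
and a product is vulnerable when its installed version is below ``fixed_in``.
"""

CHECKS = [
    {"id": "CHK-1", "os": "windows", "product": "smb",     "fixed_in": (3, 1)},
    {"id": "CHK-2", "os": "linux",   "product": "openssh", "fixed_in": (7, 4)},
    {"id": "CHK-3", "os": "linux",   "product": "apache",  "fixed_in": (2, 4)},
    {"id": "CHK-4", "os": "windows", "product": "rdp",     "fixed_in": (10, 0)},
]


def os_from_services(services):
    """Banner-style inference: any SMB/CIFS responder is called Windows.

    This reproduces the misprofiling the guide describes (a NetApp filer
    classified as Windows because it serves SMB); a credentialed or
    fingerprint-based profile would not make this mistake.
    """
    if "smb" in services:
        return "windows"
    if "ssh" in services:
        return "linux"
    return "unknown"


def indiscriminate(asset, checks):
    """Older method: every check in the catalogue is run against every asset."""
    return [c["id"] for c in checks]


def targeted(asset, checks):
    """Profile first, then run only checks whose OS family and product are present."""
    return [c["id"] for c in checks
            if c["os"] == asset["os"] and c["product"] in asset["products"]]


def evaluate(asset, checks, selected):
    """Run the selected checks: True means the asset reports as vulnerable."""
    results = {}
    for c in checks:
        if c["id"] not in selected:
            continue
        version = asset["products"].get(c["product"])
        results[c["id"]] = version is not None and version < c["fixed_in"]
    return results


def checks_saved(asset, checks):
    """How many catalogue checks targeted testing skips for this asset."""
    return len(indiscriminate(asset, checks)) - len(targeted(asset, checks))


# Constructed assets. The two "netapp" entries are the same device profiled two ways.
ASSETS = {
    "linux-web":      {"os": "linux", "products": {"openssh": (7, 2), "apache": (2, 4)}},
    "netapp-banner":  {"os": os_from_services({"smb"}), "products": {"smb": (3, 0)}},
    "netapp-profiled": {"os": "ontap", "products": {"smb": (3, 0)}},
}

if __name__ == "__main__":
    for name, asset in ASSETS.items():
        sel = targeted(asset, CHECKS)
        print(name, "targeted:", sel, "skipped:", checks_saved(asset, CHECKS),
              "results:", evaluate(asset, CHECKS, sel))
```

The banner-profiled filer receives, and fails, a Windows SMB check it should never have been given; the correctly profiled one receives no Windows checks at all.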
Tripwire is a leading provider of security, compliance and IT operations solutions for enterprises, industrial
organizations, service providers and government agencies. Tripwire solutions are based on high-fidelity
asset visibility and deep endpoint intelligence combined with business context; together these solutions
integrate and automate security and IT operations. Tripwire’s portfolio of enterprise-class solutions
includes configuration and policy management, file integrity monitoring, vulnerability management,
log management, and reporting and analytics. Learn more at tripwire.com


©2018 Tripwire, Inc. Tripwire, Log Center/LogCenter, IP360 and Tripwire Axon are trademarks or registered trademarks of Tripwire, Inc.
All other product and company names are property of their respective owners. All rights reserved. BRVMBG3a 1810