Vulnerability Management Grows Up

Vulnerability management isn't just about slapping on the latest patches anymore.

That's because a vulnerability isn't always just a publicly identified bug by Microsoft or CERT. "Vulnerabilities can be problems in configurations, missing patches, software that was loaded on a machine that shouldn’t be there, or security mechanisms that are not loaded or up-to-date and should be," says Eric Maiwald, senior analyst with the Burton Group and author of two vulnerability management reports for Burton, which were published late last week.

Maiwald says vulnerability management should be how an organization identifies, classifies, prioritizes, and deals with these exceptions due to business requirements -- and how they remediate problems and verify that all is well.

Trouble is, some vulnerability management products out there just scan for known bugs and don't detect human error in system configurations, for instance, he says. "And other products are very good at identifying configuration issues or missing software or going about deploying software, but they don't tell you about missing patches or have the ability to deploy them."

Maiwald says the gradual integration of these features is coming, albeit slowly. It all started last year when Symantec purchased BindView, and most recently, Altiris, as well as with PatchLink, which purchased vulnerability management vendor Harris STAT. In his report, Maiwald notes that the integrated products remain mostly in the planning stages, however.

The missing link is an integrated vulnerability tool that not only finds the holes, but can gauge the risk as well. "What is the real problem with these vulnerabilities?" he says.

Not all bugs are exploitable. "Say I have a vulnerability in my Unix machine, but because it's sitting in a particular zone of the network with some perimeter protections, someone from the Internet can't get to that machine to execute that exploit."

So that vulnerability doesn't carry the same risk as one that would be accessible to someone via the Net, he notes.

Enterprises also must consider risk from the business perspective rather than just go about wielding a patch checklist. "If a system has limited business value, it's less important than a vulnerability in a server that holds our credit card numbers," Maiwald says.

Maiwald says a few products are offering some of the capabilities, however -- McAfee, Archer Technologies, nCircle, and Symantec with its BindView policy manager, for instance. "You have to look at the entire enterprise... And you have to get vulnerability information and marry it with some knowledge of value and consequence associated with a particular breach."

And underlying this is the fact that patch management is mostly reactive. "You're always behind the power curve," he says, waiting for a publicly disclosed bug to get patched before you can get protected.

A better approach, of course, is more secure and clean applications and operating systems, according to Maiwald. But no one can write flawlessly secure software. A more likely scenario, he says, is for vendors to limit bugs: "Providing a window of breathing room so the enterprise doesn't have to patch [right] this minute."

Burton's reports on the evolution of vulnerability management, "Vulnerability Management Becomes Technical Security Policy Management" and "The Changing Face of Vulnerability Management," are available to Burton Group clients at http://www.burtongroup.com.

— Kelly Jackson Higgins, Senior Editor, Dark Reading