Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

How to Choose the Right Vulnerability Management Solution

As vulnerability management evolves, organizations are seeing increased need for prioritization, benchmarking and flexible reporting. Here are five things to keep in mind when choosing a VM solution.

Vulnerability management is once again rising to the top of the security agenda — driven by the risks from new technologies, speed of new threats and greater board attention on cybersecurity. As a result, many organizations are now modernizing their VM programs.

What’s out: CVSS-based prioritization, blind spots, inflexible reporting.

What’s in: Risk-based prioritization, benchmarking, complete visibility, flexible reporting with powerful APIs.

The importance of vulnerability management and the evolution of risk-based VM — which are fundamental to the discipline of Cyber Exposure — are driving accelerated spending. Gartner forecasts the worldwide risk-based vulnerability management market to grow 51.52 percent annually (CAGR) from 2018 to 20231. We believe this makes it one of the most dynamic markets in all of cybersecurity.

Why is risk-based VM being adopted so fast? We believe it provides a massive risk reduction opportunity for organizations of all sizes — but don’t take our word for it.

According to Gartner, “By 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.”2

Here are five key considerations to help you improve the efficiency and effectiveness of your program today while planning for future needs — as well as key questions to ask of any prospective vendor. This post builds on our our Vulnerability Management Fundamentals series by highlighting key purchase criteria for your next VM solution.

1. Continuous and Complete Discovery

“VA [Vulnerability Assessment] is a function that can be delivered via active scanning, agents and passive monitors. Gartner recommends a combination of agent, network scanners and passive monitoring for complete coverage.” — Gartner3

For asset discovery and vulnerability assessment, breadth of coverage is essential. Achieving continuous discovery and complete visibility into your environment is vital for preventing blind spots. To make this happen you need a portfolio of data collection technologies purpose-fit to each asset and scenario. Ideally, these include:

  • Network scanners for IT assets on the corporate network
  • Agents for endpoints that are frequently off-network, like employee laptops
  • Passive network monitors for continuously discovering rogue and unknown assets and passively detecting vulnerabilities in systems like operational technology (OT)
  • Cloud connectors and pre-authorized cloud scanners for tracking and assessing cloud instances
  • Image scanners for assessing static container images before deployment
  • Web application scanners for discovering and assessing web apps
  • Integrations with cloud, CMDB, CI/CD, ticketing/SOAR and other technologies to unify asset visibility

Ask vendors:

  • Do you provide passive network monitors for continuously discovering assets?
  • Do you provide agents that work with cloud-based and purely on-premises deployments?
  • Do you provide cloud connectors for live visibility into AWS, Azure and GCP environments?

2. Assessment: Beyond Just Running a Scan

“Review your existing VA solution and look for better prioritization, support for new assets like cloud, containers, IoT. If not, augment or replace the solution.” — Gartner4

Assessing assets for vulnerabilities and misconfigurations is no longer about just running a scan. It’s about using a range of data collection technologies to identify diverse security issues. Consider:

  • DevOps pipelines require container assessment before deployment, seamlessly integrated with developer workflows.
  • Cloud workload assessment calls for real-time, API-based visibility into cloud instances.
  • IoT and OT add a different twist, requiring passive detection to avoid impacting system performance and availability.

Ask vendors:

  • Does your container image scanning reduce false positives by considering layer hierarchy?
  • Do you provide passive monitoring for OT and IoT vulnerability detection?
  • How many zero-day vulnerabilities has your research team discovered in the last 12 months? (reflects depth of vulnerability expertise)

3. Advanced Prioritization: A Game Changer for Risk Reduction

“VA solutions should be able to incorporate asset scores into risk scoring for an effective and comprehensive risk-based prioritization.” — Gartner5

“A risk-based approach to prioritizing the remediation focuses efforts on those vulnerabilities for which there are imminent threats prevailing ‘in the wild’ for a business-critical asset. Gartner, therefore, recommends the threat-centric model for tackling risk in the context of VM as the most pragmatic use of your time and effort.” — Gartner6

Modern VM solutions analyze a much broader and more timely set of data than ever before. This exacerbates the problem of vulnerability data overload, increasing the need for effective prioritization.

By leveraging machine learning, advanced solutions can spot hidden patterns in data that correlate with future threat activity. As a result, you can see which vulnerabilities are predicted to have the highest likelihood of near-term exploitation. This helps you answer the question, “What’s the actual risk of my vulnerabilities — based on historical trends, current threat activity and the business value of my assets?”

Look for vendors that clearly explain their prioritization approach and how it works. Evaluate the data inputs they use for prioritization — and the depth of their research and data science teams. Focus on whether asset scoring is automated (since manual processes don’t scale) and look at the level of transparency provided around vulnerability scoring and prioritization.

Ask vendors:

  • Does your vulnerability scoring automatically incorporate real-time intelligence about current threats — or does it primarily look at historical data, like the existence of exploits?
  • Do you leverage machine learning in your vulnerability scoring?
  • Do you provide automated asset criticality scoring?

4. Flexible, Automated Reporting and Benchmarking

“Gartner recommends that organizations benchmark their performances against the industry, and globally, to evaluate the effectiveness and efficiency of their programs. Gartner also recommends doing internal benchmarking by comparing a department’s performance against another to increase the overall security posture and performance.” — Gartner7

Look for solutions that provide both out-of-the-box reporting for your most critical questions and easy report customization for meeting the unique needs of teams, business units or compliance frameworks. You shouldn’t have to export data to Excel every time you want to answer a question or communicate information. You should also expect a powerful and well-documented API, making it possible to automate custom business processes. Lastly, look for a solution that provides external (peer) benchmarking for metrics like cyber risk, vulnerability age and scan frequency, as well as internal benchmarking that compares VM program performance and cyber risk across organizational units.

Ask vendors:

  • Can you show me how I can easily customize reporting for my specific needs?
  • Do you provide external benchmarking of VM and cyber risk metrics?
  • Do you provide internal benchmarking of those metrics for my organizational units?

5. Simplified Pricing and Licensing

When it comes to pricing, look for a simple and straightforward model. You shouldn’t be penalized for deploying scanners and agents across your environment, using the API to integrate with other systems or utilizing threat intelligence in prioritization.

Ask vendors:

  • Is there an additional cost for unlimited scanners and agents?
  • Is there an additional cost for API usage?
  • Is there an additional cost for threat-centric prioritization?

Learn More

As vulnerability management undergoes a dramatic transformation, it’s once again a top priority on the security agenda. With advances in technology, VM and risk-based VM solutions have the potential to reduce breaches by as much as 80 percent while freeing your security team from tedious manual work.

To better inform your evaluation process, we encourage you to download Gartner’s recent report: A Guide to Choosing a Vulnerability Assessment Solution

Footnotes

 1Gartner, “Forecast Analysis: Risk-Based Vulnerability Management, Worldwide,” Dale Gardner, 14 June 2019

 2Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

 3Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

4Gartner Security & Risk Management Summit - Sydney, Australia, Presentation, “Gartner’s Strategic Vision for Vulnerability Management,” Craig Lawson, 19-20 June 2019

5Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

6Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

7Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.