As vulnerability management evolves, organizations are seeing increased need for prioritization, benchmarking and flexible reporting. Here are five things to keep in mind when choosing a VM solution.
Vulnerability management is once again rising to the top of the security agenda — driven by the risks from new technologies, speed of new threats and greater board attention on cybersecurity. As a result, many organizations are now modernizing their VM programs.
What’s out: CVSS-based prioritization, blind spots, inflexible reporting.
What’s in: Risk-based prioritization, benchmarking, complete visibility, flexible reporting with powerful APIs.
The importance of vulnerability management and the evolution of risk-based VM — which are fundamental to the discipline of Cyber Exposure — are driving accelerated spending. Gartner forecasts the worldwide risk-based vulnerability management market to grow 51.52 percent annually (CAGR) from 2018 to 20231. We believe this makes it one of the most dynamic markets in all of cybersecurity.
Why is risk-based VM being adopted so fast? We believe it provides a massive risk reduction opportunity for organizations of all sizes — but don’t take our word for it.
According to Gartner, “By 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.”2
Here are five key considerations to help you improve the efficiency and effectiveness of your program today while planning for future needs — as well as key questions to ask of any prospective vendor. This post builds on our our Vulnerability Management Fundamentals series by highlighting key purchase criteria for your next VM solution.
1. Continuous and Complete Discovery
“VA [Vulnerability Assessment] is a function that can be delivered via active scanning, agents and passive monitors. Gartner recommends a combination of agent, network scanners and passive monitoring for complete coverage.” — Gartner3
For asset discovery and vulnerability assessment, breadth of coverage is essential. Achieving continuous discovery and complete visibility into your environment is vital for preventing blind spots. To make this happen you need a portfolio of data collection technologies purpose-fit to each asset and scenario. Ideally, these include:
- Network scanners for IT assets on the corporate network
- Agents for endpoints that are frequently off-network, like employee laptops
- Passive network monitors for continuously discovering rogue and unknown assets and passively detecting vulnerabilities in systems like operational technology (OT)
- Cloud connectors and pre-authorized cloud scanners for tracking and assessing cloud instances
- Image scanners for assessing static container images before deployment
- Web application scanners for discovering and assessing web apps
- Integrations with cloud, CMDB, CI/CD, ticketing/SOAR and other technologies to unify asset visibility
- Do you provide passive network monitors for continuously discovering assets?
- Do you provide agents that work with cloud-based and purely on-premises deployments?
- Do you provide cloud connectors for live visibility into AWS, Azure and GCP environments?
2. Assessment: Beyond Just Running a Scan
“Review your existing VA solution and look for better prioritization, support for new assets like cloud, containers, IoT. If not, augment or replace the solution.” — Gartner4
Assessing assets for vulnerabilities and misconfigurations is no longer about just running a scan. It’s about using a range of data collection technologies to identify diverse security issues. Consider:
- DevOps pipelines require container assessment before deployment, seamlessly integrated with developer workflows.
- Cloud workload assessment calls for real-time, API-based visibility into cloud instances.
- IoT and OT add a different twist, requiring passive detection to avoid impacting system performance and availability.
- Does your container image scanning reduce false positives by considering layer hierarchy?
- Do you provide passive monitoring for OT and IoT vulnerability detection?
- How many zero-day vulnerabilities has your research team discovered in the last 12 months? (reflects depth of vulnerability expertise)
3. Advanced Prioritization: A Game Changer for Risk Reduction
“VA solutions should be able to incorporate asset scores into risk scoring for an effective and comprehensive risk-based prioritization.” — Gartner5
“A risk-based approach to prioritizing the remediation focuses efforts on those vulnerabilities for which there are imminent threats prevailing ‘in the wild’ for a business-critical asset. Gartner, therefore, recommends the threat-centric model for tackling risk in the context of VM as the most pragmatic use of your time and effort.” — Gartner6
Modern VM solutions analyze a much broader and more timely set of data than ever before. This exacerbates the problem of vulnerability data overload, increasing the need for effective prioritization.
By leveraging machine learning, advanced solutions can spot hidden patterns in data that correlate with future threat activity. As a result, you can see which vulnerabilities are predicted to have the highest likelihood of near-term exploitation. This helps you answer the question, “What’s the actual risk of my vulnerabilities — based on historical trends, current threat activity and the business value of my assets?”
Look for vendors that clearly explain their prioritization approach and how it works. Evaluate the data inputs they use for prioritization — and the depth of their research and data science teams. Focus on whether asset scoring is automated (since manual processes don’t scale) and look at the level of transparency provided around vulnerability scoring and prioritization.
- Does your vulnerability scoring automatically incorporate real-time intelligence about current threats — or does it primarily look at historical data, like the existence of exploits?
- Do you leverage machine learning in your vulnerability scoring?
- Do you provide automated asset criticality scoring?
4. Flexible, Automated Reporting and Benchmarking
“Gartner recommends that organizations benchmark their performances against the industry, and globally, to evaluate the effectiveness and efficiency of their programs. Gartner also recommends doing internal benchmarking by comparing a department’s performance against another to increase the overall security posture and performance.” — Gartner7
Look for solutions that provide both out-of-the-box reporting for your most critical questions and easy report customization for meeting the unique needs of teams, business units or compliance frameworks. You shouldn’t have to export data to Excel every time you want to answer a question or communicate information. You should also expect a powerful and well-documented API, making it possible to automate custom business processes. Lastly, look for a solution that provides external (peer) benchmarking for metrics like cyber risk, vulnerability age and scan frequency, as well as internal benchmarking that compares VM program performance and cyber risk across organizational units.
- Can you show me how I can easily customize reporting for my specific needs?
- Do you provide external benchmarking of VM and cyber risk metrics?
- Do you provide internal benchmarking of those metrics for my organizational units?
5. Simplified Pricing and Licensing
When it comes to pricing, look for a simple and straightforward model. You shouldn’t be penalized for deploying scanners and agents across your environment, using the API to integrate with other systems or utilizing threat intelligence in prioritization.
- Is there an additional cost for unlimited scanners and agents?
- Is there an additional cost for API usage?
- Is there an additional cost for threat-centric prioritization?
As vulnerability management undergoes a dramatic transformation, it’s once again a top priority on the security agenda. With advances in technology, VM and risk-based VM solutions have the potential to reduce breaches by as much as 80 percent while freeing your security team from tedious manual work.
To better inform your evaluation process, we encourage you to download Gartner’s recent report: A Guide to Choosing a Vulnerability Assessment Solution
1Gartner, “Forecast Analysis: Risk-Based Vulnerability Management, Worldwide,” Dale Gardner, 14 June 2019
2Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019
3Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019
4Gartner Security & Risk Management Summit - Sydney, Australia, Presentation, “Gartner’s Strategic Vision for Vulnerability Management,” Craig Lawson, 19-20 June 2019
5Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019
6Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019
7Gartner, “A Guide to Choosing a Vulnerability Management Solution,” Prateek Bhajanka, Mitchell Schneider, Craig Lawson, 3 April 2019