What does the Ideal Vulnerability Management Tool Look Like?
Vulnerability management tools are a broad category, but all share the same goal: helping organizations minimize the risk posed by everyday IT vulnerabilities. Though every tool offers a different feature set, there are nonetheless common qualities – and desired qualities.
In this article, we outline what vulnerability management tools can do for your organization, and point to some of the qualities you should look for in a vulnerability management tool – taking into account our recent TuxCare survey results.
1. Introduction to vulnerability management
2. Vulnerability management as a toolset
3. The capabilities you will commonly find in Vulnerability Management Tools
4. Features that should be present in the ideal vulnerability management tool
5. Automation is at the core of a good vulnerability tool
Introduction to vulnerability management
Vulnerabilities have been a part of the technology landscape for decades. Errors or design flaws in software and hardware make systems vulnerable to exploitation by malevolent actors.
In managing vulnerabilities, security teams would look to close the vulnerability – removing the opportunity for threat actors to exploit it. There are different ways of eliminating a vulnerability, depending on the root cause. Remediation can involve a patch to remove a flaw in software, for example, or changing a system configuration to close a security risk.
In the past, sysadmins could manage these vulnerabilities on a case-by-case basis, but the number of vulnerabilities exploded to the extent that manual vulnerability management just isn’t an option today.
By way of illustration, in the early 1990s just a handful of vulnerabilities were reported to the National Vulnerability Database (NVD). By 2020, the number was clearly trending towards 20,000 reports per annum. Every year, thousands of brand-new vulnerabilities are added to a vast existing catalog.
It’s impossible to guard against such a large volume of vulnerabilities manually, so tools are required to automate the process. Vulnerability management tools also aim to make the process more efficient – ensuring that only vulnerabilities that pose a real risk are flagged, and providing a way to prioritize vulnerabilities according to threat level.
Vulnerability management as a toolset
The complexity of today’s enterprise IT environment means that there is no single vulnerability management tool that will manage all types of vulnerabilities across your entire IT estate – even though some tools essentially act as “suites”, combining a wide range of vulnerability management capabilities in one place.
Choosing the right tools will help you run more efficient vulnerability management operations – ensuring tighter security, while also minimizing the drain on your staff.
For example, most organizations will need a network vulnerability scanner to ensure network security is up to scratch. Similarly, you’ll need a tool that monitors your third-party applications for vulnerabilities and that suggests the best way forward. Yet another range of tools provide a birds-eye view of your vulnerability exposure via dashboarding – going as far as to combine the output of several vulnerability management tools in one place.
The capabilities you will commonly find in Vulnerability Management Tools
A good vulnerability management solution should be capable of accomplishing three goals, and of supporting those goals with automation. First, your tool should be able to detect vulnerabilities on the attack surface it is designed to scan. Next, it should deliver a report and prioritize these vulnerabilities for remediation: not every vulnerability requires urgent action.
Finally, your solution should help you to fix vulnerabilities – instead of requiring your team to manually remediate vulnerabilities, your vulnerability toolset should automate many of these tasks.
Accomplishing the above mix of goals requires a range of capabilities, each targeted at a specific subset of your IT infrastructure: networks, applications, cloud.
Below is an example listing of the capabilities you should be looking for. You’re unlikely to find all of them in a single vulnerability management tool; however, once you’ve built an arsenal that includes a couple of the better tools on the market, you should find that you’re covered for most of the following features:
- Building an inventory. It’s impossible to protect what you don’t know about. Arguably one of the most important aspects of a vulnerability management toolset is the ability to build an inventory of your devices, applications, services, and networks. It should also help you to manage this inventory – adding and removing assets as needed.
- On-host scanning capabilities. The original reason for rolling out vulnerability management tools was scanning. In other words, the tool scans the threat surface, whether that’s hosts (including endpoints and servers), applications and services, or networks, and then generates a report listing the vulnerabilities it found. Depending on what’s being scanned, these scans can be triggered manually or run automatically.
- Patch enumeration. As part of vulnerability assessment, your toolset should be able to evaluate the level of patching across the area it is scanning. It determines which software versions are running, and outlines what patches are required to bring the application or service up to date.
- Active penetration testing. Your vulnerability management toolset should also include the ability to perform penetration testing. Though penetration testing requires manual steps, a capable tool in your vulnerability management arsenal will support and streamline that testing.
- Automated ticket creation. More advanced tools will automatically assign vulnerabilities for remediation, creating internal tickets with actionable tasks that sysadmins and their assistants can work through, ensuring that vulnerabilities are dealt with consistently.
- Tracking, monitoring, logging. Managing vulnerabilities is resource-intensive and it’s easy for teams to lose track of the large volume of tasks that they’re faced with. In your vulnerability management toolset you should have a tool that enables you to track, monitor, and log vulnerability management requirements.
These are just a few of the practical capabilities that you should expect from your vulnerability management tools, but your organization’s unique IT requirements will undoubtedly pose unique demands on vulnerability management.
Features that should be present in the ideal vulnerability management tool
The above is a good list of technical features but, in our recent survey on the state of vulnerability management in the enterprise, respondents pointed to features that users would like to see in vulnerability management software – many of which are focused on the more practical aspects of vulnerability management.
- Rapid and live patch rollout. Our respondents suggested that they wanted to see a quick reaction to new CVEs. In other words, the ideal vulnerability management tool needs to roll out patches as soon as they are released – or perhaps even supply a custom patch to ensure a rapid response. Live patching – the ability to patch without restarting or rebooting a service – was also a desired feature.
- Complete and automated reporting. While most vulnerability management tools will deliver some level of reporting, our respondents suggested that users were not happy with the level of reporting provided. Users want to see broad, comprehensive reporting that delivers real insights – and reporting that is automated.
- Comprehensive logging. Tools that have the capacity for automatic remediation will inevitably make changes to your systems. Comprehensive logging that describes these changes can help sysadmins debug errors should something go wrong.
- Limited impact on system resources. Our survey also revealed that users of vulnerability management tools remain concerned about the impact these tools have on system resources, and expect best-of-breed tools to have minimal impact on those resources.
- Phased rollouts. Another feature requested by our respondents was phased rollouts, where a security tool enables sysadmins to apply patches selectively. First, to test that a patch does not disrupt operations, but then also to roll out patches in stages to try to minimize the risk of widespread disruption.
- Detection of backported fixes. As a last point, one respondent wanted the ability to detect fixes that have been applied but where the version number was not updated. These “backported” fixes can lead to false positives from a vulnerability management tool – unless the tool knows how to detect a backported fix.
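To make the backported-fix point concrete, here is an added example (not TuxCare's code or any product's logic) contrasting a version-only check with one that also reads the installed package's changelog. It assumes a Debian-style changelog and uses constructed sample data, including a placeholder CVE id.

```python
import re
from typing import NamedTuple

# Constructed sample: the installed package still reports upstream version 1.0.1,
# but its changelog records a backported fix for the (placeholder) CVE.
CONSTRUCTED_CHANGELOG = """\
examplepkg (1.0.1-3) stable; urgency=high

  * Backport upstream fix for CVE-0000-0001 (constructed placeholder id).

 -- Maintainer <maintainer@example.invalid>  Mon, 01 Jan 2000 00:00:00 +0000

examplepkg (1.0.1-2) stable; urgency=low

  * Initial stable release.
"""


class Advisory(NamedTuple):
    cve: str
    package: str
    fixed_version: str  # first upstream version that carries the fix


# Constructed advisory: upstream fixed the placeholder CVE in 1.0.2.
ADV = Advisory(cve="CVE-0000-0001", package="examplepkg", fixed_version="1.0.2")


def parse_version(version: str) -> tuple:
    """Compare only the upstream part ('1.0.1' of '1.0.1-3'), as a naive scanner would."""
    upstream = version.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def naive_is_vulnerable(installed: str, adv: Advisory) -> bool:
    """Version-only check: flags anything below the upstream fixed version."""
    return parse_version(installed) < parse_version(adv.fixed_version)


def backport_aware_is_vulnerable(installed: str, changelog: str, adv: Advisory) -> bool:
    """Same check, but a CVE id recorded in the installed package's changelog clears the finding.

    The changelog shipped with an installed package only lists entries up to that
    package's own revision, so scanning the whole text is sufficient here.
    """
    if not naive_is_vulnerable(installed, adv):
        return False
    cves_fixed_in_changelog = set(re.findall(r"CVE-\d{4}-\d{4,}", changelog))
    return adv.cve not in cves_fixed_in_changelog
```

With the sample data, the version-only check reports a finding while the changelog-aware check does not; a package whose changelog lacks the id is still reported.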
To this list, we can add a few more points. Overall, we’d expect an effective vulnerability management tool to deliver high levels of automation. While automated scanning and detection are in place in most tools, we’d also like to see more automation when it comes to mitigation: from automated prioritization of vulnerabilities through to automated patching.
Finally, given the continuous push-pull between secure operations and available operations, we’d like to see a better effort in balancing availability and continuity against security prerogatives.
Automation is at the core of a good vulnerability tool
Vulnerability management tools are a cornerstone of your cybersecurity arsenal. Mitigating vulnerabilities reduces the opportunities for attackers to take advantage of gaps in your cybersecurity defenses.
The more of this you can automate, the more time your security teams have free to spend on more strategic cybersecurity measures. However, automation should not come at the price of opacity: a good tool should be transparent in the way it works.
You can read our full report on the state of vulnerability management in the enterprise here. Want to know more about how live patching can help you automate your security operations? Check out the TuxCare live patching product page.