Tools supporting the Vulnerability Management process – how to choose the proper ones

To manage vulnerabilities effectively, you need more than a well-planned, implemented and smoothly running Vulnerability Management process. You also need tools, and people with the skills to use those tools appropriately and effectively. Today I would like to draw your attention to these tools and propose criteria for selecting the ones that best support the vulnerability management process at all of its stages, in a word, over its full life-cycle.

Type of tools: Network-based Vulnerability Scanners
Tools application: Automatic detection of vulnerabilities, risk assessment, generation of reports and remediation plans
Asset Management:

  • Inventory of IT assets: (1) an internal asset database managed by and from within the VM tool, or (2) a connection to an external IT asset database (for instance a CMDB); (3) the ability to import data into the asset database from external sources; (4) the ability to modify the internal structure of the asset database, for example to add tags reflecting the asset's classification level; (5) the ability to automatically discover IT assets (IT asset autodiscovery);
  • Ability to classify assets according to BCM/BIA criteria (business criticality of the asset, level of risk associated with the interruption of that asset's operation) and according to the criteria used for data classification;
  • Ability to group assets according to various criteria, such as business criticality, data classification level, and other architectural and topological criteria;

Vulnerability Discovery and Assessment:

  • The ability to configure different vulnerability testing profiles (choice of the kind and scenario of tests, choice of the invasiveness level of the tests, ability to exclude verified false positives from reports);
  • Scope of usage (operating systems, application servers, database systems, network devices, security systems etc.): the ability to discover vulnerabilities in a heterogeneous environment versus narrowly specialized scanners designed for a specific kind of platform or system;
  • The completeness of the vulnerability database, references to various sources of information about vulnerabilities, and the ability to refer to a vulnerability by the various identifiers under which it is known (CVE …);
  • Ability to scan (1) without credentials and (2) with user credentials (authenticated scans, which see installed package versions and local configuration that an unauthenticated scan can only infer from the network);
  • Frequency of vulnerability database updates;
  • A scripting language for writing your own vulnerability testing scenarios or customizing predefined ones;
  • Hardware (appliance) versus software solution;
  • Agentless versus agent-based solution;
  • Does the supplier have its own team of vulnerability investigators and researchers?
  • Scalability of the solution;

Patch and Remediation Management:

  • The ability to prioritize recommended remediation actions;
  • The ability to assign tasks associated with remediation actions to specific users or groups of users;
  • Communication with service desk workflow systems (to assign, track and follow up remediation action requests);
  • Measuring the effectiveness of remediation actions ('delta' (differential) scans, rescans (verification scans) after applying corrective measures, the possibility of calculating KPIs relating to the effectiveness of remediation actions);

Risk Management:

  • The ability to calculate configurable KRIs (Key Risk Indicators) based on criteria such as: (1) system criticality from the business standpoint, (2) the vulnerability severity level, (3) the number of vulnerabilities at each severity level, (4) the nature of the vulnerability and (5) the ease of performing a security breach by exploiting it.
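The five KRI criteria above are easy to list and surprisingly hard to combine consistently across a whole fleet, so here is an added example (Python, written for this page; it is not the post's own material nor any scanner's code) of a configurable KRI calculation that uses all five. The weights, the tier names, the check identifiers and the sample inventory are assumptions constructed for the example.

```python
"""Configurable Key Risk Indicator (KRI) per asset, computed from scan findings.
Added example for this page; weights and sample data are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

# All weights are assumptions for this example; a real tool would expose them
# as configuration so the organization can tune them to its own risk appetite.
DEFAULT_WEIGHTS = {
    # (2) severity level of a single vulnerability
    "severity": {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0},
    # (1) business criticality of the asset (for example BCM/BIA tiers)
    "criticality": {"tier1": 3.0, "tier2": 2.0, "tier3": 1.0},
    # (5) ease of exploitation: public exploit code exists
    "exploit_multiplier": 1.5,
    # (4) nature of the vulnerability: reachable over the network
    "remote_multiplier": 1.2,
    # (3) how much each additional finding adds after the worst one
    "decay": 0.5,
}


@dataclass(frozen=True)
class Finding:
    check_id: str           # scanner's identifier for the check (constructed ids below)
    severity: str           # critical / high / medium / low
    exploit_available: bool
    network_reachable: bool


@dataclass
class Asset:
    name: str
    criticality: str        # tier1 / tier2 / tier3
    findings: List[Finding] = field(default_factory=list)


def finding_score(f: Finding, weights=DEFAULT_WEIGHTS) -> float:
    """Risk contribution of one finding: severity scaled by exploitability factors."""
    score = weights["severity"][f.severity.lower()]
    if f.exploit_available:
        score *= weights["exploit_multiplier"]
    if f.network_reachable:
        score *= weights["remote_multiplier"]
    return score


def asset_kri(asset: Asset, weights=DEFAULT_WEIGHTS) -> float:
    """KRI for one asset.

    The worst finding counts in full; each further finding (sorted by score) is
    discounted geometrically, so many low findings cannot outrank a single
    critical one but still raise the indicator. The total is then scaled by
    the asset's business criticality.
    """
    scores = sorted((finding_score(f, weights) for f in asset.findings), reverse=True)
    decay = weights["decay"]
    raw = sum(s * decay ** i for i, s in enumerate(scores))
    return round(raw * weights["criticality"][asset.criticality], 2)


def rank_assets(assets: List[Asset], weights=DEFAULT_WEIGHTS) -> List[Tuple[str, float]]:
    """Assets ordered by KRI, highest first: the remediation priority list."""
    return sorted(((a.name, asset_kri(a, weights)) for a in assets),
                  key=lambda pair: pair[1], reverse=True)


# Constructed sample inventory; asset names and check ids are made up.
SAMPLE_ASSETS = [
    Asset("erp-db01", "tier1", [
        Finding("chk-101", "critical", exploit_available=True, network_reachable=True),
        Finding("chk-205", "medium", exploit_available=False, network_reachable=True),
        Finding("chk-411", "low", exploit_available=False, network_reachable=False),
    ]),
    Asset("hr-portal", "tier2", [
        Finding("chk-150", "critical", exploit_available=False, network_reachable=False),
    ]),
    Asset("intranet-wiki", "tier3", [
        Finding("chk-330", "high", exploit_available=False, network_reachable=True),
        Finding("chk-331", "high", exploit_available=True, network_reachable=False),
    ]),
]

if __name__ == "__main__":
    for name, kri in rank_assets(SAMPLE_ASSETS):
        print(f"{name:15s} KRI={kri}")
```

Note how the ranking comes out: the wiki has two high findings, one of them with a public exploit, yet it ranks below the HR portal with a single unexploitable critical, because the business criticality weight dominates. Whether that is the right outcome is exactly the kind of decision the weights must make visible and adjustable.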

Configuration Management:

  • Access to a database of patch levels, patches and other measures implemented on the hosts covered by the VM process;
  • Ability to examine the compliance of system configuration with definable security baselines;
  • Pre-defined configuration templates corresponding to industry standards (such as PCI DSS, ISO 27001 etc.) and security best practices;

Integration with external security systems and solutions:

  • Ability to send information about detected vulnerabilities to a Security Information and Event Management (SIEM) system;
  • Integration with intrusion prevention systems (collecting information about successful attacks and attack attempts from the IPS);

Management:

  • Configurability and customizability of VM workflows;
  • Quality and functionality of the management console;
  • Network connection options and the way the scanner attaches to the network (for example connecting through a trunk interface (802.1Q) with virtual sub-interfaces configured on the physical interface, so that one scanner can reach several VLANs);
  • Ability to generate reports with different levels of detail and different levels of information aggregation;
  • Customizable reporting formats and templates;
  • Available types of remote access to the management console (SSH, SSL/TLS, IPsec etc.);
  • License conditions and restrictions;

Type of tools: Host-based Vulnerability Scanners
Tools application: Automatic detection of vulnerabilities at the host level, threat and risk assessment, generation of reports and recommended remediation plans.
Vulnerability Discovery and Assessment:

  • The level of integration with other endpoint security solutions and functions, in particular with HIPS and NAC;
  • Level of automation of operation;
  • Availability of the solution for various platforms, operating systems and types of end-user device;
  • Ability to automatically update the vulnerability database;
  • The completeness of the vulnerability database, references to various sources of information about vulnerabilities, and the ability to refer to a vulnerability by the various identifiers under which it is known (CVE …);
  • Frequency of vulnerability database updates;
  • Does the supplier have its own team of vulnerability investigators and researchers?

Patch and Remediation Management:

  • Measuring the effectiveness of remediation actions ('delta' (differential) scans, rescans (verification scans) after applying corrective measures, the possibility of calculating KPIs relating to the effectiveness of remediation actions);
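Both the network-based and the host-based criteria call for delta scans and remediation KPIs, so one added example serves both. It is written for this page (not the post's material, nor any product's code): it compares a baseline scan with a verification rescan, removes verified false positives before counting anything, and derives the KPIs. Host names, ports, check identifiers, dates and the per-severity SLA are constructed assumptions.

```python
"""Delta (differential) scan: compare a baseline scan with a verification rescan
and derive remediation KPIs. Added example for this page; all data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Set, Tuple

# A finding is identified across scans by host, port and the scanner's check id;
# without a stable key like this two scan results cannot be compared at all.
Key = Tuple[str, int, str]

# Assumed remediation deadlines in days per severity (a policy value chosen for
# the example, not something the post defines).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 45, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str      # scanner's check identifier (constructed ids below)
    severity: str      # critical / high / medium / low
    first_seen: date   # date the scanner first reported this finding

    @property
    def key(self) -> Key:
        return (self.host, self.port, self.check_id)


def delta_scan(baseline: Iterable[Finding], rescan: Iterable[Finding],
               excluded: Set[Key]) -> Dict[str, List[Finding]]:
    """Split findings into fixed / introduced / persisting.

    `excluded` holds keys of verified false positives (or accepted risks) so they
    neither inflate the open count nor show up as "fixed" once the scanner rule
    is finally tuned out.
    """
    base = {f.key: f for f in baseline if f.key not in excluded}
    new = {f.key: f for f in rescan if f.key not in excluded}
    return {
        "fixed": [base[k] for k in sorted(base.keys() - new.keys())],
        "introduced": [new[k] for k in sorted(new.keys() - base.keys())],
        # keep the baseline record so first_seen survives into the KPI calculation
        "persisting": [base[k] for k in sorted(base.keys() & new.keys())],
    }


def remediation_kpis(baseline, rescan, excluded, rescan_date: date) -> Dict[str, object]:
    """KPIs of the remediation process between the two scans."""
    d = delta_scan(baseline, rescan, excluded)
    tracked = len(d["fixed"]) + len(d["persisting"])   # findings that were open at baseline
    overdue = [f for f in d["persisting"]
               if (rescan_date - f.first_seen).days > SLA_DAYS[f.severity]]
    return {
        "tracked": tracked,
        "fixed": len(d["fixed"]),
        "introduced": len(d["introduced"]),
        "persisting": len(d["persisting"]),
        "remediation_rate": round(len(d["fixed"]) / tracked, 2) if tracked else 0.0,
        "overdue": [f.key for f in overdue],
    }


# Constructed scan results (hosts, ports and check ids are made up).
BASELINE = [
    Finding("db01", 1433, "chk-101", "critical", date(2024, 2, 20)),
    Finding("db01", 22, "chk-205", "medium", date(2024, 1, 15)),
    Finding("web01", 443, "chk-330", "high", date(2024, 2, 25)),
    Finding("web01", 80, "chk-411", "low", date(2023, 12, 1)),
    Finding("web01", 443, "chk-999", "high", date(2024, 2, 25)),   # verified false positive
]
RESCAN = [
    Finding("db01", 22, "chk-205", "medium", date(2024, 1, 15)),
    Finding("web01", 443, "chk-330", "high", date(2024, 2, 25)),
    Finding("web01", 80, "chk-411", "low", date(2023, 12, 1)),
    Finding("web01", 8080, "chk-520", "medium", date(2024, 3, 15)),  # new since baseline
    Finding("web01", 443, "chk-999", "high", date(2024, 2, 25)),     # still flagged, still excluded
]
VERIFIED_FALSE_POSITIVES: Set[Key] = {("web01", 443, "chk-999")}
RESCAN_DATE = date(2024, 3, 15)

if __name__ == "__main__":
    for name, value in remediation_kpis(BASELINE, RESCAN, VERIFIED_FALSE_POSITIVES, RESCAN_DATE).items():
        print(f"{name}: {value}")
```

Two details matter in practice: the persisting findings keep the baseline record so the age used for the SLA check is the real first-seen date rather than the rescan date, and the false-positive list is applied before counting, otherwise the remediation rate is distorted by findings nobody intends to fix.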

Configuration Management:

  • Ability to examine the compliance of system configuration with definable security baselines;
  • Pre-defined configuration templates corresponding to industry standards (such as PCI DSS, ISO 27001 etc.) and security best practices;
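A baseline compliance check (this criterion, and the same one for network-based scanners earlier on this page) is simple in principle, but the checker has to reproduce the target's own parsing rules or it will deliver wrong verdicts. The added example below, written for this page rather than taken from the post or any product, evaluates an sshd_config against a definable baseline while respecting two OpenSSH parsing rules: the first occurrence of a keyword wins, and directives after a Match block apply only conditionally. The baseline rules and the sample configuration are constructed for the example; the listed defaults are those documented for current OpenSSH releases and should be verified against the version in use.

```python
"""Checking a host's sshd_config against a definable security baseline.
Added example for this page; baseline and sample config are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Rule:
    key: str                   # sshd_config keyword
    allowed: Sequence[str]     # acceptable values (compared case-insensitively)
    default: Optional[str]     # value sshd assumes when the keyword is absent
    rationale: str


# Constructed baseline in the spirit of common SSH hardening guidance; the rule
# set is an assumption for this example, not a published benchmark. Defaults are
# the documented OpenSSH ones; verify them against the version you run.
SSHD_BASELINE = [
    Rule("PermitRootLogin", ("no",), "prohibit-password", "no direct root logins"),
    Rule("PasswordAuthentication", ("no",), "yes", "keys only"),
    Rule("PermitEmptyPasswords", ("no",), "no", "never accept empty passwords"),
    Rule("X11Forwarding", ("no",), "no", "reduce attack surface"),
    Rule("MaxAuthTries", ("1", "2", "3", "4"), "6", "slow down brute force"),
    Rule("LogLevel", ("INFO", "VERBOSE"), "INFO", "enough detail for the SIEM"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings of an sshd_config (keys lower-cased).

    Two sshd rules that naive checkers get wrong: for each keyword sshd uses the
    first occurrence, and everything after the first `Match` line is conditional,
    so it does not count as a global setting.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)           # "Keyword=value" form
        else:
            parts = line.split(None, 1)               # "Keyword value" form
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.strip().lower()
        if key == "match":
            break                                     # global section ends here
        settings.setdefault(key, value.strip())       # first occurrence wins
    return settings


def evaluate(settings: Dict[str, str], baseline: Sequence[Rule]) -> List[Dict[str, object]]:
    """One verdict per baseline rule, recording whether the value came from the file."""
    results = []
    for rule in baseline:
        value, source = settings.get(rule.key.lower()), "config"
        if value is None:
            value, source = rule.default, "default"
        allowed = {a.lower() for a in rule.allowed}
        compliant = value is not None and value.lower() in allowed
        results.append({"key": rule.key, "value": value, "source": source,
                        "compliant": compliant, "rationale": rule.rationale})
    return results


def compliance_level(results: Sequence[Dict[str, object]]) -> float:
    """Share of baseline rules met, in percent."""
    if not results:
        return 0.0
    return round(100.0 * sum(1 for r in results if r["compliant"]) / len(results), 2)


# Constructed sample configuration to evaluate.
SAMPLE_CONFIG = """\
# constructed sshd_config for the example
Port 22
PermitRootLogin yes
PasswordAuthentication no
PasswordAuthentication yes   # duplicate: sshd keeps the first value
X11Forwarding=yes
MaxAuthTries 4

Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    res = evaluate(parse_sshd_config(SAMPLE_CONFIG), SSHD_BASELINE)
    for r in res:
        print(f"{'PASS' if r['compliant'] else 'FAIL'} {r['key']}={r['value']} ({r['source']})")
    print(f"compliance level: {compliance_level(res)}%")
```

The `source` field is worth keeping in reports: a rule satisfied only by the daemon's default will silently flip to non-compliant after an upgrade that changes that default, which is a different remediation task from fixing a value somebody explicitly set.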

Management:

  • Central administration of vulnerability detection policies and reporting;
  • Quality and functionality of the management console;
  • Ability to generate reports with different levels of detail and different levels of information aggregation;
  • Customizable reporting formats and templates;
  • License conditions and restrictions;

Type of tools: Pen-testing tools
Tools application: Pen-testing, verification of scanner results (confirming false positives and checking that negative results are true negatives), risk assessment derived from the identified vulnerabilities.
  • Scope of application (general-purpose tools versus specialized ones dedicated to a specific platform or system type);
  • Ability to automatically generate attack payloads, shellcode, opcodes etc.;
  • Ability to define attack scenarios, use predefined attack vectors and define/create your own attack vectors;
  • Ease of use of the user interface, framework and internal development environment for creating and customizing attack tools and scenarios;
  • Ability to develop your own attack tools in scripting languages, and to embed your own code written in compiled languages;
  • Agentless versus agent-based solutions;
  • Level of automation;
  • Distributed network-based solution versus a single-station solution;
  • Access to updates of scripts and tools enabling new kinds of attack;
  • Frequency of updates to the database of attack scenarios and tools;
  • Supported operating systems;
  • License conditions and restrictions;

Type of tools: Scripts and in-house development supporting tools
Tools application: Complementary toolset for VM and pen-testing.
  • Manageability of the toolset (change management and quality management, code repositories, documentation etc.), and access control and accountability for its use;
  • Quality of the tools, predictability of their results and safety of their use;
  • The quality of the documentation for the tools;
  • The possibility of installing the tools in a single, standardized operating environment, possibly on a single computer;
  • Portability of the tools (ability to install them on testers' laptops);

Type of tools: Reporting tools
Tools application: Reporting
  • Ability to define your own report templates;
  • Existence of pre-defined reporting standards that can be customized and adapted to the organization's needs;
  • Ability to generate tabular, graphical and hybrid reports;
  • Ability to generate reports in an editable form for further processing;
  • Ability to define your own reporting criteria (including KPIs and KRIs);
  • Ability to illustrate trends (for example: the level of risk and the effectiveness of remediation processes);
  • Ability to export data to other reporting and processing tools;

Type of tools: Knowledge database
Tools application: Improving the efficiency and quality of the VM process, improving the skills and competence of the team involved, supporting the risk management and security incident management processes, supporting the maintenance of IT systems, and educational value for information security awareness within the organization.
  • User-friendly interface, ease of access;
  • Configurability;
  • Data quality;
  • The quality and speed of the search;
  • Access control;

About Janusz Nawrat
Just an ordinary man who likes thinking...