In the current security climate, threats, outbreaks and breaches are a fact of life. No budget is large enough to buy a single solution that eliminates every avenue of attack.

Vulnerability management tools, however, can help by isolating the precise areas of risk so that organizations can take steps to reduce them.

"Vulnerability Management is the continual process of measuring and managing the risk presented by flaws in software and configuration within an organization," said Tim Erlin, principal product manager at nCircle Network Security Inc. of San Francisco. "The process generally includes comprehensive discovery and profiling of network assets, assessment of each asset for applications and vulnerabilities within those applications, prioritization of the assets and vulnerabilities, and finally workflow for remediation of the prioritized conditions."

Many tools cover only one piece of the vulnerability management process, assessing network vulnerabilities, web application vulnerabilities or configuration, but not all three. Each of these areas can present risk in an environment, and leaving any one out leaves the vulnerability management puzzle missing pieces.

It all starts with an inventory of what currently exists in the organization. Once everything is catalogued, the inventory has to be kept current, because IT is not a static entity. Tools should therefore provide automatic discovery, scheduling and network profiling so that different parts of the organization can each be covered.

"Vulnerabilities cannot be accurately assessed without an inventory of the applications in which they exist," said Erlin. "Tools that don't provide a complete and separate assessment of applications on an asset are missing a vital component to vulnerability management."

One thing to beware of is a tool that produces long lists of vulnerabilities. Remember the old Y2K detector from Symantec Corp. of Cupertino, CA? It seemed to label everything on a computer as a threat and then offered little real help in dealing with any of it. The same applies to vulnerability management: you don't want something that simply overwhelms you with information. Ideally, results should be prioritized and the biggest threats clearly labeled.

"Every vulnerability management tool will produce more work than an organization can accomplish, therefore every vulnerability management program must provide a mechanism for prioritizing the results to address the highest risk conditions first, even if all the discovered vulnerabilities are critical," said Erlin.
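The prioritization Erlin describes, together with the earlier point that findings cannot be assessed without an application inventory, as an added example (not code from the article, from nCircle or from any other vendor): a small Python ranker over constructed scan findings. The inventory, the findings, the 0-10 CVSS-style severity scale and the criticality and exposure weights are all assumptions made for illustration. Three findings carry the same top severity, and the asset weights still separate them, which is the point of prioritizing "even if all the discovered vulnerabilities are critical"; findings that cannot be tied to an inventoried application are set aside rather than scored.

```python
"""Added example, not from the article or any vendor's product: rank scan
findings so the highest-risk conditions come first, and flag findings that
cannot be tied to an inventoried application.

All data and weights below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed weights: how much an asset's business criticality and network
# exposure amplify a finding's base severity (a 0-10 CVSS-style score).
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}
EXPOSURE_WEIGHT = {"internal": 1.0, "internet": 2.0}


@dataclass
class Asset:
    hostname: str
    criticality: str                  # "low" | "medium" | "high"
    exposure: str                     # "internal" | "internet"
    applications: set = field(default_factory=set)


@dataclass
class Finding:
    hostname: str
    application: str
    title: str
    severity: float                   # 0-10, scanner-reported base severity


def risk_score(finding, asset):
    """Base severity scaled by asset criticality and exposure (assumed model)."""
    return round(finding.severity
                 * CRITICALITY_WEIGHT[asset.criticality]
                 * EXPOSURE_WEIGHT[asset.exposure], 2)


def prioritize(findings, inventory):
    """Return (ranked, unmatched).

    ranked:    (score, finding) pairs, highest risk first; equal scores are
               ordered by raw severity.
    unmatched: findings whose host or application is not in the inventory.
               They cannot be assessed accurately, so they go back to the
               discovery/inventory step instead of the remediation queue.
    """
    ranked, unmatched = [], []
    for f in findings:
        asset = inventory.get(f.hostname)
        if asset is None or f.application not in asset.applications:
            unmatched.append(f)
            continue
        ranked.append((risk_score(f, asset), f))
    ranked.sort(key=lambda item: (item[0], item[1].severity), reverse=True)
    return ranked, unmatched


# Constructed inventory: three assets with their known applications.
INVENTORY = {a.hostname: a for a in [
    Asset("web-01", "high", "internet", {"nginx", "app-portal"}),
    Asset("db-01", "high", "internal", {"postgresql"}),
    Asset("kiosk-07", "low", "internal", {"browser"}),
]}

# Constructed scanner output. Three findings share the same top severity;
# the last two reference an application or host the inventory does not know.
FINDINGS = [
    Finding("web-01", "app-portal", "SQL injection in search form", 9.8),
    Finding("db-01", "postgresql", "Default superuser password", 9.8),
    Finding("kiosk-07", "browser", "Outdated browser build", 9.8),
    Finding("web-01", "nginx", "TLS 1.0 still enabled", 5.3),
    Finding("web-01", "php", "Remote code execution in PHP module", 9.8),
    Finding("print-03", "cups", "Unauthenticated admin interface", 7.5),
]


if __name__ == "__main__":
    ranked, unmatched = prioritize(FINDINGS, INVENTORY)
    print("Remediation order:")
    for score, f in ranked:
        print(f"  {score:5.1f}  {f.hostname:9} {f.application:11} {f.title}")
    print("Needs inventory work before it can be assessed:")
    for f in unmatched:
        print(f"         {f.hostname:9} {f.application:11} {f.title}")
```

With these weights the three 9.8 findings land at 29.4, 14.7 and 4.9, so the internet-facing portal is fixed first and the low-value kiosk last, while a lower-severity TLS issue on the exposed web server (15.9) outranks the critical database finding on an internal host. Any real deployment would replace the constructed weights with the organization's own asset classification.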

Of course, a tool alone is not enough. It has to be supported by a vulnerability management workflow that addresses risk appropriately, though tools such as nCircle's can support that workflow with automation, built-in ticketing and accurate data.

"Remember that each organization is different in how they assign ownership and responsibility," said Erlin. "Before acquiring a vulnerability management tool, examine the processes in place for applying patches and upgrading to determine where they should change and where a tool can assist with automation."

Tool Selection

Michael Montecillo, an analyst at Enterprise Management Associates Inc. of Boulder, CO, believes that the way to embark upon vulnerability management is to harness a tool as the catalyst for instituting vulnerability management practices.

"Ultimately, you should use the software that does the best job of identifying everything within your own environment," he said. "Tools by vendors such as nCircle, Qualys and eEye will simplify the process, create a reporting methodology and do the assessment in a repeatable fashion."

Montecillo suggests regular assessment to measure how effective ongoing mitigation efforts have been. He also believes the subject should not be left to one team or department: getting anywhere with vulnerability management takes a collaborative effort across the organization, including support from top management.

For those who view this as yet another sales job pushed by security vendors, Montecillo points out that today's climate demands layered security. Spyware, viruses and other malware are specific threats; security vendors have supplied a variety of remedies for them over the last decade, and that trend won't stop anytime soon. End users will have to get used to the idea that as the malicious and criminal fringe comes up with new and better ways to infiltrate organizations or wreak havoc, vendors will respond with new and better tools.

Vulnerability management, however, is in a different category altogether. Rather than a tool that addresses a specific threat, it is a way to view the entire security picture and see where you are most at risk.

"Viruses come in where you are vulnerable, so there is less risk if you have eliminated that zone of attack," said Montecillo. "Recently, we are seeing calls for vulnerability management software in legislation."

This article was first published on EnterpriseITPlanet.com.