There are 20,000 or more new software and hardware vulnerabilities every year, yet only a few hundred might be actively exploited. It falls to IT security teams to determine where those vulnerabilities lie in their organization and which ones they need to prioritize.
That process can be overwhelming. Vulnerability management tools can help, but even then finding, patching and testing vulnerabilities can still take an extraordinary amount of time. That’s where more automated solutions can help — and one growing in popularity is vulnerability management-as-a-service (VMaaS).
- What is Vulnerability Management as a Service?
- What are the Main Steps Involved in VMaaS?
- Benefits of Using VMaaS
- Disadvantages of Using Vulnerability Management Services
- Vulnerability Management as a Service Costs
- Top Vulnerability Management as a Service Providers
What is Vulnerability Management as a Service?
Vulnerability management is so much more than being able to run vulnerability scans against an environment. It includes patch management and IT asset management (ITAM), and increasingly, it also incorporates automation and remediation. The goal of vulnerability management is to be able to rapidly address vulnerabilities in the environment through remediation, mitigation, or removal.
VMaaS is a way to deliver these services via the cloud rather than downloading and running on-premises software. VMaaS is a continuous process of identifying, assessing, reporting on, and managing vulnerabilities across on-premises and cloud identities, workloads, platform configurations, and infrastructure.
Typically, a security team will leverage a cloud security platform to detect vulnerabilities, misconfigurations, and other cloud risks. A strong cloud security vulnerability management program analyzes risk in context to address the vulnerabilities that matter the most as quickly as possible.
“Vulnerabilities can be found in various parts of a system, from low-level device firmware to the operating system, all the way through to software applications running on the device,” said Jeremy Linden, senior director of product management at Asimily.
Some VMaaS vendors will deliver prioritized remediation plans for security teams to address. Others may automate the fixes too. And some operate in a more hands-on and involved way, similar to a managed security service provider (MSSP), some of which also offer vulnerability management services. The level of assistance and control required is up to the buyer.
What are the Main Steps Involved in VMaaS?
Vulnerability management as a service is a cyclical process that includes several steps:
- Discovery: The longer vulnerabilities remain undetected, the more likely they are to result in a breach. To combat this, companies should perform weekly external and internal network scans to identify new vulnerabilities.
- Prioritize Assets: Once it’s known which systems are in use, companies can assign each asset a value based on its usage or role. This context helps companies know how pressing a vulnerability is to fix.
- Assess Vulnerabilities: This helps companies understand the state of the applications and systems in their environments.
- Prioritize Vulnerabilities: During a scan, vulnerabilities will likely be uncovered. Here, companies will need to prioritize them based on their potential risk to the business, workforce, and customers.
- Remediate Vulnerabilities: Once vulnerabilities are identified and prioritized, the next step is to mitigate their impact. Here, organizations should work toward achieving an effective system-wide process between security operations, IT operations, and system administration teams to ensure everyone is on the same page.
- Verify Remediation: Once a vulnerability is mitigated, verification confirms the fix and ensures the incident is recorded in a tracking system, which also provides the data for key performance metrics.
- Report on Status: Especially when there is a major software flaw, internal stakeholders may be wondering about how well the organization addressed the once-active vulnerabilities. Reporting on the status of these vulnerabilities may require additional reports and dashboards to share with different users, stakeholders, and lenses.
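The cycle above, from prioritization through verification and reporting, as an added example that is not from the article or from any vendor it names. It uses constructed assets and findings with placeholder CVE identifiers, a hypothetical weighting (CVSS times asset criticality, boosted for external exposure and for known in-the-wild exploitation) and hypothetical SLA windows; a real program would take these from its own policy and threat feeds.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed asset inventory: value (1-5) and exposure come from the
# "Prioritize Assets" step, not from the scanner.
ASSETS = {
    "web-01": {"criticality": 5, "external": True},
    "hr-db": {"criticality": 4, "external": False},
    "dev-box": {"criticality": 1, "external": False},
}

@dataclass
class Finding:
    asset: str
    cve: str          # placeholder identifiers below, not real CVEs
    cvss: float
    exploited: bool   # known exploited in the wild (e.g. from a KEV feed)
    found: date

def risk_score(f: Finding) -> float:
    """Hypothetical weighting: severity x asset value, boosted for exposure and exploitation."""
    a = ASSETS[f.asset]
    score = f.cvss * a["criticality"]
    if a["external"]:
        score *= 1.5
    if f.exploited:
        score *= 3.0   # known-exploited flaws outrank everything else
    return round(score, 1)

def sla_days(f: Finding) -> int:
    """Hypothetical remediation windows by urgency."""
    if f.exploited:
        return 3
    return 14 if f.cvss >= 7.0 else 30

def prioritize(findings):
    """Return (cve, asset, score, due date) ordered from highest risk to lowest."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, f.asset, risk_score(f), f.found + timedelta(days=sla_days(f)))
            for f in ranked]

def verify(findings, rescan_ids):
    """Closure check: a finding counts as remediated only if the rescan no longer reports it."""
    open_ids = {(f.asset, f.cve) for f in findings}
    still_open = open_ids & set(rescan_ids)
    return {"remediated": len(open_ids - still_open), "open": sorted(still_open)}

FINDINGS = [  # constructed scan output
    Finding("web-01", "CVE-0000-0001", 9.8, False, date(2024, 1, 1)),
    Finding("hr-db", "CVE-0000-0002", 7.5, True, date(2024, 1, 1)),
    Finding("dev-box", "CVE-0000-0003", 9.1, False, date(2024, 1, 1)),
]
```

Note that the dev-box finding has a higher CVSS than the hr-db one but lands last: asset context and exploitation status, not raw severity, decide the order, which is the point of the prioritization steps.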
Benefits of Using VMaaS
Organizations often develop their own custom software applications, which can heighten application security risks. According to the Verizon Data Breach Investigations Report, 39% of data breaches came from web application compromise. Such compromises often result from organizations leveraging open-source code, which brings the tangle of dependencies that became apparent in vulnerabilities like Log4j Log4Shell and Apache Commons Text4Shell.
While the benefits of open-source code include faster application development, this code is enticing for criminals to study and exploit. That’s why finding and fixing these vulnerabilities has become so vital. By leveraging VMaaS systems that provide effective, additional layers of protection, security flaws can be found, managed, and corrected on an ongoing basis.
“Vulnerability management as a service improves on traditional vulnerability management practices by placing an agent on managed assets,” said Graham Brooks, senior security solutions architect at Syxsense. “Traditional vulnerability management tools cannot review or remediate issues beyond the traditional business network perimeter. VMaaS circumvents this dependency by allowing assets to be monitored and managed regardless of network topography.”
Disadvantages of Using Vulnerability Management Services
Like any other software on the market, vulnerability management software is far from perfect. Using vulnerability services doesn’t mean every vulnerability will be caught. Therefore, it’s important for IT teams to maintain best practices and conduct frequent scans to ensure they are not blinded by a false sense of security. VMaaS is not a panacea; IT teams will still need all the security tools they currently have.
While vulnerability management services are imperfect, they perform an essential process, and organizations need to make sure they are maximizing the benefits of these solutions. They can potentially keep an organization from becoming one of those mystifying breach headlines involving a long-patched vulnerability.
Vulnerability Management as a Service Costs
Costs can range drastically between vendors, as the types of services provided can also vary widely. Some security vendors simply perform vulnerability scans. Others provide fully automated management of the vulnerability life cycle.
It’s important to first understand requirements before selecting any security product vendor. Lower-functionality VMaaS products can cost under $1 per endpoint per month. Platforms with higher levels of service can range up to $8 to $12 per asset per month.
Top Vulnerability Management as a Service Providers
eSecurity Planet evaluated multiple VMaaS providers. Some are simply delivered over the cloud rather than on-premises. Some do the scanning, scheduling, and prioritization but leave remediation to local IT resources. Others take care of everything. These are the VMaaS vendors that stood out in our analysis.
Ivanti Neurons for RBVM
Ivanti Neurons for RBVM (risk-based vulnerability management) can ingest data from multiple third-party scanners to help close gaps and blind spots. These tools autonomously analyze data from vulnerability scanners and provide insight to the IT and security teams so they don’t have to sift through that data manually.
- This service pairs expert security analysts with scanning tools and processes to identify vulnerabilities on the network and in applications.
- Scan findings are automatically correlated and contextualized with threat data and analysis and prioritized.
- The service offers easy-to-follow remediation plans.
- Misconfigurations and vulnerabilities can be identified on internal and/or external networks.
- The service finds code weakness and pinpoints coding errors and their exploitability within web applications.
- The service offers validation of identified critical scanner vulnerabilities and verifies false positives, reducing noise and data overload.
ServiceNow Vulnerability Response
ServiceNow Vulnerability Response is built on the Now Platform. It connects disparate tools and data from across the organization, so solutions that run on the Now Platform, like ServiceNow Vulnerability Response, have access to the information they need to make informed decisions fast.
- ServiceNow Vulnerability Response offers complete visibility of an organization’s IT estate.
- The service assesses dynamic and static testing results to track vulnerable items and coordinate remediation of applications.
- With ServiceNow, users can view the organization’s most impactful remediation activities and monitor their completion.
- ServiceNow Vulnerability Response includes patch orchestration, which identifies and recommends patches for critical vulnerabilities quickly and schedules patch updates.
- The service works strategically with IT teams to remediate vulnerabilities using collaborative workspaces.
Syxsense Active Secure
Syxsense can perform all aspects of the vulnerability life cycle. It provides vulnerability scanning, patch management, IT management, and remediation. In addition, Syxsense finds and remediates vulnerabilities related to all compute devices (laptops, desktops, servers) except network hardware.
- Syxsense provides 24-hour coverage and support for regulatory compliance.
- Users can get accurate data from thousands of devices in under 10 seconds.
- Syxsense Active Secure instantly detects and eliminates running .exes, malware, or viruses.
- Syxsense enables businesses to meet governance or compliance regulations with help from its services team.
- Users will have access to experts that actively prevent zero-day attacks.
- Those upgrading to the full Syxsense Enterprise suite also gain automated remediation and mobile device management (MDM) functions.
Flexera Software Vulnerability Management
Flexera Software Vulnerability Management (SVM), formerly Secunia Corporate Software Inspector, is available in a cloud edition. It is focused squarely on the challenge of identifying, prioritizing, and patching software vulnerabilities.
- Security advisories consolidate all vulnerabilities related to a given patch or version.
- The Secunia Research team validates and rescores vulnerabilities to prioritize actions.
- SVM is said to detect more third-party applications than any other solution.
- Prioritization is made according to CVSS scores for patches, a Flexera criticality rating, and a threat score based on the likelihood of exploitation.
- Flexera Software Vulnerability Management has released over 4,000 patches.
- Automation features allow users to set the criteria for patches they would like to publish automatically.
- Integration is available with endpoint management solutions such as Intune, Configuration Manager (ConfigMgr), WSUS, Workspace ONE, or BigFix for deployment.
Asimily Insight
Asimily Insight is more specialized than some on the list, but it shows the diversity of VMaaS. It is a vulnerability management and risk remediation platform built for Internet of Medical Things (IoMT) devices — the critical web-connected equipment used by hospital systems, pharmaceutical labs, and other healthcare organizations.
- Instead of showing a laundry list of vulnerabilities (many of which are not actually exploitable or are patchable), it predicts potential paths for an attacker into an IoMT device to solve the biggest problems.
- Asimily Insight prioritizes remediation and mitigates risk when patching is not an option.
- Distributed Sniffer captures network traffic from any devices on the network — either on demand or automatically in response to a network anomaly event.
- Asimily Insight provides risk and vulnerability assessment and modeling on pre-procurement devices and those that haven’t been connected to the network.
Rapid7 Managed Vulnerability Management
Rapid7 Managed Vulnerability Management (MVM) is a service that manages, executes, and prioritizes remediation across the environment. It proactively assesses risk to stay ahead of threats and attain ecosystem visibility.
- Rapid7 MVM prioritizes threats that may have the biggest impact.
- Rapid7 MVM enables users to accelerate remediation with prioritized guidance as well as exposure and risk mitigation advice.
- With Rapid7 MVM, users can enact policies, procedures, and vulnerability management processes to build collaboration across the organization, perform remediations, and measure impact.
- Rapid7 MVM features include asset discovery, cloud configuration, container assessment, and reporting.
- Rapid7 MVM improves emerging threat response as new vulnerabilities emerge.
Qualys VMDR
Qualys VMDR (Vulnerability Management, Detection, and Response) automatically discovers and inventories all software and hardware assets wherever they are in an environment. This cloud-based app continuously assesses vulnerabilities and applies threat intelligence to prioritize and fix actively exploitable vulnerabilities.
- Qualys VMDR incorporates artificial intelligence (AI) and machine learning capabilities acquired from Blue Hexagon.
- Qualys VMDR offers new risk assessment and attack surface management features.
- The service provides real-time threat intelligence linked to machine learning to control and respond to evolving threats and prevent breaches.
- Qualys VMDR automatically detects the latest superseding patch for the vulnerable asset and deploys it.
- Qualys VMDR lists critical misconfigurations.
- Qualys VMDR covers mobile devices in addition to operating systems and applications.
CrowdStrike Falcon Spotlight
CrowdStrike Falcon Spotlight offers automated assessment for vulnerabilities, whether on or off the network, as well as fast time-to-respond. This tool brings real-time visibility to vulnerabilities and threats.
- CrowdStrike Falcon Spotlight prioritizes and predicts which vulnerabilities are most likely to affect the organization with ExPRT rating.
- It is a module that is part of a larger Falcon suite that includes endpoint detection and response (EDR), antivirus, threat hunting and intelligence, and more.
- CrowdStrike Falcon Spotlight has built-in AI, which ties together threat intelligence with vulnerability assessment in real time.
- CrowdStrike Falcon Spotlight is a single lightweight agent architecture.
- CrowdStrike Falcon Spotlight utilizes scanless technology to deliver an always-on, automated approach with prioritized data in real time.
- CrowdStrike Falcon Spotlight eliminates bulky reports, replacing them with its dashboard.