Many organizations are now relying upon the vital support that vulnerability assessment can offer as the fourth pillar of security.
The current business environment provides a real spur for growth for this technology. Hence why IDC forecasts the market will double to $846 million by 2006.
For more and more companies the internet is mission critical. Corporations are increasingly moving away from leased lines to internet-based technology. Sharing the global highway has great benefits - but it potentially opens your organization up to a far greater level of risk from outside. In addition, the much-publicized demise of business giants such as Enron and Worldcom has raised some very serious issues with regard to corporate governance. Reports such as the U.K.'s Turnbull Report are forcing IT security up the corporate agenda to the board level. Against this backdrop, the new generation of web-based automated vulnerability assessment tools - and in particular on-demand security auditing offered by companies such as Qualys - has a particularly compelling role to play.
Although intrusion detection systems, anti-virus software and firewalls are crucial to a well-planned security strategy, these three mainstays need careful maintenance and regular updating, and this can be a seriously daunting task. One of the great benefits of automated vulnerability assessment is that it not only flags up vulnerabilities before they become a problem in your system, it also offers one-click links to repairs. Not only can it dramatically boost security efficiency, it can also shrink operating costs for security auditing and repairs by up to 90 percent.
Traditionally vulnerability assessment has consisted of network auditing and penetration testing. Manual network auditing can take a very long time and it is notoriously expensive. It also has connotations of little men in gray suits taking over your organization for months. Penetration testing has its benefits - but some 80 percent of the outlay on penetration testing is surplus to requirements. Many penetration testers not only identify the weaknesses on your system but then go on to exploit them, spending precious corporate funds on an unnecessary activity. The essential truth is, as Bruce Schneier points out in his book Secrets and Lies, that testing for all possible weaknesses is simply impossible.
As the number of attacks proliferates (474 percent since 1997 according to CERT), these traditional methods have less and less chance of keeping up. Just as an ever-increasing number of hacking attacks use automated tools, automated vulnerability assessment will become an imperative - it's a case of fighting fire with fire.
The new generation of web-based vulnerability assessment (VA) tools, which offer automated daily scanning on a subscription basis (often referred to as 'managed vulnerability assessment') not only have the ability to slash VA operating costs by 90 percent, they can close the window of vulnerability almost completely. Essentially, automated vulnerability assessment allows organizations to manage their vulnerabilities via centralized reports and simple one-click links to verified patches - thereby doing away with countless hours of man-time. Because the service is delivered over the web, it is completely on-demand, enabling an organization to run network security audits any time and get results delivered in minutes without the extra cost of deployment and maintenance.
Looking at it through the eyes of a financial director, the total cost of ownership equation for automated vulnerability assessment is highly appealing. For a medium-size or large enterprise, it amounts to one half that of traditional vulnerability assessment - and that's on a conservative evaluation. There are various reasons for this.
Traditional vulnerability assessment not only demands the use of multiple servers and other equipment to host the vulnerability assessment software and scanning tools, it's also extremely labor intensive. The new automated tools carry out all the scans required for the network perimeter without any new hardware whatsoever and use proprietary network scanning appliances for the internal network. In today's economic climate the ability to control costs efficiently is paramount. With automated VA the calculation for total cost of ownership is simple - the web service cost is based on the number of IPs scanned. The vulnerability assessment appliance cost is a system capacity issue based on the number of internal network IPs.
Cost control for the traditional method, on the other hand, is a nightmare. It's largely based on two issues: server cost and VA administration. The former is easy enough to deal with. The latter is a challenging conundrum revolving around a number of factors. Medium-size and large enterprises tend to have multiple network domains demanding huge amounts of repetition of painstaking manual vulnerability assessment tasks. Then, it's very difficult to create the essential enterprise-wide view of vulnerabilities in an organization using freeware solutions. There's a mammoth effort involved in identifying vulnerabilities, finding relevant patches and checking the vulnerability is repaired. Recent research has shown that the average security professional spends 2.1 hours per day hunting for security information - that equates to 25 percent of his or her official working day. When you consider that in the U.K. the average security engineer commands a salary of £35-40,000 per annum and you add to that the other associated employment costs, this research becomes a very costly task.
Automated vulnerability assessment has the scope to cut out 95 percent of the administration costs and still provide effective VA.
For vulnerability assessment to be truly effective for your business it needs to be carried out on a frequent basis. With the manual approach, monthly VA is almost cost prohibitive. The great joy of automated vulnerability assessment is that the more scans you do, the more efficient it becomes all round. Over time on-demand security auditing will become the bulwark of your security strategy.
Amer Deeba is vice president of marketing for Qualys worldwide (www.qualys.com).
Qualys is exhibiting at Infosecurity Europe, stand 360, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003. www.infosec.co.uk
