Welcome to our annual rundown of vulnerability management tools. This is an interesting category as much for its stability as its evolution. Contradictory statements? Not really. For example, the traditional approach to vulnerability management is – at its simplest – test, patch and test some more. There is some of that still happening, but the evolving trend is to test constantly and remediate as you go. Some tools even add in threat data to the mix so that they behave smarter.
So the basic idea of the test/remediation cycle still is with us, but it isn't quite your grandparents' vulnerability management either. The reason, of course, is that the whole idea of vulnerability has changed. Today, the traditional issue of unpatched devices, while still a huge problem, has to share vulnerability space with sophisticated malware. There is a myth that most, if not all, breaches are caused by malware. Actually, some of the worst ones start with a manual incursion into a vulnerable edge device. That could be a web server or other internet-facing computer.
The problem is then exacerbated by a skilled insertion of appropriate – and usually custom – malware. The purpose of this usually is to exfiltrate data or to provide a back door for the attacker to use to return. This usually is not an attack of opportunity as are many pure malware-based attacks. This is targeted and very specific to the victim. So here is where we start thinking about the different forms that vulnerability can take.
Certainly there is vulnerability in the unpatched server that admitted the attacker in the first place. But very often a bigger vulnerability exists in the network architecture itself. This is not something you can patch. When an organization places a development web server on the network with direct access from the internet, it is an open invitation for an intrusion. These devices often are not carefully secured. Rather, they do often provide a clear path into the network. If the developers are using live instances of backend databases for testing, it is even worse. Nobody would do that? Don't kid yourself. It happens frequently.
Another type of vulnerability outside of the mainstream is vulnerability to exfiltration by malware. We all believe that encryption is the answer to protecting data at rest – and even such regulatory laws as HIPAA suggest encrypting such data. But, if a piece of malware or an intruder has escalated its privilege to root, the data is open to it, encrypted or not. So the vulnerability is the access control, not an unpatched device.
This month, we take a close look at some excellent vulnerability management tools and not all of them are restricted to the traditional types of vulnerabilities. There are several familiar players here – players we've seen for years. But like the vulnerabilities they manage, these are not your legacy vulnerability assessment tools.
Testing and reviewing this month was by our trusty SC Lab team of Sal Picheria, Ben Jones and James Verderico.