How can you know if a technology or technical process is approaching obsolescence and ready to be redefined or replaced? Age isn't the only indicator that counts, as there are a multitude of “older” technologies that still provide benefits generations after they came into being.
In fact, the amount of net benefit that a technology provides is probably the best indicator. When benefit declines to a point where the technology creates more pains than it resolves, you can bet that users and innovators alike will seek out new ways to problem solve.
For IT security practitioners, questions arise every day as to whether existing security technologies and processes are providing enough net benefit to justify their continued use. If a security control doesn't keep out attackers, or a risk reduction process doesn't actually reduce risk level – why spend the time, money and resources to keep doing the same-old-same-old?
Let's examine the usefulness of vulnerability management (VM) processes in a typical enterprise today. VM is a systematic process of identifying, prioritizing, and then mitigating vulnerabilities. These flaws continue to be one of the common vectors used by attackers and malware to get into a network. Vulnerabilities are the “secret entrances” to networks, and once an attacker finds a secret entrance – the network can be exploited.
So, VM sounds like a worthwhile endeavor for a security management team, right? A vulnerability management program should reduce the number of vulnerabilities, particularly critical ones, thus reducing the chance of an intrusion, theft, or attack. But as most IT security practitioners will tell you, the long-standing approach to VM is delivering less and less value over time, and threatening to become an obsolete, irrelevant security process.
Why? Let's examine the reasons that “traditional” VM programs fail in delivering sufficient net benefit, and what security teams can do to return VM into a functioning, beneficial security practice.
Problem: Disruptive vulnerability scans conducted infrequently
Solution: Non-invasive vulnerability detection conducted daily
VM starts with finding the weaknesses in the first place. Traditional active vulnerability scanners find flaws by testing lots of signatures against hosts to see if they are present. But active scanning has a high cost. Scans of live systems can disrupt the normal behavior of running processes, causing them to fail. Deploying scanning agents through a network may be difficult and expensive, or access to certain zones may be limited. Active scanning consumes significant system resources, and monitoring and maintaining the scan processes requires significant IT management resources.
Due to these high costs, enterprises often implement active scanning on a limited and infrequent basis.
Why don't organizations scan more often or more in-depth?
Is there a better way? Vulnerability information can be derived through non-invasive means, using information already available within networks, from security management systems, patch management systems, asset databases, and other repositories of system and software product data.