Vulnerability management

This is a difficult category because, as the genre has evolved, branches and even twigs have carved out niches within the overall market. For example, we saw tools that were full-function vulnerability management systems best applied in large environments, and combination vulnerability assessment/penetration testing tools. We also saw a tool that tests just one device: yours. So coming up with a Best Buy and only one Recommended was a challenge.

First, to make a proper selection you need to have a clear idea of what you want to accomplish. Do you just want periodic vulnerability scans? Do you need pen testing? Both? Are you striving for PCI or other compliance, or are you content simply with being secure? We heard just about every vendor tell us that their product caught more vulnerabilities than any other - not likely, of course, since all made the same claim. But, as it is with malware, the question today is: is it really necessary to catch all of the possible vulnerabilities?

What, really, is the bottom line here? Working backwards from the objective - protecting the data - we can say with some confidence that we need to ensure that our data is not subject to exploitable vulnerabilities or vulnerability chains. A glance at the kill chain is very helpful here. The cyber kill chain originated with Lockheed Martin and consists of seven steps: reconnaissance, weaponization, delivery, exploitation, installation, command-and-control and actions on objectives. Breaking the kill chain at any point stops the attack from achieving its goal.

There are functions that you can perform at most steps of the kill chain to improve your chances of surviving an attempted intrusion. These attempts are not just external anymore, either. Often they are generated from within by a careless response to a phishing message or a click on an infected site. That invites the intruder into your enterprise and, no matter how good your perimeter defenses are, the intruder is inside doing you harm. Conventional wisdom was that you assess the perimeter and, perhaps, the server farm and, if all was well there, you probably were OK. That simply is no longer true. Every device in the enterprise - especially now that much of the enterprise is virtualized - is a potential target for a link in the kill chain.

Also, we have always known that risk is not just vulnerability. Vulnerability tool vendors have for a long time equated vulnerability with risk - "how many risks did the scanner find?" The answer? None. What it found were vulnerabilities. So how do vulnerabilities fit into the grand risk picture? Vulnerabilities need to be exploitable. That means that there must be a credible threat to act on the vulnerability. And, of course, the threat must be able to reach the vulnerability to act on it. In the good old days that was a limitation on the bad actors. If they couldn't break through the defenses, they could not deliver their threat.

No more. Reachability is no longer a real stumbling block for attackers. Under the right circumstances, any device on the enterprise may be reachable. Back to the kill chain. The important word here is "chain." In pen testing classes at university, we taught the notion of chained exploits. Analysis of major breaches usually reveals that rather than a single vulnerability, there was a chain of them that, exploited together, yielded a breach. So if we look at the cyber kill chain we see some links that are tailor-made for breaking the back of chained exploits. For example, if we can identify and clear vulnerabilities involved with permitting delivery, exploitation and installation, we won't need to worry about actions on objectives. We have, in a sense, clobbered the notion of reachability, but this time it's a lot more complicated reachability than ever before.
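The two ideas in the preceding paragraphs, that a scanner finding is only a risk when a credible threat can reach it, and that breaches come from chains of vulnerabilities rather than single ones, can be made concrete with a small prioritisation model. The following is an added example and is not code from the original article or from any vendor reviewed in it. It treats the enterprise as a constructed graph of hosts, attaches constructed findings with placeholder identifiers (not real CVEs) to each host, and keeps only the findings that sit on a chain an attacker could follow from an internet-facing host to the data asset. It then asks which single fix would break that chain, which is the kill-chain question the article poses. All host names, identifiers and scores are assumptions made up for the example.

```python
"""Prioritising scanner findings by threat and reachability (added example).

A finding is a vulnerability; it only becomes risk when a credible threat can
reach it.  The enterprise is modelled as a graph of hosts, each finding is tagged
with whether a public exploit exists (credible threat), and a finding counts as
risk only if it lies on an exploitable path from the entry point to the data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # constructed severity score
    exploit_public: bool   # credible threat: a working exploit is known to exist


# Constructed network: host -> hosts it can reach at the network layer.
NETWORK = {
    "internet": ["web01"],
    "app01": ["db01"],
    "web01": ["app01"],
    "hr-laptop": ["db01"],   # can reach the database, but is not reachable from the internet here
    "db01": [],
}

# Constructed findings with placeholder identifiers.
FINDINGS = [
    Finding("web01", "PLACEHOLDER-0001", 9.8, True),
    Finding("web01", "PLACEHOLDER-0002", 5.3, True),   # low score, but also gives a foothold on web01
    Finding("app01", "PLACEHOLDER-0003", 8.1, True),
    Finding("db01", "PLACEHOLDER-0004", 7.5, True),
    Finding("hr-laptop", "PLACEHOLDER-0005", 9.1, True),  # highest-but-one score, not on the chain
]


def exploitable_hosts(network, findings, entry="internet"):
    """Hosts an attacker can reach from `entry`, stepping only onto hosts that
    carry at least one finding with a public exploit (each step is a chain link)."""
    foothold = {f.host for f in findings if f.exploit_public}
    seen = {entry}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        for nxt in network.get(cur, []):
            if nxt in seen or nxt not in foothold:
                continue
            seen.add(nxt)
            queue.append(nxt)
    seen.discard(entry)
    return seen


def prioritise(network, findings, asset="db01"):
    """Findings that form part of a chain ending at `asset`, highest CVSS first.
    Returns an empty list when the asset is not reachable at all."""
    reachable = exploitable_hosts(network, findings)
    if asset not in reachable:
        return []
    on_chain = (f for f in findings if f.host in reachable and f.exploit_public)
    return sorted(on_chain, key=lambda f: f.cvss, reverse=True)


def break_chain(network, findings, asset="db01"):
    """Identifiers of findings whose remediation, on its own, makes `asset`
    unreachable.  A host with two exploitable findings needs both fixed."""
    breakers = []
    for f in prioritise(network, findings, asset):
        remaining = [g for g in findings if g is not f]
        if asset not in exploitable_hosts(network, remaining):
            breakers.append(f.cve)
    return breakers


if __name__ == "__main__":
    for f in prioritise(NETWORK, FINDINGS):
        print(f"{f.cvss:4.1f}  {f.host:10s} {f.cve}")
    print("single fixes that break the chain:", break_chain(NETWORK, FINDINGS))
```

Running it shows PLACEHOLDER-0005 dropping out despite its 9.1 score, because no chain from the internet reaches hr-laptop, while the 5.3 finding on web01 stays in: fixing only the 9.8 on the same host leaves the foothold intact, so the single fixes that actually break the chain are on app01 and db01. That is the article's point about chained exploits and about vulnerability not being the same thing as risk.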

For that reason, you may benefit from a tool that simulates attack traffic in your enterprise and determines where to test. But probably more important is the modern version of defense-in-depth: you likely need more than one tool. For example, constant, ongoing scanning is useful but should never be the only thing you do. Also good is enforced self-testing by users on their own workstations for things that make their computers uniquely vulnerable to attack. The combination of vulnerability scanning and pen testing is a must in today's threatscape.

So those days of running a scanner and calling it secure are over. Today we need to understand the kill chain, the nature of the threats against our enterprise and the makeup of the enterprise, and only then can we select the right tool or combination of tools to cover the vulnerability side of the cyber kill chain.

[Product comparison table; only fragments survived extraction. Vendors listed: Core Security, Tenable Network Security. Feature rows: available as a cloud service; available as a physical appliance; supports distributed scanning; creates reports detailing compliance and vulnerabilities; includes built-in policies and functionality to support regulatory compliance; vulnerability management via an agent; integration with patch management systems; can scan ... devices for ... (through MDM ...). Per-vendor values were not recoverable.]