Is the plain vanilla vulnerability assessment scanner dead?
Vulnerability assessment tools aren't just for scanning devices and spitting out a list of vulnerabilities anymore: VA tools are now being bundled with configuration management, policy, and penetration testing functions. Some vendors, like StillSecure, even envision VA eventually becoming part of the network access control (NAC) equation.
"It's definitely not dead," says Ron Gula, CEO of Tenable Network Security, which sells the popular Nessus vulnerability scanner. "There are people who scan several million IP addresses per day, and penetration testers are still using it [the vulnerability assessment tool]. If VA scanning were dead, we wouldn't have 80,000 people downloading us as plug-ins."
But Gula admits that VA, including Nessus, is evolving. Aside from pinpointing vulnerabilities, Nessus also enumerates all hosts and devices connected to Web services, SNMP, and other network services, he says.
The trouble with merely finding vulnerabilities with a VA scan is each vulnerability doesn't necessarily equal a risk. And the sheer volume of vulnerabilities can be overwhelming.
"I don't think you're ever going to lose the need to scan your stuff. The question is what you do with that data and how you make it actionable," says Michael Rothman, president and principal analyst of Security Incite.
Tim Keanini, CTO of nCircle, says there was a time when VA vendors competed on who could find the most vulnerabilities. "He who had the longest list won," Keanini says. "But an enumeration of 8,000 or 9,000 vulnerabilities finally became overwhelming... Buyers no longer want the longest list, but they want to know what they can do to lower their target surface. That's the biggest shift in the [VA] mindset."
That means not only reporting on glaring vulnerabilities, but also determining resource details like where, and how many, Apache servers are on the network, or how many machines are compliant with a particular policy checklist, Keanini says. "We went from assessment to management," he says. "This goes to operational risk."
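The shift Keanini and Rothman describe, from a raw vulnerability list to something actionable, is illustrated by the added Python example below; it is not code from any vendor quoted here, and the findings, hosts, and scoring weights are constructed for illustration. It ranks findings by exposure rather than severity alone, inventories which hosts run a given service such as Apache, and separates what a patch can fix from what needs a configuration change.

```python
"""Turn a raw vulnerability list into actionable views: a prioritised queue,
an inventory by service, and a split by remediation path.
All findings below are constructed sample data, not real scan output."""
from collections import Counter, defaultdict

# Constructed findings: hypothetical hosts, services and remediation paths.
FINDINGS = [
    {"host": "10.0.1.5", "service": "apache", "severity": 9.8, "exposed": True,  "fix": "patch"},
    {"host": "10.0.1.5", "service": "ssh",    "severity": 5.3, "exposed": True,  "fix": "config"},
    {"host": "10.0.2.7", "service": "apache", "severity": 7.5, "exposed": False, "fix": "patch"},
    {"host": "10.0.2.9", "service": "snmp",   "severity": 6.5, "exposed": False, "fix": "config"},
    {"host": "10.0.3.1", "service": "apache", "severity": 4.3, "exposed": False, "fix": "none"},
]

def risk_score(finding):
    """Severity alone is not risk: weight by exposure and fix availability (assumed weights)."""
    score = finding["severity"]
    if finding["exposed"]:
        score *= 1.5          # reachable from outside: more likely to be targeted
    if finding["fix"] == "none":
        score *= 0.8          # still tracked, but cannot be queued for remediation
    return round(score, 2)

def prioritise(findings):
    """Highest-risk findings first, so the queue is short enough to act on."""
    return sorted(findings, key=risk_score, reverse=True)

def inventory(findings):
    """Where, and how many, hosts run each service (e.g. how many Apache servers)."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["service"]].add(f["host"])
    return {svc: sorted(h) for svc, h in hosts.items()}

def remediation_split(findings):
    """Counts of findings by remediation path: patch, config change, or none."""
    return dict(Counter(f["fix"] for f in findings))

def patchable_fraction(findings):
    """Share of findings a patch manager could actually close."""
    return sum(1 for f in findings if f["fix"] == "patch") / len(findings)

if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(risk_score(f), f["host"], f["service"], f["fix"])
    print(inventory(FINDINGS))
    print(remediation_split(FINDINGS), f"{patchable_fraction(FINDINGS):.0%} fixable via patch")
```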
Security experts say VA is heading in two basic directions -- VA combined with configuration management and compliance, and VA combined with penetration testing tools -- and each addresses different types of users and uses.
Security Incite's Rothman says the configuration side is more of a systems management discipline than a vulnerability/patching one. "This helps you with compliance," he says. "There's value in that, but it's more valuable to the operational manager versus the security manager."
The penetration testing suites -- such as Core Security's Impact, Metasploit, and Immunity's Canvas -- are aimed more at the security manager. These are for finding out what can actually be compromised, Rothman says, rather than just creating a list of vulnerabilities.
Alan Shimel, chief strategy officer at StillSecure, which makes both NAC and vulnerability management products, agrees that the market is splitting into two types of VA-based tools. But he contends that the pure vulnerability scan alone has outlived its usefulness. "I don't know how many people are truly finding the value of doing VA scanning once a month, getting a report, and importing it to a patch manager without automation," Shimel says. "There are just too many patches and vulnerabilities...too much data."
"The dirty little secret about VA scanning is of all the vulnerabilities you find, only 25 percent of them are fixable via patches," he says. "It's a dead end for the VA market."
The missing link is enforcement, as well as automation, Shimel says. "This is where security configuration management and VA meet NAC, the darling of the security set," he says. "NAC can do that security configuration and on top of that, provide enforcement if I'm not meeting my minimal security configuration policies -- by quarantining or denying access."
But security experts say a marriage between VA and NAC is a ways away. "That's going to be a long time coming," says Security Incite's Rothman. "We keep getting back to what is policy, who can configure it, and how we decide who gets quarantined," he says. "In practice, there's a lot of operational inertia to be dealt with first."
Kelly Jackson Higgins, Senior Editor, Dark Reading