Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

6/27/2007
09:22 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Vulnerability Management Grows Up

Tools are evolving to handle more than patch check-boxes, Burton Group says

Vulnerability management isn't just about slapping on the latest patches anymore.

That's because a vulnerability isn't always just a publicly identified bug by Microsoft or CERT. "Vulnerabilities can be problems in configurations, missing patches, software that was loaded on a machine that shouldn’t be there, or security mechanisms that are not loaded or up-to-date and should be," says Eric Maiwald, senior analyst with the Burton Group and author of two vulnerability management reports for Burton, which were published late last week.

Maiwald says vulnerability management should be how an organization identifies, classifies, prioritizes, and deals with these exceptions due to business requirements -- and how they remediate problems and verify that all is well.

Trouble is, some vulnerability management products out there just scan for known bugs and don't detect human error in system configurations, for instance, he says. "And other products are very good at identifying configuration issues or missing software or going about deploying software, but they don't tell you about missing patches or have the ability to deploy them."

Maiwald says the gradual integration of these features is coming, albeit slowly. It all started last year when Symantec purchased BindView, and most recently, Altiris, as well as with PatchLink, which purchased vulnerability management vendor Harris STAT. In his report, Maiwald notes that the integrated products remain mostly in the planning stages, however.

The missing link is an integrated vulnerability tool that not only finds the holes, but can gauge the risk as well. "What is the real problem with these vulnerabilities?" he says.

Not all bugs are exploitable. "Say I have a vulnerability in my Unix machine, but because it's sitting in a particular zone of the network with some perimeter protections, someone from the Internet can't get to that machine to execute that exploit."

So that vulnerability doesn't carry the same risk as one that would be accessible to someone via the Net, he notes.

Enterprises also must consider risk from the business perspective rather than just go about wielding a patch checklist. "If a system has limited business value, it's less important than a vulnerability in a server that holds our credit card numbers," Maiwald says.

Maiwald says a few products are offering some of the capabilities, however -- McAfee, Archer Technologies, nCircle, and Symantec with its BindView policy manager, for instance. "You have to look at the entire enterprise... And you have to get vulnerability information and marry it with some knowledge of value and consequence associated with a particular breach."

And underlying this is the fact that patch management is mostly reactive. "You're always behind the power curve," he says, waiting for a publicly disclosed bug to get patched before you can get protected.

A better approach, of course, is more secure and clean applications and operating systems, according to Maiwald. But no one can write flawlessly secure software. A more likely scenario, he says, is for vendors to limit bugs: "Providing a window of breathing room so the enterprise doesn't have to patch [right] this minute."

Burton's reports on the evolution of vulnerability management, "Vulnerability Management Becomes Technical Security Policy Management" and "The Changing Face of Vulnerability Management," are available to Burton Group clients at http://www.burtongroup.com.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Burton Group
  • Symantec Corp. (Nasdaq: SYMC)
  • McAfee Inc. (NYSE: MFE)
  • PatchLink Corp.
  • Archer Technologies LLC
  • nCircle Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Zero-Factor Authentication: Owning Our Data
    Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
    44% of Security Threats Start in the Cloud
    Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
    Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
    Robert Lemos, Contributing Writer,  2/20/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    How Enterprises Are Developing and Maintaining Secure Applications
    How Enterprises Are Developing and Maintaining Secure Applications
    The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2012-1093
    PUBLISHED: 2020-02-21
    The init script in the Debian x11-common package before 1:7.6+12 is vulnerable to a symlink attack that can lead to a privilege escalation during package installation.
    CVE-2012-0828
    PUBLISHED: 2020-02-21
    Heap-based buffer overflow in Xchat-WDK before 1499-4 (2012-01-18) xchat 2.8.6 on Maemo architecture could allow remote attackers to cause a denial of service (xchat client crash) or execute arbitrary code via a UTF-8 line from server containing characters outside of the Basic Multilingual Plane (BM...
    CVE-2012-0844
    PUBLISHED: 2020-02-21
    Information-disclosure vulnerability in Netsurf through 2.8 due to a world-readable cookie jar.
    CVE-2013-3587
    PUBLISHED: 2020-02-21
    The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses...
    CVE-2012-6277
    PUBLISHED: 2020-02-21
    Multiple unspecified vulnerabilities in Autonomy KeyView IDOL before 10.16, as used in Symantec Mail Security for Microsoft Exchange before 6.5.8, Symantec Mail Security for Domino before 8.1.1, Symantec Messaging Gateway before 10.0.1, Symantec Data Loss Prevention (DLP) before 11.6.1, IBM Notes 8....