Buyer’s Guide
10 Essential Questions to Ask Your VM Vendor
FOUNDATIONAL CONTROLS FOR
SECURITY, COMPLIANCE & IT OPERATIONS
Knowledgeable IT, compliance, and security professionals understand the critical role vulnerability management (VM) plays in risk reduction and compliance. From helping ensure availability and uptime to hardening systems against cyberthreats, a solid VM program aligns your organization with cybersecurity best practice frameworks like the Center for Internet Security’s CIS Controls.

Virtually every major control framework asserts that without comprehensive visibility into all the hardware and software assets on the network, risk and compliance profiles will never be complete and accurate. Approaching VM from multiple perspectives can dramatically improve accuracy, because data from a variety of sensors can be correlated to prioritize resources where the next attack is likely to occur.

However, after investing in VM products and services, you may have discovered that some VM solutions have serious limitations. For example, you may experience challenges scaling to large environments, stretching to support other key controls like integrity and configuration management, or meeting various compliance requirements.

Due to rapid adoption of cloud technologies and the movement toward hybrid environments, large-scale networks are in a state of constant change. New physical and virtual devices are added to networks, modified and then removed at a faster pace than ever. Some of these changes are unauthorized and introduce new vulnerabilities. Even if these vulnerabilities are temporary (as in virtual and cloud infrastructures) or sit on remote or business partner networks, they can still leave the door open for attackers.

How to Use This Guide
The Tripwire Vulnerability Management Buyer’s Guide is designed to help you choose a new or replacement VM product. If it’s been a while since you’ve evaluated this class of solutions, this guide will also help you navigate the recent advancements in VM technologies. The usability of VM data has improved significantly with newer technologies, making it a key resource in threat detection and response. The goal of this paper is to tease out the differences between the various VM products and help identify the features that matter most in today’s technology ecosystem.

Three Core Problems VM Solutions Solve
The main purpose of VM solutions is to provide accurate risk assessment and actionable information for proactively defending your critical assets from cyberthreats. Three further challenges drive organizations to re-evaluate their VM programs: limited network visibility, identity and access management integration, and mounting pressure to reduce compliance costs.

1. Limited network visibility
It’s likely that, despite your best intentions, your visibility into the assets you’ve been tasked to protect is incomplete or outdated. Security teams often don’t directly control the assets they’re responsible for protecting, and gaining deep insight into those assets can be a challenge. Cloud, virtual and mobile device adoption continues to add to the complexity of large networks. The result is security risk visibility blind spots: ideal places for adversaries to launch their attacks.

The first step in gaining complete network visibility is an accurate hardware and software inventory. CIS Control 1, Inventory and Control of Hardware Assets, offers a good explanation of why an incomplete asset inventory is problematic: “Attacks can take advantage of new hardware that is installed on the network but is not configured and patched with appropriate security updates. Even devices that are not visible from the Internet can be used by attackers who have already gained internal access and are hunting for internal jump points or victims.” CIS Control 2, Inventory and Control of Software Assets, requires that you “Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.”

2. Identity and access management integration
Since personnel are a crucial aspect of information security, it’s important to keep human resource changes aligned with your VM system. This ensures that only authorized users have access to the data stored in it, and that data deserves protection in its own right: a current list of unpatched, reachable weaknesses is exactly what an attacker wants. Without tight integration between your directory service and VM solution, administrators must manually create, update, and delete accounts every time even a minor change is needed. If those changes aren’t reflected in the VM system, employees who need access to vulnerability data may not have it, while those who don’t need it, or no longer need it after a role change or departure, could gain or retain access. Larger, multi-unit organizations and managed services providers also require multi-tenant capabilities in their VM solution, so that sub-accounts can be managed from a master account and role-based access control (RBAC) applied within each tenant. This makes it easy to segregate data and partition user access.

3. Pressure to reduce compliance costs
Every major compliance and regulatory framework, including NIST 800-53, SOX, NERC CIP, MAS TRM and IRS 1075, requires a VM program to protect systems and infrastructure. For example, PCI DSS requires internal and external vulnerability assessments every quarter, and again after any major change to the network. To compound the problem, compliance departments are often under pressure to achieve and maintain compliance while also decreasing operating costs. A VM program is essential for meeting compliance requirements. VM tools may also promise to monitor controls other than VM, but they often fail to provide a scalable solution beyond the VM domain, so additional tools or vendors are required to fully cover integrity monitoring and compliance assessment.

Fig. 1 The Tripwire® IP360™ scanning dashboard
Quality Criteria for VM Solutions
When evaluating VM solutions, buyers should appraise the performance of the technology and ensure it will allow them to quickly answer these critical questions:
»» Which areas of my network present the greatest risk right now?
»» Is the most recent high-profile vulnerability present anywhere on my critical infrastructure?
»» What are the most effective steps we can take immediately to reduce our security risks?
The following capabilities are what you need to look for in order to find a comprehensive VM solution:

Varied assessment methods
Assessment depth can significantly impact the accuracy of results. Deeper assessments gather more detailed information, which the system can use to improve accuracy. There are four main vulnerability assessment methods to consider:
»» Agentless discovery: Look for a solution with unlimited agentless discovery, comprehensive fingerprinting and application/service detection to accurately identify and profile your assets. This allows you to inventory the ports, services, and applications exposed on your network and identify each device type and operating platform.
»» Agentless credentialed scanning: Credentialed assessments use administrative credentials to inspect the file system, registry and configuration files. They take longer to run, but the additional information gathered dramatically improves both discovery and assessment accuracy. Treat the scan account as the privileged credential it is: grant it only the read access the checks need and rotate it like any other administrative secret.
»» Non-credentialed scans: In contrast, assessments performed remotely without credentials provide the same view an outside attacker would have. If agent-based or credentialed scanning is akin to white box testing, remote analysis is black box testing. Less information is gathered about the application footprint of the asset, but more data is available about the protocols and services that can communicate with the asset. While white and black box assessments should be performed together for a holistic view of your security posture, it’s important that the remote testing method is accurate and reliable. Some products rely on banner checks, which lead to inaccurate results: a banner check compares a self-reported version string against a known-vulnerable range, so it flags hosts whose distribution backported the fix without changing the announced version, and it has nothing to compare when a banner is suppressed or rewritten. It’s better to look for a solution that relies on direct condition tests and inference when reporting vulnerabilities remotely on an asset.
»» Agent-based scanning: Agent-based scanning can be conducted as a stand-alone process or in tandem with agentless scans to provide a more comprehensive view. A network scan should dynamically recognize when an asset has an agent and optimize the scan by using the data the agent has already collected. Ideally, a VM product offers both methods so you can use the one that best balances your organization’s requirements for assessment speed versus depth. Combining the in-depth assessment provided by agent-based scanning with non-credentialed remote scanning can be a good strategy when credentialed access isn’t viable.

Tripwire Tip: Aim to implement both agent-based and agentless VM, as each method offers advantages. Not all devices are always connected to the network: laptops, for example, may be offline for extended periods, and agentless scans can miss them. With an agent, assessment takes place as scheduled whether or not the device is connected.
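The difference between a banner check and a direct condition test, as an added example that is not from this guide and not IP360 code: a remote check that reads only the announced version string is run beside a credentialed-style check that reads the installed package, including the distribution’s backport revision. The flaw (fixed upstream in a hypothetical 7.4), the backport table, and the four host records are constructed placeholders; only the OpenSSH banner and Debian-style package version formats are real.

```python
"""Banner check versus direct condition test (illustration, not product code)."""
import re

# Hypothetical: upstream shipped the fix in 7.4. Anything older is vulnerable
# unless the distribution backported the fix into an older package revision.
FIXED_UPSTREAM = (7, 4)

# Hypothetical backport table: package revisions that carry the fix while the
# service still announces the old upstream version in its banner.
BACKPORTED_FIXED = {
    "openssh-server": {"1:7.2p2-4ubuntu2.8"},
}

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")
PKG_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)")  # optional epoch, then major.minor


def banner_check(banner):
    """Remote, non-credentialed: decide from the self-reported version only."""
    m = BANNER_RE.search(banner)
    if not m:  # banner suppressed or rewritten: nothing to compare against
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)))
    return "vulnerable" if version < FIXED_UPSTREAM else "not vulnerable"


def condition_check(package_name, package_version):
    """Credentialed or agent-based: decide from the installed package, honouring backports."""
    if package_version in BACKPORTED_FIXED.get(package_name, set()):
        return "not vulnerable"
    m = PKG_RE.match(package_version)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)))
    return "vulnerable" if version < FIXED_UPSTREAM else "not vulnerable"


def classify(banner_result, condition_result):
    """Grade the banner check against the condition test, taken as ground truth."""
    if banner_result == condition_result:
        return "agree"
    if banner_result == "vulnerable":
        return "false positive"
    if condition_result == "vulnerable":
        return "false negative"
    return "disagree"


HOSTS = [  # constructed sample input
    {"name": "web-01", "banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
     "package": ("openssh-server", "1:7.2p2-4ubuntu2.8")},  # fix backported
    {"name": "db-02", "banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2",
     "package": ("openssh-server", "1:7.2p2-4ubuntu2.2")},  # genuinely unpatched
    {"name": "jump-03", "banner": "SSH-2.0-OpenSSH",  # version hidden in banner
     "package": ("openssh-server", "1:7.2p2-4ubuntu2.2")},
    {"name": "build-04", "banner": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4",
     "package": ("openssh-server", "1:7.6p1-4")},
]


def compare(hosts=HOSTS):
    """Run both checks on every host and label where the banner check goes wrong."""
    rows = []
    for h in hosts:
        b = banner_check(h["banner"])
        c = condition_check(*h["package"])
        rows.append({"host": h["name"], "banner": b, "condition": c, "verdict": classify(b, c)})
    return rows


if __name__ == "__main__":
    for r in compare():
        print(f'{r["host"]:10} banner={r["banner"]:15} condition={r["condition"]:15} {r["verdict"]}')
```

The backported host is the classic banner-check false positive, and the host that hides its version is the matching false negative; the condition test gets both right because it reads the state the banner only hints at.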
[…] including wired and wireless devices, virtual machines, cloud instances and containers.
»» Continual software inventory: Continual inventory of all software applications and versions, including desktop applications, operating systems, ports and services, and protocols.
»» Asset tagging: Your solution should provide the ability to tag assets by group, technical owner, regional location and criticality.
Putting these capabilities in place helps align your organization with CIS Controls 1–3, the top three prioritized controls that create a system hardened against risk from vulnerabilities. CIS Control 3 is Continuous Vulnerability Management: “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.”

Look for a solution that does device profiler (DP) pooling as well. DP pooling lets you group multiple device profilers into a pool of appliances that conduct scheduled scans together, as opposed to depending on a single DP for any given scan. This provides several advantages. First, it lets you scan a given network faster, because the load is divided among multiple scan appliances. Second, it adds resiliency: if a particular scan appliance fails, or its connection to the network is lost or degraded, the other appliances in the pool pick up its share of the load and ensure that the scan completes. Third, it simplifies your scan schedules, because a large network block can be load-balanced dynamically across the pool rather than broken into pieces and scheduled by hand.

Accurate detection
Because many VM tools have significant accuracy problems, they deliver too much data and too many alerts. Massive reports full of undifferentiated data about possible changes or vulnerabilities make it nearly impossible to determine which issues need attention now and which can wait. As a result, valuable resources are wasted investigating events that aren’t “bad,” such as false positive findings.

In 2017, the Tripwire Vulnerability and Exposure Research Team (VERT) tracked 64 confirmed defects filed against our database of over 150,000 conditions, a false positive rate of about 0.04 percent. While false positives are easy to track, since customers report them when they’re encountered, it’s much more difficult to produce a false negative rate. The definition of a false positive is as straightforward as “an incorrect result.” A false negative is the absence of a correct result, but not every missing result is a false negative: a false negative occurs only when an application or vulnerability that should have been found was not. Typically, reported false negatives are better classified as requests for coverage. Once those coverage requests are removed, Tripwire’s false negative rate quickly approaches zero.

Intelligent assessment technology
Intelligent assessment technology ensures frequent and accurate assessments for improved visibility and confidence in security posture.
»» Indiscriminate testing: In this older method, the solution scans through a defined range of asset IPs and indiscriminately checks each asset
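One way to picture the three advantages of DP pooling described above, as an added example that is not IP360 code and does not model how any product actually schedules work: a toy scheduler splits one network block into fixed-size work units, spreads them round-robin over a pool of appliances, and re-homes the unfinished units of an appliance that drops out mid-job. The appliance names, the network block and the round-based simulation are assumptions made for the illustration.

```python
"""Scheduling one scan job across a pool of appliances, with failover (illustration)."""
import ipaddress
from collections import deque


def split_block(block, new_prefix=26):
    """Cut a large network block into equal sub-blocks; each sub-block is one work unit."""
    net = ipaddress.ip_network(block, strict=False)
    return [str(sub) for sub in net.subnets(new_prefix=new_prefix)]


class ScanPool:
    """Appliances that share a job's work units and absorb a peer's loss."""

    def __init__(self, appliances):
        self.healthy = list(appliances)
        self.queue = {a: deque() for a in appliances}  # pending units per appliance
        self.completed = {}                            # unit -> appliance that finished it

    def schedule(self, block, new_prefix=26):
        """Spread one block's units round-robin over the healthy appliances."""
        units = split_block(block, new_prefix)
        for i, unit in enumerate(units):
            self.queue[self.healthy[i % len(self.healthy)]].append(unit)
        return units

    def mark_failed(self, appliance):
        """Drop an appliance and hand its unfinished units to the survivors."""
        if appliance not in self.healthy:
            return []
        self.healthy.remove(appliance)
        if not self.healthy:
            raise RuntimeError("no healthy appliances left; job cannot complete")
        orphans = list(self.queue.pop(appliance))
        for i, unit in enumerate(orphans):
            self.queue[self.healthy[i % len(self.healthy)]].append(unit)
        return orphans

    def run_round(self):
        """Simulate every healthy appliance finishing its next unit in parallel."""
        done = []
        for a in self.healthy:
            if self.queue[a]:
                unit = self.queue[a].popleft()
                self.completed[unit] = a
                done.append((a, unit))
        return done

    def pending(self):
        return sum(len(q) for q in self.queue.values())


def simulate(block="10.0.0.0/22", appliances=("dp-a", "dp-b", "dp-c"),
             fail="dp-b", fail_after=2):
    """Run a job, lose one appliance part-way through, and show the job still completes."""
    pool = ScanPool(appliances)
    units = pool.schedule(block)
    rounds, orphans = 0, []
    while pool.pending():
        if rounds == fail_after:
            orphans = pool.mark_failed(fail)  # connection lost: re-home its work
        pool.run_round()
        rounds += 1
    return {
        "units": len(units),
        "completed": len(pool.completed),
        "orphans_reassigned": len(orphans),
        "rounds": rounds,
        "finished_by_failed": sum(1 for a in pool.completed.values() if a == fail),
    }


if __name__ == "__main__":
    print(simulate())
```

A /22 becomes sixteen /26 units; three appliances finish it in far fewer rounds than one would, and when dp-b drops out after two rounds its three remaining units move to dp-a and dp-c without anyone re-cutting the block or re-entering a schedule.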
©2018 Tripwire, Inc. Tripwire, Log Center/LogCenter, IP360 and Tripwire Axon are trademarks or registered trademarks of Tripwire, Inc.
All other product and company names are property of their respective owners. All rights reserved. BRVMBG3a 1810