Vulnerability management tools scan enterprise networks for weaknesses that may be exploited by would-be intruders. Should the scan find a weakness the vulnerability software suggests or initiates remediation action. In this way, vulnerability management software reduces the potential of a network attack. This approach to network security differs from firewalls, antivirus or antispyware software, and Intrusion Detection Systems (IDS). These security tools are designed to manage attacks on the network as they occur. In contrast, vulnerability management tools instead search for potential weaknesses and fix them in an attempt to mitigate potential future network attacks.
Vulnerability management tools initially assess the network using network and port scanners, IP scanners etc. They then prioritize remediation so that the most significant issues are addressed first. Best practice is to allow vulnerability management tools to perform limited scans, and remediate located weaknesses immediately, rather than conduct extensive scans. Conducting more extensive scans delay remediation while the scan completes and therefore leaves weaknesses found during the scan unattended until the scan is complete.
Remediation should happen quickly, and according to the vulnerability software’s prioritization schedule. Systematically eliminating network weaknesses reduces dependence on peripheral intrusion detection technologies. And even if access to the network is achieved, attacks can be minimized by removing vulnerabilities intruders may encounter.
To achieve attack surface reduction, vulnerability management tools include the following features and capabilities:
Continuous monitoring and scanning for potential vulnerabilities
Monitoring profile & rule system (IT can determine which systems and assets to monitor)
Ability to set notifications rules
Attack surface visualization
Attack vector analytics and modeling
Threat intelligence platform integration, data used to update scan heuristics
Graphical attack modeling
Attack simulation and risk-scoring against current network security state
Patch simulation to model patch & update scenarios
Automated update and patching prioritization scheme
Network access path analysis to identify problematic access routes suggest lower risk traffic redirections
Reachability analysis for endpoints and secured assets
Customizable reporting, (e.g. policy-driven compliance reports)
Vulnerability management tools are available via the cloud or, for entities facing strict data governance and sovereignty rules, on-premise. Pricing is dependent on the number of assets and systems monitored. Additionally, vulnerability management software vendors may offer additional modules (e.g. web application firewall) which increase subscription cost. Most vendors offer a 30-day free trial of small business and enterprise products.
FireMon's Network Security Policy Management (NSPM) platform gives security and operations teams automated visibility and analysis for network security devices. FireMon's web-based UI allows users to dissect their network security policies, locate compliance failures, and assess security vulnerab...
NeXpose from Boston-based Rapid7 is a vulnerability management option.
OSSIM leverages the power of the AlienVault Open Threat Exchange by allowing users to both contribute and receive real-time information about malicious hosts. AlienVault OSSIM is an open source Security Information and Event Management (SIEM) product. It is a unified platform providing: Asset dis...
The Qualys Cloud Platform (formerly Qualysguard), from San Francisco-based Qualys, is network security and vulnerability management software featuring app scanning and security, network device mapping and detection, vulnerability prioritization schedule and remediation, and other features to prov...
Skybox Security offers vulnerability and threat management solutions.
Tenable SecurityCenter, from Tenable Network Security in Baltimore, presents a vulnerabiliy management option.
BeyondTrust offers vulnerability management, with the Retina Network Security Scanner. This technology was developed by eEye, before that company's acquisition by BeyondTrust in 2012.
Qualys Private Cloud Platform is the on-premise version of the Qualys Cloud Platform, from Qualys in Redwood City. The platform is designed for entities with strict data sovereignty rules, to patch and reduce enterprise network vulnerability while providing compliance with data security policy.
IP360 from Tripwire is a vulnerability management solution; the technology was acquired with nCircle in 2013 and based on the nCircle 360 Suite product.
New York-based SecurityScorecard presents a vulnerability management solution.
The Penetrator Vulnerability Scanner from Denmark-based SecPoint is a vulnerability management solution.
Dallas-based Critical Watch offers FusionVM, a vulnerability management solution.
Mountain View, California based Skyport Systems presents a vulnerability management solution.
Boston-based Recorded Future presents a vulnerability management solution.
Ivanti Endpoint Security, powered by Heat (formerly known as Heat Unified Endpoint Management & Security, which in turn was formerly a Lumension supported product) presents a vulnerability management and antivirus solution.
Foundstone is a vulnerability management option from Intel Security / McAfee.
San Francisco-based Digital Shadows presents a vulnerability management solution.
Attivo Networks in Fremont, California presents a vulnerability management solution.
Aorato, now from Microsoft, presents a vulnerability management solution.
Aptean Verdiem includes Verdiem Surveyor and Verdiem EvokeIT and presents a device wake and power management solution to measure keyboard, mouse, CPU, print network, and disk activity as well as support patching and updating, conserve power, and prevent vulnerabilities across the network.
SecPod Saner endpoint security solution provides continuous visibility and control for all endpoints. It proactively remediates risks and detects and responds to threats. Saner combines endpoint vulnerability, patch and compliance management with endpoint threat detection and response into one ea...
AnchorPoint’s Integrated Threat Response (ITR) service is a combination of advanced security tools, threat intelligence, and expert action. This service focuses on detection and response. The primary purpose of ITR is to decrease attacker dwell time in an organization’s network. According to the...
SIEMphonic Essentials is designed to help organizations strengthen their security defenses, respond effectively, control costs, and optimize their team's capabilities. The vendor says they have automated and simplified SIEM capabilities to analyze event data in real time, then collect, store, inv...
