This month we take a look at the vulnerability management tools, one of the often-overlooked basics in your security posture. The main takeaway from WannaCry, Petya and others was that patch management is vital to your organisation. The most effective way to ensure your organisation is targeting its current weaknesses is by implementing a vulnerability management programme. A well-run vulnerability management programme will help bring all “low hanging fruit” to your attention and allow you to take the appropriate remediation steps to secure your organisation. The tools we looked at allow you to do just that and all have a unique and visually appealing way of displaying risks inside your environment.
These tools have taken a lot of guesswork out of the process, it is still very important to know what your environment looks like before selecting a tool. Do you need AWS/Azure/Google Cloud Platform support? Do you need agent-based scanning options? Do you have compliance or regulatory requirements that you need to worry about? Once you have the answers, narrowing down these products will become an easier feat.
While the typical network design has changed over the years, the vulnerability management tools have been able to keep pace. These tools have included compliance reporting, cloud scanning and even included remote scanners and agent-based tools to keep an eye on your remote users, which has always been a difficult task in the past.
With compliance and regulatory requirements of some type is tightening down on almost every business sector, it's nice to see that these tools haven't shied away from developing custom reports that meet the needs of your business. Some even have implemented dashboard customisation that allows you to display these risks to the entire security operations team or whomever inside your organisation works with the vulnerability data.
A nice inclusion we've seen in these toolsets is the ability to scan mobile devices and remote users. As the typical user base continues to evolve, these tools have continued to evolve to keep pace. Some have even included malware scanning functions to help you identify any exposures to your ever-vulnerable endpoints.
Another change that we love to see is API integration. Vulnerability management should be a large part of your organization's security programme, so it only makes sense that you should be able to kickoff scans/tests from other tools and be able to ingest the results into your ticketing system, bug tracking software or other important toolsets. With these additions, there is almost no reason why one of these tools is not already inside your organisation.
One of the tools under review has started popping up more and more in third-party toolsets as the default scanning engine, unseating some of the open-source tools that once was a go-to for integrators. Does this mean that we are seeing additional value on the paid services or maybe the APIs are finally making these paid tools more attractive? Whatever the case, we are happy to see that these tools are continuing to evolve and provide useful information about risks that are present inside the organization.
While scanning is never enough, it's a good start. We always recommend conducting independent security testing (e.g. penetration testing) on your environment. However, some of these tools have some testing capabilities that are as good (if not better) than some automatic tests that are out there. While it may not meet the burden for your compliance / regulatory requirements, it's a good practice to get ahead of the curve and ensure that you are protected.
Overall, this was a very refreshing look at some reliable tools of the past that we enjoyed testing and hope to see continued improvements from these veterans. While we didn't see any newcomers, these products have evolved, and we enjoyed the new features and layouts that keep these products feeling fresh.
Here are all the reviews for the month, conducted under the auspices of SC Media in the US, thus all prices and support are US-based thus purely indicative for other territories: