Feel Vulnerable? Time for Vulnerability Management Tools

By Drew Robb
March 18, 2008

In the current security climate, threats, outbreaks and breaches are a fact of life. There simply aren't enough dollars to throw at the problem to buy the ultimate solution that eliminates all avenues of attack.

However, vulnerability management tools can be of value in isolating the precise areas of risk, enabling organizations to take steps to minimize them.

"Vulnerability Management is the continual process of measuring and managing the risk presented by flaws in software and configuration within an organization," said Tim Erlin, principal product manager at nCircle Network Security Inc. of San Francisco. "The process generally includes comprehensive discovery and profiling of network assets, assessment of each asset for applications and vulnerabilities within those applications, prioritization of the assets and vulnerabilities, and finally workflow for remediation of the prioritized conditions."

Many tools provide some piece of the vulnerability management process, assessing only network vulnerabilities, web application vulnerabilities, or configuration. But all the areas outlined above can present risk in an environment. Leaving any one out leaves the vulnerability management puzzle missing pieces.

It all starts with an inventory of what currently exists in the organization. And once everything is catalogued, it has to stay updated as IT is not a static entity. Tools, therefore, should provide automatic discovery, scheduling and network profiling so that different parts of the organization can be addressed.

"Vulnerabilities cannot be accurately assessed without an inventory of the applications in which they exist," said Erlin. "Tools that don't provide a complete and separate assessment of applications on an asset are missing a vital component to vulnerability management."

One thing to beware of is a tool that produces long lists of vulnerabilities. Remember the old Y2K detector from Symantec Corp. of Cupertino, CA? It seemed to label everything on a computer as a threat and then didn't provide much real help in handling anything. Similarly with vulnerability management, you don't want something that just overwhelms you with information. Ideally, results should be prioritized and the biggest threats clearly labeled.

"Every vulnerability management tool will produce more work than an organization can accomplish, therefore every vulnerability management program must provide a mechanism for prioritizing the results to address the highest risk conditions first, even if all the discovered vulnerabilities are critical," said Erlin.

Of course, a tool alone is not enough. It has to be supported by a vulnerability management workflow that addresses risk appropriately – though tools such as nCircle can support such a workflow by including automation, built-in ticketing systems and data accuracy.

"Remember that each organization is different in how they assign ownership and responsibility," said Erlin. "Before acquiring a vulnerability management tool, examine the processes in place for applying patches and upgrading to determine where they should change and where a tool can assist with automation."

Tool Selection

Michael Montecillo, an analyst at Enterprise Management Associates Inc. of Boulder, CO, believes that the way to embark upon vulnerability management is to harness a tool as the catalyst for instituting vulnerability practices.

"Ultimately, you should use the software that does the best job of identifying everything within your own environment," he said. "Tools by vendors such as nCircle, Qualys and eEye will simplify the process, create a reporting methodology and do the assessment in a repeatable fashion."

Montecillo suggests making use of regular assessment to find out how effective ongoing mitigation efforts have been. In addition, he believes that the subject should not be left to one team or department. To really get anywhere with vulnerability management takes a collaborative effort across the organization – including support from top management.

For those viewing this as yet another sales job being pushed by security vendors, Montecillo explains that today's climate demands layered security. Spyware, viruses and other malware are specific threats. A variety of remedies have been supplied by security vendors over the last decade to cope with them and that trend won't stop anytime soon. End users will have to get used to the idea that as the malicious and criminal fringe comes out with new and better ways to infiltrate organizations or wreak havoc, vendors will respond with new and better tools.

Vulnerability management, however, is in a different category altogether. Rather than being a tool to address a specific threat, it is a way to view the entire security picture and see where you are most at risk.

"Viruses come in where you are vulnerable, so there is less risk if you have eliminated that zone of attack," said Montecillo. "Recently, we are seeing calls for vulnerability management software in legislation."
