Cybersecurity Services - Cybersecurity News
Vulnerability scanning is something every organization must do to ensure their network and the devices/software in use do not have any known bugs or security vulnerabilities present that will create additional risk to the business. This is a requirement of all Cybersecurity Frameworks, for example, this is covered within CIS Control 07, which is Continuous Vulnerability Management. In order to accomplish this, a software solution/tool is required to scan the network and all the devices within it.
Vulnerability scanning solutions can be very costly. The pricing is usually structured in a monthly subscription model, where licenses need to be purchased based on the number of devices the organization has that will be scanned. Depending on the number of users and devices that are in use, this can add up very quickly.
It is very important to take into consideration the cost of remediation before implementing a vulnerability scanning solution. Many organizations only look at the cost of scanning, only to realize after the fact that there are hundreds, if not thousands, of vulnerabilities that need to be remediated. This takes a considerable amount of time from skilled IT resources and there may be additional costs to upgrade or replace devices that cannot simply be patched.
When thinking about the scanning process, organizations can split the effort into two core pieces. External vulnerability scanning and internal vulnerability scanning. Both are required activities, but external scanning is treated with higher priority as this will be scanning devices that are accessible from outside the network and are faced with inherently higher risk.
So before you begin your vendor/software review process, make sure you have an inventory of all your externally facing devices (e.g., firewalls, web servers, FTP servers, etc.) and an inventory of all your active internal devices (e.g., computers, servers, network devices, printers, etc.). This should be accomplished as part of CIS Control 01, Asset Management.
After you have your inventories and the device counts, then you are ready to begin assessing potential vulnerability scanning vendors/solutions. Here is a list of key requirements you should take into consideration while conducting this review and comparing one from another.
Total Cost (usually priced per device)
Location and Management
Is the solution SaaS based or does it need to be installed and hosted on your own server?
Is this a managed solution with full support?
External scanning (are there any additional costs or resources required to install an external scanner?)
Internal scanning (are there any additional costs or resources required to install a local scanner?)
Are there remote agents available? (this is important for remote devices, like laptops, that may not always be connected to the internal network)
How often can scanning be run? (are there any additional costs to consider, based on the frequency that you choose to run scans?)
The CIS recommends running external scans at least once per month and internal scans at least once per quarter, but many organizations scan everything at least once per month.
Some organizations are moving to a daily or continuous scanning configuration to ensure they always have the latest data, however, this can require a large team of resources to keep up with.
If your company has custom software or web applications, can the solution effectively scan these depending on the design/architecture?
Can custom testing/input be configured as part of the scans? (e.g., testing input on specific application forms).
Make sure the tool has the ability to compare scan results over time to show trends and determine which vulnerabilities have been successfully resolved.
A nice to have feature would be the ability to connect to major PSA tools and ticketing systems via API integration so findings can automatically create tickets and update the status. If this isn't an option, then you should be able to find workaround leveraging email notifications.
Ensure the solution is SCAP approved (see below for details on SCAP)
Most frameworks or governing agencies require this to ensure data is consistent with industry standards and best practices
Dashboard and Reporting capabilities
Analysis and Remediation are two key phases in Vulnerability Management, so it's important that the tool selected has a sophisticated, yet easy to use, dashboard and reporting features.
Some tools offer a dashboard that gives you the ability to add notes, the response action, and the remediation status of the finding so it is easy to track and manage.
See the list of references below
Review these sources for more information
Qualys Vulnerability Management https://www.qualys.com/apps/vulnerability-management-detection-response/
Tenable Vulnerability Management https://www.tenable.com/products/tenable-ep
Burp Suite by PortSwigger (Good solution but lower cost compared to most enterprise solutions) https://portswigger.net/
Microsoft Defender Vulnerability Management (In Public Preview) https://www.microsoft.com/en-us/security/business/threat-protection/microsoft-defender-vulnerability-management
OWASP provides a list of Vulnerability Scanners https://owasp.org/www-community/Vulnerability_Scanning_Tools
CIS Controls https://www.cisecurity.org/controls