Frost & Sullivan North America Measurement & Instrumentation
Assessment capability is, in general, very mature. While most organizations have technologies implemented, remediation is one of the most common points of failure for organizations. Manual remediation has failed. Sending state alerts to information technology (IT) teams leads to friction between teams without any real improvement in security. There is thus a need to make remediation easier and the process more efficient.
There are two areas that pose remediation challenges: collection and prioritization. With cloud and virtual machines, and with people working remotely connecting to and disconnecting from the corporate network, an organization's footprint changes dramatically on a minute-to-minute basis. Being able to collect the data and transmit it is therefore the first challenge in ensuring that users do not miss remediation. Today, there is a need to collect information not only from servers and desktops but also across endpoints, applications, and third-party cloud services using behavior data and attacker analysis data. Once the data is collected, prioritization and identification of the most critical issues pose another challenge. Security test providers need to prioritize how an attack is behaving under a risk query system. Risk prioritization focuses on vulnerabilities that are the easiest for attackers to use. There is a need to identify the most critical things that an attacker will attack first. A vulnerability scanner is required not only to detect but also to prioritize security gaps, identifying the ones that need to be protected first.
- Depth of analytics: The depth of analytical platforms could be a differentiator: behavioral analysis, Indicators of Compromise (IOC), establishment of statistical baselines, etc. Wisely, vulnerability management (VM) vendors have deemphasized vulnerability assessment (VA) scanning in the sense that vulnerabilities and reporting are just a part of what VM vendors offer. VM vendors are building technologies that help with contextual analysis, forensics triage, and deeper threat analysis than what mere VM scanning can provide.
- Adjacent technologies: Conventional VA scanning or on-premise scanning is not a viable product strategy. However, over the last several years, VM vendors have come to realize that associated technologies such as compliance reporting or threat management services could be offered with VM products. Customers typically come for the VM but stay for risk prioritization and heterogeneous network visibility.
- Consolidated solution: Application security is complex. Today, there are many teams involved in securing applications. Network security and Web application security teams maintain security. A wide range of security systems, including next-generation firewalls and scanning systems, are involved. Therefore, there is a need for a simpler, consolidated solution that can include VM, continuous monitoring, Web application scanning solutions, and Web application firewalls. In the past, VM vendors were selected solely based on the strength of their VA scanning and VM reporting. Now, in the spirit of consolidating tools, a VM vendor could be competitive in VM (not necessarily the best) but win business because it offers continuous threat monitoring, agent/agentless scanning, and Web application scanning services and has a strong portfolio of integration partners or other services and products it can provide.
Last Thoughts and Transformational Shifts
The ability to provide remediation means prioritizing the necessary actions to be taken and the vulnerabilities to be addressed. There is a need to provide more advanced and granular scoring mechanisms (beyond traditional industry standards such as the Common Vulnerability Scoring System (CVSS)) so that users can distinguish between different high-risk vulnerabilities and determine what needs to be addressed first. There is a need for more precise metrics for vulnerability prioritization to take remediation actions. Some of the leading VM vendors are introducing a scoring system based on three criteria: the risk class of the vulnerability, exploit availability, and the age of the vulnerability and the time it has been publicly known. These criteria generate extremely granular scoring under a risk matrix. Users can use this as part of their prioritization process.
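As an added illustration (not from the original article and not any vendor's formula), the sketch below combines the three criteria named above into a single score and shows findings with an identical CVSS base score separating into distinct priorities. The weights, the exploit-maturity levels, the one-year age cap and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# All weights and thresholds are illustrative assumptions, not a vendor's formula.
EXPLOIT_WEIGHT = {"none": 0.0, "poc": 0.5, "weaponized": 1.0}
AGE_CAP_DAYS = 365  # age contribution saturates after one year (assumption)

@dataclass(frozen=True)
class Finding:
    ident: str        # constructed placeholder id, not a real CVE
    cvss: float       # CVSS base score, 0.0-10.0
    exploit: str      # key of EXPLOIT_WEIGHT
    published: date   # date the vulnerability became publicly known

def risk_class(cvss: float) -> int:
    """Map a CVSS base score to a coarse class: 3 high/critical, 2 medium, 1 low."""
    if cvss >= 7.0:
        return 3
    if cvss >= 4.0:
        return 2
    return 1

def priority(f: Finding, today: date) -> float:
    """Score 0-100 from risk class, exploit availability and public age."""
    if f.exploit not in EXPLOIT_WEIGHT:
        raise ValueError(f"unknown exploit maturity: {f.exploit!r}")
    age_days = max(0, (today - f.published).days)  # future dates count as age 0
    age = min(age_days, AGE_CAP_DAYS) / AGE_CAP_DAYS
    score = 50 * risk_class(f.cvss) / 3 + 35 * EXPLOIT_WEIGHT[f.exploit] + 15 * age
    return round(score, 1)

def rank(findings, today):
    """Return finding ids ordered from most to least urgent."""
    ordered = sorted(findings, key=lambda f: priority(f, today), reverse=True)
    return [f.ident for f in ordered]

# Constructed sample: three findings share CVSS 9.8 yet rank differently.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("VULN-A", 9.8, "none", date(2024, 5, 20)),
    Finding("VULN-B", 9.8, "weaponized", date(2023, 1, 10)),
    Finding("VULN-C", 9.8, "poc", date(2024, 3, 1)),
    Finding("VULN-D", 5.3, "weaponized", date(2022, 8, 1)),
]

if __name__ == "__main__":
    for ident in rank(SAMPLE, TODAY):
        f = next(x for x in SAMPLE if x.ident == ident)
        print(ident, f.cvss, f.exploit, priority(f, TODAY))
```

With these assumed weights, the medium-severity finding with a weaponized exploit outranks two of the CVSS 9.8 findings, which is the kind of distinction a CVSS-only sort cannot make.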
A future vision for VM is expanding beyond the assessment of scanning and prioritization of risks. With virtualization growing, VM will evolve from the traditional scanning of servers. Organizations are looking into live assessment of the network. The next step is creating a VM solution that will work across application security, IT, and DevOps teams, providing a holistic view in terms of how the dynamic environment is evolving, how new vulnerabilities are introduced, and what attackers are thinking, ensuring robust security. In the past, a security team worked in a silo. Now, an IT security team needs to work together with DevOps and application security teams. These roles are going to merge in terms of responsibility. VM solutions can potentially facilitate secure communication among these sectors and teams.
Moreover, VA scanning is a great technology to find vulnerabilities for comparatively rugged devices such as personal computers (PCs). VM vendors have an opportunity if they can find non-abrasive, inexpensive scan technologies for Internet of Things (IoT) devices. However, VM vendors realize that the value of their platforms is not the VA scan; it is what is done with the intelligence acquired from the scan and how the information is gathered on vulnerabilities through continuous monitoring. Most organizations are starting to accept that remote scanning is not going to cover all the existing environments. They are starting to look for more agent-based VM solutions and capabilities that can be combined with network scanning capabilities. This is a strong area to look at in the future.