A holistic view of network risk

It's easy to get patch management software confused with vulnerability management software. In fact, we often hear the two terms used interchangeably. But there are big differences between patch and vulnerability programs, and how secure your network is depends upon how well you understand those differences.One simple rule of thumb is that vulnerability management software is about policies and procedures. It's a holistic view of your entire network plus every node. In addition to determining whether you've got up-to-date software, vulnerability management finds risks in the passwords your users employ, the applications they load without your knowledge, and more. The best vulnerability management programs investigate how well the holistic view matches the protocols you've determined necessary to maintain a secure environment.Patch management represents a subset of what vulnerability management is supposed to monitor, but in the real world the two platforms have little to do with each other. In fact, most vulnerability management companies, despite including crude patch management features in their programs, recommend a separate and dedicated patch management program to handle the cumbersome task of identifying, testing and installing software patches.Last year, the GCN Lab reviewed patch management programs [see , GCN.com/626]. For this go-round, we moved up the ladder to examine the more complex but very necessary vulnerability management platforms. We tested four enterprise programs from leading vendors in the industry, including AdventNet Inc., Altiris Inc., BigFix Inc. and Rapid7 LLC. A fifth company, eEye Digital Security (), was not able to get their software delivered and running on our test network by our deadline. And Citadel Security Software (www.citadel.com), which has many government customers, did not respond to repeated requests to participate.We're aware there are many solutions we were unable to review, but we chose these products because they were in use in government, demonstrated the full spectrum of vulnerability management capabilities and could meet our rigid schedule.Finding a vulnerability management suite for an agency or federal network is challenging. Every agency and office is different, and there are various regulations that distinct agencies must follow, such as The Office of Management and Budget's Circular A-123 or the Defense Department's Gold Disk standards.It's also daunting to find a vulnerability management solution that does not require extensive training and a large staff to operate. Furthermore, finding a program that monitors your network without compromising your bandwidth, or a vulnerability management suite that can detect multiple types of devices and computers, is also difficult.Before testing, we spent a day with each vendor, training and learning how to deploy their programs. We then installed each program on a contained network and ran tests that measured three main characteristics.Setup and administration was the most important test we ran and entailed examining the installation and user navigation of each program. This test looks at how easy it is for a network admin to access all the software's features, detect and fix vulnerabilities, establish protocols and policies, and catalog network issues.We then looked at the various features available in each suite. No two vulnerability management suites are alike; some include more features than others. By the same logic, some vulnerability management programs are better for smaller enterprises, and some are better for larger networks. We define a small enterprise as up to 5,000 nodes. A medium network is 5,001 to 10,000 nodes and a large enterprise is more than 10,000 nodes.Our final set of tests covered control and automation. In these tests, we explored the sophistication and depth of permissions control in each suite. Having the capability to restrict certain administrative staff and users to certain parts of the network is paramount in maintaining an up-to-date enterprise network.Additionally, the more the software does by itself, the better. A challenge facing vulnerability management, particularly in large enterprises, is the ability to push and to pull software from one node to another in an efficient, automated way.Vulnerability management software has come a long way in the last couple of years. Despite some minor glitches, every suite was easy to install, and vulnerability detection and remediation was automated and effective. Every suite we looked at also covers most of the major regulations and protocols imposed on agencies.On our test network, each software suite detected the 42 main vulnerabilities that we had designed, with the exception of AdventNet SecureCentral ScanFi 4.1, which detected only 32 issues. Although none of the vulnerabilities that SecureScan failed to detect were major issues, the smaller issues, such as improper password lengths and auto-update configuration, could become serious vulnerabilities over time.Another discovery was that not all the vulnerability management suites are compatible with multiple operating systems. SecureCentral and Rapid7's NeXpose, for example, are not currently Mac-compliant, so they could do nothing to help with the Mac client on our test network. More obscure versions of Linux, such as Mandrake, could also make it difficult to install and use vulnerability management software.Beefier security features seem to be the latest frontier in vulnerability management. Most of the products we looked at include full-blown anti-spyware capabilities, and they all have some sort of crude virus recognition engine. Most of the vendors said they were developing high-grade antivirus engines for future versions and seem to be moving more toward robust patch management as well.Of the four solutions we tested, we liked Altiris Security Expressions 3.4 the most, and for every network size. In particular, we found the software was well suited to large enterprises. BigFix Security Configuration Management also impressed us, and because it's fairly affordable, it could be ideal for agencies on a tight budget or just starting out with vulnerability management. The downside to BigFix? It requires you to install an agent on every device you monitor. Security Expressions does not.