Vulnerability management starts with tools that assess security in network gear and applications, but it's a road that forks, one way leading to host- or agent-based scanners and the other to network-based or agentless scanners.
An agent-based vulnerability scanner is deployed directly on the host system; the alternative, an agentless scanner, probes machines at targeted IP addresses. By year-end, agent-based options are expected to nudge out agentless tools in sales volume by about US$100 million, IDC predicts, with total sales for both types of about US$600 million. Although the market is rich in both varieties, experts say several factors influence the choices that network managers make in vulnerability assessment.
Both approaches have pros and cons. "The bad thing about agents is that they're expensive to install and maintain," says John Pescatore, an analyst at Gartner, in describing the considerations that come up with the decision about which route to take.
The bigger the network, the more the agent-based software that has to be installed. Costs typically range from about $25 to $40 per desktop to hundreds of dollars for servers, according to vendors with agent-based products. On the other hand, "the huge benefit of an agent-based [scanner] is that you can get deeper information about the computer node, such as looking into the registry," Pescatore says.
Vendors selling agent-based products include BigFix, Citadel, Computer Associates, Configuresoft, Elemental, IBM, LANDesk, NetIQ, PatchLink, Secure Elements and Symantec, according to the Burton Group in its "Vulnerability Management" research report.
"The value in an agent is in the scalability with networks of 70,000 and more," says Randy Streu, vice president of product management at Configuresoft, whose Enterprise Configuration Manager consists of software agents that can be added to Windows desktops and servers.
In large networks, the agentless approach stumbles on obstacles such as firewalls, which can block scanning attempts, and overly long scanning time frames. In addition, experts point out that mobile devices are not good candidates for agentless scans because they are often removed from the network and may elude detection.
Cambia, eEye Digital Security, Internet Security Systems (ISS), Lockdown Networks, McAfee, nCircle, PredatorWatch, StillSecure and Visionael are the main contenders in agentless vulnerability management, analysts say. Some vendors, including eEye, sell both agent-based and agentless scanning products. Others, such as Qualys, specialize in services for agentless scanning.
The bigger picture, however, is that vulnerability-management vendors are in the midst of partnering in integration alliances that will let their vulnerability-assessment tools share data directly with patch-management tools for remediation or security-event management (SEM).
According to the Burton Group, ISS, Lockdown, McAfee, nCircle, PredatorWatch, Qualys and StillSecure have integrated with Citadel and PatchLink to automate software fixes.
The biggest push at Qualys during the past year was to integrate its product with SEM products from ArcSight, Network Intelligence and NetForensics that centralize security data, says Gerhard Eschelbach, CTO at the company.
"This integration happened on a large scale, so now it's automatic, not manual," Eschelbach says.
Show me your credentials
Agentless network scanners also can perform credentialed scans for some targeted host systems. Credentialed scans use the appropriate administrator user IDs and passwords so that the scanner's central console or proxy can log into Windows domains or Unix systems to examine the computer for vulnerabilities.
Although credentialed scans closely imitate agent-based scans, most observers consider them less comprehensive in discovering holes or providing a way to fix them.
According to the Burton Group, Altiris' AuditExpress can identify vulnerabilities in Microsoft Windows or Unix systems via a credentialed network scan. AuditExpress also has an option for using agents, making it a possible choice for organizations that want to adopt both approaches.
BindView Development, which Symantec is in the process of acquiring for $207 million, offers the bv-Control product for both credentialed and non-credentialed scans of Windows, NetWare, Unix and OS/400 operating systems, Check Point firewalls, and applications such as Oracle databases.
However, even vendors whose products offer a credentialed scan caution it can be a difficult security procedure. This is particularly the case on large networks, where aggregating authentication credentials for every machine to be scanned is a tough assignment.
"If you think you have the credentials and you don't, you'll end up with false negatives when you scan," says Mike Puterbaugh, director of product management at eEye, whose Retina scanner supports both credentialed and non-credentialed agentless scans.
One of the most popular network-assessment tools is not a commercial product; it's the freeware scanner Nessus, owned by Tenable Network Security. Nessus costs nothing to use. By comparison, the McAfee Foundstone FS850 appliance, which shipped last month, costs $6,400 plus $75 per IP address.
The future of Nessus, which is used by an estimated 80,000 organizations, has come into question, however. In October Tenable announced that the next version of the tool, expected to run vulnerability scans at five times the speed of the current version, will require users to obtain a commercial license.
Nessus 3.0 software will still be free, says Tenable's CEO Ron Gula. However, the company is planning a line of appliances based on Nessus 3.0 that would sell for an as-yet-undisclosed price. A U.K.-based group called GnessusUS has vowed to continue developing Nessus as freeware.
Different strokes for different folks
Network managers express the most confidence in specialized vulnerability-assessment tools that may only check one thing, such as specific databases or Web servers and applications.
Allen Brokken, principal systems security analyst with the University of Missouri, says he depends on SPI Dynamics' WebInspect to scan the Web-based e-commerce hub, which processes about $50 million in transactions for tuition, books and college fees each year.
WebInspect looks for specific types of vulnerabilities associated with the Web, such as buffer overflow and cross-site scripting. It also checks to make sure the e-commerce site conforms to the Payment Card Industry security standard that kicked in last summer.
"Certain scanners definitely lend themselves to certain vulnerabilities," says Anthony Bandos, vice president of information security and the exploit-management team at Countrywide Financial in Callabasas, Calif.
Countrywide Financial, which has more than 1,400 branches and 800 offices nationwide, deploys a range of scanners, including the commercial tools Preventsys, Foundstone and Nexpose, as well as freeware tools nmap and Nessus.
Running multiple tools that purport to do the same thing helps nullify false positives that may come up, Bandos says.