SecureVue: Vulnerability Analytics

Vulnerability management solutions scan the hosts and devices on your network looking for chinks in system and network armor that could be exploited to compromise the integrity of your data and network. A vulnerability scanner such as Nessus or Qualys is typically used to probe operating systems, applications, databases and services to discover missing patches and needed upgrades that would help prevent attacks.

Challenges for Vulnerability Analytics
The greatest challenge for vulnerability analytics is the same as for every other component of an integrated security and compliance management platform: TIMELY identification and remediation of security incidents and of instances of noncompliance with regulations, standards and best practices (compliance gaps). To meet this challenge, a security management platform must seamlessly integrate the results of vulnerability scans into the end-to-end correlation of all key security and compliance data.

Consider a typical “low and slow” breach, in which an attacker who has compromised an organization’s systems remains undetected by progressing slowly, with minimal activity, to evade existing defenses such as IPS and device security. Timely detection of a “low and slow” attack has proven especially elusive because it requires data from multiple sources: log, asset, configuration, vulnerability, performance and network flow data each reveal a different aspect of the attack. The following table outlines the typical steps of such an attack and the data source that reveals each step’s activity.

A Typical “Low and Slow” Attack

| Attack step              | Attacker action                                                                          | Action revealed in               |
|--------------------------|------------------------------------------------------------------------------------------|----------------------------------|
| 1. Probe                 | Runs port scans seeking targets with known vulnerabilities.                              | Log data                         |
| 2. ID entry point        | Identifies a target system with a known vulnerability.                                   | Log data                         |
| 3. Access                | Brute-forces access to the system: multiple failed logins precede the successful login.  | Log data                         |
| 4. Admin privilege       | Escalates to Admin/Root or creates a new account with Admin privileges.                  | Asset data                       |
| 5. Config change         | Disables logging.                                                                        | Configuration data               |
| 6. Exploit vulnerability | Exploits a vulnerability (e.g. via a buffer overflow), spiking system performance.       | Vulnerability & Performance data |
| 7. Rogue app             | Installs a back door on the system.                                                      | Asset data                       |
| 8. Data theft            | Steals confidential data.                                                                | Flow data                        |

If a vulnerability scan reveals a weakness in a system or device, you can move quickly to repair that weakness and contain the potential damage. If, however, an attacker is exploiting a zero-day vulnerability that is not known to the scanner, other types of data such as performance, log, asset or configuration data are required to reveal the attack. Vulnerability scans alone DO NOT provide enough information to determine whether an attack is underway, or the relative priority of fixing the vulnerabilities they find.

To meet its primary challenge of timely security and compliance event resolution, a security and compliance management solution must collect and correlate multiple types of data. Vulnerability data is correlated alongside these other data types to quickly detect an exposure and contain any resulting exploit, whether or not the vulnerability scanner knows about the vulnerability.
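As an added illustration of the cross-source correlation described above (this is example code written for this page, not SecureVue’s own logic), the following correlator walks normalized events from the six data types in time order and tracks, per host, the chain of attack stages from the table. A host alerts once enough stages have occurred in table order within a window long enough to cover an attack that unfolds over weeks. The pipe-delimited record format, the sample events, and every threshold (50 scanned ports, five failed logins, 95% CPU, 500 MB outbound) are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage numbers follow the "low and slow" table. Stage 2 (identifying the entry
# point) leaves no distinct event of its own here, so it is never emitted.
STAGE_NAMES = {1: "probe", 3: "access", 4: "admin privilege", 5: "config change",
               6: "exploit", 7: "rogue app", 8: "data theft"}

# Constructed sample records: source|timestamp|host|key=value|...  (not real log output)
SAMPLE = """\
log|2024-03-01T01:00:00|web01|event=portscan|src=203.0.113.9|ports=120
vuln|2024-03-02T08:00:00|web01|finding=outdated_service|severity=high
log|2024-03-05T03:00:00|web01|event=login|user=admin|result=fail
log|2024-03-05T03:01:00|web01|event=login|user=admin|result=fail
log|2024-03-05T03:02:00|web01|event=login|user=admin|result=fail
log|2024-03-05T03:03:00|web01|event=login|user=admin|result=fail
log|2024-03-05T03:04:00|web01|event=login|user=admin|result=fail
log|2024-03-05T03:04:20|web01|event=login|user=admin|result=ok
asset|2024-03-09T04:00:00|web01|change=account_added|user=svc_bak|group=Administrators
config|2024-03-12T04:00:00|web01|setting=logging|value=disabled
perf|2024-03-15T05:00:00|web01|cpu=99
asset|2024-03-16T05:00:00|web01|change=listener_added|port=4444
flow|2024-03-20T02:00:00|web01|dir=out|dst=198.51.100.7|bytes=900000000
log|2024-03-01T01:01:00|db02|event=portscan|src=203.0.113.9|ports=120
log|2024-03-03T09:00:00|db02|event=login|user=root|result=fail
"""

def parse(line):
    """Split one record into source, timestamp, host and a dict of fields."""
    src, ts, host, *rest = line.split("|")
    return {"src": src, "ts": datetime.fromisoformat(ts), "host": host,
            "f": dict(kv.split("=", 1) for kv in rest)}

def stage_of(ev, st):
    """Map a single event to an attack stage; `st` holds per-host state for
    patterns that span several events (brute force, exploit on a known-vulnerable host)."""
    f, src = ev["f"], ev["src"]
    if src == "log" and f.get("event") == "portscan" and int(f.get("ports", 0)) >= 50:
        return 1
    if src == "log" and f.get("event") == "login":
        if f.get("result") == "fail":
            st["fails"] += 1
            return None
        brute_forced = st["fails"] >= 5      # many failures, then a success
        st["fails"] = 0
        return 3 if brute_forced else None
    if src == "asset" and f.get("change") == "account_added" \
            and f.get("group") in ("Administrators", "wheel", "root"):
        return 4
    if src == "config" and f.get("setting") == "logging" and f.get("value") == "disabled":
        return 5
    if src == "perf" and float(f.get("cpu", 0)) >= 95 and st["vuln_open"]:
        return 6                              # performance spike on a host with an open finding
    if src == "asset" and f.get("change") == "listener_added":
        return 7
    if src == "flow" and f.get("dir") == "out" and int(f.get("bytes", 0)) >= 500_000_000:
        return 8
    return None

def correlate(lines, window=timedelta(days=30), min_stages=4):
    """Order events from all sources by time and build each host's stage chain.
    Only stages that advance the chain (later table step than the last one seen)
    are recorded, so the alert reflects the attack's ordering, not isolated noise."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    state = defaultdict(lambda: {"fails": 0, "vuln_open": False, "chain": []})
    for ev in events:
        st = state[ev["host"]]
        if ev["src"] == "vuln":
            st["vuln_open"] = True            # scanner reported an open finding on this host
            continue
        s = stage_of(ev, st)
        if s is not None and (not st["chain"] or s > st["chain"][-1][0]):
            st["chain"].append((s, ev["ts"]))
    alerts = {}
    for host, st in state.items():
        if not st["chain"]:
            continue
        last_ts = st["chain"][-1][1]
        chain = [(s, ts) for s, ts in st["chain"] if last_ts - ts <= window]
        if len(chain) >= min_stages:
            alerts[host] = {"stages": [STAGE_NAMES[s] for s, _ in chain],
                            "span_days": (chain[-1][1] - chain[0][1]).days}
    return alerts

if __name__ == "__main__":
    for host, a in correlate(SAMPLE.splitlines()).items():
        print(host, a)
```

With the sample data, web01 alerts with seven stages spanning 19 days, while db02, which saw only the port scan and a single failed login, does not. Note that no single source would have raised this alert: the exploit stage needs the scanner’s finding plus the performance spike, and the theft stage is visible only in flow data.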

Once integrated with the security platform, vulnerability analytics faces additional, more function-specific challenges:

  • Vulnerability analytics should quickly detect and identify vulnerabilities that require remediation. Vulnerability data by itself, however, may be insufficient to detect very new exploits and does not help prioritize which exposures need to be addressed immediately.

  • Vulnerability analytics should be easy to use by closely integrating the vulnerability scanning tool with the security management solution and by automating ongoing scans. You should not have to go outside the security management environment to use the scanner nor should you have to remember to perform scans regularly and frequently. Network, host and device vulnerability scanning and analysis should be automated.

  • Like other correlated security data, vulnerability information should be collected and kept available over a significantly long period of time to support historical trending. Adding this historical dimension enables the efficient and timely detection of attacks that unfold slowly over time.

Vulnerability Analytics Using SecureVue
The most commonly used vulnerability scanners available today integrate with SecureVue to provide an in-depth view into open security issues across all devices and hosts on the network. As with the other key security analyses, vulnerability analytics is closely integrated into SecureVue and its correlation of log, vulnerability, asset, configuration, performance and network flow data. This integration of key data types with the end-to-end correlation function allows SecureVue to deliver more timely identification and subsequent mitigation of elusive attacks and instances of noncompliance.

Focusing on the vulnerability analytics capabilities of SecureVue reveals that it meets all the other key challenges as well:

  • Tight integration with vulnerability scanners frees you from having to leave SecureVue to start a scanner, and from porting the results back into SecureVue. It is all done within SecureVue, so you can more efficiently and quickly detect and identify vulnerabilities that require remediation, such as non-compliant hosts running P2P software, spyware or malware (worms, Trojans).

  • SecureVue allows you to define vulnerability policies, assign them to specific devices or hosts, and configure policy violation alerts. You can then immediately run a scan, receive an alert on any vulnerability policy violation, and see the user name, policy name and type, criteria details, result and number of differences, to more effectively pinpoint potential security issues.

  • With Nessus—the leading vulnerability scanner—integrated into its GUI, SecureVue sets the standard for vulnerability analysis ease of use. Vulnerability scanning can be configured to automatically and continuously scan hosts and devices on the network and to automatically alert an administrator upon discovery of a potential vulnerability issue or vulnerability policy violation. Nessus is capable of scanning all ports on every host and device, and can also issue remediation strategy suggestions as required.

  • Finally, SecureVue supports historical trending in vulnerability analytics, allowing you to evaluate changes in potential vulnerabilities by comparing snapshots over time. By correlating vulnerability data over time, you can more efficiently and quickly detect vulnerability exploits unfolding slowly over time.
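To make the policy-violation alerts and snapshot comparison described in the two bullets above concrete, here is an added example (written for this page; it is not SecureVue or Nessus code and does not use their APIs). It diffs two scan snapshots host by host, evaluates a vulnerability policy against the latest one, and produces violation records carrying the same fields the bullet lists: policy name and type, the criterion that failed, the result, and the number of differences. The snapshot layout, finding names, policy rules and dates are all constructed assumptions; the finding names are descriptive placeholders, not scanner plugin identifiers.

```python
from datetime import date

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed snapshots: scan date -> host -> finding name -> (severity, port).
SNAPSHOTS = {
    date(2024, 3, 1): {
        "web01": {"outdated_tls_library": ("high", 443), "ftp_cleartext": ("medium", 21)},
        "db02": {"default_db_credentials": ("critical", 5432)},
    },
    date(2024, 4, 1): {
        "web01": {"outdated_tls_library": ("high", 443),
                  "debug_endpoint_exposed": ("critical", 8080)},
        "db02": {},
    },
}

# Constructed policy, assigned to two hosts, with three criteria.
POLICY = {
    "name": "prod-baseline", "type": "vulnerability", "hosts": ["web01", "db02"],
    "max_open_severity": "medium",      # anything more severe is a violation
    "forbidden_ports": {21, 23, 6881},  # cleartext admin services and a common P2P port
    "max_persist_days": 14,             # a finding still open across scans this far apart must be fixed
}

def diff_hosts(old, new):
    """Per-host change between two snapshots: findings that appeared, were fixed, or persist."""
    out = {}
    for host in sorted(set(old) | set(new)):
        o, n = set(old.get(host, {})), set(new.get(host, {}))
        out[host] = {"new": sorted(n - o), "fixed": sorted(o - n), "persisting": sorted(o & n)}
    return out

def check_policy(policy, snapshots):
    """Evaluate a policy against the latest snapshot, using the previous one to judge
    how long a finding has persisted. Returns one violation record per failed criterion."""
    dates = sorted(snapshots)
    latest = snapshots[dates[-1]]
    prev = snapshots[dates[-2]] if len(dates) > 1 else {}
    age = (dates[-1] - dates[-2]).days if len(dates) > 1 else 0
    delta = diff_hosts(prev, latest)
    limit = SEVERITY[policy["max_open_severity"]]
    violations = []
    for host in policy["hosts"]:
        findings = latest.get(host, {})
        too_severe = [f for f, (sev, _) in findings.items() if SEVERITY[sev] > limit]
        bad_ports = [f for f, (_, port) in findings.items() if port in policy["forbidden_ports"]]
        persisting = delta.get(host, {}).get("persisting", [])
        stale = persisting if age >= policy["max_persist_days"] else []
        checks = (("severity above " + policy["max_open_severity"], too_severe),
                  ("listener on forbidden port", bad_ports),
                  ("finding open longer than %d days" % policy["max_persist_days"], stale))
        for criteria, hits in checks:
            if hits:
                violations.append({"policy": policy["name"], "type": policy["type"],
                                   "host": host, "criteria": criteria, "result": "fail",
                                   "differences": len(hits), "findings": sorted(hits)})
    return violations

def trend(snapshots, min_severity="high"):
    """Per scan date, the number of findings at or above min_severity on each host."""
    floor = SEVERITY[min_severity]
    return {d: {h: sum(SEVERITY[s] >= floor for s, _ in f.values()) for h, f in snap.items()}
            for d, snap in sorted(snapshots.items())}

if __name__ == "__main__":
    for v in check_policy(POLICY, SNAPSHOTS):
        print(v)
    print(trend(SNAPSHOTS))
```

On the sample data, db02 cleared its one finding and passes. web01 fails twice: two open findings exceed the medium ceiling, and outdated_tls_library has persisted across the 31-day gap between scans. The trend output shows web01’s high-or-worse count rising from 1 to 2 while db02’s falls from 1 to 0, which is the kind of per-host movement that snapshot comparison is meant to surface.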

Discover why Network World wrote, “eIQnetworks has the broadest range of capabilities we have seen in one integrated product”. Download whitepapers, datasheets, case studies and more from the eIQ Resource Center today. When you are ready, don’t hesitate to test drive a free evaluation copy of SecureVue to see how it can simplify management, boost efficiency, and enable easy audit reporting for your organization.