I find it utterly amazing that security vendors believe that one size of product and solution can fit an organization of any size. Some have even had major summer releases that address scalability and performance in this one-product-fits-all approach. Point-and-shoot scanners as standalone products can operate in any size environment, but without a dedicated management console, historical reporting, and a data warehouse, the solutions fall flat on their faces for mid-size and enterprise clients. Clients in the mid market need a dynamic solution that can scale down to the desktop for ad-hoc assessment and also scale up to meet any regulatory vulnerability management requirements that may be knocking at the door, just like an enterprise client. In addition, for companies of any size, cost is a major factor. Having a single solution that can solve multiple business problems, from vulnerability assessment to patch management and endpoint platform protection, not only produces a higher return on investment but also correlates critical security data from attacks, malware, vulnerabilities, and security logs. Outside of using a SIM solution, vulnerability assessment data and attack/malware data generally operate in independent silos and have no native correlation to indicate the true state of an asset.
This approach uses a full n-tier architecture and is illustrated below:
Tier 1: Retina Insight, a comprehensive unified vulnerability management data warehouse. It allows reporting over long periods of time for virtually any data collected by the Retina solution. Reports can be generated ad hoc, scheduled, emailed, posted to a portal, and even manually designed to meet virtually any business requirement.
Tier 2: Retina CS, a next-generation unified vulnerability management console designed to meet virtually any unified vulnerability management requirement. With complete command and control of distributed scan agents, the ability to manage patches and endpoint protection agents, role-based access, and dynamic reporting, Retina CS exceeds what clients need for centralized vulnerability management. In addition, Retina CS can replicate events to other tier 2 Retina CS servers to create a multi-tier architecture that scales to hundreds of thousands of assets.
Tier 3: Retina, a vulnerability assessment scanner that is available as a network scanner or local agent, and Blink, an Endpoint Protection Platform (EPP) that performs everything from anti-virus to a localized copy of Retina for agent-based assessment. These solutions can be run standalone or connected to Retina CS for complete policy, assessment, and reporting.
For a mid-size company, this flexibility provides the foundation for a solid vulnerability management implementation. Unfortunately, this is still not enough. Knowing which assets are at risk is critical for an organization of any size, but even more so in the mid-sized market, where the separation of duties between security personnel and system administrators may not be fully defined or mature. Retina CS (tier 2) provides advanced asset risk scoring capabilities above and beyond the data correlation that is unique to Retina. This information goes beyond what CVSS is considering for version 3.0+ and is already generally available.
Consider the following: Retina CS contains a next-generation methodology for expressing the risk of an asset. The solution takes multiple security vectors into consideration and calculates a single risk score for an asset (in addition to all the lower-level scores for individual vulnerabilities and attacks). In addition, this risk can be expressed in terms of a logical Smart Group within the solution, so that the overall assessment of a business unit, geography, or custom container can be compared to other entities within your environment. The overall expression of risk is calculated from four high-level vectors (Vulnerability, Attacks, Exposure, and Threat), defined within the solution as:
- Vulnerability – The quantity and severity of vulnerability audits identified by Retina or Blink.
- Attacks – A direct measure of actual attacks identified by Blink and their severity, including malware reported by other agents installed on the endpoint.
- Exposure – A measure of how open a system is to attack, based on the number of open ports, shares, services, and users a host contains and on the lack of protection such as a firewall or anti-virus solution.
- Threat – A measure of potential danger to an asset based on user-defined criteria and/or system role.
- Vulnerability – The lack of proper patch maintenance on a host and compliance issues against current corporate security policy and best practices.
- Attacks – How are assets in the corporate environment being exposed to threats, and what type of threats challenge the asset's integrity to perform business functions and protect data?
- Exposure – Are the assets within the environment properly protected from inappropriate behavior? This includes any protection and verification of whether illegal or unnecessary solutions have been installed.
- Threat – A measure of potential danger to an asset from sources that may regard the asset as a worthy target.
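As an added illustration of the four-vector roll-up described above (example code written for this page, not Retina's own scoring algorithm, which the post does not disclose), the toy model below scores each asset on Vulnerability, Attacks, Exposure, and Threat, combines them into one asset score, and aggregates per Smart Group so business units can be compared. The vector weights, the noisy-OR severity roll-up, the exposure normalization, and the role-to-threat mapping are all hypothetical choices.

```python
from dataclasses import dataclass, field
from math import prod

# Hypothetical per-vector weights; the page names the vectors but not the real formula.
WEIGHTS = {"vulnerability": 0.35, "attacks": 0.30, "exposure": 0.20, "threat": 0.15}
# "Threat" is user-defined and/or role-based; this mapping is an assumption.
ROLE_THREAT = {"domain controller": 9.0, "database": 8.0, "workstation": 3.0}

@dataclass
class Asset:
    name: str
    smart_group: str            # logical container: business unit, geography, custom group
    role: str
    vuln_severities: list = field(default_factory=list)    # 0-10 per vulnerability audit
    attack_severities: list = field(default_factory=list)  # 0-10 per attack/malware event
    open_ports: int = 0
    shares: int = 0
    services: int = 0
    users: int = 0
    firewall: bool = True
    antivirus: bool = True

def combine(severities):
    """Quantity-and-severity roll-up: each finding independently raises the score (noisy-OR)."""
    return 10.0 * (1.0 - prod(1.0 - s / 10.0 for s in severities))

def exposure(a):
    """How open the host is: normalized attack-surface counts plus missing protection layers."""
    surface = (min(a.open_ports / 20, 1) + min(a.shares / 5, 1)
               + min(a.services / 20, 1) + min(a.users / 20, 1)) / 4
    missing = (not a.firewall) + (not a.antivirus)
    return 10.0 * min(1.0, surface + 0.25 * missing)

def vectors(a):
    return {"vulnerability": combine(a.vuln_severities), "attacks": combine(a.attack_severities),
            "exposure": exposure(a), "threat": ROLE_THREAT.get(a.role, 5.0)}

def asset_risk(a):
    """Single 0-10 risk score for the asset: weighted blend of the four vectors."""
    v = vectors(a)
    return round(sum(WEIGHTS[k] * v[k] for k in WEIGHTS), 1)

def smart_group_risk(assets):
    """Roll asset scores up to each Smart Group so containers can be compared side by side."""
    groups = {}
    for a in assets:
        groups.setdefault(a.smart_group, []).append(asset_risk(a))
    return {g: round(sum(s) / len(s), 1) for g, s in groups.items()}

# Constructed sample inventory (not real scan data).
INVENTORY = [
    Asset("dc01", "Finance", "domain controller", [7.0, 5.0], [], open_ports=8, shares=2, services=12, users=19),
    Asset("ws-17", "Finance", "workstation", [9.8], [6.0], open_ports=3, services=6, users=4, antivirus=False),
    Asset("web01", "Marketing", "web server", [4.0, 4.0, 4.0], [], open_ports=2, services=5, users=3),
]
```

Running `smart_group_risk(INVENTORY)` ranks Finance above Marketing even though the Marketing host has more findings, because severity, an observed attack, and a missing anti-virus layer outweigh raw finding count in this model.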
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.