Introducing Vulnerability-Based Application Management™ (VBAM)

Morey Haber, Chief Technology Officer
March 3rd, 2014

RSA Conference 2014 saw the birth of a new acronym at the BeyondTrust booth: “VBAM” – otherwise known as Vulnerability-Based Application Management™. This patent-pending technology enforces least-privilege access based on an application’s known vulnerabilities, as well as their age, potential risk, and impact on regulatory compliance initiatives – and is currently included in the PowerBroker for Windows Risk Compliance module.

VBAM evolves privileged account and vulnerability management by assessing vulnerabilities at the time of application execution and granting permissions based on policy violations and/or potential risks to the system and user. With PowerBroker for Windows, it’s easy to create Risk Compliance rules that control application permissions.

A simple UI allows PowerBroker for Windows users to define regulatory compliance, risk and age in relative terms.

How is PowerBroker for Windows so vulnerability savvy? Simple: BeyondTrust Retina. Without any additional licensing, PowerBroker uses a subset of the Retina Network Security Scanner’s vulnerability database to evaluate applications as they are launched and take runtime actions based the rules and policies that you create. These actions can be passive, allow privilege escalation to administrator, remove administrative permissions, or even prevent the application from launching – all in real-time based on the application’s published vulnerabilities.

Since vulnerabilities and risk evolve everyday, the BeyondInsight IT Risk Management Platform seamlessly allows PowerBroker agents to process the latest application-based vulnerabilities list as a part of its normal reporting communications. Rules can be vendor or compliance specific, or generic enough to catch all relevant vulnerabilities upon launch. The result is real-time application vulnerability assessment and application management.

Vulnerability-Based Application Management is a natural extension of other technologies we already know in the space: Network Access Control (NAC), Access Control List (ACL), and plain whitelist or blacklist Application Control (AC). Applications can be measured for risk and permissions decided based on that risk.

Whitelisting and blacklisting methodologies based on hash databases do not consider the application vulnerabilities, and traditional privilege identity solutions fail to consider application risk as a part of the least-privilege model. With PowerBroker for Windows and Vulnerability-Based Application Management, BeyondTrust is changing the way Application Control should be implemented.

Learn more about PowerBroker for Windows.

Morey Haber, Chief Technology Officer

With more than 20 years of IT industry experience and author of Privileged Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees BeyondTrust technology for both vulnerability and privileged access management solutions. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelors of Science in Electrical Engineering from the State University of New York at Stony Brook.