In 1999, Retina Network Security Scanner was conceived as one of the first commercial vulnerability scanners. Retina offered the ability to assess all network-attached endpoints for vulnerabilities and identify at-risk systems.
Vulnerabilities are not difficult to find. The Common Vulnerability Scoring System (CVSS) was created as an international engineering standard to assess the severity of network endpoint vulnerabilities. Common Vulnerabilities and Exposures (CVEs) are cataloged by MITRE and shared with the Forum of Incident Response and Security Teams (FIRST) and the US National Vulnerability Database (NVD). Currently, CVSS v2 scores exploitability (access vector, access complexity, authentication) and impact (confidentiality, integrity, availability). Each criterion is weighted, and confirmed vulnerabilities ultimately receive a score from 1 to 10 (10 being the most severe).
Vulnerability scanning is the first component of vulnerability management (VM). VM, however, encompasses more than scanning: the detection of vulnerable endpoints (scanning), formal reporting of vulnerabilities, auditing and compliance reporting, and the ability to initiate scans after patch management has occurred (to validate that the patch has taken hold). VM remains an important network security protection technology today. Traditional VM nonetheless has several limitations:
- The current cyber defense philosophy is moving toward multi-layered defense and continuous monitoring. Intrusion detection and prevention systems (IDS/IPS), antivirus (AV), firewalls, next generation firewalls (NGFW), and Web application firewalls (WAF) can be classed as perimeter defense technologies. Network access control (NAC), security information and event management (SIEM), Web application scanning (WAS), and VM are network monitoring technologies that use analytics to detect anomalies. In a modern cyber-defense grid, bidirectional communication between perimeter defenses and network monitoring is essential to how continuous monitoring is achieved.
- Scan technology is semi-persistent at best. As a network protection technology, VM scanning is only effective at the time of a scan. The best a VM scan can do is identify a vulnerable endpoint at the time of the scan; a threat may already be active behind the vulnerability. Additionally, VM scanning generally occurs at scheduled intervals, leaving large windows between scans in which events go unobserved.
- Vulnerability reporting can be cumbersome. Isolating and acting on threats with the highest CVSS scores is a daunting task. A security team would prefer to understand vulnerabilities from many different perspectives including the value of the asset, asset groups, types of devices, compliance reporting, and data-loss prevention (DLP) perspectives in addition to the formal CVSS score.
- Heterogeneous networking is the norm, not the exception. VM scan technology traditionally covered Ethernet-connected devices behind a stateful firewall. However, the topology of networks is changing. Enterprise networks now include different types of cloud and virtual environments as well as cellular and Wi-Fi access. Scan engines themselves, once deployed as software or an appliance on-premises behind the network's firewall, can also be cloud-based.
- The attack vector is changing. Miscreants are as likely to enter the enterprise network through weaknesses in Web application software as through vulnerable endpoints. Web application firewalls and Web application scanning are needed to provide strong network security in addition to VM.
- Differentiation between commodity scan products is shrinking. Several companies that offer Secure Sockets Layer (SSL) certificates also add basic network scanning for cross-site scripting (XSS) and SQL injection (SQLi) as a complementary service. VM scanning is becoming a commodity service.
- VM done well remains an important network security technology. Identifying vulnerable endpoints and patching the vulnerabilities found is fundamental to defending a network properly. However, VM vendors do see this as a shrinking market opportunity, and understand that their service offerings have to incorporate more than VM to win cyber-defense licenses.