News

Vulnerability Management Needed for Security, Study Says

Companies can avoid attacks and minimize security cost overruns by practicing IT vulnerability management, according to a July study published by the Aberdeen Group.

• By Jabulani Leffall
• 08/19/2008

Ignoring the issues won't work, according to Derek Brink, author of the study and vice president and research fellow for IT security at the Boston-based Aberdeen Group.

"Unfortunately, each week brings a new wave of threats and vulnerabilities to be managed," Brink said. "Ignoring or deferring patches for known vulnerabilities is not a responsible strategy, nor is it reasonable for most companies to disconnect their business from the Internet. So managing vulnerabilities simply has to be done."

Aberdeen's study -- titled "Vulnerability Management: Assess, Prioritize, Remediate, Repeat" -- describes what some respondents are doing to foster an effective vulnerability management program.

The "best-in-class" firms described in the study shared several common characteristics. For example, 70 percent of respondents in this category have consistent policies for managing patches and vulnerabilities. Moreover, 67 percent say they monitor external sources for vulnerabilities, threats and remediation tactics. Lastly, 93 percent of those polled maintained an inventory of all IT assets, along with conducting regular patch scans.

For every dollar invested in vulnerability management programs, companies can avoid $1.91 in vulnerability fix-related costs, for a marginal return on investment of 91 percent, according to the report.

The report suggests four essential steps to implementing a vulnerability management program that pays off.

The first step is to understand the computer processing environment -- how it works, what IT assets are essential and what threats pose the greatest risk to the organization.

Second, prioritization is important. IT pros should maintain a constant inventory of all IT assets, along with a database of known vulnerabilities and fixes. Run an initial risk assessment. As with Patch Tuesday hotfixes, know what requires the greatest attention and what's critical versus important.

Third, the report recommends that a good way to preemptively fix problems as well as plug holes is to test fixes, patches and repairs after installing software upgrades. This process is called remediation. IT pros suggest remediation should be automated, wherever possible, with manual oversight of test results conducted by trained employees.

The last step is to repeat steps one through three and then monitor the results. Companies should review the success of the remediation and create a report for auditing and compliance reasons.

When asked about Microsoft's recent appeal to its tech peers, channel partners, security vendors and academia to collaborate on security initiatives, Brink said the move underscores the need to increase the efficiency and effectiveness of an important, never-ending task: security.

"It's a task which is consuming far too high a percentage of limited IT resources," Brink said. "The fact that leading vendors are calling for collaborative, industry-wide frameworks to address threats and vulnerabilities is strong evidence of the level of pain being expressed by their top customers in this area."

Brink added that security pros can expect that their vendors will work to address the pain in the near term through individual point solutions. In the longer term, vendors will work through broader, standards-based approaches that reach across the technology communities.