Vulnerability Assessment is dead, can I sell you a scanner?
Taking a page from the Richard Stiennon playbook, let me make an outrageous statement/prediction, that if it pans out will result in me being labeled a visionary (yeah right). I say now that vulnerability assessment as it has existed for the last 5 or 6 years is dead! I think everyone familiar with the VA market has been pussyfooting around this issue for a while now. To understand why I say this, you need to take a look at the evolution of the VA market.
When StillSecure first entered the VA market back in 2002, the state of the art was that there were scanners out there that would scan your network for vulnerabilities and give you a report on what was found. Players such as eEye and ISS sold commercial scanners and the open source Nessus scanner was by many viewed as the equal or superior of them. There was another category of vulnerability assessment that was performed via an agent like NetIQ and Pedestal Software (acquired by Altiris). Essentially, one was network scanner based, the other agent based but doing similar things. The scanner based versions then matured to include distributed systems that allowed large enterprises to be scanned in a timely manner and centrally managed.
The next step in the evolution of VA occurred when some of the pure scan and report vendors started adding workflow and vulnerability management to the mix. StillSecure's VAM and Foundstone were early entries in that space. The next big trend in vulnerability assessment was its integration with other security and network management tools. Integration with patch management, trouble ticket systems, asset inventory systems, network management, etc. began to integrate vulnerability assessment products into the larger fabric of IT management. At the same time integrating and correlating vulnerability data with other security technologies also came into vogue.
The next big thing in VA was risk management/compliance (some might say it was all about risk management from the beginning). Expanded, customized reporting that allowed administrators to manage their risk month to month and generate reports for auditors and geared towards compliance issues were a new way for VA to offer more value.
Over the past year, many have asked what is next for VA. I think we are seeing the answer. The answer is VA is morphing into security configuration management. Ron Gula and the Tenable team have been pushing this with Nessus and their commercial products for a while now. Now nCircle announces today their Configuration Compliance Manager. At StillSecure we have had this ability for some time and our newer tests are more geared to this type of test and policies. Our customized reporting lends itself well to this task. I am sure we will see the rest of the VA pack hopping on this bandwagon soon.
Why is vulnerability management in this torpid state and morphing into configuration management? There is no easy answer. First of all, even though it is not growing as fast as it was or is as cutting edge as it was, it is still a widely deployed and used technology and will continue to be so for years to come. Much as IDS is dead, but alive and well in networks everywhere, vulnerability assessment will continue to live on. However, it has seemed to loose some of its appeal. The reasons for this are many. One is the natural evolution of the security market. Another is the basic fact that vulnerability assessment and the patch management market it works with is a hamster wheel game, bad news generator. You scan, you find bad stuff, you fix, you scan again and again and again. Can you ever get out ahead with that strategy? I think the market is looking to break the cycle and find a more efficient way of dealing with the problem. In the meantime the security configuration management space is not an end game for VA, just a another step on the road. The problem with using these tools for security configuration management is they do not have any enforcement or teeth. Unless combined with some sort of NAC solution (that is where this stuff is really going), configuration scanning is just good for generating reports. The market will demand action if these products are going to succeed. Look for that action coming soon.
At StillSecure we already have this. We call it the policy driven network and we are implementing it with a large government customer. This is the future of VA. In the meantime remember you read it here first, VA is dead!