Questions to Amrit on effective vulnerability management
Amrit has part 1 of an article he is writing on effective vulnerability management up. As some of you may know, Amrit spent a few years as an analyst in the VM field and certainly knows a thing or two about it. In many ways, reading Amrit's article reminded me of my own "VA is dead" thesis. I say AMEN to what you have written about traditional scan-and-fix being a losing approach, Amrit.
I think, though, that Amrit is proposing a BigFix-like approach (no surprise there) as the evolutionary successor to traditional vulnerability management scanning. So Amrit, while I agree with the dead end that vulnerability assessment scanning seems to be, let me ask you two questions regarding your position:
1. Does configuration management boil down to remediation being the only answer? If so, what is remediation? Is it only applying patches or shutting down a port or service? Could applying limitations on access be part of the equation? Access control based upon a configuration baseline is, I think, an important part of managing the system.
2. Can configuration management be done outside of an on-board agent? Looking at some of the traditional VM scanners like nCircle and Tenable, they are claiming configuration management capabilities. Can their "point in time" scanning compare to always-on, agent-based configuration management solutions? If not, what about unmanaged devices coming onto the network without an agent? Do you fall back to scanning them with a scanner? Is the position really that if all company-owned assets are fully compliant, we don't worry about what a guest computer can introduce? It is for this reason that I think you can never have a purely agent-based configuration management system, but need both agent-based and agentless approaches.