Solutions Review is pleased and honored to have spoken with Gaurav Banga, CEO of vulnerability management provider Balbix. We discussed the Gartner Market Guide for Vulnerability Assessment Solutions, key vulnerability management capabilities, and what the future might hold.
Here’s our conversation, edited slightly for readability:
Solutions Review: What do you make of Gartner’s Market Guide for Vulnerability Assessment Solutions?
Gaurav Banga: Gartner’s Market Guide for VA is a step in the right direction: to help enterprises and VA vendors understand that there is an overwhelming need to incorporate risk, based on business context, into the VA programs.
Vulnerability assessment (VA) scanners enumerate thousands of vulnerabilities at any given point for a large enterprise—leaving security and IT teams at-a-loss on where to begin, as well as how to allocate finite resources and time. As a result, teams typically go about fixing those vulnerabilities that are perceived to be the most critical (based on CVSS or other standardized ratings) or the easiest to fix, but this leaves many untouched (and potentially the highest business risk ones).
If the VA solution is able to understand and take into account the actual business risk associated with each vulnerability, as it pertains to the organization, and arrange the vulnerabilities in priority order based on risk to the enterprise, coupled with an understanding and correlation with existing security controls, the VA market would evolve to be risk-based vulnerability management (Gartner’s definition of a holistic solution). That would allow enterprise security teams to more effectively and efficiently support their security operations and ultimately contribute to organizations becoming more proactive in mitigating (and avoiding) breaches.
SR: What do you think of Gartner’s stressing of vulnerability management with context?
GB: Gartner stressing the need for context in vulnerability management solutions is an important step towards setting a new industry standard for security tools.
We agree with Gartner that there is a need for vulnerability management solutions that provide context around the risk and potential business impact of each IT asset, so security teams and management can identify which ones should be prioritized in taking action.
There are several important considerations when thinking about context:
- First and foremost is automatically and continuously enumerating the enterprise’s inventory, including every relevant detail (category, type, configuration, usage, etc.) for all devices, users and applications, on-premises and off.
- Second is discovering and understanding deep context around the role and business criticality of each asset and user. Without role and business criticality, enterprises just have an unprioritized laundry list of vulnerabilities.
- Then it is important to incorporate up-to-date knowledge of global and industry-specific threats, such as what is fashionable with the adversary on a daily and weekly basis.
- All these need to be coupled with an understanding of the various security products and processes already deployed in the enterprise, and their negating effects against active threats and vulnerabilities.
All of the above are essential to establishing the context from which effective risk can be computed, which allows for proper prioritization of vulnerabilities. This context must be carefully and automatically constructed device-by-device, application-by-application, and user-by-user, and continuously updated based on the changing landscape of new vulnerabilities and threats.
Like most current VM tools, simply ranking the severity of the findings with a generic rating (high/medium/low risk) is not useful.
With a risk-based vulnerability management approach, each asset is analyzed using the context of the specific asset, its use in the business, the impact of a potential breach on it, existing controls, and the likelihood of a breach occurring. That calculation allows companies to create a precise, prioritized list of security fixes so there is no doubt as to what actions need to be taken in what order.
SR: What capabilities are essential to risk-based vulnerability management? Why do you consider them essential?
GB: The most essential capabilities to risk-based vulnerability management are:
- Accurate inventory and categorization of all existing enterprise assets, including managed, unmanaged, cloud, devices, IoT, apps, users, etc. This needs to be updated continuously.
- Analysis across all attack vectors — not just unpatched software.
- Asset contextualization based on risk and potential impact to the business if a breach occurs.
- Prioritized list of action items unique to each enterprise environment so security teams can proactively tackle mitigation based on business criticality.
When companies compare all assets against all potential attack vectors, it quickly adds up to millions of potential points of attack—far more than any human cybersecurity team can stay on top of without leveraging AI and machine learning. These advanced technologies must be baked into the capabilities listed above in order to provide companies with an accurate and real-time list of prioritized actions.
With these four capabilities, vulnerability assessment tools go from primitive scanning for unpatched software and bulk patch recommendations to helping companies proactively mitigate risk across IT assets and attack types.
SR: Does the industry need a new definition of vulnerability assessment? Why?
GB: As noted above, vulnerability assessment (VA, formerly known as vulnerability management) tools are limited from multiple angles—limited types of assets (corporate-managed, e.g. servers and company notebooks), sole focus on unpatched software, and operate in a cyclical mode (run a scan, then assess the results/output) and not real-time. Equally important, VA tools today do not assess and use business risk in computing their output and recommendation for SecOps.
In contrast, the enterprise attack surface is expanding (the opposite of limited) across the two axes of asset types (e.g. IoT, BYOD, ICS, etc.) and attack vectors (regularly growing).
This combination of severe limitations and an ever-growing enterprise attack surface are mandating the VA get redefined and refocused on minimizing business risk and increasing cyber-resilience. Hence Gartner defining the risk-based vulnerability management market.
SR: What does the future of vulnerability assessment look like to you?
GB: Traditionally, vulnerability assessment (formerly known as vulnerability management) has been defined as the practice of identifying security vulnerabilities in unpatched software. Though it is typically an integral part of every organization’s cybersecurity strategy, the traditional VA approach has become increasingly ineffective for a couple of reasons.
First, the traditional tools do not present an accurate picture of the enterprises’ asset inventory (which includes all types of assets, including managed, unmanaged, BYOD, IoT, on-premises, and cloud) and secondly, it is no longer enough to just enumerate vulnerabilities due to unpatched systems, when there are 200+ other attack vectors that can be exploited. This is where traditional VA falls short.
Organizations need to take a more modern approach to properly understand their comprehensive risk posture, with a risk-based approach to vulnerability management (RBVM) that not only identifies vulnerabilities but also predicts breach risk, prioritizes action items based on business risk, and offers guidance on fixes to correct the issues.
The modern approach to RBVM has the following two key features:
- It covers the multi-dimensional attack surface.
Traditional VA tools have limited coverage across the vast and rapidly expanding set of attack vectors. Phishing, ransomware, misconfigurations, and credentials are just some of the vectors not covered by traditional VA.
Next-generation VA needs to monitor and scan for many other attack vectors like device/network and application misconfigurations, risk from weak or no encryption, use of weak passwords & shared passwords, denial of service, password reuse, propagation risk, phishing and ransomware, zero-day threats, and more.
- It offers visibility for all types of assets, including BYOD.
Traditional VM tools typically scan enterprise-owned and managed IT assets such as corporate servers and laptops, and they leave out all the rest. But in today’s modern enterprise, device demographics have shifted dramatically with the proliferation of different asset categories (unmanaged, BYOD, cloud-based, IoT, and mobile, to name just a few).
Next-generation VM should be able to discover, monitor, and scan all types of devices and assets – including BYOD, IoT, cloud, and third party – to automatically and continuously predict breach risk through a single integrated system.
Modern enterprises require risk-based vulnerability management. Only this new approach can provide the critical information that is required to proactively protect a large modern enterprise network that spread out across on-prem, cloud, mobile, leased, software-defined and other evolving system architectures.
Thank you to Gaurav Banga of Balbix for his time and expertise!
Other Resources from Solutions Review:
- The 10 Coolest SIEM and Security Analytics CEO Leaders
- Get Your Employees to Embrace SIEM Best Practices!
- 4 Tips to Make Data Breach Detection Easier For Your Enterprise
- Enterprises: Don’t Become Complacent in Your Cybersecurity!
- Comparing the Top SIEM Vendors — Solutions Review
Latest posts by Ben Canner (see all)
- 5 Key Security Analytics Capabilities for Security Operations Centers - October 17, 2019
- 40 Percent of Security Practitioners Don’t Report to the Board - October 15, 2019
- What Do SIEM Components Actually Do For Enterprises? - October 10, 2019