Not all scanning solutions are created equal…
The vulnerability assessment market has changed dramatically over the past several years. A growing number of vendors who once provided scan tools that merely identified vulnerabilities across your network now enable you to proactively assess those vulnerabilities in terms of the risk they pose to your business.
And it doesn't just stop at scanning vendors. Many vendors offering tools such as security information and event management (SIEM), endpoint detection and response (EDR) and managed detection and response (MDR) have added vulnerability assessment capabilities to their offerings, as well.
The problem is, there's no one clear definition of what it means to assess and manage vulnerabilities. Not all vendors take a risk-based approach. And of those that do, there's certainly no universal agreement on the best way to quantify that risk, which leads to muddled attempts to effectively prioritize remediation efforts. As a result, many security professionals struggle to navigate the wide range of vendor offerings, and to separate the marketing hype from what will truly make them more efficient and effective.
When evaluating any of these products, it's essential to understand how each will help you prioritize the vulnerabilities that pose the greatest risk to your organization. Are they simply taking and repackaging Common Vulnerability Scoring System (CVSS) base scores, or are they adding context using a variety of sources? Do they use data science and machine learning to automate the process of analyzing vast amounts of security data to arrive at a conclusion? Do they take asset criticality into account — and if so, to what extent? The goal is to help you more efficiently manage cyber risk across your attack surface, so you want a solution that can help you get there.
To help you determine what to look for, there's a Gartner research report that we think you'll find valuable: Market Guide for Vulnerability Assessment.
As the report points out, Vulnerability Prioritization Technology (VPT) "saves significant time over trying to do this analysis manually. It also provides better insight and context because acting on these prioritized results will substantially reduce an organization's attack surface, with the least amount of time and the most efficient use of staff resources."
Of course, the vulnerability assessment solution, itself, isn't enough. You want it to integrate with other critical components of your security stack. By integrating with your IT services module (ITSM), configuration management database (CMDB), ticketing and workflow management systems, and even your SIEM and security orchestration, automation, and response (SOAR) solutions, your entire security program can run far more efficiently and maximize your team's effectiveness.
And, finally, the vulnerability assessment solution you choose should be built to support new, emerging and even future technologies. Think of it this way: If your vulnerability assessment tool can only discover and assess physical, on-premises assets today, what use will it be moving forward? Even if you add visibility into cloud assets, you're still behind the curve when it comes to the most dynamic aspects of your network, including containers, web apps, and operational technology environments. You need the ability to expand your scanning program to future environments and asset types, as technology and business needs evolve.
According to the Gartner report, "prioritization by a VA vendor can be a good starting point for small and midsize clients using a homogeneous environment of a VA vendor for security testing. Also, buying an add-on product from the same vendor helps vendor consolidation, and sometimes cost, with less effort placed on new training and tool deployment. This is a key area of innovation that end users are strongly advised to seek out in their procurement cycles and prioritize in the future." We believe that Tenable's comprehensive family of solution offerings, including Tenable.ep, Tenable.io, Tenable Lumin, Tenable.ad and Tenable.ot deliver the breadth of coverage you need to assess your entire attack surface, and the depth of vulnerability prioritization technology to help you reduce the greatest amount of risk with the least amount of resources.
We believe that the 2021 Gartner Market Guide for Vulnerability Assessment can help provide the information you need to make a more informed decision.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Market Guide for Vulnerability Assessment, Shilpi Handa, Craig Lawson, Mitchell Schneider, 25 June, 2021