The Security and Vulnerability Management Market was valued at $6.61 billion in 2019 and is expected to reach $11.72 billion by 2025, at a CAGR of 10% over the forecast period 2020 – 2025. As the current cybersecurity threat landscape is constantly evolving, organizations need to be proactive in their threat and vulnerability management efforts. The efficiency of vulnerability management depends on the organization’s ability to keep up with current security threats and trends. According to “Security and Vulnerability Management Market Trends and Forecasts 2020-2025 Study
Vulnerability Assessment tools capture large amounts of vulnerability data, typically exceeding the ability of IT operations to remediate the sheer volume of found issues. Many Vulnerability Assessment solutions assign a threat score to each vulnerability based on its Common Vulnerability Scoring System (CVSS) score, which is calculated from a formula over several metrics that approximate the ease of exploitation and the impact of an exploit. But these metrics fail at scale when the objective is, for example, to identify the 100 most critical vulnerabilities out of 1,000 critical vulnerabilities. Not all vulnerabilities are created equal – exploitability, prevalence in malware and exploit kits, asset context, and active exploitation by threat actors are important qualifiers.
Some Vulnerability Assessment vendors have begun adding capabilities to support improved vulnerability remediation prioritisation based on threat intelligence correlation.
Prioritisation of Threat and Vulnerability Management Platforms (TVMP)
There is also an emerging market of threat and vulnerability management platforms (TVMP) that consolidate the output of different security testing technologies, such as vulnerability assessment (VA) and dynamic application security testing (DAST), to permit holistic risk posture assessment and to model asset risk. These are designed to support an organization’s vulnerability life cycle management, providing formalized workflow as well as reporting and collaboration capabilities. They usually do not execute vulnerability assessments themselves, but consolidate and normalize output from multiple vulnerability, application security and penetration testing solutions.
Methods are applied that analyze and prioritize vulnerabilities by using threat intelligence and organizational context, or via advanced risk modeling approaches, such as attack path analysis. This permits more granular and intelligent remediation strategies than simplistic severity or CVSS-based approaches, especially at scale and when remediating with limited resources.
Risk ratings are assigned to each vulnerability by a proprietary threat-processing engine. Some vendor tools specialize in remediation prioritization and analysis: they ingest data generated by various Vulnerability Assessment tools and use proprietary algorithms to provide risk ratings. These tools automate some of the manual tasks in the remediation process by delivering automated workflow capabilities via dashboards and integration with IT operations management tools.
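The prioritisation approach described in the preceding paragraphs (CVSS alone ranks too many findings as "critical"; threat intelligence and asset context separate them) is easiest to see with numbers. The following Python example is added here as an illustration and is not any vendor's engine: the weights, the field names, the placeholder vulnerability identifiers and the sample findings are all constructed assumptions. It ranks the same findings two ways, by bare CVSS and by a combined risk score, so the difference in what gets remediated first is visible.

```python
"""Risk-based vulnerability prioritisation versus a bare CVSS sort.

Added example; the weights and sample findings below are constructed for
illustration and are not from any product or standard.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # CVSS base score, 0.0 - 10.0
    asset: str                # hostname (constructed)
    asset_criticality: int    # organisational context: 1 (low) .. 5 (crown jewel)
    internet_exposed: bool    # reachable from untrusted networks
    actively_exploited: bool  # threat intel reports exploitation in the wild
    in_exploit_kit: bool      # prevalence in malware / exploit kits


def threat_multiplier(f: Finding) -> float:
    """Threat-intelligence component: how likely is this to be used against us?"""
    m = 1.0
    if f.actively_exploited:
        m += 1.0   # constructed weight
    if f.in_exploit_kit:
        m += 0.5   # constructed weight
    return m


def context_multiplier(f: Finding) -> float:
    """Organisational-context component: how much does it matter if it is?"""
    m = f.asset_criticality / 5.0       # 0.2 .. 1.0
    if f.internet_exposed:
        m += 0.5   # constructed weight
    return m


def risk_score(f: Finding) -> float:
    """Combined score: CVSS scaled by threat and context (assumed formula)."""
    return round(f.cvss * threat_multiplier(f) * context_multiplier(f), 2)


def prioritize(findings: List[Finding], top_n: int) -> List[Finding]:
    """The top_n findings to remediate first, highest combined risk first."""
    return sorted(findings, key=risk_score, reverse=True)[:top_n]


def cvss_only(findings: List[Finding], top_n: int) -> List[Finding]:
    """The naive baseline the text criticises: rank by CVSS base score alone."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)[:top_n]


# Constructed sample scanner output: five findings on five assets.
SAMPLE = [
    Finding("VULN-A", 9.8, "lab-vm-01",  1, False, False, False),
    Finding("VULN-B", 7.5, "web-portal", 5, True,  True,  True),
    Finding("VULN-C", 9.1, "erp-db",     5, False, False, False),
    Finding("VULN-D", 5.3, "vpn-gw",     4, True,  True,  False),
    Finding("VULN-E", 9.8, "file-share", 3, False, False, True),
]


if __name__ == "__main__":
    print("CVSS-only top 2 :", [f.vuln_id for f in cvss_only(SAMPLE, 2)])
    print("Risk-based top 2:", [f.vuln_id for f in prioritize(SAMPLE, 2)])
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.vuln_id} cvss={f.cvss:<4} asset={f.asset:<11} risk={risk_score(f)}")
```

With these inputs the CVSS-only view puts the two 9.8-rated findings first, even though one sits on an isolated lab VM; the combined score instead puts the actively exploited, internet-facing 7.5 and 5.3 findings at the top. The exact weights are the part an organisation would tune; the structural point is that exploitation evidence and asset context enter the ranking at all.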
Most vendors provide mature capabilities for vulnerability assessment of common network-based devices, as well as features to allow the analysis, reporting and management of vulnerabilities and remediation.
How should security and risk leaders select a vulnerability assessment and management tool?
Security and risk leaders selecting a cybersecurity system or tool should:
- Evaluate the scope of device and third-party operating system and application coverage, especially for those that are deployed but non-mainstream.
Dedicated ongoing vulnerability signature support and maintenance for the majority of the vendor’s asset base should be made a critical requirement. Asking whether a vendor supports technology “x” is not sufficient to yield a detailed answer. However, expectations must also be realistic; while obtaining 100% coverage is the ideal, from a practical standpoint, covering as many technologies as possible is as good as it gets. In-depth assessments of databases and applications, such as ERP systems (for example, SAP or Oracle), especially, are not widely supported in traditional cyber security solutions, which generally focus on devices. DAST solutions will often still be required.
- Appraise the methods that an information security solution provides to aid in the assessment of the impact, criticality and prioritization of vulnerabilities.
Remediation prioritization is a key element in making security tools usable and in having a real impact on reducing an organization’s attack surface. Cybersecurity tools can produce extremely large reports, which are virtually impossible to use effectively. Hence, security managers should look to add capabilities to the organisation’s security tools that remove much of the manual effort, provide analysis, and recommend which vulnerabilities to focus on first. If the capabilities provided by the security systems and solutions are insufficient, also evaluate threat and vulnerability management (TVM) solutions or supported third-party integration tools.
- Evaluate the assessment deployment options.
As the shift proceeds from regularly scheduled scans to continuous monitoring, and to more agile and decentralized deployments, the available methods to scan for vulnerabilities will play an increasing role. This includes the ability to use an agent on remote assets for mobile and off-site users, as well as for transient, virtualized architectures and DevOps practices, and the ability to assess system images at rest or in containers.
- Assess the vendor’s current support, and future plans and roadmap, for supporting emerging technologies.
Any organization with large or growing cloud, virtualization and DevOps deployments must select a cybersecurity solution with these asset demographics in mind, and must consider a vendor’s current and future commitment to these technologies. In some cases, these gaps will be closed by collaboration with technology partners and via third-party integrations, not by native support in the cybersecurity solutions. Integrations with platform management systems, such as enterprise mobility management (EMM) suites, hypervisors and cloud security platforms, are especially important, providing extended visibility and some vulnerability assessment capabilities.
- Evaluate available vendor portfolio synergies.
Some vendors offer their cyber risk management solution as one component in a broader integrated portfolio. Depending on your requirements, these combined technologies can provide a sum-greater-than-the-parts security posture, and can also prove cost-effective due to bundled licensing. However, potential buyers of risk management solutions should not be tempted by the implied benefits if they were not seeking them from the outset.
Critical capabilities of vulnerability management systems in larger enterprises
- Scope, quality and speed of signature updates
- Capability to centrally manage, administrate and schedule scanners and scans
- Role-based access control (RBAC)
- Integrated support for managing and tracking vulnerability data, such as vulnerability management workflow and ticket management
- Integration with enterprise workflow and security management solutions, such as configuration management databases (CMDBs), enterprise directories, and identity and access management (IAM) solutions
- Flexible architecture options, such as virtualized deployment and cloud-based scanning
- Automation of scanning and alerting
The vulnerability assessment market is mature, but it is being challenged by the need to cover changing device demographics, ever-changing and higher-performance emerging technologies, and evolving cyber threats. Security and risk management leaders seeking a vulnerability management solution must evaluate vendors carefully for ongoing commitment to these trends.