Today’s cybersecurity threat landscape is so vast and complex that it’s impossible to manage threats manually. Vulnerability management is a typical example: tech teams wrestle with many vulnerabilities across apps, networks, and endpoints.
A 2019 Kaspersky report outlines the size of the challenge. The security firm identified over 24 million unique malicious objects in 2019. The company also described the growing nature of the malware problem, noting that the 2019 figure is a 14 percent increase over 2018.
That’s why a vulnerability scan is such a critical tool. It helps IT teams identify and prioritize the most critical vulnerabilities across the technology they use, so they can address them before malware takes hold and business operations are impacted.
The cost of an attack can be significant: the 2019 Accenture Cost of Cybercrime study found that the average price of an attack went up from $11.7m per incident in 2017 to $13m in 2018.
But vulnerability scanning is just one part of the picture. This article explains what vulnerability scanning is, including its pros and cons. We also outline how IT teams can augment vulnerability scanning tools to reduce the attack surface to the absolute minimum while consuming fewer staff hours and at a lower cost.
What is a vulnerability, and what does a vulnerability scan do?
Many components work together to make a technology solution work. Any one of these components may have a weakness that an attacker can exploit – in other words, a vulnerability.
Applications, networks, and endpoints routinely have inherent weaknesses that allow criminals to gain control, or intrude and disrupt your business. Typical vulnerabilities include unnecessary communication ports that are left open, unpatched software bugs, or incorrect configuration.
Sometimes the vulnerability is down to the manufacturer or developer. Often, though, it results from stressed-out IT teams whose ever-increasing to-do lists mean that patches never get applied or systems are left misconfigured.
Managing vulnerabilities
Even modest technology deployments entail thousands of applications and devices, all of which are likely to have multiple vulnerabilities. Good cyber hygiene will mitigate the scope of vulnerabilities to some extent, but scanning and testing are essential.
Not all vulnerabilities are critical. Some pose a high risk to your organization; others may not pose much of a threat. Grading vulnerabilities according to severity helps teams address the most critical problems first. Of course, your team needs to know where these vulnerabilities are in the first place.
Scanning to detect vulnerabilities
A vulnerability scanner is an automated tool that probes and tests your applications, devices, and networks for known vulnerabilities. A scan can also check that configurations are airtight.
Some tools perform continuous around-the-clock scanning for the most dangerous vulnerabilities, but a comprehensive scan is often run at a set interval – once a week, say.
Your vulnerability management tool generates a report that flags the most critical vulnerabilities, grading the remainder according to severity. It helps your team prioritize patching and remediating – a process that can consume tons of IT resources, especially if you’re starting your vulnerability management process from scratch.
Strengths and weaknesses of a vulnerability scan
Vulnerability scanning is an established part of the cybersecurity arsenal. It delivers consistent benefits, but a vulnerability scan is not a comprehensive cybersecurity solution, and it is just one tool in the security toolset.
There’s no arguing against the benefits of vulnerability scanning, of course. The best vulnerability scanners are easy to set up and continue delivering reports month after month with just minor tweaks. Set up a vulnerability scanner, and you keep the same benefits year in, year out.
Vulnerability Scan Benefits
- Quick action. Scanning occurs quickly, and teams get their feedback reasonably fast. Are you worried about vulnerabilities in your network or endpoints? A scanning tool can rapidly reassure you or prompt your team into action.
- Easy to use. A good vulnerability scanning tool is easy to set up and gives you repeated results at whatever interval you prefer. Vulnerability reports are equally easy to interpret at a glance – your team gets actionable data that they can act on.
- Continuous monitoring. Vulnerability scanning alerts you when new issues come up. Whether it’s a new exploit or a new device on your network, regular reports help you keep vulnerabilities to a minimum – assuming your team has the time and resources to do so.
Just like all automated security tools, there is a danger that vulnerability scanning is seen as a comprehensive, end-to-end solution when it is not.
Vulnerability scan weaknesses
- Fixing and patching is a manual process, and your vulnerability report is just a starting point. Fixing issues still requires action from your team, and that can take up a significant amount of time. While a prioritized report helps, in reality many teams fix only the most critical vulnerabilities and never address the moderate risks.
- Vulnerability patching can be highly technical, and it is easy to underestimate the expertise required to fully and consistently repair a vulnerability. Even if a vulnerability is identified, your team may not have the expertise to remediate it successfully.
- Some vulnerabilities won’t be detected. Exploits that are complex or that haven’t yet emerged won’t be detected by an automated tool. Some of these might be critical and lead to significant damage if left unaddressed.
So, while vulnerability scanning will help your team get on top of the most dangerous exploits, it rarely results in comprehensive protection. In fact, a 2019 survey by Ponemon Institute found that 60 percent of breaches involved unpatched vulnerabilities.
The chances are that your scanning tool will miss important vulnerabilities. Besides, your team may never get around to addressing the moderate vulnerability that opens the door to a successful intrusion.
Why you need to augment a vulnerability scan
It should be clear by now that patching every single vulnerability across your business environment just isn’t practical. But there are a few other tools you can use that can provide far more rounded protection.
Automated patching
Patching is a time-consuming process, and teams rarely get down to comprehensive patching. Vulnerability scanners will point to the most significant risks, but as we suggested, IT teams don’t always get the time to mitigate critical risks, never mind the countless moderate risks. An automated patching regime can help.
For example, Aiden’s automated endpoint management capabilities will automatically patch endpoint applications using intelligent packages, addressing many known vulnerabilities. It also saves time so that your team can mitigate further down the vulnerability list. Besides, your team can demonstrate its effectiveness after running Aiden by simply producing a much-shortened vulnerability report.
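To make the prioritized report described above and the shortened report after automated patching concrete, here is an added example (not Aiden’s code or any real scanner’s output) that triages a constructed set of findings by CVSS severity band, applies automated patching where a vendor patch exists, and shows which moderate, configuration-only issues remain open. Finding IDs, asset names and scores are all invented placeholders.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass
class Finding:
    asset: str
    finding_id: str        # placeholder ids, not real CVE numbers
    cvss: float            # CVSS v3 base score, 0.0 to 10.0
    patch_available: bool  # a vendor patch exists and can be pushed automatically
    status: str = "open"

def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low" if cvss > 0.0 else "none"

def prioritize(findings):
    """Report order: most severe open finding first."""
    return sorted((f for f in findings if f.status == "open"),
                  key=lambda f: f.cvss, reverse=True)

def apply_automated_patching(findings):
    """Mark every open, patchable finding as patched and return what is still open.
    Configuration issues (an open port, say) have no patch and survive this step."""
    for f in findings:
        if f.status == "open" and f.patch_available:
            f.status = "patched"
    return [f for f in findings if f.status == "open"]

def summarize(findings):
    """Count open findings per severity band: the headline of a scan report."""
    return dict(Counter(severity(f.cvss) for f in findings if f.status == "open"))

# Constructed sample report, not real scanner output
SAMPLE = [
    Finding("web-01", "EXAMPLE-001", 9.8, True),
    Finding("web-01", "EXAMPLE-002", 5.3, False),    # non-essential port left open
    Finding("db-02", "EXAMPLE-003", 7.5, True),
    Finding("laptop-17", "EXAMPLE-004", 6.1, True),
    Finding("laptop-17", "EXAMPLE-005", 3.1, False),  # weak config, no patch to apply
]

if __name__ == "__main__":
    print("before:", summarize(SAMPLE), "after:", summarize(apply_automated_patching(SAMPLE)))
```

The residual report is exactly the moderate and low configuration findings that a patch-only regime never touches, which is where firewall rules and port hygiene come in.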
Network and application firewalls
Another good way to stop the exploitation of vulnerabilities is to restrict the traffic in your network – and access to your applications. Network and application firewalls can dynamically monitor traffic to identify suspicious patterns – and suspicious sources of traffic.
You should always address critical vulnerabilities, but your firewall can help reduce the attack surface across low-risk and moderate-risk vulnerabilities.
Strategic IT practices
Vulnerabilities are not always related to individual apps and devices. Sometimes vulnerabilities emerge due to poor planning or due to time-pressured teams that don’t apply good practice. Ringfencing critical applications is one example: time-consuming, but helpful when a vulnerability goes unmitigated.
Similarly, correctly configuring networks and apps – by closing non-essential ports, for example – is good practice that sometimes gets skipped in a rush. Dedicating more time to strategic IT and best practice is a crucial route to minimizing the potential harm behind a vulnerability.
Vulnerability scanning is essential – but not a comprehensive solution
Attaining the best security posture always relies on a multi-pronged approach. Each element has its purpose: vulnerability scanning is a fast way to find critical holes in your defenses. But it’s just one element.
Your team must understand the pros and cons of using a vulnerability scanning tool and compensate for the cons with other approaches.
Vulnerability scanning highlights how IT automation delivers improved protection while also freeing up time for IT teams. And tech teams with the space to think strategically stand a much better chance at sustaining business continuity in the long run.