Solid Security In Vulnerability Management

In a recent report from the Yankee Group and security vendor Qualys, experts tabbed security solutions that focus on vulnerability management as vastly superior to those that do not.

The report, titled "Dynamic Best Principles of Vulnerability Management," issued a number of recommendations for resellers to keep in mind when incorporating vulnerability management into an implementation. Some of the recommendations included the following:

• Identifying and categorizing all network resources

• Integrating vulnerability management with other security functions

• Measuring networks against the 30-day half-life of most vulnerabilities

• Auditing networks to test regularly for weaknesses

Eric Ogren, senior analyst at the Yankee Group, said that approaching vulnerability management as an equivalent part of an overall security strategy would allow resellers to sell customers on a "more solid" solution.

"Performing regular security audits is a vital step companies must take to keep up with the changing security landscape," he said. "With each new breed of attack, it is clear that best practices in IT security must be achieved for organizations to effectively protect critical network assets."

Some resellers already have found success in pairing vulnerability management services with some of their traditional offerings. Rick Dacin, president of Coalfire Systems, Superior, Colo., said he resells solutions from Louisville, Colo.-based StillSecure and noted that once he notches an initial sale, he frequently can upsell his customers StillSecure VAM 3.5, a vulnerability tool.

When customers won't invest in a dedicated vulnerability management tool, Dacin said he will run the tool and offer services based on the vulnerabilities that it identifies.

"I bet 30 percent of our revenue comes from vulnerability management, in one form or another," he said.