Stop Network Attacks Before They Happen

Welcome to the world of vulnerability management, where solution providers and vendors alike are finding that building a strong proactive program based on mitigating vulnerabilities before they are exploited has transformed from a security-centric process to an operational necessity for business success.

In the last few weeks, this relatively young niche in IT security has taken off like Lance Armstrong up a French Alp, gaining huge ground on traditional security product moneymakers such as firewalls and antivirus software. According to market research firm IDC, the intrusion-detection and vulnerability-assessment market registered $539.5 million in vendor revenue in 2000. IDC expects the market to experience a healthy compound annual growth rate of 26 percent through 2008, reaching $1.8 billion that year. The result? With the growing market, solution providers can earn a bundle simply by doling out expertise.

Each network has its own unique set of vulnerabilities.

"As vulnerability management becomes more prevalent on customers' minds, solution providers have a real opportunity to make a buck," said Eric Ogren, senior analyst in the security solutions and services division at The Yankee Group in Boston. "With this niche, it's not about selling boxes or programs -- it's about putting a process in place so a customer can direct where its IT staff should be spending their time."

If anybody knows about vulnerability management, it's Ogren, who has researched the niche since it burst onto the scene in 2002. Vendors such as eEye Digital Security, Qualys, Skybox Security and nCircle have a pretty good sense of the niche, too -- all of these companies sell some form of vulnerability-management services through a business partner channel.

For many of the solution partners, vulnerability-management sales are more about big-picture thinking than nuts and bolts.

"It's not like we can go into a customer and say, 'Here's our catch-all solution for managing your vulnerabilities,' " explained Kurt Clasby, product manager at Integrated Information Systems (IIS), a security integrator in Tempe, Ariz. "The tricky thing about vulnerability management is that every network has different vulnerabilities."

Clasby's company peddles solutions from a variety of vendors. While some of the services tackle security by residing on a customer's network, others are Web-based, requiring customers to regularly leave some ports open for vulnerability scanning.

Regardless of which vulnerability-management strategy solution providers choose to represent, Jim Dziak, president of Microtek Systems, a solution provider in Milwaukee, Wisc., said that all of the remedies enable solution providers to offer external and internal vulnerability assessments.

"Traditionally, what clients consider good security is a hardened perimeter," he said. "In most cases, before we start, we run a test to show clients the overwhelming list of vulnerabilities that exist within their infrastructure under that strategy."

Vulnerabilities, however, can vary widely. On the surface, the weaknesses can be holes in particular software applications, or an open port. More thorough investigation reveals that vulnerabilities come in three more dangerous forms: missing patches, misconfiguration dilemmas and policy compliance issues.

Firas Raouf, COO of Aliso Viejo, Calif.-based vendor eEye, noted that vulnerability management is as much about assessment and remediation as it is about prevention strategies.

"Gone are the days where [solution providers] have [their] customers running a scan every month," he quipped. "Today, the scanning has to be ongoing, and adaptive to everything."

The Yankee Group's Ogren echoed these sentiments in a recent report, outlining a handful of "best practices" for solution providers to make their vulnerability-management offerings work like a charm. First, he said, they must classify their customers' network assets to prioritize vulnerability-mitigation programs. Next, they must reduce vulnerability exposure quickly to measure the effectiveness of risk-mitigation.

The third step is integrating vulnerability management with other security processes, according to Ogren's report. Finally, he suggested auditing the performance of implementations to build a culture of growth.

"Managing vulnerabilities means nothing if you don't learn from your mistakes," he said. "This is hard work, and resellers aren't going to ace it all overnight."