Where to start: a Vulnerability Assessment or a Pentest?
Vulnerability assessment is often confused with penetration testing; the two terms are frequently used interchangeably. They are in fact two types of vulnerability testing with different strengths.
Which is the right one for you?
You need a Vulnerability Assessment:
- When your Maturity Level is Low to Medium, you already know you have issues, and need help getting started.
- When your Goal is to get a prioritized list of the vulnerabilities in your environment so that remediation can start.
- When your Focus is Breadth over depth.
You need a Penetration Test:
- When your Maturity Level is High: you believe your defenses to be strong and want to test that assertion.
- When your Goal is to determine whether a mature security posture can withstand an intrusion attempt by an advanced attacker with a specific objective.
- When your Focus is Depth over breadth.
Vulnerability Assessment and Penetration Testing are often combined to achieve a more complete vulnerability analysis.
What to choose: Commercial or Open-Source Security Assessment Solution?
Some facts to begin with:
- The open-source community has created some great security tools over the years. However, none of them is a complete vulnerability management solution on its own.
- Open-source tools are not always cheaper than their commercial counterparts. A team has to integrate those free tools into something reliable before the enterprise can use them to secure its resources and strengthen its overall security posture, and it is easy to forget the cost of maintaining that custom integration code, dealing with tool accuracy, and fixing the problems that appear each time a new version of a tool is released.
- Vendor lock-in is not a new concern in technology, and it is a reality in the security market. The market leader in vulnerability assessment sells a core product for scanning devices, but as soon as you need more valuable information, such as risk scoring or compliance status, you have to pay for additional products.
At SecludIT, we chose to simplify this work for you. Our solution is not merely a frontend or a graphical user interface for open-source tools. We take the best and most relevant open-source solutions, add our own code and tools, manage their integration, interaction and updates, and automate and simplify their use in a single, easy-to-use solution.
Our engineers work with the communities: each contribution and fix is discussed and committed to the open-source repositories.
How to Deploy: Virtual Appliance or SaaS?
The short answer is it depends.
The long answer is that it depends on the goals you are trying to achieve:
- If you need to test your infrastructure against external threats and get an external attacker's view, then SaaS (sometimes called Cloud) is the easiest and cheapest option. There is nothing to install or operate, and with a subscription you can launch a scan within 5 minutes.
An external vulnerability scan looks for flaws in your network firewall(s) through which malicious outsiders could break in and attack your network. It can be run over the Internet from a SaaS solution.
- If you need to test your infrastructure against internal threats, or you assume your perimeter will be compromised anyway through BYOD or malware installed by one of your employees, then an on-premises virtual appliance is the better fit.
An internal vulnerability scan operates inside your business's firewall(s) to identify real and potential vulnerabilities within your internal network.
So it depends on whether your priority is to assess the perimeter or to assume the perimeter cannot be trusted. In practice you should do both: comparing the two result sets shows which services and findings the perimeter actually hides from the outside, which is a good indicator of its efficacy.
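The comparison described above, as an added example that is not part of the original page or of SecludIT's product: two sets of findings, one from an external scan and one from an internal scan of the same hosts, are diffed to separate what the perimeter exposes, what it filters, and what only the outside view saw. The sample findings and the list of ports that must never be reachable from the Internet are constructed for illustration; in practice the host identifiers on both sides must refer to the same machines (NAT and load balancers can change them), otherwise the diff is meaningless.

```python
"""Compare an external and an internal scan of the same hosts to see
what the perimeter actually filters.

Each finding is a (host, port, issue) tuple. The external scan is what an
Internet attacker can reach; the internal scan is what is really running
behind the firewall.
"""

# Constructed sample findings (not real scanner output).
EXTERNAL_SCAN = {
    ("10.0.1.10", 80, "HTTP server banner disclosure"),
    ("10.0.1.10", 443, "TLS 1.0 enabled"),
    ("10.0.1.12", 3389, "RDP NLA disabled"),
    ("10.0.1.20", 8443, "Self-signed certificate"),
}
INTERNAL_SCAN = {
    ("10.0.1.10", 80, "HTTP server banner disclosure"),
    ("10.0.1.10", 443, "TLS 1.0 enabled"),
    ("10.0.1.10", 22, "SSH weak MAC algorithms"),
    ("10.0.1.11", 3306, "MySQL unauthenticated access"),
    ("10.0.1.11", 5432, "PostgreSQL trust authentication"),
    ("10.0.1.12", 3389, "RDP NLA disabled"),
}

# Assumed policy: services on these ports must never be reachable from outside.
NEVER_EXTERNAL_PORTS = {22, 445, 1433, 3306, 3389, 5432}


def compare_scans(external, internal):
    """Split findings into three buckets by where they were observed."""
    return {
        # present in both views: reachable from the Internet
        "exposed": external & internal,
        # present inside only: the perimeter is hiding them, as intended
        "filtered": internal - external,
        # present outside only: a forwarding path, CDN or address the
        # internal scan did not cover; worth investigating
        "external_only": external - internal,
    }


def perimeter_efficacy(external, internal):
    """Share of internally visible findings the perimeter hides (0.0 to 1.0)."""
    if not internal:
        return 1.0
    filtered = compare_scans(external, internal)["filtered"]
    return len(filtered) / len(internal)


def critical_exposures(external, internal, never_external=NEVER_EXTERNAL_PORTS):
    """Findings reachable from outside on ports that policy says stay internal."""
    exposed = compare_scans(external, internal)["exposed"]
    return {finding for finding in exposed if finding[1] in never_external}


if __name__ == "__main__":
    buckets = compare_scans(EXTERNAL_SCAN, INTERNAL_SCAN)
    for name, findings in buckets.items():
        print(f"{name}: {len(findings)}")
        for host, port, issue in sorted(findings):
            print(f"  {host}:{port}  {issue}")
    print(f"perimeter efficacy: {perimeter_efficacy(EXTERNAL_SCAN, INTERNAL_SCAN):.0%}")
    print("policy violations:", critical_exposures(EXTERNAL_SCAN, INTERNAL_SCAN))
```

The efficacy figure is a blunt count, not a risk score: a perimeter that hides three low-severity SSH findings but leaves RDP open to the Internet scores 50% here while being badly configured, which is why the policy check on exposed ports is reported separately.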
How often: One shot or continuous monitoring?
What is continuous monitoring? NIST defines information security continuous monitoring as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.
The importance of continuous monitoring is highlighted in NIST Special Publication 800-37, which identifies monitoring as one of the six steps of the Risk Management Framework. NIST SP 800-137 (first released as a draft) goes further and outlines a continuous monitoring process flow.
A scan is a snapshot of the vulnerabilities present in an organization's environment at one moment.
It tells you nothing about the days between scans: a finding that disappears was fixed somewhere in the interval, not necessarily on the scan date, and a finding that was introduced and fixed between two scans is never seen at all. By scanning more frequently you shrink that interval, so the metrics for how long a detected vulnerability was present and when it was mitigated become more accurate.
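The measurement problem described above, as an added example that is not part of the original page: a series of scan snapshots is turned into per-finding exposure windows with a lower bound (what the scans prove) and an upper bound (what they cannot rule out). The gap between the two is the uncertainty introduced by the scan cadence, and it is what more frequent scanning reduces. The weekly snapshots and finding identifiers are constructed for illustration.

```python
"""Turn a series of scan snapshots into exposure-window metrics.

A scan only shows what was present at that moment. If a finding is seen
on 8 Jan and gone on 22 Jan, it was fixed somewhere in between; the scan
cadence bounds how precisely we know when. For each finding this computes
the shortest and the longest exposure consistent with the snapshots.
"""
from datetime import date

# Constructed sample snapshots (not real scanner output):
# (scan date, set of finding identifiers still present on that date).
WEEKLY_SNAPSHOTS = [
    (date(2024, 1, 1), {"CVE-A", "CVE-B"}),
    (date(2024, 1, 8), {"CVE-A", "CVE-B", "CVE-C"}),
    (date(2024, 1, 15), {"CVE-A", "CVE-C"}),
    (date(2024, 1, 22), {"CVE-A"}),
]


def exposure_windows(snapshots):
    """Per finding: first and last scan it appeared in, the first scan that
    showed it gone (None if still open), and min/max exposure in days.

    min_days: last_seen - first_seen, which the snapshots prove.
    max_days: from the last clean scan before first_seen (or first_seen
              itself when there is no earlier scan) to the first clean scan
              after last_seen (or the latest scan if the finding is still open).
    A finding that disappears and reappears is treated as one span from its
    first to its last sighting.
    """
    snaps = sorted(snapshots, key=lambda snap: snap[0])
    dates = [scan_date for scan_date, _ in snaps]
    findings = set().union(*(present for _, present in snaps))
    windows = {}
    for finding in findings:
        seen = [i for i, (_, present) in enumerate(snaps) if finding in present]
        first, last = seen[0], seen[-1]
        resolved_by = dates[last + 1] if last + 1 < len(dates) else None
        intro_bound = dates[first - 1] if first > 0 else dates[first]
        fix_bound = resolved_by if resolved_by is not None else dates[-1]
        windows[finding] = {
            "first_seen": dates[first],
            "last_seen": dates[last],
            "resolved_by": resolved_by,
            "min_days": (dates[last] - dates[first]).days,
            "max_days": (fix_bound - intro_bound).days,
        }
    return windows


def mttr_bounds(snapshots):
    """Lower and upper bound on mean time to remediate, over resolved findings."""
    resolved = [w for w in exposure_windows(snapshots).values() if w["resolved_by"]]
    if not resolved:
        return (0.0, 0.0)
    low = sum(w["min_days"] for w in resolved) / len(resolved)
    high = sum(w["max_days"] for w in resolved) / len(resolved)
    return (low, high)


if __name__ == "__main__":
    for name, w in sorted(exposure_windows(WEEKLY_SNAPSHOTS).items()):
        status = f"fixed by {w['resolved_by']}" if w["resolved_by"] else "still open"
        print(f"{name}: exposed {w['min_days']}-{w['max_days']} days, {status}")
    print("MTTR bounds in days (low, high):", mttr_bounds(WEEKLY_SNAPSHOTS))
```

With weekly scans, CVE-C is reported as exposed for somewhere between 7 and 21 days; with daily scans over the same period the same finding would be pinned to within two days, which is the whole argument for scanning more often than the audit calendar requires.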
In a constantly changing network environment, where new vulnerabilities and public exploits are disclosed daily, continuous monitoring of your IT is essential: it keeps your security team constantly aware of newly detected vulnerabilities, weaknesses, missing patches and configuration flaws that are likely to be exploitable.
Continuous monitoring not only has a role to play in preventing large-scale data breaches; it can also save compliance-sensitive organizations money by keeping them continuously in compliance rather than re-establishing it before each audit.
Using key risk indicators as control points is necessary to manage security day to day.
Continuous monitoring gives you the opportunity to collect accurate metrics at a much higher frequency than audits do.
To learn more about continuous monitoring and its implementation, try our product free for 14 days in SaaS mode, or contact us to use it in Virtual Appliance mode.
Readers interested in vulnerability analysis and continuous monitoring also read our white paper “Continuous Security”.