What is Unified Vulnerability Management?
What does unified vulnerability management mean? Is it just a buzzword vendors are trying to use to sell you something – or can it actually do something for you? It’s a fair question. When I was strictly a practitioner, it was something of a holy grail. I actually turned vendors away because they could not provide unified vulnerability management when that was what I needed, especially when I had to dabble in application security. Let’s look at the advantages a unified approach to vulnerability management provides, whether you are a security analyst or the CISO.
No Matter What Tools You Buy, You’re Covered
When I’m watching an instructional video on YouTube, one of the things I pay close attention to is the tools the speaker is using. I expect a professional to mix and match tools. If a person has matching sets of all new tools, that’s a red flag for me. If nothing else, that’s a strong indication the person is sponsored, and less likely to be objective in their recommendations.
In my experience, a professional will mix and match tools, if only as a matter of practicality. Here is one common example. Two popular brands of tools among professional carpenters are DeWalt and Milwaukee. A carpenter will typically buy tools of the same brand so they can use the same batteries in all of their tools. But you will see a professional carpenter set down their bright yellow DeWalt drill and grab a bright red Milwaukee permanent marker, mark something, then go back to using their DeWalt tools. Why is that? DeWalt does not sell a permanent marker, and Milwaukee sells a really good one.
When it comes to vulnerability management, I have always found myself mixing and matching tools from more than one vendor, just like that carpenter that buys the permanent marker from their second-favorite tool company. The three leading network scanning vendors all have an application security tool. It’s been a while since I’ve had to evaluate all three of them, but just because one of them makes the best network scanner for my needs doesn’t always mean the same one has the best application scanner of the three. More than once, I’ve recommended one network scanner and a different application scanner.
And you don’t really lose anything by mixing and matching those products. You have to juggle one more login account, but none of the big three scanner vendors provide a unified view of your application and network vulnerabilities. While there is some indication they are starting to move in that direction, their products weren’t originally designed with that in mind.
But it goes beyond that. For the type of application security scanning that I can do, the tools from the network scanner vendors are fine. Some of my teammates find those tools too limiting – they need something more powerful, from a company that specializes in application security. And that’s fine. It’s really best to buy the tools that match the skill set of the staff you have available to you. And while I’ve always argued that second opinions in network scanning are overrated, that’s different in application security. In application security, I have always tried to get two opinions. Being able to pull those opinions into a single tool to look for overlap saves a lot of time. It’s not that a finding is more severe when two tools agree, it’s that it’s less likely to be a false positive.
And so far, all we’ve talked about is gathering CWEs and network CVEs under one roof. We haven’t even talked about container scanning or policy compliance.
As technology changes, and companies evolve, vulnerability management is getting harder, not easier, if only because you’re juggling so many more technologies. You need a unified vulnerability management solution to bring all of that information together so you can normalize it, prioritize it, and find gaps in your coverage.
The Only Complete Solution for Unified Vulnerability Management
Even when one scanner vendor meets all of your needs, and your entire team can agree on that single vendor, you are still likely to occasionally have to import data from some other scanning tool, such as an outsourced data center’s own internal scans, or in merger and acquisition situations.
But even in that ideal situation, where you have one single tool stack, you still cannot get a complete view of your risk. You click in one place to see your network vulnerabilities, you click another place to see how you stack up against CIS, ISO 27001, or whatever policy standard you’re held to, yet another place for container scanning, and a fourth place for application security.
Your attackers don’t divide your attack surface that way. Your org chart probably isn’t laid out that way. You need unified vulnerability management to bring all of that scan data together, correlate it, enrich it, give you a complete view of your risk based on what matters to you, and then divide that work back out to the people in your organization best able to fix it.
To make matters worse, with other solutions, prioritizing across different finding types is difficult or impossible. Virtually everyone provides a score that you can use to prioritize your network vulnerabilities. Most of them do not extend that model to application security or policy compliance. And this creates a blind spot. Your biggest problem in your network could be an application security or policy compliance finding. If that’s the case, Nucleus, the only true unified vulnerability management solution, is the only tool that is going to tell you that. It’s one thing to give you a single pane of glass, but it’s another to present that data in such a way that you can actually see what your priority needs to be.
Granted, you can’t simply reassign system administrators to fixing application security problems. But if an organization is really good at fixing one kind of vulnerability but not another, management needs to know that so they can make some hiring decisions. Many organizations do not realize they have a problem until they see all of the data presented in a unified view within Nucleus for the first time.
As you can see, Nucleus provides asset management functionality well beyond that of a traditional vulnerability management tool. In fact, many organizations are using Nucleus as their centralized asset inventory and management database! But don’t take our word for it, request a trial today to see how Nucleus asset management functionality can help to take your vulnerability management program to the next level!