
© 2010 Aberdeen Group. Telephone: 617 854 5200 www.aberdeen.com Fax: 617 723 7897

December 2010

Managing Vulnerabilities and Threats (No, Anti-Virus is Not Enough)

Research Brief

Aberdeen’s Research Briefs provide a deeper exploration of the principal findings derived from primary research, including key performance indicators, Best-in-Class insight, and vendor insight.

New malware by the millions. Legitimate web sites compromised with malicious code. Targeted phishing attacks. More than 100 new updates and vulnerabilities identified each week. Growing diversity in the networks, platforms and applications that can potentially be exploited. This is just some of the widely available evidence that your enterprise IT infrastructure is in enemy-occupied territory. Aberdeen's research shows that the top performers excel at managing these vulnerabilities and threats across their entire lifecycle, from assessment to prioritization to successful remediation. Their focus on maximizing efficiency and minimizing total cost also acknowledges the unfortunate but critical necessity of adopting a continuous approach to vulnerability management – and highlights the value of solutions that increase visibility and provide actionable intelligence for remediation.

Research Demographics

Between September and October 2010, Aberdeen examined more than 160 enterprises; respondents had the following demographics:

√ Job title: C-level management (27%); Vice President (8%); Director (15%); Manager (24%); Staff / Consultant (23%)

√ Functional responsibility: the largest segment was IT (56%)

√ Industry: the largest segments included financial services (17%); government / aerospace / defense (14%); telecommunications (11%); and education (9%)

√ Geography: Americas (55%), Europe / Middle East / Africa (29%); Asia / Pacific (16%)

√ Company size: Large enterprise (20%); Mid-Size enterprise (39%); Small enterprise (41%)

Business Context: Your IT is Enemy-Occupied Territory

Any organization whose business operations involve networks, computers, and application software is at risk due to vulnerabilities in these assets that can potentially be exploited, leading to unauthorized access, loss or exposure of sensitive data, disruption of services, or failure to comply with regulatory requirements. Vulnerabilities in IT infrastructure stem from many sources, including software defects, improper configurations, and simple human error.

Recent Internet-wide statistics from a wide variety of industry sources illustrate the sheer breadth and scale of the vulnerabilities and attacks that your everyday enterprise IT infrastructure must be able to withstand:

• Ten million new pieces of malware were cataloged in the first half of 2010, up from 9 million in the same period last year – making the first six months of 2010 the most active half-year ever for total malware production. Most represent slight variations of previously seen malware, which are in circulation for only a short time: the authors create them, ensure that current anti-virus software doesn’t detect them, and then distribute them via email, drive-by-downloads from infected web sites, or social engineering techniques. This process is repeated continuously and new malware is created – but machines infected with the old malware remain infected (Source: McAfee Labs).

• The number of malicious web sites increased by 110% from 2009 to 2010. Four out of 5 web sites with malicious code were legitimate sites that have been compromised; legitimate web searching on breaking trends and current news actually represented a slightly higher risk than searching for known objectionable content. Meanwhile, nearly 85% of all email messages were spam, and 90% of those contained links to malicious web sites (Source: Websense Security Labs).

• More than 16,000 phishing attacks were identified in October 2010 alone, targeting more than 180 corporate brands worldwide. Since May 2010, the countries consistently ranked as having the highest number of targeted brands have been the US, UK, Italy, Canada, India, Australia and South Africa (Source: RSA Anti-Fraud Command Center).

• Vulnerabilities in third-party programs represent an increasing, and often unappreciated, threat – many organizations continue to perceive the Microsoft operating system and other Microsoft products to be the primary attack vector. A typical end-user PC with 50 programs installed (26 Microsoft, 24 third-party) had 3.5-times more vulnerabilities in the third-party programs than in the Microsoft programs, a ratio which is expected to increase in the coming year (Source: Secunia).

Table 1: New Updates / Vulnerabilities Identified (8-week period)

| | Platform | Number |
|---|---|---|
| Windows | Windows | 8 |
| Windows | Microsoft Office | 5 |
| Windows | Other Microsoft Products | 8 |
| Windows | Third Party Windows Applications | 65 |
| | Mac | 5 |
| Unix | AIX | 1 |
| Unix | BSD | 2 |
| Unix | HP-UX | 1 |
| Unix | Novell | 6 |
| Unix | Solaris | 3 |
| Unix | Unix | 3 |
| | Linux | 24 |
| | Cross Platform | 203 |
| Web Applications | Web Application - Cross Site Scripting | 126 |
| Web Applications | Web Application - SQL Injection | 158 |
| Web Applications | Web Application - Other | 171 |
| | Network Devices | 23 |

Source: Qualys, in cooperation with SANS, for an 8-week period between May-June 2010
Aberdeen Group, December 2010


• In one typical eight-week period between May and June 2010, more than 800 new updates and vulnerabilities were identified – not only for Windows platforms, but also for Mac, Unix, Linux, cross-platform, web applications and network devices (Table 1). There were 3-times more vulnerabilities in third-party Windows applications than in Windows, Microsoft Office and other Microsoft products combined – underscoring the importance of a comprehensive approach to managing vulnerabilities, even for Microsoft-only shops (Source: Qualys, in partnership with SANS).

What Enterprise IT Resources are Being Protected?

Aberdeen’s benchmark research underscores the point that the diversity of enterprise IT resources to be protected – in the average organization, literally hundreds of applications and services – contributes significantly to the overall complexity of the vulnerability management problem (Figure 1).

Figure 1: Enterprise IT Resources to be Protected from Vulnerabilities are Many and Diverse

[Chart: Percentage of Respondents (N=157), on a scale of 0% to 100%, for each resource type: Windows platforms; Email; Remote access (including VPN, SSL VPN, WiFi); Client-server applications; Web-based applications; Back-office applications (e.g., HR, ERP); Web portals; Custom / in-house applications; Non-Windows platforms (e.g., Unix, Linux, Mac, Java); Virtual machines; Mainframe applications; Cloud-based - Software-as-a-Service]

Source: Aberdeen Group, December 2010

IT Security Risk: Reality vs. Perception

IT Security risks are abundant and equal opportunity in nature; in the past 12 months, 94% of all respondents in Aberdeen's study experienced at least one IT Security-related incident. These range from the more common types of incidents (e.g., malware, non-criminal misuse of company systems, loss or theft of IT assets, insider misuse of access privileges) to the less common but potentially crippling (e.g., loss or theft of intellectual property, employee sabotage), with a diverse array of IT Security-related vulnerabilities and threats in between. Over the last 12 months, the average number of IT Security-related incidents (of any type) experienced by participants in Aberdeen's study was 10.7 – an average of nearly one per month.

Interestingly, the perception of IT Security risk is only moderately correlated with the number of IT Security incidents actually experienced in the last 12 months (Figure 2) – a reminder of the importance the human element can play in making risk management decisions. Respondents generally ranked their current assessment of risk from a wide variety of IT Security-related incidents to be on the low side, i.e., less than 3 on a scale of 1 (lowest) to 5 (highest). The risks that are perceived to be the highest include malware, loss or exposure of sensitive data, loss or theft of IT assets, loss or theft of intellectual property, misuse of access privileges (by insiders), and network or system intrusion and malicious hacking (by outsiders).

Figure 2: IT Security-related Incidents Experienced in the Last 12 Months, versus Perceived Risk

[Chart: X-axis: Percentage of Respondents Experiencing Incidents in the Last 12 Months (N=157); Y-axis: Perceived Risk (1=Lowest, 5=Highest). Plotted incident types: Loss or theft of IP; Loss or exposure of sensitive data; Malware; Loss or theft of IT assets; Network or system intrusion; Malicious hacking; Targeted phishing; Misuse of access priv; Non-criminal misuse; Social engineering; DoS attacks; Employee sabotage; Criminal misuse; Cyber-terrorism; Organization ID theft; Financial fraud]

Source: Aberdeen Group, December 2010

The Consequences of IT Security Incidents

The consequences of actual IT Security-related incidents are as varied as the types of incidents themselves; the most commonly noted were:

• Loss of end-user productivity (70% of all respondents)

• Unplanned downtime (64%)

• Internal disciplinary process (51%); employee termination (36%)

• Loss or exposure of sensitive data (32%)

• Damage to brand or reputation (20%)

For the participants in Aberdeen's study, the average financial impact per actual IT Security-related incident was estimated at $120,000. Note that this figure represents a blended amount for all of the incident types listed in Figure 2. Previous Aberdeen research has found, for example, that the average financial impact for a data loss or data exposure incident ranges between $500,000 and $640,000; for remediating an application security vulnerability, it was $300,000. For the purposes of this Research Brief, Aberdeen's analysis will use the blended figure of $120,000.

Given an average of 10.7 incidents experienced in the last 12 months, and an average financial impact of $120,000 per incident, the total cost of IT Security-related incidents not avoided is $1,280,000 per year, in spite of an average expenditure of $870,000 on IT Security initiatives. That is, the average respondent in Aberdeen's study invests a total of $2,150,000 per year in IT Security-related activities. This total works out to approximately $220 per employee per year, or roughly 0.2% of annual revenue. Many companies spend more than this on complimentary tea and coffee!

Managing Vulnerabilities: Market Trends, Best Practices

For the purposes of Aberdeen’s research, vulnerability management (VM) refers to the process of detecting, prioritizing, and eliminating the vulnerabilities that put an organization's IT infrastructure at risk. A simplified vulnerability management lifecycle includes three basic stages:

• Assess: identification of all vulnerabilities and threats that are relevant to the organization's IT assets

• Prioritize: determination of which vulnerabilities and threats should be addressed first, based on the level of risk and the business value of the IT assets in question

• Remediate: deployment of software patches, configuration updates, or compensating controls

Unfortunately, each new day brings a new wave of threats and vulnerabilities to be managed, so these steps must be repeated on a continuous basis to manage vulnerability-related risks within acceptable limits. The top performers at vulnerability management are able to accomplish this while maximizing efficiency and minimizing total cost. Even this simplified lifecycle illustrates the continuous nature of vulnerability management (Table 2).

Table 2: The Vulnerability Management Lifecycle: Assess, Prioritize, Remediate, Repeat

Assess

• Identify all IT assets (including platforms, operating systems, applications, network services)

• Monitor external sources for vulnerabilities, threats and intelligence regarding remediation

• Scan all IT assets on a regular schedule for vulnerabilities, patches and configurations

Prioritize

• Maintain an inventory of IT assets

• Maintain a database of remediation intelligence

• Prioritize the order of remediation as a function of risk, compliance, audit and business value

• Distribute relevant vulnerability intelligence and recommendations to all affected teams

Remediate

• Model / stage / test remediation before deployment

• Deploy remediation (automated, or manually)

• Train administrators and end-users in vulnerability management best practices

Repeat

• Scan to verify success of previous remediation

• Report for audit and compliance

• Continue to assess, prioritize, and remediate

Source: Aberdeen Group, December 2010


Aberdeen's research shows that the current state of IT Security is in truth a state of insecurity; among all respondents, only 9% are “completely confident” in their ability to detect IT Security-related vulnerabilities and threats. On average, companies rate their confidence at a very slightly positive 3.2 on a scale of 1 (not confident at all) to 5 (completely confident). The good news is that the most common means of detection are proactive – deployment of IT Security products and services, proactive scanning and testing, and internal audits – as opposed to being informed by customers, business partners, law enforcement, or public media.

Current, Planned Use of Selected IT Security Technologies

Aberdeen asked respondents about their current use of a wide range of IT Security technologies, as well as their planned use of those technologies in the next 12 months (Figure 3). For example, nearly all companies (96%) have deployed network firewalls, and 4 out of 5 (79%) have deployed intrusion detection / prevention solutions to defend their network infrastructures. In addition, current deployments of network vulnerability scanning (71%) and penetration testing (48%) provide evidence of a generally proactive approach to managing and securing enterprise networks. A majority of companies have also invested to protect themselves against vulnerabilities in their email, web access and web-based applications: email security (84%) and web security (79%) are well-established as baseline technologies.

Defining three Maturity Classes

To distinguish Best-in-Class companies (top 20%) from Industry Average (middle 50%) and Laggard organizations (bottom 30%) in IT Security-related topics, Aberdeen generally uses the following performance criteria:

√ Number of actual security-related incidents

√ Number of audit deficiencies (incidents of non-compliance)

√ Operational costs

Companies with top performance based on these criteria earn Best-in-Class status.

Full details are available in each respective benchmark report (see Related Research).

Figure 3: Use of Enabling Technologies (Current, Planned)

[Chart: Percentage of Respondents (N=157), on a scale of 0% to 100%, in two series (Currently Implemented; Planned < 12 Months) for each technology: Network firewall; Network vulnerability scanner; Intrusion detection / prevention; Penetration testing; Anti-virus / anti-malware; Patch management; Configuration and change management; Email security; Web security]

Source: Aberdeen Group, December 2010

Similarly, nearly all companies (96%) have deployed anti-virus / anti-malware solutions, and a majority has deployed patch management (74%) and configuration and change management (65%) – more evidence of a generally proactive approach for managing the vulnerabilities and threats related to their endpoints.


Examination of current use of these enabling technologies by maturity class, however, shows that some technologies are more strongly correlated with top performance (Figure 4) – for example, the current use of patch management and configuration and change management. This is not to say that deployment of technologies such as network firewalls and anti-virus / malware is not important – quite the contrary, it demonstrates that deployment of these technologies alone is necessary, but not sufficient. In other words, Aberdeen's research confirms that deployment of technologies such as network firewalls and anti-virus / anti-malware alone does not distinguish top performance.

Figure 4: Current Use of Enabling Technologies, by Maturity Class

Percentage of Respondents (N=157)

| Technology | Best-in-Class (top 20%) | Industry Average (middle 50%) | Laggards (bottom 30%) |
|---|---|---|---|
| Network firewall | 100% | 96% | 96% |
| Network vulnerability scanner | 82% | 75% | 64% |
| Intrusion detection / prevention | 97% | 78% | 73% |
| Penetration testing | 61% | 51% | 42% |
| Anti-virus / anti-malware | 100% | 97% | 93% |
| Patch management | 93% | 77% | 64% |
| Configuration and change management | 83% | 65% | 61% |
| Email security | 90% | 84% | 80% |
| Web security | 93% | 76% | 73% |

Source: Aberdeen Group, December 2010

In Figure 5, the absolute adoption of these technologies by the top performers is plotted against the relative adoption by the leaders in comparison to that of the laggards to provide a quadrant-style view. Examination of Figure 5 makes it easy to visualize why Aberdeen refers to network firewalls, network vulnerability scanners, email security, web security, and anti-virus / anti-malware as baseline technologies: they are absolutely necessary, but by themselves they do not differentiate top performance. On the other hand, patch management and configuration / change management technologies are found to be stronger differentiators of Best-in-Class performance. In other words, again: no, firewalls and anti-virus is not enough – and for companies who have already deployed those solutions, incremental investments in solutions to assess, prioritize and remediate patches and configuration changes are likely to drive improvements in both the efficiency and effectiveness of their vulnerability management initiatives.


Figure 5: Best-in-Class Current Use of Enabling Technologies (Absolute, Relative to Laggards)

[Chart: X-axis: Absolute Adoption (% of Best-in-Class indicating current use), 0% to 100%; Y-axis: Relative Adoption (ratio of adoption by the Best-in-Class compared to that of Laggards), 1.0 to 1.8. Plotted technologies: IDP; Network vuln scanner; Pen testing; Network firewall; Patch mgmt; Config/change mgmt; A/V; Email security; Web security. Legend: Network; Endpoint; Content. Quadrants: New / Emerging; Baseline; Best-in-Class Early Adoption; Best-in-Class Differentiators]

Source: Aberdeen Group, December 2010

More than Technologies Alone: Other Current Capabilities

In addition to asking respondents about their current and planned use of IT Security technologies, Aberdeen regularly investigates current capabilities related to process (the approaches taken to execute daily operations), organization (corporate focus and collaboration among stakeholders), knowledge management (putting business intelligence in context and exposing it to relevant stakeholders), and performance management (measurement of results to improve the business). In study after study, Aberdeen's unique benchmarking approach to market research demonstrates the truth in the well-worn phrase "People, Process and Technology" as the cornerstones of successful enterprise-wide initiatives.

Certain people and process capabilities are more strongly correlated with the achievement of top results than others. For example, consistent policies; standardized responses to incidents, exceptions or events; and centralized visibility and intelligence related to the IT infrastructure are especially noteworthy as differentiators of Best-in-Class performance in the area of vulnerability management, as illustrated in Figure 6. Standardized responses (as opposed to ad hoc, individual heroics) tend to start out as manual and less efficient, but are optimized by the top performers through increasing use of automation, distribution of relevant intelligence for remediation, and consistent management across the enterprise.

Figure 6: Current Capabilities, by Maturity Class

Percentage of Respondents (N=157)

| Capability | Best-in-Class (top 20%) | Industry Average (middle 50%) | Laggards (bottom 30%) |
|---|---|---|---|
| Consistent policies for IT security | 63% | 57% | 45% |
| Standardized response to security-related incidents, exceptions, or events | 61% | 44% | 40% |
| Systematic elimination of root causes for security-related incidents, exceptions, or events | 40% | 37% | 30% |
| Responsible executive or team with primary ownership and accountability for IT security | 65% | 59% | 55% |
| Centralized collection, normalization and correlation of security-related information and events | 52% | 29% | 22% |
| Management visibility into the number, frequency and details of security and compliance incidents | 41% | 38% | 32% |

Source: Aberdeen Group, December 2010

On the important topic of visibility and intelligence, Aberdeen's research shows that higher confidence in accurate visibility at the endpoints generally correlates with lower perception of current risk (Figure 7).

Figure 7: Confidence in Accurate Visibility vs. Perceived Risk

[Chart: X-axis: Confidence in Accurate Visibility (1=Lowest, 5=Highest); Y-axis: Current Assessment of Risk (1=Lowest, 5=Highest). Plotted items: User-managed endpoints; Enterprise-managed endpoints; Patches; Configurations; Anti-virus, anti-malware; Virtual desktops; Endpoint encryption]

Source: Aberdeen Group, December 2010


That is, having the visibility that agents and software for anti-virus / anti-malware, patch management and configuration and change management solutions are installed, running and up-to-date on the endpoints that are connecting to the enterprise network generally corresponds to a lower assessment of current risk. Note that viral growth in user-managed endpoints that many organizations are currently experiencing only intensifies the visibility problem for vulnerability management, especially in comparison to traditional enterprise-managed endpoints. One critical difference is that the mature enterprise views vulnerability management as an essential function to be optimized, while the less mature enterprise typically views it as an unattractive burden to be done as time allows.

Striking the Right Balance: A Risk-Based Approach

As discussed above, for companies in Aberdeen's study the total cost of IT Security-related incidents not avoided is $1,280,000 per year, in spite of an average annual expenditure of $870,000 on their IT Security initiatives – in other words, for every $100 invested to reduce or prevent security incidents from happening, they are spending an additional $147 as a result of incidents that happened anyway. There may be no such thing as "perfect" security – that is, one could invest an infinite amount on prevention, and yet an incident may still occur – but does the ratio of "total cost of IT Security initiatives" versus "total cost of IT Security-related incidents not avoided" reflect the optimal balance? Optimization of the tradeoffs between higher or lower annual investments in IT Security initiatives, versus the additional costs of IT Security-related incidents avoided or not avoided, is the very essence of a risk-based approach.

Aberdeen's analysis of the responses as a function of company size and as a function of geographic headquarters provides some interesting additional insights to this question (Table 3).

Table 3: Comparing Total Annual Investments in IT Security, by Company Size and by Geography

| Annual Averages | All | Large | Mid-Size | Small | Americas | EMEA | Asia/Pacific |
|---|---|---|---|---|---|---|---|
| Ratio of total costs not avoided to total annual cost of initiatives | 1.47 | 0.64 | 2.00 | 3.57 | 1.35 | 1.59 | 2.74 |
| Total (as a % of annual revenue) | 0.2% | 0.1% | 0.6% | 3.8% | 0.2% | 0.2% | 0.2% |
| Total (as $ per employee per year) | $220 | $140 | $590 | $1,200 | $230 | $170 | $250 |

Source: Aberdeen Group, December 2010

By company size, Aberdeen's analysis shows that Large organizations are currently winning the game in this regard:

• For every $100 invested annually to reduce or prevent IT Security-related incidents from happening, the additional annual expense as a result of incidents that happened anyway is $64 for Large, $200 for Mid-Size, and $357 for Small.


Sector Definitions / Fast Facts

For the purposes of this Research Brief, the following terms are defined by an organization's revenue in the most recent 12-month reporting period:

√ Large: $1B or higher

√ Mid-Size: less than $1B and more than $50M

√ Small: $50M or lower

Current deployments of selected technologies, by company size:

√ Anti-virus / anti-malware: Large 100%; Mid-size 98%; Small 93%

√ Patch management: Large 96%; Mid-Size 77%; Small 64%

√ Configuration / change management: Large 93%; Mid-Size 65%; Small 52%

• The total annual investment in IT Security is 0.1% of annual revenue for Large, 0.6% of annual revenue for Mid-Size, and 3.8% of annual revenue for Small. For the Small enterprise in particular, this is a material amount; what small business would not be interested to increase its bottom line by nearly 4%?

• The total annual investment in IT Security is $140 per employee for Large, $590 per employee for Mid-Size, and $1,200 per employee for Small.

Not surprisingly, current deployments of vulnerability management technologies such as anti-virus, patch management, and configuration and change management are strongly correlated with larger company size (see Fast Facts at right). Current capabilities that also correlate strongly with larger company size include consistent policies; standardized responses to security-related incidents, exceptions, or events; documentation, awareness and training programs for end-users; and a responsible executive or team with primary ownership and accountability for the initiatives. On this last point, the CEO in Small enterprises is 3-times more likely to own IT Security than in Large enterprises; Large enterprises are 3-times more likely than Small enterprises to have a C-level officer (CSO or CISO) dedicated to IT Security. Claiming IT Security as one of the chief executive's many responsibilities, as opposed to being the security executive's primary responsibility, is arguably a cornerstone for all of the other key differences between Large, Mid-Size and Small organizations identified in this analysis.

By geography, the results of Aberdeen's analysis are less distinct:

• For every $100 invested annually to reduce or prevent IT Security-related incidents from happening, the additional annual expense as a result of incidents that happened anyway is $135 for Americas, $159 for EMEA, and $274 for Asia/Pacific based organizations who are the outliers in this regard.

Sector Definitions

For the purposes of this Research Brief, the following terms are defined by the geographic location of the firm's headquarters:

√ Americas: North, South and Central America

√ EMEA: Europe, the Middle East, and Africa

√ Asia / Pacific: all others

• Total annual investments in IT Security are consistent on a worldwide basis, at about 0.2% of annual revenue.

• The total annual investment in IT Security is $230 per employee for Americas, $170 per employee for EMEA, and $250 per employee for Asia/Pacific.

In looking for material differences by geography, Aberdeen found that Americas-based organizations are 2-times more likely to have a C-level position dedicated to IT Security, whereas EMEA-based and A/P-based organizations are more likely to incorporate security as an element of the CIO’s role. There were no material differences between geographies in terms of current capabilities or current use of enabling technologies. Asia/Pacific-based organizations are, however, nearly 2-times more likely than Americas-based companies to be motivated by internal policies than by regulatory compliance as the leading drivers for their current investments. Strategically, Asia/Pacific-based organizations are more likely to establish consistent policies, and to invest in technologies to enforce them – although unfortunately the research indicates that at this time they are less effective in their actual results.

Case in Point: Allianz Group (Munich, Germany)

From its beginnings in 1890 as a transport and accident insurer with operations in Berlin, the Allianz Group today is one of the world's leading integrated financial services providers. Revenue in fiscal year 2009 totaled nearly 100 billion Euros, and the company serves approximately 75 million customers in about 70 countries with its portfolio of insurance, banking, and asset management products and services. Allianz Group has approximately 152,000 employees worldwide.

With such a large and geographically diverse enterprise, Allianz Group needed prompt information about vulnerabilities and threats to their IT infrastructure – and actionable intelligence about their elimination. Additional high-priority selection criteria for a vulnerability management solution included ease of use and a clear cost-benefit business case. After investigating solutions from multiple vendors, including Secunia and dCERT, the Security Risk and Business Continuity team decided to implement the Secunia solution. Other factors favoring the selection of Secunia included easy-to-use web-based functionality, alarm notification by email and SMS, and flexibility in the selection of hardware and software.

Mr. Bernhard Weller, from Allianz Managed Operations and Services, particularly noted the importance of good reporting capabilities in a successful vulnerability management initiative. "We can now support the possibility for reporting on a monthly, weekly and daily basis if needed," explained Mr. Weller. "Having the specific vulnerability information we require for prioritization, along with the ability to communicate relevant vulnerability intelligence to the appropriate resources for remediation, for us was especially convincing."

Solutions Landscape (illustrative)

The solutions in Table 4 – highlighted based on their capabilities for integration of intelligence for prioritization and automated remediation – are illustrative of those that address the full vulnerability management lifecycle.

Table 4: Solutions Landscape for the Vulnerability Management Lifecycle (illustrative)

| Company | Web Site | Solution(s) |
| --- | --- | --- |
| eEye Digital Security | www.eeye.com | Retina Unified Vulnerability Management, Blink Endpoint Protection, Iris Network Traffic Analyzer |
| IBM (BigFix) | www.bigfix.com | BigFix Asset Discovery, Patch Management, Security Configuration Management, Vulnerability Management, Anti-Virus / Anti-Malware |
| Lumension | www.lumension.com | Lumension Application Control, AntiVirus, Device Control, Patch and Remediation, Scan, Security Configuration Management, Risk Manager, Enterprise Reporting |
| Novell | www.novell.com | ZENworks Configuration Management, Asset Management, Endpoint Security Management, Patch Management |
| Secunia | www.secunia.com | Secunia Corporate Software Inspector, Vulnerability Intelligence Manager |
| Shavlik | www.shavlik.com | Shavlik NetChk Protect, NetChk Configure, Security Intelligence |

Source: Aberdeen Group, December 2010

Solution providers such as Qualys, Rapid7, SAINT, nCircle, Tenable and Core Security focus primarily on the assessment aspect of the vulnerability management lifecycle.

Summary and Recommendations

Any organization whose business operations involve networks, computers and application software is at risk due to vulnerabilities in these assets that can potentially be exploited. Aberdeen's research shows that characteristics of organizations with top performance in vulnerability management include:

• A comprehensive approach – the top performers excel across the entire vulnerability management lifecycle, from assessment to prioritization to remediation. Their focus on maximizing efficiency and minimizing total cost also acknowledges the necessity of a continuous approach to vulnerability management. A multi-application approach is critical, especially since on the typical Windows-based PC there are more than 3-times more vulnerabilities in third-party applications than in all installed Microsoft programs combined. For most organizations a multi-platform approach is also important. Speed and accuracy are key solution selection criteria.

• A risk-based approach – the top performers quickly determine which vulnerabilities and threats should be addressed first, based on the level of risk and the business value of the IT assets in question. Selection criteria for vulnerability management solutions should include the visibility and intelligence that can be gleaned to provide insights, rankings, and recommended priorities for remediation.

• An optimized approach – the top performers tend to focus on being secure, compliant and well-managed … in that order. Well-managed includes both greater efficiency (i.e., lower total cost) and greater effectiveness (e.g., automation to reduce cost and reduce windows of vulnerability); this has the additional benefit of freeing up precious resources from working on unrewarded risks (such as vulnerabilities and compliance) to focus on rewarded risks (such as innovation, growth).

Aberdeen's research shows that network firewalls, network vulnerability scanners, email security, web security, and anti-virus / anti-malware are baseline technologies: they are absolutely necessary, but by themselves they do not differentiate top performance. Solution providers whose vulnerability management offerings include patch management and configuration / change management technologies – along with the capabilities for integration of vulnerability intelligence for prioritization and automated remediation – are found to be the strongest differentiators of the companies achieving Best-in-Class results.

For more information on this or other research topics, please visit www.aberdeen.com.

Related Research

• The State of IT (In)Security, and How to Avoid Costs by Investing More; November 2010

• National Cybersecurity Awareness Month: Anti-Virus and Personal Firewalls; October 2010

• National Cybersecurity Awareness Month: Patches, Configurations and Changes; October 2010

• Five Key Capabilities for Gaining Visibility and Control over Your Network Devices, Endpoints and End-Users; September 2010

• Securing Your Applications: Three Ways to Play; August 2010

• Web Security in the Cloud; May 2010

• Email Security in the Cloud; April 2010

• When Less is More: Why Small Companies Should Think Outside the (Red / Yellow) Box for Protecting Their Endpoints; March 2009

• Secure, Compliant, and Well-Managed: The IT Security Approach to GRC; February 2009

• Vulnerability Management: Assess, Prioritize, Remediate, Repeat; July 2008

Author: Derek E. Brink, Vice President and Research Fellow, IT Security


This document is the result of primary research performed by Aberdeen Group. Aberdeen Group's methodologies provide for objective fact-based research and represent the best analysis available at the time of publication. Unless otherwise noted, the entire contents of this publication are copyrighted by Aberdeen Group, Inc. and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Aberdeen Group, Inc. (010110)