While the security and compliance world is fast maturing, the promise of fully-automated security solutions remains far out on the horizon. Even today, with the creation of standards like Open Vulnerability and Assessment Language (OVAL) and Security Content Automation Protocol (SCAP), the vulnerability management process is a challenging one, often involving manual efforts with less than perfect information on which to prioritize effort. This means the fundamental process of assessing risk and compliance against policies will not go away anytime soon.
In today's environment, vulnerability management is often a separate, isolated task within the security operations landscape. Vulnerability management tasks typically comprise scanning the computing environment or otherwise collecting asset risk information, identifying vulnerabilities, and then attempting to remediate discovered risk or documenting exceptions when risks are accepted or cannot be directly addressed via applying software patches (or so-called “patching”). Vulnerability assessment still largely revolves around this scan-and-patch paradigm, although there are numerous operational and business obstacles that make it difficult to simply patch or otherwise directly mitigate every discovered issue. Indeed, this process is expensive and time-consuming and therefore often left incomplete, which creates exposure for the enterprise.
A typical enterprise security infrastructure comprises tools and technologies at multiple OSI layers (namely, transport, data, application, network, and the like) that—at least theoretically—combine to provide an overall level of protection for an enterprise. In practice, however, it is very difficult to drive a consistent, complete risk assessment process spanning network, application and web layers from pre-production software development through to standard operating systems, off-the-shelf software and network devices. This is because these tools operate in different worlds and involve differing mitigation strategies. Although some converged security solutions are emerging, most enterprises have numerous security products deployed that address varying types of risks and threats operating at a specific layer throughout their defense in depth model. As a result, most enterprises typically have layer-specific data resulting in siloed processes and information. Moreover, the individual(s) conducting vulnerability management do not always have seamless visibility and operational control of the multiple layers of security available that might already be addressing a discovered risk. Therefore, in the absence of better information and processes, the only course for protection is to patch the vulnerability. While this approach appears simple, patching often is a complex operational process that is not easily carried out in large organizations. In addition, patching a particular vulnerability often is not the best security option given the context of the business requirements and other operational constraints.
Security and operations functions are still in the process of converging. Those responsible for performing a remediation task and those in the security organization have information needs that differ. This causes challenges when trying to facilitate a security process across functional areas. It is also very difficult to compare an already complex and challenging risk assessment process with the existing security countermeasures that are in place so that the optimal mitigation strategy is deployed. These tasks must also be carried out under the umbrella of corporate security policy. This gap creates exposure, duplication of effort, non-compliance and overall inefficiency and higher costs to secure the environment and comply with regulations.
Accordingly, there remains a need in the art to provide a solution that identifies risks and intelligently maps the attributes of those risks to the most effective countermeasures. These techniques and methods should make enterprise wide intelligence immediately actionable to mitigate risk while at the same time protecting against evolving threat vectors within a computing environment.