by Ed Tittel, Kim Lindros

How to Choose the Best Vulnerability Scanning Tool for Your Business

Sep 16, 2014

Any shop with Internet access must scan its network and systems regularly for vulnerabilities, but old-fangled tools made this a painful and time-consuming effort. Find out how new and improved vulnerability scanners make life easier for network admins.


A vulnerability scanner, as its name implies, scans your network or system (such as a computer, server or router) and identifies and reports back on open ports, active Internet Protocol (IP) addresses and log-ons, not to mention operating systems, software and services that are installed and running. The scanner software compares the information it finds against known vulnerabilities in its database or a third-party database such as CVE, OVAL, OSVDB or the SANS Institute/FBI Top 20.

A scanner typically prioritizes known vulnerabilities as critical, major or minor. The beauty of a vulnerability scanner is that it can also detect malicious services, such as Trojans, that are listening on a system's ports.

Not all scanners are equal, though. Many low-end and free vulnerability scanners simply scan a network or system and provide remedial reporting; more feature-rich tools incorporate patch management and penetration testing, among other components. However, many scanners – low-end or high-end – suffer from false-positives and false-negatives. A false-positive generally results in an administrator chasing down information about an issue that doesn’t exist. A false-negative is more serious, as it means the scanner failed to identify or report something that poses a serious security risk.
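The core of what the preceding paragraphs describe is a comparison of discovered software versions against a database of known-vulnerable versions, followed by ranking the hits by severity. The following is an added example written for this page, not code from the article or from any scanner vendor; the hosts, product names, version ranges and `VULN-xxxx` identifiers are constructed placeholders, not real CVE entries. It also shows one common source of a false negative: comparing version strings lexically instead of numerically.

```python
"""Match a service inventory against a vulnerability database and rank the hits.

Added example; not the article's or any vendor's code. Every host, product,
version range and VULN-xxxx id below is constructed for illustration.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "major": 1, "minor": 2}  # lower sorts first


def parse_version(text: str) -> tuple:
    """Turn '2.4.9' into (2, 4, 9) so versions compare numerically.

    Comparing the raw strings would say '2.4.9' > '2.4.10' and silently miss
    a vulnerable host: a false negative caused by the matcher, not the data.
    """
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Vuln:
    vuln_id: str    # constructed placeholder id
    product: str
    fixed_in: str   # first version that is NOT affected
    severity: str   # critical / major / minor


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    product: str
    version: str


# Constructed "database": every version below fixed_in is affected.
VULN_DB = [
    Vuln("VULN-0001", "exampled", "2.5.0", "critical"),
    Vuln("VULN-0002", "exampled", "2.4.10", "minor"),
    Vuln("VULN-0003", "mailsvc", "1.2.0", "major"),
]

# Constructed inventory, as a scanner might collect from banners or agents.
INVENTORY = [
    Service("10.0.0.5", 80, "exampled", "2.4.9"),
    Service("10.0.0.7", 25, "mailsvc", "1.1.3"),
    Service("10.0.0.9", 80, "exampled", "2.5.1"),   # already patched: no hits
]


def match_findings(inventory, db):
    """Return (service, vuln) pairs where the installed version predates the fix."""
    findings = []
    for svc in inventory:
        for vuln in db:
            if svc.product == vuln.product and parse_version(svc.version) < parse_version(vuln.fixed_in):
                findings.append((svc, vuln))
    # Most severe first, then by host, for a stable and readable report.
    findings.sort(key=lambda f: (SEVERITY_RANK[f[1].severity], f[0].host))
    return findings


def report(findings):
    """One line per finding, severity first so the critical items lead the report."""
    return [
        f"{v.severity.upper():8} {s.host}:{s.port} {s.product} {s.version} -> {v.vuln_id} (fixed in {v.fixed_in})"
        for s, v in findings
    ]


if __name__ == "__main__":
    for line in report(match_findings(INVENTORY, VULN_DB)):
        print(line)
```

Real scanners carry far richer affected-version data (ranges, branches, backported fixes), but the shape is the same: a normalized version comparison against a database entry, then a severity sort.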


When researching vulnerability scanners, it’s important to find out how they’re rated for accuracy (the most important metric) as well as reliability, scalability and reporting. If accuracy is lacking, you’ll end up running two different scanners, hoping that one picks up vulnerabilities that the other misses. This adds cost and effort to the scanning process. Not only is an IT staffer spending double the time on the scanning process itself; she’s also combing through two sets of scanning results to see what’s what.

Software-Based Vulnerability Scanners: Targeted Reports From Various Devices

Some of the best-known and more highly rated commercial vulnerability scanners are Nessus (Tenable Network Security), Secunia CSI and Core Impact (Core Security). Nessus started as a free tool but was eventually converted to a commercial product, with a beefed-up feature set and higher quality tech support. Secunia is free for personal use and affordable for commercial use. Core Impact is pricey ($40,000 and up) but offers terrific value for the money.

These types of scanning products generally include configuration auditing, target profiling, penetration testing and detailed vulnerability analysis. They integrate with Windows products, such as Microsoft System Center, to provide intelligent patch management; some work with mobile device managers. They can scan not only physical network devices, servers and workstations, but extend to virtual machines, BYOD mobile devices and databases. Some products, such as Core Impact, integrate with other existing scanners, enabling you to import and validate scan results.

Software-based scanners also require much less administration than their counterparts from 10 years ago, or low-end tools of today, thanks to greatly improved user interfaces and targeted analysis reports with clear remediation actions. Reporting functionality lets you sort on many different criteria, including vulnerability and host, and see trends in changes over time.

Cloud-Based Vulnerability Scanners: Continuous, On-Demand Monitoring

A newer type of vulnerability scanner is delivered on-demand as Software as a Service (SaaS). Products such as Qualys Vulnerability Management provide continuous, hands-free monitoring of all computers and devices on all network segments (perimeter to internal). They can also scan cloud services such as Amazon EC2. With an on-demand scanner, there’s no installation, manual integration or maintenance required – just subscribe to the service and configure your scans.


“Maintenance-free” means that the scanner service tunes and tweaks the scanning engine, and tests and verifies that definition lists are current, to reduce the occurrence of false-positives and false-negatives.

Like software-based scanners, on-demand scanners incorporate links for downloading vendor patches and updates for identified vulnerabilities, reducing remediation effort. These services also include scanning thresholds to prevent overloading devices during the scanning process, which can cause devices to crash.

For targeted scanning and reporting purposes, the Qualys product in particular lets you group and tag hosts by location or business unit. It also provides a form of risk-based prioritization by correlating a business impact to each asset, so you know which vulnerabilities to tackle first.
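Risk-based prioritization of the kind described above amounts to weighting each finding's severity by the business impact of the asset it sits on, with tags used to slice the result by site or business unit. The following is an added example written for this page, not Qualys code or the article's own; the hosts, tags, impact scores and finding ids are constructed.

```python
"""Rank findings by severity weighted with asset business impact, grouped by tag.

Added example; not the article's or Qualys' code. Hosts, tags, impact scores
and VULN-xxxx ids are constructed for illustration.
"""
from collections import defaultdict

SEVERITY_WEIGHT = {"critical": 10, "major": 5, "minor": 1}

# Asset register: each host carries location/business-unit tags and a 1-5 business impact.
ASSETS = {
    "10.0.0.5": {"tags": {"loc:ams", "bu:payments"}, "impact": 5},
    "10.0.0.7": {"tags": {"loc:ams", "bu:hr"}, "impact": 2},
    "10.0.0.8": {"tags": {"loc:nyc", "bu:payments"}, "impact": 4},
    "10.0.0.9": {"tags": {"loc:nyc", "bu:lab"}, "impact": 1},
}

# Constructed scanner findings: (host, finding id, severity).
FINDINGS = [
    ("10.0.0.9", "VULN-0001", "critical"),   # critical, but on a throwaway lab box
    ("10.0.0.5", "VULN-0002", "minor"),
    ("10.0.0.7", "VULN-0003", "major"),
    ("10.0.0.8", "VULN-0004", "major"),
    ("10.0.0.5", "VULN-0005", "major"),      # major on the most important asset
]


def risk_score(severity, impact):
    """Severity weight times business impact; the ordering key for remediation."""
    return SEVERITY_WEIGHT[severity] * impact


def prioritize(findings, assets):
    """Findings sorted highest risk first, as (score, host, finding id, severity)."""
    ranked = [(risk_score(sev, assets[h]["impact"]), h, fid, sev) for h, fid, sev in findings]
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked


def by_tag(findings, assets, tag):
    """Findings on hosts carrying one tag, e.g. a single business unit or site."""
    return [f for f in findings if tag in assets[f[0]]["tags"]]


def risk_by_tag(findings, assets, prefix):
    """Total risk per tag sharing a prefix ('bu:' or 'loc:'), for a per-group view."""
    totals = defaultdict(int)
    for h, fid, sev in findings:
        for t in assets[h]["tags"]:
            if t.startswith(prefix):
                totals[t] += risk_score(sev, assets[h]["impact"])
    return dict(totals)


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        print(row)
    print(risk_by_tag(FINDINGS, ASSETS, "bu:"))
```

Note how the ranking comes out: two major findings on payments systems outrank the lone critical on a low-impact lab host, which is exactly the reordering that asset-aware prioritization is meant to produce.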

Too Many Threats Out There to Avoid Vulnerability Management

Vulnerability scanning is a must for medium-size to enterprise environments, considering the large number of network segments, routers, firewalls, servers and other business devices in use. The attack surface is simply too large (and too inviting to malicious attackers) not to scan regularly.


Compliance is also an important issue. For organizations that must adhere to stringent IT rules to meet regulations such as PCI DSS, HIPAA and GLBA, vulnerability scanning is part and parcel of doing business.

Smaller organizations or environments could have a tough time affording the full-featured vulnerability scanners, which can run from $1,000 to $1,500 at a minimum for an annual license. (The costs run into the tens of thousands for some scanners in an enterprise.) That said, it’s a relatively small price to pay for on-demand or hands-free vulnerability management with detailed reporting. It would cost far more to pay a staff member to run regular scans and interpret the volume of generated data the old-fashioned (and labor-intensive) way.