
Our Vulnerability Assessment Vulnerability Management Research Publishes

By Anton Chuvakin | November 24, 2015 | 0 Comments

Tags: vulnerability management, security, announcement

It is with much excitement that I announce that our (Augusto’s and mine) batch of three VA/VM papers have published. The documents are linked below (Gartner GTP access required):

In more detail:

“How to Implement Enterprise Vulnerability Assessment” has these juicy quotes:

  • “VA is a critical part of the VM process, and integrating VA with the next steps in the VM cycle is as important as operationalizing the scanning process.”
  • “The very first step in any VA effort is defining what is expected from the process and what the process will cover (which networks and assets, and which types of vulnerabilities and applications).”
  • “Less mature organizations […] may start with a “let’s start scanning first” approach, only to find out that sorting through the massive output of the scans, identifying asset owners, recognizing false positives and dealing with reporting idiosyncrasies require time and resources.”

“A Guidance Framework for Developing and Implementing Vulnerability Management” contains these gems:

  • “The most critical point in a VM process is the handover of identified vulnerabilities to the team responsible for remediating them.”
  • “No matter how hard you try, you cannot go to a store and purchase vulnerability management (VM). Security processes, unlike appliances, software and services, cannot be acquired in exchange for cash. They can only be established by an organization and then matured to an appropriate level.”

“A Comparison of Vulnerability and Security Configuration Assessment Solutions” features bits such as:

  • “The VA market comprises a clear set of enterprise-ready products that compete for enterprise security budgets. The vendors of those products mostly compete with each other and not with the “long tail” of the remaining VA players.”
  • “Although VA tools have existed for nearly 20 years, selecting the one that will work for your particular environment remains a challenge. Aspects such as architecture, assessment methods, technologies covered and integration options vary from vendor to vendor, and selecting one that fits organization requirements is critical to implementation success.”

Augusto’s blog on these is here.

Now, back to SIEM research! 🙂

Past posts on vulnerability management:

Blogs posts with recent paper publications:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
