How to Choose the Best Vulnerability Scanning Tool for Your Business

Any shop with Internet access must scan its network and systems regularly for vulnerabilities

A vulnerability scanner, as its name implies, scans your network or system (such as a computer, server or router) and identifies and reports back on open ports, active Internet Protocol (IP) addresses and log-ons, not to mention operating systems, software and services that are installed and running. The scanner software compares the information it finds against known vulnerabilities in its database or a third-party database such as CVE, OVAL, OSVDB or the SANS Institute/FBI Top 20.

A scanner typically prioritizes known vulnerabilities as critical, major or minor. The beauty of a vulnerability scanner is that it can also detect malicious services, such as Trojans, that are listening on a system's ports.

Not all scanners are equal, though. Many low-end and free vulnerability scanners simply scan a network or system and provide remedial reporting; more feature-rich tools incorporate patch management and penetration testing, among other components. However, many scanners, low-end or high-end, suffer from false-positives and false-negatives. A false-positive generally results in an administrator chasing down information about an issue that doesn't exist. A false-negative is more serious, as it means the scanner failed to identify or report something that poses a serious security risk.
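As an added illustration (not code from the article or from any scanner product it names), the Python sketch below shows the matching step described above: service banners collected from open ports are fingerprinted, compared against a database of known flaws, and ranked critical/major/minor. A distro-built service whose version string does not reflect backported fixes is flagged for verification, since banner-only matching is one common source of false-positives. All hosts, banners, database entries and the EXAMPLE-* IDs are constructed placeholders.

```python
import re

SEVERITY_RANK = {"critical": 0, "major": 1, "minor": 2}

# Constructed scan output: the open ports and service banners a scanner collects.
SCAN_RESULTS = [
    {"host": "10.0.0.5", "port": 22, "banner": "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"},
    {"host": "10.0.0.5", "port": 80, "banner": "Apache/2.4.18 (Ubuntu)"},
    {"host": "10.0.0.9", "port": 443, "banner": "nginx/1.18.0"},
    {"host": "10.0.0.9", "port": 8080, "banner": "Welcome to the admin console"},
]

# Constructed vulnerability database: placeholder IDs, not real CVE entries.
# "fixed_in" is the first upstream version that no longer carries the flaw.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "openssh", "fixed_in": (7, 3), "severity": "major"},
    {"id": "EXAMPLE-0002", "product": "apache", "fixed_in": (2, 4, 25), "severity": "critical"},
    {"id": "EXAMPLE-0003", "product": "nginx", "fixed_in": (1, 16, 0), "severity": "minor"},
]

BANNER_RE = re.compile(r"(OpenSSH|Apache|nginx)[_/](\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_banner(banner):
    """Return (product, version_tuple) from a service banner, or None if unrecognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2).split("."))
    return m.group(1).lower(), version


def match_findings(scan_results, vuln_db):
    """Compare fingerprinted services against the database and rank by severity."""
    findings = []
    for entry in scan_results:
        parsed = parse_banner(entry["banner"])
        if parsed is None:
            continue  # unfingerprinted service: nothing to match (a possible false-negative)
        product, version = parsed
        for vuln in vuln_db:
            if vuln["product"] == product and version < vuln["fixed_in"]:
                findings.append({
                    "host": entry["host"], "port": entry["port"], "id": vuln["id"],
                    "severity": vuln["severity"],
                    # Distro builds backport fixes without bumping the upstream version
                    # string, so a banner-only match on such a build needs verification.
                    "verify": "ubuntu" in entry["banner"].lower(),
                })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings
```

The unrecognised banner on port 8080 is silently skipped, which is exactly how a scanner produces a false-negative when its fingerprinting fails.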


When researching vulnerability scanners, it's important to find out how they're rated for accuracy (the most important metric) as well as reliability, scalability and reporting. If accuracy is lacking, you'll end up running two different scanners, hoping that one picks up vulnerabilities that the other misses. This adds cost and effort to the scanning process. Not only is an IT staffer spending double the time on the scanning process itself; she's also combing through two sets of scanning results to see what's what.

Software-Based Vulnerability Scanners: Targeted Reports From Various Devices

Some of the best-known and more highly rated commercial vulnerability scanners are Nessus (Tenable Network Security), Secunia CSI and Core Impact (Core Security). Nessus started as a free tool but was eventually converted to a commercial product, with a beefed-up feature set and higher quality tech support. Secunia is free for personal use and affordable for commercial use. Core Impact is pricey ($40,000 and up) but offers terrific value for the money.

These types of scanning products generally include configuration auditing, target profiling, penetration testing and detailed vulnerability analysis. They integrate with Windows products, such as Microsoft System Center, to provide intelligent patch management; some work with mobile device managers. They can scan not only physical network devices, servers and workstations, but extend to virtual machines, BYOD mobile devices and databases. Some products, such as Core Impact, integrate with other existing scanners, enabling you to import and validate scan results.

Software-based scanners also require much less administration than their counterparts from 10 years ago, or low-end tools of today, thanks to greatly improved user interfaces and targeted analysis reports with clear remediation actions. Reporting functionality lets you sort on many different criteria, including vulnerability and host, and see trends in changes over time.

Cloud-Based Vulnerability Scanners: Continuous, On-Demand Monitoring

A newer type of vulnerability scanner is delivered on-demand as Software as a Service (SaaS). Products such as Qualys Vulnerability Management provide continuous, hands-free monitoring of all computers and devices on all network segments (perimeter to internal). They can also scan cloud services such as Amazon EC2. With an on-demand scanner, there's no installation, manual integration or maintenance required; you just subscribe to the service and configure your scans.


"Maintenance-free" means that the scanner service tunes and tweaks the scanning engine, and tests and verifies that definition lists are current, to reduce the occurrence of false-positives and false-negatives.

Like software-based scanners, on-demand scanners incorporate links for downloading vendor patches and updates for identified vulnerabilities, reducing remediation effort. These services also include scanning thresholds to prevent overloading devices during the scanning process, which can cause devices to crash.

For targeted scanning and reporting purposes, the Qualys product in particular lets you group and tag hosts by location or business unit. It also provides a form of risk-based prioritization by correlating a business impact to each asset, so you know which vulnerabilities to tackle first.

Too Many Threats Out There to Avoid Vulnerability Management

Vulnerability scanning is a must for medium-size to enterprise environments, considering the large number of network segments, routers, firewalls, servers and other business devices in use. The attack surface is simply too spacious (and inviting to malicious attackers) not to scan regularly.


Compliance is also an important issue. For organizations that must adhere to stringent IT rules to meet regulations such as PCI DSS, HIPAA and GLBA, for example, vulnerability scanning is part and parcel of doing business.

Smaller organizations or environments could have a tough time affording the full-featured vulnerability scanners, which can run from $1,000 to $1,500 at a minimum for an annual license. (The costs run into the tens of thousands for some scanners in an enterprise.) That said, it's a relatively small price to pay for on-demand or hands-free vulnerability management with detailed reporting. It would cost far more to pay a staff member to run regular scans and interpret the volume of generated data the old-fashioned (and labor-intensive) way.


Stories by Kim Lindros, Ed Tittel
