Horizontal Solution or Point Solution for IT Vulnerability Management?

When IBM Security announced availability of its QRadar Vulnerability Manager earlier this year, vulnerability risk management was solidified as an important and developing category in the information security market. The announcement also got me thinking about a common dilemma faced by our customers: what are the benefits of horizontal solutions versus point solutions, and is there a middle ground?

Horizontal, vertical, and point solutions?

Rick Holland, a Security and Risk Analyst at Forrester Research, posted some thoughts on this topic in “Point Solutions Must Die”. His view is that buying “best of breed” point solutions has left many companies in the unenviable position of having introduced operational confusion: each tool isolates its own information, and the organization ends up missing the forest for the trees.

On the other end of the spectrum, horizontal vulnerability management solutions from vendors such as IBM and Qualys promise visibility across multiple aspects of the enterprise. The single-vendor approach has its own disadvantage, however: a one-size-fits-all solution that may not be tailored to a company’s specific environment, and feature limitations that leave specific needs unmet.

These challenges affect large and mid-size companies alike. In our experience, the goal should be to maximize operational efficiencies and leverage existing technology investments to the fullest extent.

Only invest in security controls that you actually need.

It is surprising to discover how many security tools are “shelfware”. One of the pain points we uncover with our customers is that many existing security solutions are under-utilized. This is often the result of purchases made before a clear and consistent security strategy and policy had been defined. NopSec published a whitepaper titled “SANS 20 Critical Security Controls”, which can serve as a blueprint and a very effective approach to determining which security controls should be a priority. In our software-as-a-service, Unified VRM, we have a Security Configuration Module that allows organizations to baseline their current security controls and benchmark them against industry standards and best practices.

Integration capabilities should be a key vendor selection criterion.

Unfortunately, it is common to see security tools that create more issues than they solve. This is largely because, while the information they provide is valuable, organizational barriers prevent the benefits from being realized. Companies need to evaluate how well a new solution will integrate with and complement the tools they already have.

Achieve operational efficiencies and leverage existing investments

Unified VRM targets the challenge of operational efficiency head-on. On the input side, vulnerability scanner results from Nessus, Nexpose, and Qualys can be imported. A similar feature exists for web applications, allowing W3af, Burp and Skipfish results to be imported. Our philosophy at NopSec is that the more data can be aggregated on the input side, the better the results that can be delivered as output.

Once the vulnerability data has been aggregated and prioritized for what matters most, we facilitate more efficient remediation by integrating with existing asset classification systems, SIEM and patch management systems through our API. Moreover, Unified VRM allows you to generate external issue-tracking tickets for popular applications like Jira and Remedy with a single click of the mouse.
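As an added illustration of the aggregate-then-integrate flow described in the two paragraphs above (example code written for this page, not NopSec’s Unified VRM code or its API): the script parses a constructed .nessus-style export and a constructed CSV export from a second scanner into one record type, merges duplicate findings per host so that the same CVE reported by two scanners is tracked once, ranks the result by CVSS weighted with an assumed asset-criticality table standing in for an asset classification system, and builds the JSON body for a Jira create-issue REST call. The hosts, plugin IDs, scores, criticality weights and the VULN project key are all assumptions; the CVE identifiers are real ones used only as sample values.

```python
import csv
import io
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed .nessus-style export. Element and attribute names follow the real
# NessusClientData_v2 schema; hosts, plugin IDs and scores are sample data.
NESSUS_XML = """<NessusClientData_v2><Report name="sample">
<ReportHost name="10.0.0.5">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="99001"
             pluginName="SMBv1 Remote Code Execution">
  <cve>CVE-2017-0144</cve><cvss_base_score>9.3</cvss_base_score>
 </ReportItem>
 <ReportItem port="443" protocol="tcp" severity="3" pluginID="99002"
             pluginName="OpenSSL Heartbeat Information Disclosure">
  <cve>CVE-2014-0160</cve><cvss_base_score>5.0</cvss_base_score>
 </ReportItem>
</ReportHost>
<ReportHost name="10.0.0.9">
 <ReportItem port="80" protocol="tcp" severity="2" pluginID="99003"
             pluginName="Web Server Directory Listing">
  <cvss_base_score>5.0</cvss_base_score>
 </ReportItem>
</ReportHost>
</Report></NessusClientData_v2>"""

# Constructed CSV export from a second scanner with its own column names.
CSV_EXPORT = """ip,cve,title,score
10.0.0.5,CVE-2017-0144,MS17-010 SMB remote code execution,9.3
10.0.0.7,CVE-2014-0160,Heartbleed,5.0
"""

# Assumed asset criticality weights (stand-in for an asset classification
# system); hosts that are not listed default to 1.0.
ASSET_CRITICALITY = {"10.0.0.5": 3.0, "10.0.0.9": 1.0}


@dataclass
class Finding:
    host: str
    cve: str            # empty string when the scanner reports no CVE
    title: str
    cvss: float
    sources: set = field(default_factory=set)


def parse_nessus(xml_text):
    """Normalize ReportItem elements into Finding records."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cve = item.findtext("cve", default="")
            cvss = float(item.findtext("cvss_base_score", default="0"))
            findings.append(Finding(host.get("name"), cve, item.get("pluginName"), cvss, {"nessus"}))
    return findings


def parse_csv(csv_text):
    """Normalize the CSV scanner export into the same Finding records."""
    return [Finding(r["ip"], r["cve"], r["title"], float(r["score"]), {"csv"})
            for r in csv.DictReader(io.StringIO(csv_text))]


def aggregate(*finding_lists):
    """Merge findings from several scanners. The same CVE on the same host is
    one finding however many scanners reported it; findings without a CVE are
    keyed on their title instead. The highest reported CVSS wins."""
    merged = {}
    for f in (f for lst in finding_lists for f in lst):
        key = (f.host, f.cve or f.title.lower())
        if key in merged:
            merged[key].sources |= f.sources
            merged[key].cvss = max(merged[key].cvss, f.cvss)
        else:
            merged[key] = Finding(f.host, f.cve, f.title, f.cvss, set(f.sources))
    return list(merged.values())


def prioritize(findings, criticality=ASSET_CRITICALITY):
    """Rank by CVSS weighted with asset criticality, highest first."""
    return sorted(findings, key=lambda f: f.cvss * criticality.get(f.host, 1.0), reverse=True)


def jira_payload(finding, project_key="VULN"):
    """Body for Jira's create-issue call (POST /rest/api/2/issue).
    The project key and issue type are assumptions for the example."""
    return {"fields": {
        "project": {"key": project_key},
        "summary": f"[{finding.host}] {finding.title}",
        "description": f"CVE: {finding.cve or 'n/a'}\nCVSS: {finding.cvss}\n"
                       f"Reported by: {', '.join(sorted(finding.sources))}",
        "issuetype": {"name": "Bug"},
    }}


if __name__ == "__main__":
    ranked = prioritize(aggregate(parse_nessus(NESSUS_XML), parse_csv(CSV_EXPORT)))
    for f in ranked:
        print(f"{f.host:10} {f.cve or '-':15} {f.cvss:4} {sorted(f.sources)}")
    print(json.dumps(jira_payload(ranked[0]), indent=2))
```

The merge key matters more than it looks: without it the SMB finding on 10.0.0.5 would appear twice, once per scanner, and remediation tickets would be duplicated. Keying on CVE per host (falling back to the title when a scanner supplies no CVE) is the simplest rule that survives different plugin names across products; a production integration would also normalize hostnames against the asset inventory before merging.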

So the short answer to the question of horizontal solution or point solution? Yes. You can experience the best of both worlds.

You can learn more about NopSec’s approach in “Whitepaper: SANS 20 Critical Security Controls”. The information in this whitepaper is intended for a technical reader and should help you understand each control and how features in Unified VRM map to the respective control.