12/30/2019 Gartner Reprint https://www.gartner.com/doc/reprints?id=1-1XWO60AS&ct=191211&st=sb

Licensed for Distribution

Market Guide for Vulnerability Assessment

Published 20 November 2019 - ID G00367737 - 39 min read

By Analysts Craig Lawson, Mitchell Schneider, Prateek Bhajanka, Dale Gardner

Security and risk management leaders evaluating VA products and services need to understand the important role they play in risk-based vulnerability management. VA identifies and assesses vulnerabilities proactively to establish the security and risk posture, not just to meet compliance mandates.

Overview

Key Findings

■ Vulnerability assessment buyers are shifting from tools that only identify vulnerabilities to those that proactively assess and manage the risks posed by those weaknesses. This is primarily being addressed by new vendors offering vendor-agnostic products, prompting companies offering solutions to update their offerings.

■ The three VA solutions that dominate the market (Qualys, Tenable and Rapid7) are most often shortlisted by Gartner clients.

■ Vendors in adjacent markets, such as endpoint detection and response, security information and event management, IT systems, and configuration management, are adding VA capabilities.

■ The assessment of standard IT assets across a network is universally supported by VA vendors. Support for less-common technologies — such as containers, operational technology/supervisory control and data acquisition, cloud services, and mobile — varies widely.

Recommendations

Security and risk management leaders responsible for security operations and vulnerability management who are selecting and operating these solutions should:

■ Evaluate VA solutions’ capabilities for aiding in the prioritization of vulnerabilities and how the assessment phase is performed, so that vulnerabilities can be managed more efficiently in the organization.

■ Assess the workflow, enterprise management and third-party technology integrations VA solutions provide with compensating controls. These include intrusion prevention systems, web application firewalls, patch management solutions and ticketing systems, as well as risk prioritization tools, such as vulnerability prioritization tools, to support general IT and security operations with better insight and efficiency possibilities.

■ Select VA solutions with consideration for asset demographics and coverage of the emerging technologies and approaches that you are planning to use, such as cloud and virtualization, DevOps and software containers. More than one provider may be required.

Market Definition

This document was revised on 25 November 2019. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

The VA market is made up of vendors that provide capabilities that identify, categorize, prioritize and orchestrate the remediation or mitigation of vulnerabilities. These include unsecured system configurations or missing patches, as well as other security-related updates in the systems connected to the enterprise network directly, remotely or in the cloud. Whether delivered on-premises, in the cloud or in virtual environments, VA products or services have several common capabilities:

■ Discovery, identification and reporting on device, OS and software vulnerabilities
■ The ability to report the secure configuration of IT assets
■ A baseline of conditions for systems, the applications on those systems, and databases to identify and track changes in state over multiple periods of time (days, weeks, months, etc.)
■ Compliance reporting with content and format to support specific compliance regimes, control frameworks and multiple roles in the organization
■ Support for pragmatic risk assessment and remediation prioritization, provided by the ability to correlate vulnerability severity, asset criticality and prevailing usage by attackers, using threat intelligence and various flavors of analytics and machine learning (ML)
■ The ability to understand how a threat actor may pivot or move throughout an environment, and which systems/techniques will be successful
■ Support for IT operations teams with information, prioritization guidance and recommendations for remediation and for configuring compensating controls
■ Management and administration of decentralized and distributed scanner instances and architectures
■ The ability to deliver some level of workflow management, or to plug into other workflow management tools such as ticketing systems, to discover, act on and confirm the resolution of vulnerabilities

Gartner has deliberately not called this market “vulnerability management.” We believe the management of vulnerabilities has always involved additional people and processes, not just technology. These people, processes and additional technologies are also represented by teams outside the cybersecurity group in almost all cases, especially when it comes to critical vulnerability management processes, such as patching.
There is also a large, existing market for professional and managed services that help end-user organizations with VA and, sometimes, with management. Outsourcers and managed security service providers (MSSPs) have offered VA “as a service” for a long time, and now some managed detection and response (MDR) providers do as well. It remains a popular choice for many organizations to have this capability delivered this way.

Even on the technology front, no single solution does full end-to-end management of vulnerabilities. There is a mix of security compensating controls — intrusion detection and prevention systems (IDPSs), web application firewalls (WAFs), network segmentation, privileged access management/identity and access management (PAM/IAM), and security orchestration, automation and response (SOAR). Other critical technologies in this mix include IT operations tooling for patching, as well as items such as ticketing systems, all of which are needed to perform the full life cycle of modern vulnerability management. Simply put, vulnerability management is a process underpinned by VA technology that triggers other processes, such as IT operations performing patch management. This Market Guide focuses on the assessment and prioritization of this function in a security program.

Market Description

VA can be delivered via an on-premises solution based on software or appliances, via the cloud or hosted solutions, and/or via a hybrid of these options. Moreover, it is widely available from almost all MSSPs, consultants and outsourcers, and is emerging as an offering from some MDR providers. VA technology typically supports security operations, network asset visibility and/or compliance use cases. Security use cases include vulnerability and security configuration assessments (SCAs) for enterprise risk identification, reduction and reporting against various compliance standards.
Vulnerability prioritization technology (VPT) as a capability is a welcome evolution in an organization’s ability to assess vulnerabilities. VPT solutions — formerly described by the term “threat and vulnerability management” (TVM) — use VA telemetry, asset criticality context and multiple, preintegrated threat intelligence sources, and augment this data via advanced analytics. This combination enables organizations to have fundamentally different views of their specific cyber risks. This can then save significant time, because acting on these prioritized results will substantially reduce your organization’s attack surface in the least amount of time and with the most efficient use of staff resources. The leading disruptors are startups. However, VPT concurrently exists as a feature in all the major vulnerability scanning vendor offerings, either natively or as an add-on subscription.

Compliance use cases are still strong drivers and include meeting scanning requirements for regulatory or other compliance regimes, such as the Payment Card Industry Data Security Standard (PCI DSS) or the National Institute of Standards and Technology (NIST). These requirements can also include application assessment of the infrastructure in scope of the compliance standard.

The VA market is characterized by small or midsize security vendors, compared with the large network security and anti-malware vendors. Some are privately held, with offerings primarily around VA; other vendors market VA as one component of a broader unified security management portfolio of technologies or services, such as CrowdStrike, F-Secure and Microsoft.
Large vendors (e.g., McAfee, IBM and Symantec) that offer VA often OEM this technology from one of these pure-play providers. One interesting dynamic in recent years is how many new startups have entered, or are gaining mind share in, this market around vulnerability visibility and prioritization. Risk Based Security, Kenna Security, RiskSense, Skybox Security, NopSec and Balbix are examples of this development.

Market Direction

VA is a mature market, and information security management and regulatory frameworks regularly define VA as a standard, mandatory process. The adoption of MSSPs, outsourcers and, recently, MDR providers to execute VA for end-user organizations continues to be popular and is experiencing growth. Revenue in the VA market is concentrated among a few providers, with a large percentage going to three vendors (Qualys, Rapid7 and Tenable). Based on Gartner inquiries, these three also dominate vendor visibility on enterprise shortlists. However, they have credible competition, and, although they lead on overall size of client base, they do not substantially lead on feature capabilities. In addition to competing with other VA product and service vendors, VA vendors must compete with consultants, MSSPs/MDR service providers, open-source