When selecting a vendor and product, be sure to consider enterprise support and scalability, Wang says.
Networks are likely to grow in terms of size and usage, and vulnerability scanning capability must be able to keep pace with that growth. Wang says other factors to consider when evaluating products include reporting capabilities, support for trending analysis and support for regulatory compliance.
Among the factors that German-based bank WestLB tested and evaluated before selecting a scanning product from eEye Digital Security were patch-level accuracy, operating system identification accuracy, scan performance and ability to check both file versions and registry. The bank then used a scorecard rating system to grade the products available, says Kenneth Pfeil, executive director and head of information security for the Americas region.
For County Bank in Fresno, Calif., ease of use was a major consideration. Among the questions the company asked before selecting a product from Qualys was how much work it would take to generate reports, how easy it is to customize reports and what the learning curve is for setting up the system.
"Some of these systems are great conceptually but they're so complex that the implementation never gets done," says Charles McClain, vice president of information security at County Bank. McClain says it's important to include the people who will be using the system in the product selection process. They can weigh in on what features might be most useful.
2. Analyze risk before analyzing network traffic.

Prior to installing a vulnerability scanning system, security managers should conduct a thorough risk analysis to determine where they need to be most diligent when it comes to scanning.
Other steps to take before plunging ahead with scanning, Pfeil says, include being prepared to spend a significant amount of time getting everything running properly. Getting scans running and configured properly can take weeks.
Establish patch baselines, have scans coordinated around maintenance schedules and run small test scans on isolated systems on disparate subnets.
3. Be prepared for disruptions.

"The thing to remember with [vulnerability] scanning is that it's an activity that potentially can touch and disrupt every corner of your network," Roberts says.
The tendency is to fire up a scan and see what you find, Roberts says. "That is a bad idea for a whole bunch of reasons. First of all, vulnerability scanning is a high-bandwidth kind of activity that has the potential to bring areas of your network to [its] knees, if not carried out thoughtfully."
Also, some of the tests carried out by automated or manual vulnerability scans can create denial of service or "blue screen" conditions on network hosts, application servers and the like, Roberts says. It's a good idea to get input and buy-in not just from senior management but from the various network administrators, application administrators, help desk people, etc., Roberts says.
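The preparation sequence above (risk analysis first, scans coordinated around maintenance windows, small test scans before full ones, a patch baseline to compare against, and a cap on how much scanning runs at once so the network is not flooded) can be turned into a simple scan planner. The following is an added example written for this article, not code from any of the vendors or banks mentioned; the subnets, risk scores, windows and findings are constructed sample values.

```python
from datetime import datetime, time

# Constructed sample inventory (not from the article): per subnet, the risk
# score assigned by the risk analysis, the maintenance window in which scanning
# is allowed, and the host count. Hypothetical values for illustration only.
SUBNETS = {
    "10.10.0.0/24": {"risk": 9, "window": (time(1, 0), time(5, 0)), "hosts": 200},
    "10.20.0.0/24": {"risk": 4, "window": (time(22, 0), time(23, 30)), "hosts": 50},
    "10.30.0.0/24": {"risk": 7, "window": (time(2, 0), time(4, 0)), "hosts": 120},
}
PILOT_HOSTS = 5  # size of the small test scan run before a full subnet scan


def in_window(when, window):
    """True if the clock time of `when` falls inside (start, end); same-day windows only."""
    start, end = window
    return start <= when.time() <= end


def plan_scans(subnets, now, max_parallel_full=1):
    """Order scan jobs for this moment, following the article's sequence.

    Subnets outside their maintenance window are skipped; the rest are taken
    highest risk first. Every subnet gets a pilot job (a handful of hosts)
    before its full job, and only `max_parallel_full` full scans are marked
    to run now; the others are queued so the link is not saturated.
    """
    eligible = sorted(
        (n for n, s in subnets.items() if in_window(now, s["window"])),
        key=lambda n: subnets[n]["risk"], reverse=True,
    )
    jobs = []
    for name in eligible:  # pilots first: cheap, and they surface crashes early
        jobs.append({"phase": "pilot", "subnet": name,
                     "hosts": min(PILOT_HOSTS, subnets[name]["hosts"]), "state": "run"})
    for i, name in enumerate(eligible):
        state = "run" if i < max_parallel_full else "queued"
        jobs.append({"phase": "full", "subnet": name,
                     "hosts": subnets[name]["hosts"], "state": state})
    return jobs


def new_findings(baseline, scan_result):
    """Patch-baseline check: return (host, finding) pairs not already accepted.

    `baseline` maps host -> set of findings recorded when the baseline was
    established; anything outside it is a regression or a new issue to triage.
    """
    return sorted((h, f) for h, fs in scan_result.items()
                  for f in fs if f not in baseline.get(h, set()))


if __name__ == "__main__":
    for job in plan_scans(SUBNETS, datetime(2024, 1, 1, 2, 30)):
        print(job)
```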