Other surveys point to much higher losses due to insider exploits.
According to the U.S. Commerce Department, intellectual property theft alone costs U.S. businesses approximately $250 billion each year. IBM reports that cybercrime is now more of a problem for U.S. businesses than traditional physical crime, and that more than 70% of the businesses it has studied believe insider attacks are a more significant threat than attacks from outside hackers.
A common enterprise report may find 30,000 vulnerabilities, said Alan Paller, director of research for the SANS Institute. In fact, a number that high is by no means uncommon.
Understanding the too-much-information curse, most vulnerability management vendors classify vulnerabilities by risk rather than reporting them as a flat list. Vulnerabilities with known exploits in the wild are rated much higher than those for which no working attack is known, so a lower-severity flaw that is actively being exploited can outrank a critical one that is not.
The key is to focus on the most significant risks, and vendors like CoreSecurity, eEye, nCircle, and Qualys understand this. After all, the slew of false positives and alarms set off by minor problems bedeviled the intrusion detection space for years, and those in the vulnerability management space learned from those mistakes.
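To make the ranking idea concrete, here is an added example (not code from the article or from any of the vendors it names) of a risk-weighted triage over scan findings. The vulnerability identifiers, hosts, scores and the two weighting factors are all constructed assumptions; real products use their own scoring models, but the shape is the same: severity is scaled up when an exploit is known and when the asset is exposed, and per-host findings are collapsed into one row per vulnerability so that a long report shrinks to a short work list.

```python
"""Risk-based triage of vulnerability scan findings (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # scanner's identifier for the flaw (hypothetical IDs below)
    host: str              # affected asset
    base_score: float      # CVSS-style base severity, 0.0 to 10.0
    exploit_in_wild: bool  # a working exploit is publicly known or observed
    internet_facing: bool  # the asset is reachable from the Internet


# Assumed weights: a known exploit dominates the ranking, exposure adds to it.
EXPLOIT_WEIGHT = 3.0
EXPOSURE_WEIGHT = 1.5


def risk_score(f: Finding) -> float:
    """Severity scaled by exploit availability and exposure, rounded to 2 places."""
    if not 0.0 <= f.base_score <= 10.0:
        raise ValueError(f"base_score out of range for {f.vuln_id}: {f.base_score}")
    score = f.base_score
    if f.exploit_in_wild:
        score *= EXPLOIT_WEIGHT
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    return round(score, 2)


def rank_findings(findings):
    """Per-host findings, highest risk first; ties broken by id then host."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.vuln_id, f.host))


def summarize_by_vuln(findings):
    """Collapse host-level findings into one row per vulnerability.

    Returns a list of (vuln_id, {"hosts", "max_risk", "exploit_in_wild"})
    ordered by worst risk score, so the analyst sees a short work list
    instead of one line per affected host.
    """
    rows = defaultdict(lambda: {"hosts": 0, "max_risk": 0.0, "exploit_in_wild": False})
    for f in findings:
        row = rows[f.vuln_id]
        row["hosts"] += 1
        row["max_risk"] = max(row["max_risk"], risk_score(f))
        row["exploit_in_wild"] = row["exploit_in_wild"] or f.exploit_in_wild
    return sorted(rows.items(), key=lambda kv: (-kv[1]["max_risk"], kv[0]))


# Constructed sample data; ids, hosts and scores are invented for illustration.
SAMPLE_FINDINGS = [
    Finding("VULN-001", "web-01", 7.5, True, True),    # exploited, exposed
    Finding("VULN-001", "web-02", 7.5, True, True),
    Finding("VULN-002", "db-01", 9.8, False, False),   # critical, but no known exploit
    Finding("VULN-003", "app-07", 5.3, True, False),   # medium, but exploited
    Finding("VULN-004", "ws-113", 3.1, False, False),  # low, many hosts
    Finding("VULN-004", "ws-114", 3.1, False, False),
    Finding("VULN-004", "ws-115", 3.1, False, False),
]


if __name__ == "__main__":
    for vuln_id, row in summarize_by_vuln(SAMPLE_FINDINGS):
        flag = "EXPLOITED" if row["exploit_in_wild"] else ""
        print(f"{vuln_id:10} risk={row['max_risk']:6.2f} hosts={row['hosts']:3} {flag}")
```

Note what the ordering does with the sample: the 9.8 flaw with no known exploit lands below the 5.3 flaw that is being exploited, which is exactly the behaviour the paragraph describes. The weights are the part a team would tune; the structure (severity, exploitability, exposure, then aggregation) is what keeps a 30,000-line report from becoming 30,000 tickets.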
The space has also learned that point products often have short life spans, so vendors have rolled vulnerability assessment in with other value-added security services. Traditional vulnerability assessment simply tells you where you are vulnerable, said Ross Brown of eEye. Vulnerability management, on the other hand, not only tells you where you are vulnerable, but also what to do about it.
After surveying the market, Mercy Hospital in Miami chose eEye's vulnerability management suite partly because of its remediation abilities. Since eEye ties into BigFix's patch and configuration management platform, Mercy can streamline its remediation process.
Mercy was also drawn to eEye's extensive vulnerability database and its research team, which has uncovered such serious flaws as the Microsoft DCOM RPC Memory Leak and the remote code execution flaw in McAfee's ePolicy Orchestrator.
A final consideration for Mercy was the importance of protecting legacy applications. As much as you'd like to be running a homogeneous network with one operating system and current applications, what happens in a hospital is that you have many homegrown applications that fill niche needs. Hospitals are almost forced to run very obscure applications, Hernandez said.
As a result, the final piece of the vulnerability puzzle is linking with related security offerings that protect against attacks for which no signature exists, including zero-day attacks, and that provide protection for legacy products for which no patches exist. After all, what good is a system that points out a flaw but then tells you that there is nothing you can do about it?