Risk-based vulnerability management (VM) tools give IT security teams a continuous, automated way to identify, prioritize and remediate vulnerabilities according to the risk each one poses to that particular organization, rather than by generic severity alone.
According to NIST, vulnerability management is an “Information Security Continuous Monitoring (ISCM) capability that identifies vulnerabilities [common vulnerabilities and exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network.”
With so many vulnerabilities present in large, complex and interconnected computing environments, enterprises cannot practically implement all software patches and other remediations on a timely basis, if at all.
What is required is a triage process that quickly identifies and escalates the vulnerabilities presenting the most risk in an organization's particular circumstances: the same CVE can be urgent on an internet-facing system with a public exploit and a low priority on an isolated lab host. This calls for automated tooling, increasingly with machine learning (ML) capabilities, and the leading vulnerability management software providers are responding by incorporating risk-based prioritization into their products.
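To make that triage concrete, here is an added example (not code from this article or from any vendor it names) of ranking findings by organization-specific risk instead of by CVSS alone. The asset criticality levels, the exposure and exploitability weights, the SLA thresholds and the sample findings are all assumptions constructed for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (constructed sample data below)."""
    vuln_id: str
    cvss: float             # CVSS base score, 0.0 to 10.0
    asset: str
    asset_criticality: int  # 1 (disposable lab host) to 5 (crown-jewel system), set by the business
    internet_facing: bool   # reachable from untrusted networks
    exploit_public: bool    # exploit code or in-the-wild exploitation is known
    patch_available: bool   # a vendor fix exists; otherwise the action is a mitigation


def risk_score(f: Finding) -> int:
    """Contextual risk on a 0-1000 scale, i.e. wider than the 0-10 CVSS scale.

    The factors and weights are assumptions made for this example, not any
    vendor's formula: CVSS sets the ceiling, and business context scales it
    down for low-value, unreachable or hard-to-exploit cases.
    """
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.asset_criticality <= 5:
        raise ValueError(f"out-of-range input for {f.vuln_id} on {f.asset}")
    criticality = f.asset_criticality / 5.0       # 0.2 .. 1.0
    exposure = 1.0 if f.internet_facing else 0.6  # internal-only hosts need a foothold first
    exploitability = 1.0 if f.exploit_public else 0.5
    return int(round(1000 * (f.cvss / 10.0) * criticality * exposure * exploitability))


def sla_days(score: int) -> int:
    """Remediation deadline driven by the contextual score rather than by CVSS alone
    (assumed thresholds)."""
    if score >= 700:
        return 7
    if score >= 400:
        return 30
    if score >= 150:
        return 90
    return 180


def prioritize(findings):
    """Return (finding, score, action, deadline_days) rows, highest risk first."""
    rows = []
    for f in findings:
        score = risk_score(f)
        action = "patch" if f.patch_available else "mitigate"  # e.g. isolate host, disable feature
        rows.append((f, score, action, sla_days(score)))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


# Constructed sample findings; the identifiers and hostnames are placeholders.
SAMPLE = [
    Finding("vuln-a", 9.8, "lab-build-07",  1, False, False, True),
    Finding("vuln-b", 7.5, "www-edge-01",   5, True,  True,  True),
    Finding("vuln-c", 9.0, "payroll-db-01", 5, False, True,  False),
    Finding("vuln-d", 5.3, "vpn-gw-02",     4, True,  True,  True),
]

if __name__ == "__main__":
    print("Pure-CVSS order:", [f.vuln_id for f in sorted(SAMPLE, key=lambda f: -f.cvss)])
    for f, score, action, days in prioritize(SAMPLE):
        print(f"{score:4d}  {f.vuln_id}  {f.asset:<14} cvss={f.cvss:<4} {action} within {days} days")
```

Run stand-alone, the script first prints the pure-CVSS order (vuln-a, vuln-c, vuln-b, vuln-d) and then the risk-ranked queue: the internet-facing web server's 7.5 scores 750 and goes first, the 5.3 on the exposed VPN gateway with public exploit code scores 424, and the 9.8 on the lab host drops to 59 and the lowest SLA tier. The shape of the calculation is the point; an organization would tune the weights to its own environment.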
These providers include both larger vendors that provide risk-based VM as modules within broad cyber platforms (e.g., for cloud security and/or endpoint/extended detection and response), and specialists in the VM area.
Gartner has projected the risk-based VM market sector to reach $639 million through 2022. Other analyst firms have estimated the broader VM market, depending on how it is defined, as having passed the $2 billion mark in that timeframe. IDC estimated the device-based VM market at $1.7 billion in 2020, with a growth rate of 16% per year to bring that to approximately $2.2 billion for 2022.
Since IDC made that growth estimate in 2020, analyst firms have shifted their terminology and focus. Some lump security information and event management (SIEM) and vulnerability management together. Others have expanded the scope of vulnerability management and coined the term “attack surface management” (ASM). Still others concentrate purely on endpoint management as opposed to vulnerabilities as a whole. But it is safe to say the market is worth around $2 billion annually today.
8 key features of vulnerability management software in 2022
Balbix lists the following eight “must have” features for risk-based vulnerability management:
- Automatic discovery and inventorying of all IT assets, applications, and users
- Visibility on all types of assets including BYOD, IoT, cloud and third-party
- Coverage of attack vectors beyond just scanning for vulnerabilities in unpatched software
- Continuous and real-time monitoring of all assets across all attack vectors
- Understanding of context and business risk for each asset
- Ability to create a complete picture using artificial intelligence (AI) and ML to analyze the volume of data collected from thousands of observations
- Prioritized list of security actions based on comprehensive assessment of business risk
- Prescriptive fixes to address
Robust reporting that incorporates an organization’s compliance profile could be considered another requirement of modern risk-based VM.
Top 10 risk-based vulnerability management tools
VentureBeat has compiled this list of top risk-based VM tools based on the rankings and peer reviews in several credible sources: Gartner Peer Insights, IDC, G2, Ponemon Institute, Capterra and TrustRadius.
All products below are rated highly by one or more of these sources. Most are rated well on several. We have considered standalone products from specialty firms as well as risk-based VM modules from larger vendors’ more comprehensive security platforms.
Selections, let alone rankings, of a “top 10” nature should always be used with caution. Different products may be better fits for specific enterprises, and online peer reviews may not always be the most objective, informed or current for each product covered.
Still, this list offers a good sense of the market and a starting point for potential further evaluation.
1. Rapid7 InsightVM
Rapid7 provides real-time scanning of the entire network via its cloud-based InsightVM product. InsightVM is one module of the larger Insight platform, which includes cloud security, application security, XDR, SIEM, threat intelligence, orchestration and automation.
Beyond its integration with the larger platform, InsightVM’s differentiators include vulnerability prioritization and a granular risk score on a 1-to-1,000 scale rather than the usual 1-to-10. The solution also includes automated penetration-testing capabilities. It is probably best suited to organizations that want a full-featured security program rather than vulnerability management alone, but it performs the vulnerability management function well.
Rapid7 InsightVM gets high marks from IDC and TrustRadius. IDC numbers show the company with a 15% share of the device VM market. Users like the way it presents results, its scanning consistency and its ease of use. On the downside, some users report integration and deployment challenges, as well as concerns about support responsiveness, slowness in providing updates, and scans sometimes taking longer than they should.
2. Arctic Wolf Managed Risk
Arctic Wolf Managed Risk helps organizations discover, assess and harden environments against digital risks. It contextualizes attack surface coverage across networks, endpoints and the cloud. It is aimed squarely at organizations, particularly mid-sized ones, that want to hand off large portions of security management to external providers.
Differentiators include its Concierge Security Team, which provides instant access to the kind of security professionals whom organizations may find hard to recruit and hold on to themselves. Each customer is assigned a security engineer who helps prioritize vulnerabilities, areas of credential exposure and system misconfiguration issues.
Arctic Wolf Managed Risk received the second-highest user rating for vulnerability management tools on Gartner Peer Insights. G2 gave it a high rating too. Users spoke highly of support responsiveness and the value of access to the Concierge Security Team. However, some complained that they didn’t get enough feedback on specific reasons for vulnerabilities — the team went ahead and resolved them without IT understanding what was done.
3. CrowdStrike Falcon Spotlight
CrowdStrike Falcon Spotlight is part of a larger Falcon suite that includes EDR, antivirus, threat hunting/intelligence and more. The Spotlight portion offers:
- Automated assessment for vulnerabilities, whether on or off the network
- Shortened time-to-respond, with real-time visibility into vulnerabilities and threats
- The ability to prioritize and predict which vulnerabilities are most likely to affect the organization, with Falcon Spotlight’s ExPRT.AI rating
- Vulnerability and patching orchestration
Differentiators include its integration within the CrowdStrike Security Cloud and its built-in AI, which ties threat intelligence and vulnerability assessment together in real time. The company also boasts a single lightweight-agent architecture.
Its Gartner Peer Insights ratings are higher than most other products on this list. Falcon Spotlight also scored well on TrustRadius’s list. Overall, users find it easy to use and install, and like that it offers clear direction and highlights issues rapidly. In addition, they appreciate how it ties in to other CrowdStrike tools and requires relatively low overhead. But some complained about limitations with regard to scanning for misconfigurations in security applications.
4. Tenable.io
Tenable.io covers the entire attack surface, providing insight into all assets and vulnerabilities. Tenable has built a stable of products via acquisition, including on-premises and Active Directory-specific offerings, alongside its umbrella Tenable One exposure-management platform.
Tenable.io is a cloud-delivered solution intended to make vulnerability management actions more effective. Tenable also provides additional vulnerability tools such as the Nessus vulnerability assessment scanner. The company boasts 40,000 user organizations worldwide, including 60% of the Fortune 500.
Differentiators include the Tenable Community, where users assist each other in addressing problems; and active and passive scanning and visibility for on-prem and the cloud (including virtual machines, cloud instances and mobile devices). In addition, its Cloud Connectors give continuous visibility and assessment into public cloud environments like Microsoft Azure, Google Cloud Platform and Amazon Web Services (AWS).
Tenable is the market leader, according to IDC, with a 25% market share. Users agree that its scanning engines are powerful and effective, with granular scan configuration. Tenable.io also gets high marks for how it calculates risk scores. However, support leaves something to be desired, scanning speed is sometimes problematic and some find the interface difficult to use.
5. Qualys VMDR
Qualys VMDR (Vulnerability Management, Detection and Response) automatically discovers and inventories all software and hardware assets wherever they are in an environment. This cloud-based app continuously assesses vulnerabilities and applies threat intelligence to prioritize and fix actively exploitable vulnerabilities. The company recently acquired AI and ML capabilities from Blue Hexagon, as well as upgraded risk assessment capabilities and attack surface management features.
Key differentiators include real-time threat intelligence linked to machine learning to control and respond to evolving threats and prevent breaches. The solution also automatically detects and deploys the latest superseding patch for the vulnerable asset. In addition to vulnerabilities, it lists critical misconfigurations. It covers mobile devices as well as operating systems and applications. It offers virtual scanners, network analysis and other tools in a single app unified by orchestration workflows.
The product is highly rated by IDC, TrustRadius and G2. IDC numbers show that Qualys boasts about a 20% share of the market. Users speak well of the quality and range of coverage of its vulnerability signature databases. Users also cite its ability to detect vulnerabilities and configuration issues and react in real time; its ability to organize security policy; and its good reporting and alerting mechanisms.
Some, however, feel its cloud and hypervisor assessment support could be better. Documentation and technical support are also areas of concern for some users who felt that it had a steep learning curve.
6. Cisco’s Kenna Security
Cisco completed its acquisition of Kenna Security in mid-2021, adding the risk-based security management product to its stable of security offerings that includes its SecureX platform.
Kenna provides full-stack, risk-based VM that is most often used in an enterprise-level environment. It offers significant integrations for a cross-platform environment, and detailed reporting capabilities.
G2 and Gartner reviewers give Kenna high marks for the platform’s power and for the service and support provided. In keeping with its larger-environment emphasis, some find it less than intuitive and not the easiest software to learn, although its visualization capabilities get high marks.
7. Frontline Vulnerability Manager
Frontline Vulnerability Manager, from Digital Defense (owned by Fortra, formerly HelpSystems), is a SaaS-based vulnerability and threat management platform. It includes discovery and analysis, fingerprint-based scanning technology, and cross-context auditing to detect trends in vulnerabilities. As it is hosted on AWS, organizations already using that platform may find convenience and integration advantages.
Differentiators include the use of agreed-upon criteria to sort, filter and prioritize responses and remediation, and the ability to scale to hundreds of thousands of assets on a single subscription.
Frontline is well rated on Gartner Peer Insights and G2. Users like the many features it offers and the integration with Frontline.Cloud which brings many additional security tools into play. But some find the scope of its feature set challenging. It may be best for midsize and large organizations as opposed to SMBs.
8. Tanium Core Platform
The Tanium Core Platform does a lot more than vulnerability management. It includes 11 modules that cover just about every aspect of endpoint management and protection. But we include it here because it does a good job specifically in management of vulnerabilities. It is particularly suited to large enterprises and mid-market organizations.
Differentiators include the overall platform’s breadth and its real-time visibility into all assets on the network. Queries can be done in plain English so there is no need to get involved in scripting.
It received good ratings on Gartner Peer Insights and G2. Users sometimes call it the Swiss Army knife of endpoint management and security. They like how they can use it to rapidly deploy patches and other remediation measures across the enterprise. Others, though, find it complex, requiring too much customization and lacking in comprehensive reporting capabilities. Because it packs so much into the package, it can also be expensive, and it may be beyond the price point of some organizations, especially those looking for just the vulnerability management function.
9. Microsoft Defender Vulnerability Management
Microsoft Defender Vulnerability Management is a relatively new offering, part of the Microsoft Defender line. It includes discovery, inventory and vulnerability assessments of Windows and non-Windows assets.
Differentiators include coverage for network shares and browser extensions, as well as CIS security assessments. It gains value through integration with Microsoft’s extensive threat intelligence network as well as from proprietary algorithms that calculate exposure scores to help with remediation schedules.
Forrester Research touted it as a solution well-suited to environments focused on Windows and Microsoft tools. Users like the tight integration with other Microsoft tools. Microsoft shops tend to receive heavy discounts when they add Defender to their security arsenal.
Note, though, that the product concentrates on the biggest vulnerabilities and the most critical assets. That may not be enough given that attackers routinely chain several lower-severity vulnerabilities together, rather than relying only on the high-priority ones that receive most of security personnel’s attention.
10. Syxsense
Syxsense began life as a patch management tool. It added vulnerability scanning and IT management capabilities, and has gradually expanded from there into more of a full-featured VM platform. Most recently, it has added integrated remediation features and mobile device management (MDM). Everything is now combined into one console via Syxsense Enterprise.
Differentiators include the ability to automate discovery and remediation workflows, patch supersedence and patch rollback, and encompass mobile devices as well as PCs, laptops and servers.
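Both Qualys VMDR’s selection of the latest superseding patch (described above) and Syxsense’s patch supersedence feature depend on resolving a chain of replacement patches down to the current one. As an added example, not code from either vendor, the following resolves that chain from a “newer supersedes older” map and goes a little beyond the single-chain case: it returns every current patch when the chain branches, refuses to select a withdrawn patch, and flags a cyclic map as a data error. The patch identifiers, the supersedence map and the withdrawn set are constructed placeholders:

```python
from collections import defaultdict


def superseded_by_index(supersedes):
    """Invert a 'newer -> [older patches it replaces]' map into 'older -> {newer}'."""
    index = defaultdict(set)
    for newer, olders in supersedes.items():
        for older in olders:
            index[older].add(newer)
    return index


def latest_superseding(required, supersedes, withdrawn=frozenset()):
    """Return the set of current patches that satisfy `required`.

    Walks forward through every chain of superseding patches to its newest
    member. A branch means two current patches both carry the fix (for example,
    builds for different product editions), so every terminal patch is returned.
    A withdrawn patch is never selected; if a chain ends in one, the newest
    non-withdrawn patch on that chain is used instead. A cycle in the map is a
    data error and raises ValueError. Unknown patches are returned unchanged.
    """
    index = superseded_by_index(supersedes)
    current = set()
    stack = [(required, [required])]  # (patch, path taken to reach it)
    while stack:
        patch, path = stack.pop()
        successors = index.get(patch, set())
        if not successors:
            # End of a chain: take the newest patch on it that has not been withdrawn.
            for candidate in reversed(path):
                if candidate not in withdrawn:
                    current.add(candidate)
                    break
            continue
        for newer in successors:
            if newer in path:
                raise ValueError(f"supersedence cycle through {newer}")
            stack.append((newer, path + [newer]))
    return current


def remediation_plan(missing, supersedes, withdrawn=frozenset()):
    """Collapse a list of missing patches into the set of current patches to install."""
    plan = set()
    for patch in missing:
        plan |= latest_superseding(patch, supersedes, withdrawn)
    return plan


# Constructed supersedence data: each key replaces every patch in its list.
# Identifiers are placeholders, not real vendor bulletin or KB numbers.
SUPERSEDES = {
    "P-0003": ["P-0001"],
    "P-0005": ["P-0003", "P-0004"],
    "P-0007": ["P-0005"],
    "P-0008": ["P-0005"],   # parallel branch, e.g. a build for another edition
    "P-0009": ["P-0008"],
}
WITHDRAWN = frozenset({"P-0009"})  # pulled by the vendor after a bad release

if __name__ == "__main__":
    missing = ["P-0001", "P-0004", "P-0006"]  # P-0006 is unknown to the map: install as-is
    print(sorted(remediation_plan(missing, SUPERSEDES, WITHDRAWN)))
```

Run stand-alone, the three missing patches collapse to P-0006, P-0007 and P-0008: the two chains starting at P-0001 and P-0004 merge at P-0005 and then fork, and the withdrawn P-0009 is skipped in favour of P-0008. A real deployment would also record the replaced patch so that a bad install can be rolled back to it, which is the rollback feature mentioned above.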
Its expansion from patching into comprehensive vulnerability management is too new for it to receive much attention on Gartner Peer Insights. But Capterra recently gave it a high rating, calling it an emerging favorite and a noteworthy product. On the downside, the company has been slower than some other vendors to roll out Windows 11 capabilities.