With Microsoft’s Security Analyzer showing its age, it’s time for an alternative
Security these days is a constant battle between rapid patching and malicious individuals attempting to find exploits and vulnerabilities in software. It’s not hyperbole to say that as soon as the last security hole is patched, the next one is found by attackers who produce new malware almost immediately afterwards. These security risks have become the primary threat to companies both large and small.
Over the course of the last year, countless exploits have been uncovered at both the software and hardware levels. Some of these breaches are so severe they could result in the complete loss of all secure data from infected hosts. This isn’t just a concern for small or medium-sized businesses that may have lighter security than large enterprises. Anyone can be targeted, regardless of size. Macy’s had customers’ online data hacked in 2018. A breach at a third-party support partner resulted in Sears, Kmart, and Delta Airlines customers’ credit card information being stolen, affecting an undisclosed number of individuals. Panera Bread, Adidas, Under Armour: the long list of breaches taking place just in 2018 covers every sector of business across the globe.
Some estimates attribute as many as 80% of all breaches to poor patching and missed routine vulnerability checks. On paper, patching vulnerabilities sounds like a simple task, but when the individual patch count for any given business can reach high into the thousands, the problem becomes readily apparent. Manually managing software, hardware, and configuration vulnerabilities is a nigh impossible task that will inevitably fail.
Enter the MBSA
Even the most bare-bones security setup will include this simple tool developed by Microsoft to ensure Microsoft products are brought up-to-date and provide strong security against the most recent software exploits. Available for over a decade on a range of Microsoft products, Microsoft Baseline Security Analyzer can quickly scan Microsoft hosts on a network and help patch a range of Microsoft products with the latest security releases to mitigate the chance of a breach.
Unfortunately, this tool is extremely limited, and will only assess the status of Microsoft software. Most organizations will be running software from a variety of vendors, and relying solely on MBSA for vulnerability assessment is akin to laying out the red carpet for would-be intruders.
Everything from SQL databases to improperly configured switches can be the preferred method of entry for those seeking to steal data or negatively impact a given network. The limited scope of MBSA’s tool kit provides zero protection from far too many potential entry points.
The Need for a More Robust Vulnerability Solution
As a network grows in size, it quickly becomes apparent that manual solutions are going to fall flat at scale. While there’s no replacement for skilled, knowledgeable staff, supplementing personnel with additional tools to help spot potential vulnerabilities goes a long way towards more secure premises.
Vulnerability scanners come in a wide range of functions, specifications, and design goals. Some may feature detailed configuration scans aimed at spotting weaknesses in device configurations that can be exploited to gain access to a network. Others may take a focused look at known software vulnerabilities, spot potential SQL injection points, or identify software versions with known security holes. Real-time threat intelligence is becoming increasingly important as a tool for intrusion detection and prevention.
What your organization needs will vary from business to business. Certain sectors will require the absolute maximum amount of information security. Every switch, router, and endpoint in the network will need every possible door closed, even at the expense of potential usability. A good example of this is any organization that deals with financial information, or research and design firms that demand the utmost secrecy and security.
Anytime “the absolute maximum” amount of security is needed, there is going to be something of a trade-off in network usability. The easier it is for people within the organization to access information, the higher the potential for intrusion.
Many vulnerability scanners will rate identified vulnerabilities on a scale. While the scale differs from product to product, the idea is the same: each vulnerability is given a rank to help administrators determine which flaws must be closed and which can potentially be left open for now. Closing every single hole in a network is almost impossible, and even if it were possible, the severely hampered usability of the network is likely not worth “perfect security.”
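As an added example (not code from the article or from any scanner vendor), the script below shows how a scanner’s per-finding severity rank can be combined with each asset’s exposure class to decide which findings must be fixed first, which can be scheduled, and which can be accepted for now. The 0–10 severity scale, the exposure weights, the thresholds and the sample findings are all assumed, constructed values.

```python
# Added example: rank scanner findings by severity scaled by asset exposure.
# Scales, weights and thresholds below are assumed policy, not a vendor formula.
from dataclasses import dataclass

EXPOSURE_WEIGHT = {"public": 1.5, "internal": 1.0, "isolated": 0.5}
FIX_NOW_THRESHOLD = 9.0   # assumed: close before anything else
DEFER_THRESHOLD = 4.0     # assumed: below this, accept the risk for now

@dataclass(frozen=True)
class Finding:
    asset: str
    exposure: str       # "public", "internal" or "isolated"
    issue: str
    severity: float     # scanner-reported rank, 0 (info) .. 10 (critical)

def contextual_score(f: Finding) -> float:
    """Severity scaled by exposure, capped at 10 so scores stay comparable."""
    if f.exposure not in EXPOSURE_WEIGHT:
        raise ValueError(f"unknown exposure class: {f.exposure!r}")
    return round(min(10.0, f.severity * EXPOSURE_WEIGHT[f.exposure]), 1)

def triage(findings):
    """Group findings into fix_now / schedule / accept, each sorted
    from highest to lowest contextual score."""
    buckets = {"fix_now": [], "schedule": [], "accept": []}
    for f in findings:
        score = contextual_score(f)
        if score >= FIX_NOW_THRESHOLD:
            buckets["fix_now"].append((score, f))
        elif score >= DEFER_THRESHOLD:
            buckets["schedule"].append((score, f))
        else:
            buckets["accept"].append((score, f))
    for items in buckets.values():
        items.sort(key=lambda pair: pair[0], reverse=True)
    return buckets

# Constructed sample findings, not real scanner output.
SAMPLE = [
    Finding("web01", "public", "outdated TLS library", 7.0),
    Finding("db01", "internal", "default admin credentials", 9.5),
    Finding("sw-lab", "isolated", "SNMP v2 read community enabled", 6.0),
    Finding("hr-pc07", "internal", "missing OS patch", 4.0),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        for score, f in items:
            print(f"{bucket:8} {score:5} {f.asset:8} {f.issue}")
```

Note that the public-facing web server’s medium-severity finding outranks the isolated lab switch’s higher raw severity, which is the point of contextual scoring.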
Making Your Tools Work
The most important, and far too often neglected, step in good security auditing is the proper configuration of scanning profiles and focused vulnerability testing. It’s enough to warrant its own dedicated section in this article as a reminder to administrators. Vulnerability scanners and security software will often come with their own default or preset scanning profiles designed as generic scanning solutions that can be used “out-of-the-box.” Customizing these scanning rules is critical to proper auditing of any network or platform. Likewise, running your own controlled tests against identified vulnerabilities can help you determine which ones need immediate attention.
Picking the Right Software
Deciding which vulnerability scanner to use can depend on a range of factors:
Type of Business: As stated above, security needs will vary from business to business. Evaluate what your security goals are based on your organization’s structure, sector(s), and size. Also, address if any specific branches of the organization need heightened security over other branches.
Identify Assets: Make note of how many assets need to be monitored and evaluated for vulnerabilities, their locations, their individual functions, and their importance to overall operation. Certain applications are more geared towards specific assets. It’s important to take note of both hardware and software assets, as each may have its own specific security concerns or risks. Public-facing assets, such as a web server, are more exposed to attack than well-protected office systems.
Identify Existing Security: Understanding the security practices and implementations already in place is obviously a critical step in adding a new layer of security checks. If you already have a robust security solution from a certain vendor, for example, it may be prudent to use solutions that integrate well with your existing security.
Assess Security Risk and Desired Level of Security: Some organizations will inherently need a higher level of security than others. They may be more likely to be targeted by malicious intrusions, or naturally have a much larger public-facing footprint. Assessing both the potential risk of being targeted and the desired level of security needed will be a deciding factor in what kind of vulnerability software to implement.
Once you’ve taken stock of what your organization will need in a security solution, it’s time to start researching the potential options. The list presented here will give a brief overview of trusted solutions in the information security industry, but doing your own in-depth research is critical when selecting the right solution. Even a well-reviewed piece of software with critical acclaim from multiple sources may not be the right fit for your organization. Using the above checklist combined with a careful look at each potential software choice will give you the tools you need to pick the right software.
Here is our list of the best alternatives to Microsoft Baseline Security Analyzer:
- SolarWinds Network Security Tools (FREE TRIAL)
- PRTG Network Monitor (FREE TRIAL)
- OpenVAS
- Nessus
- Nexpose
- Retina CS
SolarWinds Network Security Tools (FREE TRIAL)
A combination of tools designed by SolarWinds to provide a comprehensive networking solution, each SolarWinds product has a specific focus that, when used in conjunction with other SolarWinds tools, gives an overarching and cohesive approach to network management as a whole.
Log and Event Manager provides compliance reporting and helps ensure networks receive fast remediation and real-time event correlation. A one-stop shop for detailed event monitoring that excels at identifying potential security threats, Log and Event Manager offers an advanced search and forensic analysis to assess the impact of security incidents.
Patch Manager is designed specifically to be a comprehensive patch management solution for connected network devices, shoring up potential vulnerabilities caused by out-of-date software. Used in conjunction with Network Configuration Manager, these two programs can provide the function of a traditional vulnerability scanner, spotting assets that need updates and identifying configuration errors that could lead to an intrusion.
Lastly, SolarWinds User Device Tracker provides an additional layer of security via careful asset tracking and identification.
When used together, these products give a powerful network management and security solution. Even when taken individually they excel at their prescribed functions.
PRTG Network Monitor (FREE TRIAL)
Another network management solution with security feature options, PRTG has a unique take on both pricing and deployment. PRTG monitors networks on a “per-sensor” basis, with each monitored component of a given asset representing a single sensor. Monitoring one port on a switch for traffic, for example, would be a single sensor. Pricing for PRTG is based on the total number of sensors deployed, giving a flexible amount of scalability to those who use PRTG.
These sensors can provide a range of functions, and when deployed in the right locations can give administrators a solution for a number of different networking areas. Sensors can be deployed on a given asset that track application updates, for example, to ensure up-to-date patch status on the asset.
These sensors can also be deployed on network ports to monitor traffic. The software can actively track for unusual traffic or system behavior and report this back to the system’s administrator, helping to stop intrusions in their tracks.
This impressive flexibility makes PRTG a good solution for small or medium-sized businesses that want a versatile network vulnerability service that does more than just look for holes in the network. PRTG Network Monitor is available on a 30-day free trial.
OpenVAS
One of the premier open-source vulnerability scanning applications currently available, OpenVAS has a strong track record for vulnerability detection and goes through constant improvement and community testing. As an open-source project, its source code is freely available and can be tweaked by ambitious administrators to fit their needs.
As is common with other open-source software, the free nature of the product means that official product support is lacking. There is something of a learning curve when using OpenVAS, and getting the most from the software will require some time to learn how it works. There’s an extensive knowledge base and significant community support that can help new users tailor scanning profiles to fit their needs, ensure a high degree of vulnerability identification, and reduce the number of false positives. Even with this community support, the lack of any official training or product support can be a frustrating downside for some users.
That being said, OpenVAS does have a good track record as a vulnerability scanner, and is used by a number of organizations as their primary means of securing their networks.
Nessus
Developed by Tenable, and the code base from which OpenVAS was originally forked, Nessus is another scanner with a long track record of vulnerability identification. It offers strong product support and many of the strengths of its cousin OpenVAS.
Nessus features both active and passive network scanning and can be used to scan both cloud and local assets. It has a long list of standard scanning profiles while still offering a breadth of customization in scanning rules. Vulnerability prioritization gives administrators the information they need to quickly assess security risks and take the appropriate steps to fix them.
The Nessus licensing model is flexible and allows for deployment based on assets instead of individual IPs. Tenable offers both a cloud-based SaaS scanning solution and an on-premises software deployment, giving administrators welcome deployment options. Further customization in the software’s dashboard gives Nessus the flexibility to fit wherever it needs to.
For those who like the features found in OpenVAS, but are seeking a more professionally supplemented solution with full product support, Tenable’s Nessus provides an attractive choice.
Nexpose
Nexpose is a vulnerability scanner developed by Rapid7, the makers of the Metasploit framework. The software’s main selling point is its ability to integrate easily with Metasploit for real, live vulnerability testing within a closed framework. This gives Nexpose users a powerful way to accurately test their systems for risk exposure and helps identify rapid solutions to potential exploits.
Nexpose features its own contextualized risk scoring system aimed at giving administrators a fast way to assess risk levels of identified vulnerabilities. These contextualized scores provide risk priorities for identified problems and help users address the deficiencies that need immediate attention.
Live and active monitoring combined with detailed remediation reporting gives a short list of actionable steps for shoring up network security. Unlike some software that simply lists vulnerabilities and their associated risk, Nexpose smartly provides a list of actual steps administrators can take to secure their systems.
Nexpose’s unique take on remediation reporting and easy integration with Metasploit make Nexpose a flexible option for both new and experienced security professionals.
Retina CS
Designed by BeyondTrust, Retina CS claims to be the only vulnerability management software engineered “from the ground up” with contextual vulnerability analysis in mind. Retina’s easy network discovery tool can identify everything from traditional network assets to IoT devices and cloud infrastructure.
Customized asset configuration and risk settings let users shape the context-sensitive security priorities that Retina CS calculates. Threat analysis on these assets provides real remediation steps and the potential return on each. Integrated patch management and vulnerability scanning give Retina CS the toolkit it needs to protect networks.
Intended to scale all the way up to the enterprise level, Retina CS features both cloud-based SaaS and on-site deployments. It also features configuration compliance to help ensure large organizations meet compliance standards.
A powerful tool designed with the enterprise business in mind, Retina CS is a good option for large organizations that need contextualized security analysis.