In a report on vulnerability-management trends, eEye discovered that, for many IT staffers, regulatory compliance initiatives can take up as much as half their work week.
Compliance mandates are eating up as much as half of the work week for many
security pros, according to a survey from eEye Digital Security.
For its "2011 Vulnerability
Management Trends Report," eEye surveyed 1,963 IT security pros. More than
85 percent of respondents have compliance mandates, such as the Payment Card
Industry Data Security Standard (PCI DSS),
to contend with. But perhaps most interesting is that half of those
surveyed reported that compliance initiatives take up to 50 percent of their
This includes configuring applications so they are in line with various
internal and external regulations and making sure the organization is in line
with the various compliance rules.
"The big thing I was hearing from a lot of folks is, number one, they feel
like they are doing a lot of work [that just involves checking] a box, but they
don't really know if this is going to truly help them from a security
perspective at the end of the day," said Marc Maiffret, chief technology
officer at eEye.
With the recent release of its Retina CS 2.0 Management Console, eEye has
turned its gaze toward addressing this issue with a new Configuration
Compliance and Regulatory Reporting Packs modules. The reporting packs feature
compliance reports that map vulnerability and configuration audits to
compliance mandates, while the configuration module can be used to define and
manage security policies related to regulatory and internal benchmarks.
"We've very much simplified the task of making sure you have the proper
configuration," Maiffret said.
The product also includes a new Patch Management module designed to provide
automated and agentless Windows patch management, as well as the ability for
users to integrate information from the other modules to prioritize patch
"The company's Patch Management module could likely become a key
differentiator for eEye-especially within the midmarket," opined Andrew Hay, an
analyst with the 451 Group. "We believe the ability to both identify and patch
vulnerable systems will appeal to cash-strapped SMB [small to midsized business]
customers that are looking for easy ways to relieve both security- and
compliance-driven pain points. Tightly integrating patching into the company's
flagship product serves to address these pains for a relatively low cost."
Still, organizations face other challenges that are not technology-driven.
According to eEye's survey, 31 percent of respondents said that the leading cause
of unpatched vulnerabilities in their organization is a lack of staff,
something Hay said he believes actually represents the "bulk of the problems"
around organizations failing to patch their systems efficiently-or at all.
"It may be a question of not having the time to download the patches or that
the system is far too critical to take down to patch correctly," he said. "In
organizations with small operational security and systems teams, patching
sometimes falls to the bottom of the pile while [seemingly] larger fires are
Maiffret said that company's goal is to ease the process of vulnerability
management for its customers. He noted that 18 percent of the people said they
were unable to get patching done because they lacked a vulnerability-scanning
solution that was integrated into a patch-management engine. Another 16 percent
said they were unable to scan or patch remote devices or distributed
networks on a regularly. "A lot of folks in IT I talk to feel like
they just don't know what's out there anymore," he said.