From: DWreck (dwr3ck@yahoo.com)
Date: Tue Aug 31 2004 - 09:26:35 EDT
When implementing a vulnerability management tool I believe it is important to consider the following:
TCO - automate as much as possible to keep your FTE count down
The ability to delegate remediation and potentially scanning
The ability to track remediation
Historical reporting over multiple scans
The ability to diff port scans of DMZs and server segments
Accuracy
Having a product that does not crash systems
Reporting
The ability to customize and automate scans and reports
I have used the following products to try to implement the above in an environment of 2000+ servers and 35,000+ workstations:
ISS - been a while since I've used ISS ... I hear they integrate it with Fusion now
Retina - their back end database had issues last time I ran it...the issues may be fixed
QualysGuard - My favorite at this time...(they didn't use to be 1.5 years ago)
Ran a Foundscan demo - looked good at the time but way too expensive
Nessus/fscan (used fscan for the DMZ diffs...via a batch file)/other open source tools - I still use these for point solutions and to verify/check up on my primary solution
LanGuard - nice little scanner
MBSA - using batch files you can scan for rogue services easily...even before the Q came out with the MS scripts
A couple of other sub-10k scanners - all nice but labor intensive
QualysGuard has definitely stood out as a great vulnerability management solution, but it is a bit pricey. All the other solutions (except Foundscan) have a high TCO and take too much time from an FTE to accomplish what you can with QualysGuard.
Qualys listens to their customers and updates their product/service regularly. They give you a fully functional demo. I highly suggest that you try it no matter what solution you are using now.
Another advantage of Qualys is that they are a third party so you can use them for B2B audits. (There's an article in this month's Information Security magazine that talks a little about this.)
As for 'owning' your solution, compromise by an insider with a solution owned and maintained by an internal IT Security department (or an employee that gains access) is an issue. Same as it's an issue to trust another company to maintain your vulnerability data.
I have seen other people bring up the fact that you can have complete control of your data if you own/build your own vulnerability management solution.
My experience in corporate IT environments has convinced me that total control of data is an illusion, one I still chase anyway :-)
If you have a budget, and you are looking to implement a full vulnerability management program, you should definitely demo Qualys as well as some of the other solutions mentioned above.
One last note: I do not fully rely on any one solution. I still use the freebies and scripts to make sure my primary solution is doing what I want it to.
=====
Thanks,
DWreck
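The post lists "the ability to diff port scans of DMZs and server segments" as a requirement and mentions doing the DMZ diffs with fscan output and a batch file. As an added example (not from the original post or any of the products named), here is a small Python equivalent: it parses two scan snapshots in an assumed "host port state" line format, constructed inline, and reports listeners that appeared or disappeared between them.

```python
"""Diff two port-scan snapshots to flag new and closed listeners.

Added example, not from the original post. The input format is an
assumed whitespace-separated "host port state" dump, one line per
listener, similar to what a text-mode scanner writes. Sample data is
constructed here so the script runs offline.
"""
from collections import defaultdict

# Constructed sample scans of a DMZ segment: baseline vs. current run.
BASELINE = """\
# host port state
10.0.1.10 22 open
10.0.1.10 443 open
10.0.1.11 25 open
10.0.1.12 80 open
"""
CURRENT = """\
10.0.1.10 22 open
10.0.1.10 443 open
10.0.1.10 8080 open
10.0.1.11 25 open
10.0.1.13 3389 open
"""

def parse_scan(text):
    """Return {host: set(open ports)}; skips comments, blanks, non-open."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[2].lower() != "open":
            continue
        hosts[parts[0]].add(int(parts[1]))
    return dict(hosts)

def diff_scans(baseline, current):
    """Return (new_ports, closed_ports) as sorted lists of (host, port)."""
    base, cur = parse_scan(baseline), parse_scan(current)
    new, closed = [], []
    for host in sorted(set(base) | set(cur)):  # hosts in either scan
        b, c = base.get(host, set()), cur.get(host, set())
        new.extend((host, p) for p in sorted(c - b))
        closed.extend((host, p) for p in sorted(b - c))
    return new, closed

if __name__ == "__main__":
    new, closed = diff_scans(BASELINE, CURRENT)
    print("NEW listeners:   ", new)     # review: rogue service or new host?
    print("CLOSED listeners:", closed)  # review: decommissioned or down?
```

Hosts that appear only in the current scan show up as new listeners, so a newly attached box is flagged the same way a rogue service on an existing box is.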