GOLD | QualysGuard Enterprise
Price: $2,995 for an annual subscription
Readers applauded vulnerability management gold medal winner QualysGuard Enterprise's ability to identify vulnerabilities quickly and accurately.
QualysGuard--which identifies potential network exploits and audits networks for compliance--also received high marks for being easy to install, configure and administer. Respondents praised QualysGuard Enterprise for the breadth of applications and devices with which it works; vendor service and support; and ROI, which most respondents rated "excellent" or "good."
Readers weren't as effusive about QualysGuard's ability to integrate with threat management systems, with many rating that feature "good" or "fair."
QualysGuard Enterprise 5.0, which was announced in February at RSA Conference 2007 and went into general release last month, boasts a revamped GUI; accelerated scanning through parallelization of scanner appliances; enhanced reporting features; and the ability to track scanning usage by business unit, according to company officials.
CISOs inundated with information about the array of threats and potential threats want a product that can pare down the onslaught, Deeba says. "The new release filters out that overload of data and narrows it down to what is most important based on your role within the organization," he says. Rather than Qualys indicating "12 million problems, you only see what is relevant to you, based on your privileges."
While noting that Qualys management has been "thinking a lot" about the juncture between scanning for weaknesses and remediating them, Deeba says the company prefers "to remain a third-party auditor, where we can come in and audit you and give you full configuration and vulnerability information."
Qualys' other offerings include a product designed to measure PCI compliance, one aimed at security consultants, and several others.
SILVER | IBM Internet Scanner
IBM Internet Security Systems
Price: $7,250 for the appliance
IBM Internet Scanner earned the silver medal on equal merit for its ability to find vulnerabilities, ease of use and reporting capabilities. Internet Scanner, which IBM acquired with its purchase of Internet Security Systems last year, offers unlimited asset identification to help CISOs keep an accurate inventory of their networks' electronic assets; an intelligent scanning feature that identifies the operating systems of target hosts and runs appropriate OS-specific checks against them; and a Common Policy Editor with 20 predefined policies that provides greater control over corporate scanning.
BRONZE | GFI LANguard NSS
Price: $495 (up to 32 IP addresses)
GFI LANguard Network Security Scanner (NSS), which identifies vulnerabilities and can also deploy necessary patches, won the gold medal in vulnerability management. The product scans a network IP by IP to provide information on missing security patches, open ports, service pack level of a machine, USB devices, and more. Companies can set GFI LANguard NSS to perform scheduled, customized scans and the product compares the results with previous scans and issues email alerts of new security holes. After a scan, it provides recommendations on remediation. Users can use the tool to deploy service packs and patches in operating systems and applications, as well as to install custom software.
In the trenches
VM a sound policy foundation
Vulnerability management tools help your organization build and enforce security policy.
A vulnerability management (VM) strategy offers not only the means to generate a security policy for your enterprise, but the technology to enforce it.
The myriad offerings under the VM umbrella--from scanners and patch-management tools to penetration-testing services and asset-management software--"provide the tools to build and maintain a security program or policy," says Dave Bixler, CISO for Siemens Business Services. In turn, the policy guides how and when such products are used.
Although products that occupy the VM space are becoming increasingly feature-rich, one tidy product addressing all of an organization's VM needs does not exist, in part because security managers don't want to cede control of fixes to automation.
"CISOs have been burned in the past when they put in [an automated solution] that blocked legitimate network traffic," says Khalid Kark, a senior analyst with Forrester Research.
Bixler, who launched an overhaul of his organization's security policy several years ago, says that at the time he not only wanted to keep his hand on remediation, but he wanted easy-to-use reporting to help him plan fixes. "It didn't matter what the tool was, as long as we could understand the reports," he says, noting that Siemens then deployed Internet Security Systems' scanner (now known as IBM Internet Scanner).
While Bixler characterizes the former ISS product as a "fantastic tool for addressing OS-related issues," the organization ultimately moved to products from Qualys, with PatchLink for some remediation. "It was starting to be obvious that the places attackers were attacking weren't necessarily the operating systems," he says. "They were going after Oracle, SQL--all our applications." Furthermore, Qualys' hierarchical permissions model let Bixler delegate responsibility for aspects of VM to different members of his team.
Joe Adams, IT director at Nuclear Fuels Corp., also is a fan of building a VM strategy around a well-delineated policy. NFC's policy dictates how StillSecure's VAM, integrated with Shavlik for patch management, is used.
Judicious application of technology is paramount, Adams says: "We don't treat all of our devices the same. We've got one process for our servers, another for our network backbone technology, and so on." Scans are conducted according to guidelines that determine when they occur, what vulnerabilities are being sought and how remediation should be handled.
These days, given the plethora of products in the VM space, security managers with one eye on the budget must guard against feature redundancy.
"I'm not interested in spending money on a remediation tool when I can remediate some things with my asset-management tool," says Bixler. Expect more products with more bang for the buck as the VM space progresses.