Pitching patch: Citadel Software Security

Citadel could have done a much better job crafting its response as a solution for us. While it addressed our company's requirements, we were left with an incomplete picture of its Hercules product architecture/technology and how it could be applied to this deployment. We got five pages of brochure-caliber material before the response got down to brass tacks.

Alone among the seven vendors, Citadel uses third-party VA scanners (supporting all major commercial scanners and Nessus) to assess device vulnerabilities, in combination with agents that communicate between clients and the server and deliver remediation. Hercules can aggregate and analyze data from multiple scanners, addressing the problem of different—sometimes inaccurate—reports from particular scanners.

This raises the obvious question of whether a scanner-dependent product is the right answer for our company, particularly given its numerous branch and tiny satellite offices. Citadel suggested scans of remote offices, which is impractical for this situation. Citadel also did a poor job explaining its agent functionality—client software is first mentioned (very briefly) seven pages into its response. It was only in follow-up questions that we understood that "compliance checking" is a script-based check that determines whether remediation is needed.

Citadel offers an attractive endpoint security component, ConnectGuard, for an additional cost. For our scenario, though, it's absolutely essential, because it would ensure that our remote and satellite office users are compliant before they're allowed on the network. Products like BigFix, for example, rely on the agent to report missing patches to the server when users connect, triggering automated remediation.

Like BigFix's BES and Configuresoft's Enterprise Configuration Manager, Hercules offers a wide range of non-patch remediations, such as configuration settings, unauthorized services and unsecured accounts, but relies heavily on AssetGuard, an optional inventory tool that detects devices and gathers and stores remediation data.


This was last published in May 2005
