Commercial vulnerability management tools
The vulnerability management space is changing frequently due to mergers, acquisitions, and new partnerships. In the remainder of this section, we will discuss some of the vendors that offer solutions in this space.
eEye Digital Security (www.eEye.com)
eEye Digital Security is a leader in vulnerability research. It also develops a suite a tools that can assist you in vulnerability management. The suite consists of the Retina Network Security Scanner (a vulnerability assessment tool), Blink Professional (a host-based security technology), and the REM Security Management Console. The management console provides the centralized management interface for the company's other products. It also handles vulnerability management workflow, asset classification, and threat-level reporting, and it can integrate with CA's UniCenter, IBM's Tivoli, and HP's OpenView.
BindView's Compliance Manager is a software-based solution which allows organizations to evaluate their assets against corporate standards or industry best practices, without the need for agents in most cases. Assets are evaluated against standards and practices based on a pass/fail notion; either an asset is compliant or it's not. Data is then aggregated and assembled to produce reports that the remediation team can leverage to support their efforts, or the internal audit group can use for compliance issues. You also can use the reports generated to support other initiatives.
As mentioned, you can evaluate assets against internal standards or to industry best practices. The industry standards included are CIS Level 1 and Level 2 Benchmarks for Windows, Red Hat Linux, BindView's Security Essentials for Sun Solaris, and NetWare. In addition to these standards, the Compliance Manager also provides Report Views for the following regulations and frameworks: ISO 17799, Sarbanes-Oxley based on COBIT, FISMA based on NIST SP 800-53, HIPAA, Basel II, and GLBA.
The Compliance Manager does not include its own workflow capability, but it does provide an interface that allows users to open incidents in Remedy and HP Service Desk. In addition, leveraging its bvControl technology, BindView is capable of delivering patch and configuration management to Windows hosts.
NetIQ's Compliance suite, a combination of NetIQ's Security Manager and Vulnerability Manager tools, brings together vulnerability scanning, patch management, configuration remediation, and reporting. The NetIQ Vulnerability Manager enables users to define and maintain configuration policy templates, vulnerability bulletins, and automated checks via AutoSync technology. It also has the capability to evaluate systems against those policies. Predefined templates are available for Sarbanes-Oxley, HIPAA, and ISO/IEC 27000.These allow you to report and score your information systems against these standards.
The Compliance suite also supports a classification system that allows you to adjust risk scores based upon the asset's classification.The NetIQ suite also looks for common signs of system compromise, such as modified Registry keys and known malicious files, and it has an OEM relationship with Shavlik to provide integrated patch management.
StillSecure is the manufacturer of VAM, an integrated suite of security products that perform vulnerability management, endpoint compliance monitoring, and intrusion prevention and detection. It also includes a built-in workflow solution (Extensible Vulnerability Repair Workflow) which automatically performs assignment of repairs, scheduling, life cycle tracking, and repair verification, all while maintaining detailed device histories. VAM interoperates with other third-party scanners too, taking input from Nessus, the ISS Internet Scanner, Harris STAT, and others. Enterprises may want to be wary regarding VAM, because its reporting module is not as well refined as the other vendors' and it relies on third-party information and integration for asset management, patch management, and vulnerability resolution.
McAfee's Foundstone Enterprise is an agentless solution that offers asset discovery, inventory, and vulnerability prioritization with threat intelligence, correlation, remediation tracking, and reporting. It integrates with McAfee's IntruSheild network-based intrusion prevention system (IPS), McAfee's Preventsys Compliance Auditor, and other vulnerability and trouble-ticket management systems. One of its more appealing features is its SSH credentialed scans for Red Hat Enterprise, Solaris, AIX, Microsoft Windows, and to the surprise of many, Cisco IOS!
Compliance templates for Sarbanes-Oxley, FISMA, HIPAA, BS7799/ISO17799, and the Payment Card Industry (PCI) standard are included, expediting the preparation of audits. Foundstone Enterprise can also auto-assign tickets, streamlining and simplifying the remediation process.
Open source and free vulnerability management tools
The open source community has created some great security tools over the years. However, none of them represents a complete vulnerability management solution. In some cases, though, the open source tools integrate well together, forming a formable foe to the commercial offerings.
In the following sections, we cover open source tools that you can use to support your vulnerability management program.
Asset management, workflow and knowledgebase
One tool we recommend in this space is Information Resource Manager (IRM), available at http://irm.stackworks.net. IRM is a powerful Web-based asset tracking and trouble-ticket system built for information technology (IT) departments and help desks. All elements are interwoven into a seamless Web application, with a MySQL engine at the back end doing the heavy lifting.
For host discovery, Nmap (www.insecure.org) is a free, open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw Internet Protocol (IP) packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and versions) they are running, what type of packet filters/firewalls are in use, along with dozens of other characteristics. Nmap runs on most types of computers and both command-line and graphical versions are available.
Vulnerability scanning and configuration scanning
Nessus, from Tenable Network Security (www.tennable.com), is a tool for vulnerability scanning and configuration scanning.The Nessus Project was started by Renaud Deraison in 1998 to provide the Internet community with a free, powerful, up-to-date, and easy-to-use remote security scanner. Nessus is the best free network vulnerability scanner available, and the best to run on UNIX at any price. It is constantly updated (more than 11,000 plug-ins are available for as a free feed), but registration and EULA acceptance are required. Key features include remote and local (authenticated) security checks, client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plug-ins or understanding the existing ones.
Nessus 3 is now closed source, but it is still free unless you want the very newest plug-ins. If you decide to rely on only Nessus for vulnerability scanning, consider also choosing a product that can manage and schedule scans, such as Tenable Security's Security Center product (www.tenablesecurity.com).
Configuration and patch scanning
Microsoft's Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-size businesses determine their security state in accordance with Microsoft security recommendations, as well as offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU),Windows Server Update Services (WSUS), Systems Management Server (SMS), and Microsoft Operations Manager (MOM). MBSA on average scans more than 3 million computers each week! For more information, visit www.microsoft.com.
Advchk (Advisory Check), available at http://advchk.unixgu.ru, reads security advisories so that you don't have to. Advchk gathers security advisories using RSS feeds, compares them to a list of known services, and alerts you if you are vulnerable. Because adding hosts and services by hand would be a boring task, Advchk leverages NMAP for automatic service and version discovery.
Also available in this space is SIGVI (http://sigvi.sourceforge.net).This product is a recent release but could be a promising solution if maintained and developed further. SIGVI downloads vulnerabilities from defined sources, stores them to a database, and then compares them to the products currently installed on the assets (as previously defined in the main application).
The application is flexible in the way that it lets you define your own sources. By default, the application supports the NVD (National Vulnerability Database at http://nvd.nist.gov) format. Periodically, the application will contact the sources, download the vulnerabilities, and store them into the SIGVI database.Those vulnerabilities are then available through the pages of the SIGVI main window.
Security information management
Ossim (www.ossim.org) stands for Open Source Security Information Management. Innately a SIM, OSSIM does incorporate several aspects of vulnerability management and over time should become a more comprehensive and complete vulnerability management tool. OSSIM's goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator a detailed view of the network and devices.
Besides getting the best out of open source tools, some of which are described in the following list, OSSIM provides a strong correlation engine, detailed reporting, and incident management tools. Here is a list of open source tools that integrate with OSSIM:
Managed vulnerability services
Many organizations have elected to outsource the challenging task of vulnerability management; if not in total, certainly in parts. Outsourcing a vulnerability management program can help you to reduce head count, administrative overhead, and equipment and personnel expenses. However, before you get too excited about the advantages of outsourcing vulnerability management, you need to keep in mind that an effective outsourced solution is going to be based in part on how well you've defined your requirements.
Tired and weary veterans of outsourcing know that clear and concise service- level agreements (SLAs), which have been drafted in conjunction with legal counsel, represent the foundation of all outsourcing relationships and aid in remedying issues that arise during the term of a contract.
When leveraging a third party to support all or part of your vulnerability management program you should consider the following:
Vulnerability management tools
1: Evaluating vulnerability management tools
2: Commercial and open source network tools
3: Summary/Fast track
Dig deeper on Introductory Security Services