Commercial vulnerability management tools
The vulnerability management space is changing frequently due to mergers, acquisitions, and new partnerships. In the remainder of this section, we will discuss some of the vendors that offer solutions in this space.
eEye Digital Security (www.eEye.com)
eEye Digital Security is a leader in vulnerability research. It also develops a suite a tools that can assist you in vulnerability management. The suite consists of the Retina Network Security Scanner (a vulnerability assessment tool), Blink Professional (a host-based security technology), and the REM Security Management Console. The management console provides the centralized management interface for the company's other products. It also handles vulnerability management workflow, asset classification, and threat-level reporting, and it can integrate with CA's UniCenter, IBM's Tivoli, and HP's OpenView.
BindView's Compliance Manager is a software-based solution which allows organizations to evaluate their assets against corporate standards or industry best practices, without the need for agents in most cases. Assets are evaluated against standards and practices based on a pass/fail notion; either an asset is compliant or it's not. Data is then aggregated and assembled to produce reports that the remediation team can leverage to support their efforts, or the internal audit group can use for compliance issues. You also can use the reports generated to support other initiatives.
As mentioned, you can evaluate assets against internal standards or to industry best practices. The industry standards included are CIS Level 1 and Level 2 Benchmarks for Windows, Red Hat Linux, BindView's Security Essentials for Sun Solaris, and NetWare. In addition to these standards, the Compliance Manager also provides Report Views for the following regulations and frameworks: ISO 17799, Sarbanes-Oxley based on COBIT, FISMA based on NIST SP 800-53, HIPAA, Basel II, and GLBA.
The Compliance Manager does not include its own workflow capability, but it does provide an interface that allows users to open incidents in Remedy and HP Service Desk. In addition, leveraging its bvControl technology, BindView is capable of delivering patch and configuration management to Windows hosts.
NetIQ's Compliance suite, a combination of NetIQ's Security Manager and Vulnerability Manager tools, brings together vulnerability scanning, patch management, configuration remediation, and reporting. The NetIQ Vulnerability Manager enables users to define and maintain configuration policy templates, vulnerability bulletins, and automated checks via AutoSync technology. It also has the capability to evaluate systems against those policies. Predefined templates are available for Sarbanes-Oxley, HIPAA, and ISO/IEC 27000.These allow you to report and score your information systems against these standards.
The Compliance suite also supports a classification system that allows you to adjust risk scores based upon the asset's classification.The NetIQ suite also looks for common signs of system compromise, such as modified Registry keys and known malicious files, and it has an OEM relationship with Shavlik to provide integrated patch management.
StillSecure is the manufacturer of VAM, an integrated suite of security products that perform vulnerability management, endpoint compliance monitoring, and intrusion prevention and detection. It also includes a built-in workflow solution (Extensible Vulnerability Repair Workflow) which automatically performs assignment of repairs, scheduling, life cycle tracking, and repair verification, all while maintaining detailed device histories. VAM interoperates with other third-party scanners too, taking input from Nessus, the ISS Internet Scanner, Harris STAT, and others. Enterprises may want to be wary regarding VAM, because its reporting module is not as well refined as the other vendors' and it relies on third-party information and integration for asset management, patch management, and vulnerability resolution.
McAfee's Foundstone Enterprise is an agentless solution that offers asset discovery, inventory, and vulnerability prioritization with threat intelligence, correlation, remediation tracking, and reporting. It integrates with McAfee's IntruSheild network-based intrusion prevention system (IPS), McAfee's Preventsys Compliance Auditor, and other vulnerability and trouble-ticket management systems. One of its more appealing features is its SSH credentialed scans for Red Hat Enterprise, Solaris, AIX, Microsoft Windows, and to the surprise of many, Cisco IOS!
Compliance templates for Sarbanes-Oxley, FISMA, HIPAA, BS7799/ISO17799, and the Payment Card Industry (PCI) standard are included, expediting the preparation of audits. Foundstone Enterprise can also auto-assign tickets, streamlining and simplifying the remediation process.
Open source and free vulnerability management tools
The open source community has created some great security tools over the years. However, none of them represents a complete vulnerability management solution. In some cases, though, the open source tools integrate well together, forming a formable foe to the commercial offerings.
In the following sections, we cover open source tools that you can use to support your vulnerability management program.
Asset management, workflow and knowledgebase
One tool we recommend in this space is Information Resource Manager (IRM), available at http://irm.stackworks.net. IRM is a powerful Web-based asset tracking and trouble-ticket system built for information technology (IT) departments and help desks. All elements are interwoven into a seamless Web application, with a MySQL engine at the back end doing the heavy lifting.
For host discovery, Nmap (www.insecure.org) is a free, open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw Internet Protocol (IP) packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and versions) they are running, what type of packet filters/firewalls are in use, along with dozens of other characteristics. Nmap runs on most types of computers and both command-line and graphical versions are available.
Vulnerability scanning and configuration scanning
Nessus, from Tenable Network Security (www.tennable.com), is a tool for vulnerability scanning and configuration scanning.The Nessus Project was started by Renaud Deraison in 1998 to provide the Internet community with a free, powerful, up-to-date, and easy-to-use remote security scanner. Nessus is the best free network vulnerability scanner available, and the best to run on UNIX at any price. It is constantly updated (more than 11,000 plug-ins are available for as a free feed), but registration and EULA acceptance are required. Key features include remote and local (authenticated) security checks, client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plug-ins or understanding the existing ones.
Nessus 3 is now closed source, but it is still free unless you want the very newest plug-ins. If you decide to rely on only Nessus for vulnerability scanning, consider also choosing a product that can manage and schedule scans, such as Tenable Security's Security Center product (www.tenablesecurity.com).
Configuration and patch scanning
Microsoft's Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small and medium-size businesses determine their security state in accordance with Microsoft security recommendations, as well as offers specific remediation guidance. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU),Windows Server Update Services (WSUS), Systems Management Server (SMS), and Microsoft Operations Manager (MOM). MBSA on average scans more than 3 million computers each week! For more information, visit www.microsoft.com.
Advchk (Advisory Check), available at http://advchk.unixgu.ru, reads security advisories so that you don't have to. Advchk gathers security advisories using RSS feeds, compares them to a list of known services, and alerts you if you are vulnerable. Because adding hosts and services by hand would be a boring task, Advchk leverages NMAP for automatic service and version discovery.
Also available in this space is SIGVI (http://sigvi.sourceforge.net).This product is a recent release but could be a promising solution if maintained and developed further. SIGVI downloads vulnerabilities from defined sources, stores them to a database, and then compares them to the products currently installed on the assets (as previously defined in the main application).
The application is flexible in the way that it lets you define your own sources. By default, the application supports the NVD (National Vulnerability Database at http://nvd.nist.gov) format. Periodically, the application will contact the sources, download the vulnerabilities, and store them into the SIGVI database.Those vulnerabilities are then available through the pages of the SIGVI main window.
Security information management
Ossim (www.ossim.org) stands for Open Source Security Information Management. Innately a SIM, OSSIM does incorporate several aspects of vulnerability management and over time should become a more comprehensive and complete vulnerability management tool. OSSIM's goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator a detailed view of the network and devices.
Besides getting the best out of open source tools, some of which are described in the following list, OSSIM provides a strong correlation engine, detailed reporting, and incident management tools. Here is a list of open source tools that integrate with OSSIM:
- Arpwatch. Used for Media Access Control (MAC) address anomaly detection.
- P0f. Used for passive operating system detection and operating system change analysis.
- Pads. Used for service anomaly detection.
- Nessus. Used for vulnerability assessment and cross-correlation (IDS versus Security Scanner).
- Snort. An IDS, used for cross-correlation with Nessus.
- Spade. A statistical packet anomaly detection engine, used to gain knowledge about attacks without a signature.
- Tcptrack. Used to gather session data information that can provide useful information for attack correlation.
- Ntop. A network usage tool that builds an impressive network database from which you can derive aberrant and anomalous behavior.
- Nagios. Monitors host and service availability information.
- Osiris. A great host-based intrusion detection system (HIDS).
Managed vulnerability services
Many organizations have elected to outsource the challenging task of vulnerability management; if not in total, certainly in parts. Outsourcing a vulnerability management program can help you to reduce head count, administrative overhead, and equipment and personnel expenses. However, before you get too excited about the advantages of outsourcing vulnerability management, you need to keep in mind that an effective outsourced solution is going to be based in part on how well you've defined your requirements.
Tired and weary veterans of outsourcing know that clear and concise service- level agreements (SLAs), which have been drafted in conjunction with legal counsel, represent the foundation of all outsourcing relationships and aid in remedying issues that arise during the term of a contract.
When leveraging a third party to support all or part of your vulnerability management program you should consider the following:
- Escalation procedures. Ensure that escalation procedures exist and communication processes are defined. Also ensure that ownership is well documented and agreed upon in writing by both parties.
- Data access. Ensure that you have access to the data that the outsourcer is collecting. Many times an outsourcer will collect data from your assets, but won't provide you with access to the data.You could use this data to better ascertain risk within your environment, and it could help you to make appropriate risk-based decisions. If the outsourcer doesn't allow you access to your data, you should think twice before signing the contract. Also, it is important that you understand how the outsourcer shares your data within its own organization. Is your data privy to everyone who works for the outsourcer?
- The toolset. Before selecting a vendor, you should confirm which products the vendor uses, and why.There may be a conflict between the vendor's tools and yours, or the vendor may simply be using inferior technology to support your operations.
- Metrics. How will the provider be evaluated/measured? It is important that you ensure that these metrics are clearly defined. Depending on the level of service the outsourcer is providing, the metrics used to evaluate the outsourcer may be different; for example, if the provider is providing path management, how long does the provider have before it must patch all of the assets it manages? You should define, understand, and clearly agree upon these metrics up front.
Vulnerability management tools
1: Evaluating vulnerability management tools
2: Commercial and open source network tools
3: Summary/Fast track