{"id":130232,"date":"2009-12-09T15:27:00","date_gmt":"2009-12-09T19:27:00","guid":{"rendered":"tag:blogger.com,1999:blog-7196788127833928948.post-7380701419575226513"},"modified":"2009-12-09T15:27:00","modified_gmt":"2009-12-09T19:27:00","slug":"vulnerability-management-from-the-cloud-overview-of-the-services","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/130232","title":{"rendered":"Vulnerability Management from the Cloud &#8211; Overview of the services"},"content":{"rendered":"<p>Vulnerability and compliance management offered as Software as a Service (SaaS) is springing up like mushrooms. The SaaS model has enabled companies that focus on vulnerability management to extend their reach and offer their services to more and more potential clients.<br \/>Most companies in this market describe their SaaS service as<span style=\"font-weight: bold; font-style: italic;\"> &#8220;on-demand solutions for security risk and compliance management&#8221;.<\/span><\/p>\n<p><a href=\"http:\/\/2.bp.blogspot.com\/_Hu1rpxRsqcU\/SyK1DPQFnkI\/AAAAAAAAAcM\/xVKkKD179Fw\/s1600-h\/network-security-scanning.jpg\"><img decoding=\"async\" style=\"margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 212px; height: 320px;\" src=\"http:\/\/2.bp.blogspot.com\/_Hu1rpxRsqcU\/SyK1DPQFnkI\/AAAAAAAAAcM\/xVKkKD179Fw\/s320\/network-security-scanning.jpg\" alt=\"\" id=\"BLOGGER_PHOTO_ID_5414088769291001410\" border=\"0\" \/><\/a><br \/><span style=\"font-weight: bold;\">The players<\/span><br \/>Here is a list of vendors that you should look at, in no particular order:<\/p>\n<ul>\n<li><a href=\"http:\/\/www.randomstorm.com\/\">Random Storm<\/a><\/li>\n<li><a href=\"http:\/\/www.outpost24.com\/\">OutPost24<\/a><\/li>\n<li><a href=\"http:\/\/www.mcafee.com\/us\/enterprise\/products\/hosted_security\/vulnerability_management_service.html\">McAfee<\/a><\/li>\n<li><a href=\"http:\/\/www.tippingpoint.com\/\">Tipping Point<\/a><\/li>\n<li><a href=\"http:\/\/www.qualys.com\/\">Qualys<\/a><\/li>\n<\/ul>\n<p>Bear in mind that this list does not include all relevant vendors, so you may want to extend your search. But it is a representative sample that will help you review what the competing offerings look like.<\/p>\n<p><span style=\"font-weight: bold;\">The offering<\/span><br \/>The services are usually delivered as dedicated black-box appliances placed inside your infrastructure. They perform the scanning or the IDS\/IPS function locally, but the results are sent to the &#8216;cloud&#8217;, where the reports are generated. Most companies offer the usual set of services:<\/p>\n<ul>\n<li><span style=\"font-weight: bold;\">Vulnerability Scanning<\/span> &#8211; the basic offering, with more or less success, but definitely comparable to your local vulnerability scanner.<\/li>\n<li><span style=\"font-weight: bold;\">PCI DSS Scanning<\/span> &#8211; the Payment Card Industry Data Security Standard (PCI DSS) was the important differentiator of SaaS vulnerability scanning. PCI DSS requires quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV) certified by the PCI Security Standards Council, so the SaaS vulnerability management companies got themselves certified and created PCI DSS scan profiles. For everyday purposes your local vulnerability scanner has equivalent PCI DSS scan policies and covers the internal quarterly scans; the external quarterly scan, however, has to be commissioned from an ASV four times a year for the PCI DSS audit.<\/li>\n<li><span style=\"font-weight: bold;\">Managed Intrusion Detection\/Prevention<\/span> &#8211; much like the vulnerability scanning, this is more or less what your local IDS\/IPS does, only the alerts go out to the cloud, where they are analyzed and correlated.<\/li>\n<li><span style=\"font-weight: bold;\">Reporting and Fix Tracking<\/span> &#8211; this element may be one of the real differentiators, but local vulnerability scanners are catching up. 
In a SaaS solution all results are kept as reports, so you can easily create comparative baseline reports (which findings are new, which are fixed and which persist between two scans), or even assign the fixing of particular vulnerabilities to named persons. The system will automatically send reminder e-mails to those persons and re-scan after the configured deadline for the fix.<\/li>\n<\/ul>\n<p><span style=\"font-weight: bold;\">Vulnerability Management &#8211; Local or Managed?<\/span><br \/>In conclusion, both the local and the managed solutions are doing quite well at the moment, and function-wise they are comparable. So which one should you go for?<\/p>\n<ul>\n<li><span style=\"font-weight: bold;\">The local solution <\/span>can easily be reconfigured and pointed at different targets. It is very flexible and, because it is usually installed on a laptop, very portable. It is an excellent choice for anyone who needs to perform scans from different positions in the corporate network: IT security teams, penetration testers, external auditors and consultants.<\/li>\n<li><span style=\"font-weight: bold;\">The managed (SaaS) solution <\/span>is stationary, fixed and quite cumbersome to move around. It usually lives in the data center as a black-box probe, or at the managed service provider as an external scanner. It can be configured with the required targets, scheduled to run at regular intervals and used for regular controls. It is a good choice for internal auditors, security officers and compliance officers: there is no maintenance, it is all handled by the managed service provider. Bear in mind that the scan results leave your network, so check how the provider protects them and who can see them.<\/li>\n<li><span style=\"font-weight: bold;\">Calculate the optimal price\/performance <\/span>&#8211; the SaaS versions are usually sold as a yearly subscription charged per number of IP addresses to scan. This price may be quite significant, and you are tied to the block of IP addresses you licensed. On the other hand, the local scanners require hardware to run on, and you still pay a subscription for the vulnerability updates. 
So you need to calculate your optimal cost based on your requirements and expectations.<\/li>\n<\/ul>\n<p>Talkback and comments are most welcome.<\/p>\n<p>Related posts<br \/><a href=\"http:\/\/www.shortinfosec.net\/2009\/10\/vulnerability-scanning-tools-evaluation.html\">Nessus vs Retina &#8211; Vulnerability Scanning Tools Evaluation<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2009\/12\/nexpose-community-edition-first-look.html\">NeXpose Community Edition &#8211; Our First Look<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/07\/tutorial-using-ratproxy-for-analysis.html\">Tutorial &#8211; Using Ratproxy for Web Site Vulnerability Analysis<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability and compliance management offered as Software as a Service (SaaS) is springing up like mushrooms. 
The SaaS model has enabled companies that focus on vulnerability management to extend their reach and offer their services to more and more potential clients. Most companies in this market describe their SaaS service as &#8220;on-demand solutions for security risk and compliance [&hellip;]<\/p>\n","protected":false},"author":5679,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-130232","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/130232","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/5679"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=130232"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/130232\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=130232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=130232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=130232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
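The comparative baseline report and the fix tracking described under "Reporting and Fix Tracking" above, as an added Python example that is not code from the original post or from any of the vendors it lists. The one-finding-per-line export format, the check IDs, the hosts and the assignment table are all constructed for illustration; a real scanner export would be mapped onto the same (host, port, check) key.

```python
"""Comparative baseline report and fix tracking for vulnerability scan results.

Added example, not code from the original post or from any vendor named in it.
The scan records below are constructed sample data in a hypothetical minimal
export format: one finding per line, 'host,port,check_id,severity,title'.
"""
import csv
from datetime import date
from io import StringIO

# Constructed sample exports: the baseline scan and the re-scan run after the fix deadline.
BASELINE_CSV = """\
host,port,check_id,severity,title
10.0.0.5,22,CHK-1001,medium,SSH weak MAC algorithms enabled
10.0.0.5,443,CHK-2040,high,TLS 1.0 enabled
10.0.0.7,80,CHK-3120,high,Outdated web server version
10.0.0.9,3389,CHK-4410,critical,RDP without NLA
"""

CURRENT_CSV = """\
host,port,check_id,severity,title
10.0.0.5,22,CHK-1001,medium,SSH weak MAC algorithms enabled
10.0.0.7,80,CHK-3120,high,Outdated web server version
10.0.0.7,8080,CHK-3121,medium,Directory listing enabled
10.0.0.9,3389,CHK-4410,critical,RDP without NLA
"""

# Hypothetical fix assignments, as a SaaS portal would store them:
# finding key -> (owner to remind, deadline for the fix).
ASSIGNMENTS = {
    ("10.0.0.5", 443, "CHK-2040"): ("alice@example.com", date(2009, 12, 1)),
    ("10.0.0.7", 80, "CHK-3120"): ("bob@example.com", date(2009, 12, 1)),
    ("10.0.0.9", 3389, "CHK-4410"): ("carol@example.com", date(2009, 12, 31)),
}


def parse_scan(text):
    """Parse an export into {(host, port, check_id): finding-dict}.

    Keying on host + port + check makes the same check on two ports two findings,
    so a fix on one port does not hide the other.
    """
    findings = {}
    for row in csv.DictReader(StringIO(text)):
        key = (row["host"], int(row["port"]), row["check_id"])
        findings[key] = {"severity": row["severity"], "title": row["title"]}
    return findings


def diff_scans(baseline, current):
    """Comparative baseline report: which findings are new, fixed, or still open."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "new": sorted(cur_keys - base_keys),
        "fixed": sorted(base_keys - cur_keys),
        "open": sorted(base_keys & cur_keys),
    }


def overdue_fixes(assignments, current, today):
    """Findings whose deadline has passed but which the re-scan still reports.

    Returns sorted (owner, key) pairs: these are the reminder e-mails to send.
    A finding fixed before its deadline (absent from `current`) is not listed,
    and a finding whose deadline is still in the future is left alone.
    """
    reminders = []
    for key, (owner, deadline) in assignments.items():
        if key in current and today > deadline:
            reminders.append((owner, key))
    return sorted(reminders)


def report(today_iso):
    """Run the whole workflow on the sample data for the given re-scan date (ISO 8601)."""
    today = date.fromisoformat(today_iso)
    baseline = parse_scan(BASELINE_CSV)
    current = parse_scan(CURRENT_CSV)
    result = diff_scans(baseline, current)
    result["reminders"] = overdue_fixes(ASSIGNMENTS, current, today)
    return result


if __name__ == "__main__":
    r = report("2009-12-09")
    for section in ("new", "fixed", "open"):
        print(f"{section}: {r[section]}")
    for owner, key in r["reminders"]:
        print(f"reminder to {owner}: {key} still open after the deadline")
```

Run with the re-scan date of 9 December 2009 the report shows one new finding (the directory listing on 10.0.0.7:8080), one fixed finding (TLS 1.0 on 10.0.0.5:443) and three still open; only bob gets a reminder, because his deadline has passed and his finding is still reported, while carol's deadline is still in the future. The same diff over two exports from a local scanner gives you the "comparative baseline report" the post attributes to the SaaS portals.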