<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: vam]]></title>
    <link>http://securityratty.com/tag/vam</link>
    <description></description>
    <pubDate>Tue, 18 Mar 2008 21:48:50 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[Are current vulnerability and compliance testing tools like answering the phone at 3am?]]></title>
      <link>http://securityratty.com/article/6654f6456677a336f8a4941afb4009d8</link>
      <guid>http://securityratty.com/article/6654f6456677a336f8a4941afb4009d8</guid>
      <description><![CDATA[I was at a meeting for a potentially large customer engagement for vulnerability assessment and compliance testing last week. The requirements for this customer were not unusual. They wanted to test...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>I was at a meeting for a potentially large customer engagement for vulnerability assessment and compliance testing last week.&nbsp; The requirements for this customer were not unusual. They wanted to test for conventional CVE-type vulnerabilities. Additionally, they also wanted to test for configuration compliance: hotfixes, patch level, AV, etc.&nbsp; This direction is where a lot of the traditional vulnerability management solutions have been heading.&nbsp; Whether adding a separate compliance module or audit and local check capability, most of the traditional vulnerability scanning solutions offer some coverage in this area.&nbsp; However, in speaking to this potential customer and in thinking about their needs, an inherent problem with this solution is that it is only as good as the devices that are available on the network when the scan takes place.</p> <p>In traditional vulnerability scanning, <u>when</u> the scan takes place was not as much of an issue; usually you are scanning servers and other devices that are on the network 24/7. In fact, doing the scans during off hours was usually preferred. Too many of the network-based vulnerability scanners took up too much bandwidth and other resources to accomplish during the prime time hours of the day. 
In compliance scanning though, you need the status of laptops, desktops and other devices that may not be connected to the network 24/7.&nbsp; Therefore it is important to reach and test these devices when they are on the network.&nbsp; That is the rub.&nbsp; How do you really make sure the devices connecting to your network are compliant if you are only testing them at a point in time and that usually at an off hour?</p> <p>This problem reminded me of the Clinton-Obama flap over who answers the phone at the White House at 3am.&nbsp; That is an important question for who is president, but for compliance answering the phone when someone is there to talk to is more important.&nbsp; I think this is where NAC provides an advantage.&nbsp; By utilizing NAC to detect devices coming on the network and then using a low-impact compliance test as well as traditional vulnerability scanning, you get a picture of vulnerability posture and compliance status as of the last time they accessed the network. You can still do follow-on tests at any time you desire, but at least when a device is logging on you are sure of a test.</p> <p>Will NAC supplement vulnerability testing in this manner? I think so.&nbsp; Many customers we have spoken to about this like the idea of "scan on connect" and we have already enabled our own NAC product Safe Access and vulnerability management platform VAM to do this.&nbsp; What do you think?</p></div>

]]></content:encoded>
      <pubDate>Mon, 19 May 2008 19:16:18 +0000</pubDate>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <category domain="http://securityratty.com/tag/configuration compliance">configuration compliance</category>
      <category domain="http://securityratty.com/tag/compliance status">compliance status</category>
      <category domain="http://securityratty.com/tag/status">status</category>
      <category domain="http://securityratty.com/tag/prime time hours">prime time hours</category>
      <category domain="http://securityratty.com/tag/time">time</category>
      <category domain="http://securityratty.com/tag/network">network</category>
      <category domain="http://securityratty.com/tag/detect devices">detect devices</category>
      <category domain="http://securityratty.com/tag/devices">devices</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/293979749/are-current-vul.html">Are current vulnerability and compliance testing tools like answering the phone at 3am?</source>
    </item>
    <item>
      <title><![CDATA[Matt Asay again shows that he doesn't know much about open source security]]></title>
      <link>http://securityratty.com/article/182375cfc9883805e5743d468a40bff0</link>
      <guid>http://securityratty.com/article/182375cfc9883805e5743d468a40bff0</guid>
      <description><![CDATA[I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly from the comments Matt leaves back, I think he views me as a pain in his butt and why if I don't...]]></description>
      <content:encoded><![CDATA[<p>I often comment or blog disagreeing with Matt Asay and his views on open source and security. Frankly from the comments Matt leaves back, I think he views me as a pain in his butt and wonders why, if I don't agree with him, I read his blog. I read Matt's blog because I often do agree with him, but I also read it because I think it important that just because you don't agree with someone's views, doesn't mean they have nothing to say. However, I also feel that I have the right to call BS when I see it. Matt's <a href="http://www.cnet.com/8301-13505_1-9944793-16.html?part=rss&amp;tag=feed&amp;subj=TheOpenRoad">article yesterday on Tenable's new licensing</a> is one of those times. Matt you don't know what you are talking about on this one. If you are not going to take the time to dig in then just stay out. <br><br>First a little background. Tenable announced the other day <a href="http://www.nessus.org/news/data/pr95.pdf">a change in their licensing</a> of their NASL feed. For those who don't know, Tenable is the owner of the formerly open sourced Nessus vulnerability scanner. They also develop and publish a feed of NASL scripts which run in Nessus, which are likewise no longer and some say never were open sourced. I know Ron Gula pretty well and understand perfectly why Nessus has not been under a GPL license for a few years now. I also understand the economics and reasons why they would charge for their NASL feed. I think it is good business and more power to Ron, Jack, Renaud and the rest of the Tenable gang. The change in their license is that now commercial customers will have to pay for the NASL feed, whereas before only people who resold the feed or otherwise profited from it would have to pay for the "registered feed". Now schools and charities can still get the feed for free, but others have to pay. 
Again, I don't have the slightest problem with this and wish them well.<br><br>Matt sticks his two cents here and at the same time sticks his foot in his mouth. For some reason Matt has not realized that Nessus has not been open sourced since the release of the 3.x version some time ago. It is not like this is a secret, Tenable is very "open" about it and there has been much written about it. Because they are still open in Matt's eyes, they can do little wrong. Matt this is just plain negligence on your part, go beyond the press release before writing! Matt talks about and links to <a href="http://blog.milkingthegnu.org/2008/03/from-close-to-o.html">Pierre Teilhard de Chardin's blog article</a> about Tenable closing the source to Nessus and still doesn't take notice that it is no longer open source. Matt did you read the article you linked to?<br><br>Matt then goes on to try and claim that it is OK for Tenable to charge for the NASL scripts because "the code is free, but the information that flows through it (Up-to-date vulnerability information, for example) is not". Matt, NASL scripts are scripts. I would think the word scripts in the name would be a dead giveaway. Don't you think that implies some code? <br><br>Yes, you can "drill your own wells" as Matt says and write your own NASL scripts. We do it at StillSecure for our own VAM vulnerability product. But we also use our own customized version of Nessus based off of the old 2.x open source code. <br><br>The fact is there is nothing open sourced about the current version of Nessus and NASL scripts and Ron and company don't make any bones about it. Matt your readers expect more from you. Do a little homework before you spout off!</p>
]]></content:encoded>
      <pubDate>Thu, 15 May 2008 18:43:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/matt">matt</category>
      <category domain="http://securityratty.com/tag/matt asay">matt asay</category>
      <category domain="http://securityratty.com/tag/matt sticks">matt sticks</category>
      <category domain="http://securityratty.com/tag/matt talks">matt talks</category>
      <category domain="http://securityratty.com/tag/comments matt leaves">comments matt leaves</category>
      <category domain="http://securityratty.com/tag/source">source</category>
      <category domain="http://securityratty.com/tag/reason matt">reason matt</category>
      <category domain="http://securityratty.com/tag/scripts">scripts</category>
      <category domain="http://securityratty.com/tag/word scripts">word scripts</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/291382440/matt-asay-again.html">Matt Asay again shows that he doesn't know much about open source security</source>
    </item>
    <item>
      <title><![CDATA[What's new in vulnerability management?]]></title>
      <link>http://securityratty.com/article/c6608547b09e0cfbcec61b74ceefeff7</link>
      <guid>http://securityratty.com/article/c6608547b09e0cfbcec61b74ceefeff7</guid>
      <description><![CDATA[For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the &quot;mature&quot; label which seems to indicate there is no new innovation happening. Recently...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the &quot;mature&quot; label which seems to indicate there is no new innovation happening.&nbsp; Recently though we have seen some new announcements in this area.&nbsp; Also, Gartner should have a new marketscope due out soon.&nbsp; Here is a recap of some recent developments:</p>

<p>1. <strong>Qualys</strong> - I had a chance to speak with Philippe and his son at RSA. After riding high on the PCI wave and pioneering the SaaS in security movement, Qualys is now clearly moving into the compliance arena. This <a href="http://www.qualys.com/company/newsroom/newsreleases/usa/?view=20080407" target="_blank">release</a> details what Qualys is doing but clearly they see compliance and risk management as a new driver for the business.</p>

<p>2. <strong>McAfee</strong> - Say goodbye to Foundstone. Years after buying the company McAfee is finally getting rid of the Foundstone name for the vulnerability product and renaming it Vulnerability Manager 6.5 (I think I like the Foundstone name better), as part of the <a href="http://www.eweek.com/c/a/Security/McAfee-Governance-Risk-and-Compliance-Business-Unit/" target="_blank">new business unit</a> they have started around GRC. Foundstone founder George Kurtz is heading that unit up. They indicate they will supplement the old Foundstone scanner with abilities to scan applications, web sites and data and databases.</p>

<p>3. <strong>nCircle</strong> - I spoke with Andrew Storms and Elizabeth Ireland at RSA. nCircle has been touting their compliance and risk management capabilities for a while now.&nbsp; They also are showing off web application scanning as well. Though they don't get the press that Qualys does, they appear to be holding their own.&nbsp; The question in my mind is how do they break out to the next level (see my post on <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/04/shimmys-theory.html" target="_blank">shimmy's theory of relativity</a>).</p>

<p>4. <strong>eEye</strong> - After many of us including me raised doubts about their viability, eEye has announced the addition of web application scanning to their Retina product. I understand this is an OEM of another company's product and does not represent a lot of investment on eEye's part.&nbsp; I think at the end of the day they are trying to be an endpoint company but can't afford to jettison the scanner business.&nbsp; Their long term viability according to my relativity theory is still in doubt if you ask me.</p>

<p>5. <strong>ISS/IBM</strong> - I hear nothing on this one, do you?&nbsp; You have to question what is the game plan from Big Blue on this.&nbsp; Do they buy an update or put the money into actually taking this dinosaur out of the Jurassic?&nbsp; I guess we will have to see.</p>

<p>So I am sure some of you ask, OK Shimmy enough about the competition what is StillSecure doing with its VAM product?&nbsp; Well the purpose of this blog post was to set the stage for that. I will post an update on some of the cool stuff we have planned with VAM shortly. </p></div>
]]></content:encoded>
      <pubDate>Sun, 13 Apr 2008 18:58:13 +0000</pubDate>
      <category domain="http://securityratty.com/tag/unit">unit</category>
      <category domain="http://securityratty.com/tag/business unit">business unit</category>
      <category domain="http://securityratty.com/tag/business">business</category>
      <category domain="http://securityratty.com/tag/risk management capabilities">risk management capabilities</category>
      <category domain="http://securityratty.com/tag/foundstone">foundstone</category>
      <category domain="http://securityratty.com/tag/risk management">risk management</category>
      <category domain="http://securityratty.com/tag/foundstone scanner">foundstone scanner</category>
      <category domain="http://securityratty.com/tag/blog post">blog post</category>
      <category domain="http://securityratty.com/tag/compliance">compliance</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/04/whats-new-in-vu.html">What's new in vulnerability management?</source>
    </item>
    <item>
      <title><![CDATA[NAC is a battlefield - Only the strong survive]]></title>
      <link>http://securityratty.com/article/c960dc03b52138212a94130ce5290bca</link>
      <guid>http://securityratty.com/article/c960dc03b52138212a94130ce5290bca</guid>
      <description><![CDATA[First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks appears to be exiting the NAC market . Of course the obvious reaction as a competitor is to say good riddance, one less...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks <a href="http://lockdownnetworks.com/lockdown_networks.php" target="_blank">appears to be exiting the NAC market</a>.&nbsp; Of course the obvious reaction as a competitor is to say good riddance, one less competitor to deal with.&nbsp; But to turn a quote on its ear, I write today not to bury Lockdown Networks, but to praise them. More than the other two NAC companies that have exited the market, I was personally in the loop on Lockdown Networks. I first heard about them when a VC friend of ours asked us about them years ago.&nbsp; This was when we were still planning Safe Access and Lockdown's business plan was vulnerability management. They had not raised money yet and were still in stealth mode. We thought of them as competition for our VAM product, but wanted to see what they would come up with. I stayed abreast watching their progress from afar. Some time later, when I was looking to put together a group of companies to form a coalition to develop an independent NASL script library, knowing that they used Nessus, I reached out to them.</p>

<p>This is when I first met Rob Gilde.&nbsp; Subsequently I also met Brett and most of the rest of the team there. I like Rob, he ran their product team, was knowledgeable and a nice guy in a west coast laid back kind of way.&nbsp; In short time it became apparent to me that Lockdown was looking to move out of the VM business.&nbsp; Rob realized that just scanning and reporting was not going to make it.&nbsp; He had the notion of adding enforcement to his vulnerability scanning. If you failed a vulnerability scan, you should be denied access to the network.&nbsp; My initial reaction was vulnerability scans are done mostly on servers, but Rob wanted to do vulnerability scans on endpoints.&nbsp; That is when I told him about our own product which we were about to release. Rob and the team re-tooled and released their Enforcer product some time later.&nbsp; </p>

<p>I personally always thought that doing SANS TOP 20 scans on endpoints was not where it was at in NAC, but Lockdown raised money from Intel and a bunch of other folks and was making a big splash in the heady, gold rush days of NAC.&nbsp; We ran into them on deals from time to time, especially in many of our major partner/OEM deals.&nbsp; The good news for us is that just about all of the time, our product was picked over theirs.</p>

<p>Soon rumors were everywhere that Lockdown was on the block.&nbsp; Brett and team were looking to grab 20 or so major customers and quickly flip the company for a big win.&nbsp; Then we began hearing that they were looking for less and less money.&nbsp; Also, their PR began becoming more and more desperate.&nbsp; That is when I began calling them on it in my blogging.&nbsp; Evidently that got their attention.&nbsp; A few Interop shows ago, Rob called me over and said he and especially Brett were really upset I called them out.&nbsp; I apologized and said hey I call them as I see them.&nbsp; At RSA or another show after that Brett walked right by me and tried his best to diss me.&nbsp; People from NY don't get dissed that easy though.&nbsp; I just laughed it off, but it was the last time I spoke to anyone at Lockdown.&nbsp; </p>

<p>Recently we have begun to see a few customers that were choosing our Safe Access product to replace Lockdown's.&nbsp; I thought this was ominous for them, but hey good for us! I truly expected to hear any day of someone picking them up at a decent price. I didn't think it would just implode.&nbsp; In many ways a company shutting down is a death of a thousand dreams.&nbsp; The soaring aspirations of the founders, the individual sugar plum fantasies of the early hires, the VC's thinking this could be the big hit.&nbsp; Perhaps most sad of all, the customers who looked at the market and for whatever reasons decided that Lockdown offered them the best product for providing NAC and solving their problems.&nbsp; Those people made a bet that Lockdown would be there to solve the issues and provide a great solution.&nbsp; They as much as anyone lost that bet.&nbsp; </p>

<p>As they do on eBay, here is a second chance for Lockdown customers.&nbsp; We will have on our web site a special offer to upgrade you to Safe Access and leverage your investment in Lockdown.&nbsp; Lockdown's misfortune does not have to be yours.&nbsp; We are here to help and are here to stay.&nbsp; So to all of Lockdown's customers, I am sorry you are left in a hard place here, but there is help.</p>

<p>To Brett, Dan Clark and the rest of the Lockdown crew, most especially to Rob Gilde, I offer my sympathies that this did not turn out better for you.&nbsp; You all made a great effort and you made us try harder which resulted in our product being developed faster than it would have otherwise.&nbsp; For that I thank you and wish you all the best of luck in your future endeavors. This song is for you:</p>

<div class="wlWriterSmartContent" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:ac1ba53c-4651-4700-8523-c45cc557ec53" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div id="d5269806-6ca5-47f2-afdd-a496ae1b682a" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div><embed src="http://www.youtube.com/v/j9J9rTZJBmw&amp;hl=en" width="425" height="350" type="application/x-shockwave-flash" wmode="transparent"></embed></div></div></div></div>
]]></content:encoded>
      <pubDate>Tue, 18 Mar 2008 22:48:33 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lockdown networks appears">lockdown networks appears</category>
      <category domain="http://securityratty.com/tag/lockdown networks">lockdown networks</category>
      <category domain="http://securityratty.com/tag/bury lockdown networks">bury lockdown networks</category>
      <category domain="http://securityratty.com/tag/lockdown">lockdown</category>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/product team">product team</category>
      <category domain="http://securityratty.com/tag/product">product</category>
      <category domain="http://securityratty.com/tag/vam product">vam product</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <source url="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/03/nac-is-a-battle.html">NAC is a battlefield - Only the strong survive</source>
    </item>
    <item>
      <title><![CDATA[NAC is a battlefield - Only the strong survive]]></title>
      <link>http://securityratty.com/article/893663b3663f65421ed045d52b851cc5</link>
      <guid>http://securityratty.com/article/893663b3663f65421ed045d52b851cc5</guid>
      <description><![CDATA[First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks appears to be exiting the NAC market . Of course the obvious reaction as a competitor is to say good riddance, one less...]]></description>
      <content:encoded><![CDATA[
<div xmlns="http://www.w3.org/1999/xhtml"><p>First it was Caymas Systems, then it was Vernier Networks, now Lockdown Networks <a href="http://lockdownnetworks.com/lockdown_networks.php" target="_blank">appears to be exiting the NAC market</a>.&nbsp; Of course the obvious reaction as a competitor is to say good riddance, one less competitor to deal with.&nbsp; But to turn a quote on its ear, I write today not to bury Lockdown Networks, but to praise them. More than the other two NAC companies that have exited the market, I was personally in the loop on Lockdown Networks. I first heard about them when a VC friend of ours asked us about them years ago.&nbsp; This was when we were still planning Safe Access and Lockdown's business plan was vulnerability management. They had not raised money yet and were still in stealth mode. We thought of them as competition for our VAM product, but wanted to see what they would come up with. I stayed abreast watching their progress from afar. Some time later, when I was looking to put together a group of companies to form a coalition to develop an independent NASL script library, knowing that they used Nessus, I reached out to them.</p>

<p>This is when I first met Rob Gilde.&nbsp; Subsequently I also met Brett and most of the rest of the team there. I like Rob, he ran their product team, was knowledgeable and a nice guy in a west coast laid back kind of way.&nbsp; In short time it became apparent to me that Lockdown was looking to move out of the VM business.&nbsp; Rob realized that just scanning and reporting was not going to make it.&nbsp; He had the notion of adding enforcement to his vulnerability scanning. If you failed a vulnerability scan, you should be denied access to the network.&nbsp; My initial reaction was vulnerability scans are done mostly on servers, but Rob wanted to do vulnerability scans on endpoints.&nbsp; That is when I told him about our own product which we were about to release. Rob and the team re-tooled and released their Enforcer product some time later.&nbsp; </p>

<p>I personally always thought that doing SANS TOP 20 scans on endpoints was not where it was at in NAC, but Lockdown raised money from Intel and a bunch of other folks and was making a big splash in the heady, gold rush days of NAC.&nbsp; We ran into them on deals from time to time, especially in many of our major partner/OEM deals.&nbsp; The good news for us is that just about all of the time, our product was picked over theirs.</p>

<p>Soon rumors were everywhere that Lockdown was on the block.&nbsp; Brett and team were looking to grab 20 or so major customers and quickly flip the company for a big win.&nbsp; Then we began hearing that they were looking for less and less money.&nbsp; Also, their PR began becoming more and more desperate.&nbsp; That is when I began calling them on it in my blogging.&nbsp; Evidently that got their attention.&nbsp; A few Interop shows ago, Rob called me over and said he and especially Brett were really upset I called them out.&nbsp; I apologized and said hey I call them as I see them.&nbsp; At RSA or another show after that Brett walked right by me and tried his best to diss me.&nbsp; People from NY don't get dissed that easy though.&nbsp; I just laughed it off, but it was the last time I spoke to anyone at Lockdown.&nbsp; </p>

<p>Recently we have begun to see a few customers that were choosing our Safe Access product to replace Lockdown's.&nbsp; I thought this was ominous for them, but hey good for us! I truly expected to hear any day of someone picking them up at a decent price. I didn't think it would just implode.&nbsp; In many ways a company shutting down is a death of a thousand dreams.&nbsp; The soaring aspirations of the founders, the individual sugar plum fantasies of the early hires, the VC's thinking this could be the big hit.&nbsp; Perhaps most sad of all, the customers who looked at the market and for whatever reasons decided that Lockdown offered them the best product for providing NAC and solving their problems.&nbsp; Those people made a bet that Lockdown would be there to solve the issues and provide a great solution.&nbsp; They as much as anyone lost that bet.&nbsp; </p>

<p>As they do on Ebay, here is a second chance for Lockdown customers.&nbsp; We will have on our web site a special offer to upgrade you to Safe Access and leverage your investment in Lockdown.&nbsp; Lockdown's misfortune does not have to be yours.&nbsp; We are here to help and are here to stay.&nbsp; So to all of Lockdown's customers, I am sorry you are left in a hard place here, but there is help.</p>

<p>To Brett, Dan Clark and the rest of the Lockdown crew, most especially to Rob Gilde, I offer my sympathies that this did not turn out better for you.&nbsp; You all made a great effort and you made us try harder which resulted in our product being developed faster than it would have otherwise.&nbsp; For that I thank you and wish you all the best of luck in your future endeavors. This song is for you:</p>

<div class="wlWriterSmartContent" id="scid:5737277B-5D6D-4f48-ABFC-DD9C333F4C5D:ac1ba53c-4651-4700-8523-c45cc557ec53" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div id="d5269806-6ca5-47f2-afdd-a496ae1b682a" style="PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px"><div><embed src="http://www.youtube.com/v/j9J9rTZJBmw&amp;hl=en" width="425" height="350" type="application/x-shockwave-flash" wmode="transparent"></embed></div></div></div></div>

]]></content:encoded>
      <pubDate>Tue, 18 Mar 2008 21:48:50 +0000</pubDate>
      <category domain="http://securityratty.com/tag/lockdown networks appears">lockdown networks appears</category>
      <category domain="http://securityratty.com/tag/lockdown networks">lockdown networks</category>
      <category domain="http://securityratty.com/tag/bury lockdown networks">bury lockdown networks</category>
      <category domain="http://securityratty.com/tag/lockdown">lockdown</category>
      <category domain="http://securityratty.com/tag/team">team</category>
      <category domain="http://securityratty.com/tag/product team">product team</category>
      <category domain="http://securityratty.com/tag/product">product</category>
      <category domain="http://securityratty.com/tag/vam product">vam product</category>
      <category domain="http://securityratty.com/tag/customers">customers</category>
      <source url="http://feeds.feedburner.com/~r/StillsecureAfterAllTheseYears/~3/254086539/nac-is-a-battle.html">NAC is a battlefield - Only the strong survive</source>
    </item>
  </channel>
</rss>
