When Big Blue recently announced the release of a solution that promises to help organizations identify key vulnerabilities in real-time and to reduce total cost of security operations, IS and IT teams likely took notice.
Armonk, New York-based IBM‘s QRadar Vulnerability Manager, an integrated solution, gives security officers a prioritized view across their entire network, helping them to quickly strengthen and fortify their defenses. By aggregating vulnerability information into a single view, security teams can see the results from multiple network, endpoint, database or application scanners—and quickly review and manage any issues.
Jay Bretzmann, IBM market segment manager for security intelligence, stressed that an integrated tool like QRadar Vulnerability Manager is needed in the marketplace.
“If you’re familiar with the National Vulnerability Database or IBM’s own X-Force Threat Intelligence Research, you know that there are some 70,000 reported vulnerabilities today,” he said. “There’s a rate of about 12 to 15 appearing every day.
“Vulnerability management is a task that’s never-ending and something that security teams just struggle with because even though they do the scanning that’s required, that scan may be a week old, may be a month old. It all depends upon how big the network is, how much resource they can put into it. Typically they’re dealing with lists of thousands of vulnerabilities. They’re doing their best to satisfy and remediate the high impact vulnerabilities. They kind of look at the medium and they completely ignore the low-impact vulnerabilities at this point. [It's] just not worth going after.”
InfoSec Institute recently talked with Bretzmann about QRadar Vulnerability Manager not only to get more details about the product, but also to understand why it’s something corporations should consider.
Other companies out there offer vulnerability management tools. What is it about IBM’s QRadar Vulnerability Manager that sets it apart from the pack?
Basically it’s enterprise network context. It’s because we have the security intelligence environment that we can draw…more data from than [can] just about any other vendor in the marketplace today. Not only do we do a scan—and we’ve got a proven, very scalable, PCI-certified scanning technology that’s as good as anybody’s out there in the market today—but it’s what we do with the scan results that really sets us apart. So instead of giving a team this incredibly long list of things to go work with, we have the ability to automatically flag certain very high impact situations as soon as we discover them….
Secondly, we can help you look at other elements of the intelligence environment, of the networking environment, such that you’ll know which vulnerabilities are hidden behind current firewalls. When Microsoft issues a vulnerability, there’s probably several Windows servers that have the vulnerability. Yet the outside world can’t reach them because they’re behind a firewall of a certain point of the network….
Thirdly, we know from our endpoint management solution, and actually anybody’s endpoint management solution for which we have an integration module, which vulnerabilities are scheduled to be patched in the next patching run. And typically companies are going to run these things on a weekly basis. So there’s [an] asset database inside of the security intelligence architecture and in that asset database is where we log the results of scans.
Since we have the ability to do the SIEM [Security Information and Event Management)] capability, we sense when activities happen on the network and we have the ability to sense network flows, which help us identify brand new assets. So if somebody goes and plugs a new asset into the network, be it a router or firewall, a new server, we will immediately sense that through the SIEM technology in our network and that will kick off an option to do an immediate scan. It doesn’t require you to do a whole network scan. You just scan the new asset….Therefore your scans are never out of date, which is a big leg up on a lot of these standalone tools which do once-a-week, once-a-month, once-a-quarter type scans.
IBM says that the solution gives a prioritized view of the entire network. Does this mean that companies could potentially do more with fewer employees?
Conceptually speaking, they could do more with fewer employees….What they’re probably going to do is…a better job of closing more holes, free up time and direct their resources to the biggest holes that sit in front of critical data for critical resources rather than something that’s protecting a website that displays show times or whatever. So it definitely helps streamline the job, direct the resources at the most important vulnerabilities there are. If it’s a smaller network and they have sufficient resources, they may have extra time to do other tasks like deploy new equipment.
Why has it taken this long for a company to come up with this sort of solution?
You need a complete security intelligence architecture to really do it the way we’ve done it. Vulnerability scanning is not new….Why we’re better is because we can pull all this additional data and help shorten that list and really focus people on those top areas. If you don’t have log source data, you’re not seeing new events that are happening on your network. If you can’t analyze network flows, you’re not seeing the traffic that exists. It’s one thing if there’s a vulnerability on a server; it’s another thing if the application has never been turned on and there’s absolutely no traffic being directed against that application. And that’s the sort of thing you get when you have a security intelligence architecture and our risk manager technology as well. So it’s multiple product modules working together to deliver the full richness of the capability.
Can companies integrate QRadar Vulnerability Manager with solutions that they already have or is it a standalone solution?
It was built both to work as a standalone solution and as an integrated component of the security intelligence architecture. As a standalone, it’s still got some benefits, it still is a great scanner, it still will help you sense activities on your network and give you early warning capabilities because we store the history of the scans. And when an alert comes in through a newsfeed or other source, security teams can immediately check if it’s something that exists within their network. We can also run as a virtual appliance within a VMware environment. These are a few of the reasons why we’re a viable standalone product, but it’s really not the central focus of our efforts. We’re trying to sell to our current customer install base and organizations that are at the limits of their current SIEM solutions because they totally get the value proposition. We also have great synergy with other IBM products such as Network Protection (XGS) and IBM Endpoint Manager, and we don’t only integrate with our own intrusion protection and endpoint products. We’ll work with almost any leading solution in the marketplace. Information coming from these products is updating that central asset database, a version of which is also included in the standalone solution. You probably also have two or three scanners running in your environment, and you’re not going to turn them off because they might be network scanners, they might be database scanners, they might be endpoint scanners. You want a number of scanning technologies. What we allow you to do is aggregate all of those different scanner sources to one single dashboard.
What size company is this product for and how much does it cost?
Any company that has critical resources exposed to the network is going to be doing some sort of vulnerability scanning—especially those adhering to payment card industry regulations. We do have an entry price point of about 256 IP addresses, and that’s going to run about $15,000. So that’s very affordable even for small businesses. We have a strong appeal to the mid-to-enterprise type customer environment.