Review: McAfee Vulnerability Manager

Transcription

1 Review: McAfee Vulnerability Manager S3KUR3, Inc. Communicating Complex Concepts in Simple Terms Tony Bradley, CISSP, Microsoft MVP September 2010

2 Threats and vulnerabilities are a way of life for IT admins. With the continued rise of computer and network attacks, the threat is virtually constant. And, with complex software it is all but guaranteed that there will be vulnerabilities for the threats to exploit. McAfee Vulnerability Manager--especially when used within the McAfee epolicy Orchestrator security management platform--provides IT admins with a powerful and effective tool for identifying and remediating vulnerable systems, and managing risk to protect the network. McAfee Vulnerability Manager enables an organization to identify vulnerabilities and policy violations and prioritize them based on the risk they represent within its unique infrastructure. McAfee Vulnerability Manager also helps IT departments monitor and maintain compliance with regulatory and industry security requirements. Installation McAfee offers Vulnerability Manager as software you can install on your own physical or virtualized servers, or as a hardened appliance. Each has pros and cons, but you get the same underlying McAfee Vulnerability Manager either way. It s also available as SaaS or through several companies as a managed service. The hardware and operating system requirements for the software version of McAfee Vulnerability Manager are fairly minimal and shouldn't require any special investment in servers. All you need is a server with at least dual 2GHz Xeon processors, 2Gb of RAM, 80Gb of hard drive space, and Windows 2003 SP2 or higher. It also requires a Microsoft SQL Server database built on SQL Server 2005 SP2 or later. I worked with the McAfee Vulnerability Manager appliance, so McAfee Vulnerability Manager was essentially plug and play and I was ready to get down to business. Discovery One of the biggest problems with most efforts at vulnerability scanning is that few organizations have an accurate accounting of asset inventory. A vulnerability scan that doesn't include all assets could miss vulnerable systems and expose the network to unknown risk. McAfee Vulnerability Manager provides unique ability to run continuous scans to identify new systems on the network. It can detect systems using four protocols: TCP, UDP, ICMP and even ARP. Most vulnerability scanners will rely solely on a single ICMP echo request test result where as McAfee Vulnerability Scanner accurately identifies all the assets on the network with variety of discovery methods across four different protocols. McAfee Vulnerability Manager integrates with common asset management systems such as LDAP, and Microsoft Active Directory, as well as McAfee epolicy Orchestrator (epo). McAfee Vulnerability Manager

3 conducts network discovery to map every asset on the network and helps identify and inventory virtual computers, rogue devices, and other connected systems to maintain an accurate inventory. Most importantly it creates the soft assets like SAP applications or internal portals in the asset inventory which allows better tracking of the applications and asset/application lifecycle management. Scanning With my network assets inventoried, it was time to conduct a scan and see what McAfee Vulnerability Manager is capable of. McAfee Vulnerability Manager uses a combination of authenticated scans, agentless scans, and penetration testing to ensure that all assets are scanned--including networkconnected printers and smartphones. Over 22,000 vulnerability checks and capability to identify 450+ operating systems provides razor sharp accuracy and efficiency in scanning with the fewest false positives. Over 400 researchers and McAfee s Global Threat Intelligence cloud provide the latest vulnerability checks to protect against new or evolving threats. Credential scanning of the target system provides more granular comprehensive scanning. McAfee Vulnerability Manager allows the IT admin to provide credentials on a per-asset basis, or use centralized credentials for simplified authentication. McAfee Vulnerability Manager also lets IT admins segregate scans by IP range, organizational unit, system types, or other custom tags, providing flexibility for how invasive and how frequent scans should be conducted for a given asset or group of assets. McAfee Vulnerability Manager goes beyond simply scanning for open ports to comprehensively scan database banners, policy settings, file and folder permissions, running services, and registry keys. McAfee provides scanning for third-party products that comply with OVAL, SCAP, and other standards, and custom checks can be created to test proprietary applications. Attackers and malware developers have come to expect that port 80 will be open through the firewall, and that many targets have a publicly accessible Web application server. Because the Web server is typically less protected than other internal servers, it represents a potential Achilles heel. McAfee conducts deep Web application scanning--checking against vulnerabilities identified in the latest OWASP Top 10 and CWE/SANS Top 25 lists of pervasive weaknesses and program security concerns.

4 Assessing Risk Figure 1. System Details provide a quick overview of the current state of a given machine and the actions necessary to protect it. There are a variety of applications available capable of conducting a vulnerability scan. What sets McAfee Vulnerability Manager apart from competing solutions is the intelligence and intuition McAfee has built in to analyze the results of the scans and assess the overall risk. McAfee s Patented FoundScore employs a unique algorithm--based on asset criticality, resource type, identified vulnerabilities and their associated risk, and other variables--to assign a risk grade. Vulnerability Manager also supports the Common Vulnerability Scoring System (CVSS) and provides base, temporal and environmental scores for each vulnerability to help prioritize them. In addition, McAfee Vulnerability Manager takes other security controls into account in determining the actual exposure of a vulnerable asset to a given threat. With a more precise understanding of the exposure to risk based on the layers of defense in place for the unique network environment, IT admins can address issues more efficiently. The risk prioritization done by McAfee Vulnerability Manager, provides IT admins with an intuitive method for determining which assets are the most urgent to address. Upon further review, I discovered McAfee Risk Advisor utilizes this information from Vulnerability Manager and correlates it with known McAfee countermeasures already in place as well as real-time threat intelligence to give users a full risk profile of their environment. Remediating Weaknesses As new threats are identified, McAfee Vulnerability Manager quickly and easily identifies which assets are impacted without the need for any additional scanning. This is particularly helpful for times like Microsoft's monthly Patch Tuesday release of new updates, or Adobe's quarterly security updates which are scheduled to coincide with Patch Tuesday.

5 Based on information previously gathered by McAfee Vulnerability Manager, the software lets IT admins see which assets are affected, and which assets represent the most urgent priority for remediation, or which assets are most exposed to new vulnerabilities or emerging threats. Compliance The regulatory and industry compliance aspects stood out to me as valuable benefits of McAfee Vulnerability Manager. Many organizations fall under multiple compliance frameworks--perhaps compelled to meet the requirements of Sarbanes-Oxley (SOX), HIPAA, and PCI-DSS (PCI) simultaneously. State and local laws often overlap these regulatory requirements, and government and municipal agencies may also fall under information disclosure rules requiring certain systems and data to be protected. Compliance efforts are often treated as competing one-off projects which are implemented and maintained separately and inefficiently. Compliance audits represent only a snapshot in time, but passing is often the only goal and on-going monitoring is not conducted to ensure compliance between audits. Figure 2. McAfee Vulnerability Manager provides a variety of built-in compliance templates. McAfee Vulnerability Manager includes vulnerability scanning templates for all of the most common compliance frameworks, including SOX, HIPAA, PCI, FISMA, BASEL II, GLBA, and more. The scans and reports from McAfee Vulnerability Manager provide IT admins with critical information that can be used

6 to maintain compliance more effectively and efficiently--especially in organizations burdened by multiple compliance mandates. Filling the Holes One of the coolest reports I found was the ability to identify what could be fixed or avoided if the right tools were in place. With a few clicks, IT admins can generate a report spelling out the number of impacted systems, and/or the number of applicable threats that might be addressed if another solution were in place. Quantifiable, real-world data such as this is an invaluable tool for making the case to executives to allocate funds for additional security purchases or validate existing investments. Figure 3. McAfee Vulnerability Manager lets you see at a glance which measures or tools will provide better protection. Summary No other solution combines the flexibility, comprehensive scanning, and powerful remediation capabilities in a single package. For organizations that already rely on a McAfee epolicy Orchestrator infrastructure for managing security, McAfee Vulnerability Manager is virtually a no-brainer. For organizations that don't currently use McAfee security products, McAfee Vulnerability Manager makes a compelling case for switching. With or without epo--or any other additional McAfee security products, McAfee Vulnerability Manager is an exceptional platform for assessing and managing risk in any network environment. Starting around $12,000 for the appliance, McAfee Vulnerability Manager is a cost-effective solution that will simultaneously help IT operate more proactively and efficiently, and ensure a more secure network for organizations of all sizes.