MarketScope for Vulnerability Assessment

Transcription

1 MarketScope for Vulnerability Assessment 5 April 2011 Kelly M. Kavanagh, Mark Nicolett Gartner Research Note G Vulnerability assessment vendors compete on price, scan and asset management, configuration compliance, and integration with other security products. Buyers must consider how VA will fit with their overall security process when evaluating VA technologies. What You Need to Know This document was revised on 19 April For more information, see the Corrections page on gartner.com. Vulnerability scanning is a necessary part of a vulnerability management process, but must be augmented with other methods to be effective against advanced targeted threats. Service delivery options and integration with other security management products and processes should be key criteria when selecting a vulnerability assessment vendor. MarketScope Detecting vulnerabilities before they are exploited is a key part of a proactive security strategy, and is required by many compliance regimes as part of due diligence. However, most compliance regimes only require simple forms of vulnerability scanning, causing strong downward price pressure when compliance (versus proactive security) is the driving requirement. Deeper methods of vulnerability discovery, such as penetration testing and static/dynamic application security testing, are being deployed by Type A organizations at higher price points to take more proactive steps against targeted threats that go beyond simply exploiting missing patches or misconfigured operating systems. Vulnerability assessment (VA) includes the secure configuration of IT assets, regular assessment of vulnerabilities and compliance with security configuration policies, remediation of vulnerabilities or security configuration issues, and ongoing monitoring to detect malicious activity. VA's status as a best practice has been incorporated into a number of prescriptive compliance regimes, including the Payment Card Industry (PCI) Data Security Standard, and the U.S. Federal Information Security Management Vendors Added or Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor. Gartner MarketScope Defined Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs. In the below table, the various ratings are defined: MarketScope Rating Framework Strong Positive Is viewed as a provider of strategic products, services or solutions: Customers: Continue with planned investments.

2 Act (FISMA) and Federal Desktop Core Configuration (FDCC) requirements. These compliance requirements and others, as well as pressure from business partners, customers and auditors for enterprises to have a complete vulnerability management process, have been the primary drivers for VA projects in recent years. The VA market is mature, but there have been a gradual evolution and extension of VA capabilities, such as an expansion in the scope of scanning, extension to include security configuration assessment, and improvements to management features. Multiple deployment options for VA have grown, including customer premises deployment via appliance, virtual appliance, software image, remote delivery as a service delivery, and hybrid deployments that incorporate multiple delivery modes. Vendors compete on these extended features, and on price, rather than the speed or accuracy of network vulnerability scans. Based on regulatory drivers, the scope of assessments has expanded beyond network scanning to include applications (Web-based and others) as well as databases. Reporting capabilities have been added to meet the requirements of specific compliance regimes, and to support IT operations in remediation or mitigation work. Features to support large deployments, including flexible asset grouping and easier scan configuration and management, are now more common. Security configuration assessment capabilities that include tunable configuration templates and granular access to scan results are emerging in leading products. Scanning capabilities for virtual and cloud-based environments are also emerging, and Gartner anticipates fast progress in this area. Vulnerability assessment data can be integrated with: Network security technologies such as intrusion prevention systems (IPSs) and Web application firewalls (WAFs) to improve the accuracy and granularity of blocking Penetration testing tools to focus exploit testing on vulnerable components Internal information sources, such as asset databases and user directories, to provide business context to VA reporting Security information and event management (SIEM) to provide vulnerability context to security monitoring Operations tools such as patch management or system management products Potential customers: Consider this vendor a strong choice for strategic investments. Positive Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance: Customers: Continue planned investments. Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations. Promising Shows potential in specific areas; however, execution is inconsistent: Customers: Consider the short- and long-term impact of possible changes in status. Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor. Caution Faces challenges in one or more areas: Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact. Potential customers: Account for the vendor's challenges as part of due diligence. Strong Negative Has difficulty responding to problems in multiple areas: Customers: Execute risk mitigation plans and contingency options. Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback. VA technologies typically will: Establish a baseline of, and changes to, vulnerability conditions for network-attached devices, applications and databases, and provide ongoing vulnerability status and trending over time Report on compliance with security configuration policy Generate reports with content and format to support specific compliance regimes and control frameworks Discover unmanaged devices or applications on enterprise networks Support vulnerability remediation by operations groups with information and recommendations for work-arounds, patches and workflow, and through integration with patch management systems Prioritize remediation activities through risk ratings of vulnerabilities and assets Support shielding or mitigation activities through integration with protection technologies such as IPS or WAF.

3 Not all VA deployments support all of these activities. In some deployments, VA is a stand-alone capability used to provide audit or checking capabilities separate from the operational groups in the IT environment. In others, the focus is on supporting operational workflow and priorities, and, in still others, VA supports compliance reporting, dashboards, or broader governance and risk monitoring. There are three basic VA approaches to assessment: Active network scanning, the most widely used technique, involves remote scans of network-attached devices. Active scanning does not require the presence of agents on the scan targets, but can use credentialed access to targets to enable a deeper inspection. Passive observation of network traffic is based on the assessment of the content and pattern of captured network traffic. Although passive observation can provide information about devices that cannot be actively scanned (for example, systems with endpoint firewalls), this technique alone generally does not provide sufficient data to support remediation activity. Agents reside on the devices, either as persistent software or as dissolvable temporary elements, collecting state information in real time. Agents provide information about the endpoint that cannot be determined remotely, such as applications or services that are installed but not running, or of changes in files or configuration. Persistent agents can be used only on devices that are known and managed, and, thus, the VA product must be able to discover and report previously unknown, unmanaged devices. When nonpersistent agents are supported by the VA product, they can be deployed to discovered unmanaged devices (or in environments where persistent agent deployment is not feasible, to managed devices) and provide deeper inspection capabilities. Most VA deployments rely on active network scanning, and all of the vendors evaluated here provide this capability. Demand for products that employ only agent-based or passive techniques is low. However, there are typically areas in larger IT environments that benefit from these techniques, and Gartner recommends that security-conscious enterprises use a combination of two of the three described techniques for comprehensive coverage. Several alternatives to direct spending on commercial VA tools or service include: Open-source tools (such as the Open Vulnerability Assessment System; OpenVAS) or very low-cost scanning engines with limited reporting/management capability from commercial vendors, such as the Nessus scanner with Nessus ProfessionalFeed Assessment services from security consultants, which are often delivered via portable versions of commercial products, and consumed on an as-needed basis, often augmented with value-added professional services VA scanning offerings from numerous external service providers (not necessarily security service providers), often delivered by commercial scanning products licensed by the service providers for subscriptionbased scanning Market/Market Segment Description VA providers vary greatly in size and market focus. McAfee (now a wholly

4 owned subsidiary of Intel) is a large, multiproduct vendor of VA, endpoint security products and network security appliances. Lumension, StillSecure and Tenable Network Security offer VA combined with other technologies (patch management, IPS and SIEM, respectively). Qualys, Trustwave and Digital Defense are solely focused on VA as a service offering. This MarketScope focuses on vendors that provide active network-scanning capabilities to the security buying center. Revenue in the VA market has been concentrated among a few vendors, with 80% of the revenue going to five vendors, and 20% spread across the remainder. In addition to competing with other VA point solutions, product and scanning-as-a-service, vendors must compete with consultants, with open-source scanning tools, and with other security and IT operations products that include scanning capability. With many options vying for customer mind share and wallet share, smaller vendors in the market face a viability risk. Inclusion and Exclusion Criteria Vendors included in this MarketScope: Use their own VA engines Perform active network VA Provide vulnerability information and reference multiple vulnerability IDs, including common vulnerabilities and exposures, SANS Top 20, Bugtraq ID and vendor-specific IDs Provide remediation guidance Offer an enterprise-level product that supports central administration of multiple distributed scanners and consolidated reporting Focus on the security organization Provide asset classification capabilities Vendors excluded from this MarketScope: Redistribute a third-party VA scanner or rely on one to be enterprisedeployed Sell primarily to the operations group or lack security context Embed VA function in broader products and suites For an analysis of the important emerging capabilities of VA products and services, see "Evaluating Vulnerability Assessment Capabilities." Vendors Added to the MarketScope Digital Defense has been added to the MarketScope for Vulnerability Assessment based on the availability of its VA scanning service. Vendors Dropped From This MarketScope Gartner has not included IBM in this MarketScope. Internet Scanner and Enterprise Scanner remain supported products; however, IBM development investment will be focused on its Vulnerability Management Service (a software as a service [SaaS] offering). The IBM Vulnerability Management Service uses the Rapid7 scan engine, rather than an IBM scan engine, so it does not meet the inclusion criteria for this MarketScope.

5 Rating for Overall Market/Market Segment Overall Market Rating: Positive VA remains a steady growth market, with revenue estimated at $280 million in 2009 and an estimated $327 million in The 2009 revenue is lower than earlier reports based on updated information from vendors. The market is characterized by a large number of vendors competing for available business, the existence of multiple alternative forms of delivery, and a longer-term trend of incorporating VA functions into broader technology trends that all cause price pressure. Gartner expects stable, long-term demand for security VA capabilities, and the effect of the incorporation of the VA function into broader product and service offerings will soften the demand for stand-alone VA functions. This will continue to increase pressure on pricing and margins. Nonetheless, VA capabilities will continue to evolve, driven by changing threat demands, compliance requirements and enterprise efforts to reduce the cost of vulnerability management processes. Evaluation Criteria Table 1. Evaluation Criteria Evaluation Criteria Market Responsiveness and Track Record Sales Execution/Pricing Offering (Product) Strategy Product/Service Overall Viability (Business Unit, Financial, Strategy, Organization) Comment Market responsiveness and track record evaluate the match of the VA offering to the functional requirements stated by buyers at acquisition time, and the vendor's track record in delivering new functionality when it is needed by the market. Also considered is how the vendor differentiates its offerings from those of its major competitors. Sales execution focuses on the success and mind share of the product or service in the VA market. The evaluation includes revenue and installed base for VA products and services. The maturity and breadth of the organization's distribution channels and the level of interest from Gartner clients are also considered. An offering (product) strategy is the vendor's approach to product development and delivery that emphasizes differentiation, functionality and feature set as they map to current and future requirements. Development plans during the next 12 to 18 months are evaluated. Product or service evaluates current product function in areas such as base scanning methods, the scope of VA, workflow and remediation support, and reporting capabilities. Overall viability includes an assessment of the overall financial health of the organization, along with the financial and practical success of the business unit. Also evaluated is the ability of the organization/business unit to continue investing in the VA market and to continue developing innovative products to meet the requirements of several different types of customers. Weighting High Standard Standard High Standard Customer Customer experience is an evaluation of product High

6 Experience function or service in production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. This criterion was assessed by conducting qualitative interviews of vendor-provided reference customers and feedback from Gartner clients that are currently using or have completed competitive evaluations of the VA offering. Source: Gartner (April 2011) Figure 1. MarketScope for Vulnerability Assessment Source: Gartner (April 2011) Vendor Product/Service Analysis Beyond Security Beyond Security delivers scanning via an appliance scan engine and as a service. For on-premises deployments, the Automated Vulnerability Detection System management appliance provides control over multiple scanners, role-based access and vulnerability scoring. Beyond Security also has a vulnerability information portal branded as SecuriTeam. Strengths: Beyond Security provides good coverage of basic VA scanning capabilities, including customization, asset classification, reporting and integration with third-party products. These features are present in both the scanning product and the services offering. The scan engine includes Web application and database assessment capability, as well as Payment Card Industry (PCI) testing certification. Challenges: Beyond Security provides limited capability for security configuration assessment compared with other VA products. Although Beyond Security has added several European and North American channel partners, it must continue to invest in sales capabilities to expand market share. Optimal Use Case: Security and compliance organizations that want a VA scanning capability with appliance or service-based delivery should evaluate

7 Beyond Security. Rating: Positive Critical Watch FusionVM Enterprise is delivered as a virtual appliance or physical appliance, and FusionVM SaaS is available as a managed service. The company also has partnerships for service delivery with global providers such as Xerox (via the acquisition of ACS) and Dell. Critical Watch is also part of the HP AllianceONE Partner program. Strengths: Critical Watch continues to focus development on reports and features to support vulnerability management workflow. FusionVM's integration with HP TippingPoint IPS has continued, and customers highlight the value of that relationship in assessing FusionVM. FusionVM provides security configuration assessment based on Center for Internet Security (CIS) Windows Benchmarks, and the product can compare new vulnerability feeds with configurations to provide a form of passive vulnerability discovery. Critical Watch gets good marks for strong technical support. Challenges: FusionVM's capabilities for reporting against multiple control standards, and providing application and database assessment have not matured as rapidly as those of competing VA products, although additional capabilities are planned. Critical Watch must continue to develop core assessment and report capabilities even as it enriches features such as remediation support that can provide differentiation from competitors. Critical Watch needs to expand its service delivery partnerships. Optimal Use Case: Organizations that require strong remediation-focused workflow and reporting, and those seeking multiple delivery options for VA, including SaaS, should evaluate Critical Watch. Rating: Positive Digital Defense Digital Defense has two vulnerability management service offerings, Vulnerability Lifecycle Management (VLM) and Vulnerability Lifecycle Management-Professional (VLM-Pro). With both services, customers can deploy an on-premises scan appliance for internal network scanning, and use hosted scan engines for external scanning. Scanning configuration and reporting are available through the Frontline Solutions Platform (FSP), a Web-based portal hosted by Digital Defense. The VLM service offering was evaluated for this MarketScope. The VLM-Pro service includes the features of the VLM service, plus professional support from Digital Defense security analysts. The VLM-Pro service is not evaluated in this MarketScope. Digital Defense markets VLM to small and midsize businesses, with current customers consisting mainly of midsize-to-large financial institutions and midmarket companies in other verticals, plus smaller institutions. The VLM- Pro service is marketed to enterprise buyers. Strengths: The scan appliance and FSP Web-based portal are easy to deploy, and the administration functions allow for role-based access. FSP has eight built-in filterable reports available in three different reporting formats, and the portal's Active View screens provide flexibility in presenting and filtering scan results. Customers have the option of allowing Digital Defense access to their scan results for interpretation or additional support. Challenges: The VLM scanning capability lacks several features common in

8 competing products, such as fine-grain scan configuration, directory integration, configuration assessment, and extensive database and application vulnerability assessment. Other features available in competitors' products, particularly flexible reporting, are delivered via Digital Defense's VLM-Pro offering, which adds analyst support for scan management, interpretation of results, and custom reporting. Digital Defense is a small vendor, and faces numerous VA product and services competitors that target compliance-oriented buyers. Digital Defense must increase its limited sales and channel resources and address capability gaps in order to gain share in the VA market. Optimal Use Case: Organizations seeking basic VA scanning and reporting capabilities delivered as a service to meet compliance requirements should consider the Digital Defense VLM service. Rating: Caution eeye Digital Security eeye Digital Security has enhanced the components of its VA offering, which now consists of the Retina Network Security Scanner (scan engine), Retina CS (management and reporting console) and Retina Insight (data warehouse). The components are available as software images or appliances, and can be deployed in combinations of both modes. The solution includes an optional host-based agent that provides deeper scanning capability and endpoint protection functions. External scanning for PCI compliance is available via Retina Cloud, which is delivered with a partner. Strengths: eeye has recently added product development and research resources, as well as sales channel partners. Customers report improvements in technical support. Retina's remediation capabilities include an integrated patch management module. eeye supports multiple configuration compliance templates, including National Institute of Standards and Technology (NIST), Microsoft, Federal Desktop Core Configuration (FDCC), and Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs). Regulatory and framework reports for PCI, Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Federal Energy Regulatory Commission/North American Electric Reliability Council (FERC/NERC), NIST , the International Organization for Standardization (ISO), and others are available. Retina Network Security Scanner includes basic application and DBMS assessment, and a separate Retina Web Security Scanner product is available for deeper application scanning. Challenges: eeye has added some sales resources, but must continue to do so to grow market share. eeye must continue to focus on customer support and maintain the recent improvements made in that area as customers make the transition to the new versions of eeye's VA solution. Optimal Use Case: Organizations looking for flexible software and appliance deployment with optional agent-based scanning and endpoint protection should evaluate eeye. Rating: Positive Lumension Security Lumension Scan is available as a stand-alone component in a suite of VM products (Patch and Remediation, Risk Manager, and Security Configuration

9 Management). Scan provides active, credentialed vulnerability scanning. The Scan product is typically sold with these other Lumension products, which provide additional risk rating, configuration and reporting options to the Scan product capabilities. Strengths: For organizations that can support agent-based scanning, Lumension Patch and Remediation adds that capability. Lumension has several original equipment manufacturer (OEM) deals that incorporate its capabilities into third-party products, and has integrated with several Network Access Control (NAC), SIEM, WAF and IPS products. Scan provides FDCC Security Content Automation Protocol (SCAP) support, and includes NIST, DISA STIG, National Security Agency (NSA) and FDCC configurations. Challenges: Lumension does not provide integrated support for Web application scanning or database scanning (Web assessment is provided via integration with Core Security Technologies' Core Impact product), and several core scanning and reporting capabilities are available only through the other products in the suite. Lumension offers scanning as a service only through service provider partners or custom arrangement. Optimal Use Case: Current users of Lumension's products (Patch and Remediation, Security Configuration Management and Risk Manager), as well as government agencies that have contract vehicle access to the Scan product, should consider Lumension Scan for VA. Rating: Promising McAfee McAfee had been a pure-play security vendor with a large product portfolio across network and desktop security. Intel announced the planned acquisition of McAfee in 2010, and completed the acquisition in February McAfee is now a wholly owned subsidiary of Intel, and will continue developing security products under the McAfee brand. McAfee Vulnerability Manager (MVM) is available as software, an appliance or a managed service. MVM can be integrated with other McAfee products such as epolicy Orchestrator (epo) management console. Strengths: McAfee is a large vendor with security research capabilities and a suite of enterprise security products. MVM integration with other McAfee products for network service provider (NSP), NAC, epo or host IPS, as well as a wide range of security from other vendors' products, makes it a good shortlist entry for enterprises using those products. MVM provides agentless security configuration assessment, plus integration with the agent-based McAfee Policy Auditor, with coverage of DISA STIG, NSA, FDCC and CIS controls. MVM has flexible asset management, remediation reporting and workflow capabilities. Application and database assessment are included in the MVM product. Challenges: McAfee's acquisition by Intel could disrupt the security product and services road map. If the arm's-length relationship is maintained, in the short term, McAfee could be spared the disruptions that have happened in many acquisitions of security companies by broad IT companies. McAfee must continue to refine and expand MVM's stand-alone vulnerability assessment capabilities as it continues integration efforts with its suite of security products and with those of other vendors. Optimal Use Case: Organizations that want effective scanning and flexible reporting with integration support for McAfee security technologies as well as those of other vendors should evaluate McAfee Vulnerability Manager. Rating: Strong Positive

10 ncircle The Suite360 vulnerability management products include the IP360 vulnerability scan engine, the WebApp360 application scanner, the Intelligence Hub, the Configuration Compliance Manager and the File Integrity Monitor. Service offerings include a PCI external scan and a perimeter scanning service. ncircle suite components are available in a variety of software, appliance, virtual appliance and service-based configurations that may be deployed together. Strengths: IP360 provides active scanning and passive observation for vulnerability detection, with flexible support for scan management and workflow. Security configuration compliance assessment and reporting are supported for NERC Critical Infrastructure Protection (CIP), SCAP, FDCC, DISA STIGs and NIST standards, as well as others. Suite360 provides compliance-specific reporting for a wide variety of regimes. Challenges: ncircle must continue its efforts to offer options for midsize and smaller VA buyers that need simplified management and reporting options at lower cost and lower resource requirements. ncircle's competitors are also targeting this market segment, and ncircle will need to develop distinct approaches to address competitors in both the enterprise and midsize segments. Optimal Use Case: Organizations that require full-featured VA with flexible deployment options, strong configuration assessment and reporting capabilities should evaluate ncircle. Rating: Strong Positive Qualys The QualysGuard Security and Compliance Suite is entirely service-based, with perimeter scans generated by Qualys-hosted scan engines, and interior scans generated by on-premises appliances. Content updates for vulnerabilities, reports, standard configuration templates, all software and scan engine updates, and so forth are managed by Qualys automatically. Customers manage their own scans, reports and workflow via a Web-based portal. In August 2010, Qualys acquired Nemean Networks to augment its real-time threat research capabilities. Strengths: Qualys gets high marks for ease of deployment, including very large deployments, and generally good marks for scan accuracy. Application scanning capabilities have improved from prior versions, as has security configuration assessment. QualysGuard now supports configuration templates and reporting for CIS, NIST, Federal Financial Institutions Examination Council (FFIEC), HIPAA, NERC, FDCC and several other policies. Qualys has extensive sales channel partnerships, and often appears in Gartner customer evaluations of VA providers. Challenges: Qualys continue to improve QualysGuard's application scanning capabilities. Qualys must ensure that customer support and promised feature enhancements remain a strong focus, even as it introduces new service offerings and migrates existing VA offerings to its upgraded service delivery infrastructure. Optimal Use Case: Organizations seeking service-based VA with application and database scanning and security configuration assessment should evaluate Qualys. Rating: Strong Positive

11 Rapid7 The NeXpose VA scan product is available in several forms: software, appliance, virtual appliance, laptop/mobile and managed service. Customers can mix these product and service components together in deployment. Rapid7 acquired the open-source Metasploit framework penetration testing engine in 2009, and released a commercial version of it in Rapid7 was an early provider of application and database vulnerability assessment, with a focus on validating and qualifying vulnerabilities, and the addition of the Metasploit technology fits that approach. Strengths: NeXpose gets very good marks for deployment flexibility, for scan accuracy especially for database and application scanning and for scan management features. Rapid7 continues to gain visibility among enterprise VA buyers, including those with large, complex scanning requirements. Integration with Metasploit penetration testing was reported as a strength by experienced users. Rapid7 has implemented channel and OEM relationships, and has an aggressive inside sales capability. Challenges: Configuration compliance features are still maturing. NeXpose does not currently support the U.S. Government Configuration Baseline (USGCB), DISA STIG or CIS configuration templates, although these are planned for 2011, and current support for NIST and NSA templates is via custom scan configuration. The reporting features do not support the same degree of customization and flexibility as those of its leading competitors' products. Rapid7 must balance the demands of fast growth and customer acquisition with those of technical support and product development. Customers report their general satisfaction with Rapid7 technical and customer support, despite the company showing some growing pains. Optimal Use Case: Organizations seeking network and application vulnerability assessment, with options for extensive exploit validation and impact assessment, and flexible deployment options should evaluate Rapid7. Rating: Strong Positive Saint Saint is offered as a software download, preconfigured hardware, virtual appliance and SaaS. Customers can mix software and appliances in a single deployment. The WebSAINT Pro SaaS offering includes penetration testing. Saint provides the SAINTscanner to Enterasys, which bundles it with the Enterasys NAC appliance. Strengths: Saint provides good coverage for government compliance reporting, and supports mapping to Common Vulnerabilities and Exposures (CVE), SANS, NIST and FDCC/USGCG standards. Both the product and the services offerings support database and Web-based application vulnerability scanning. Saint's self-developed penetration-testing product works with the SAINTscanner. Saint continues to receive high marks for its technicalsupport responsiveness. Challenges: Saint's enterprise-relevant features are not as rich as those of competing products. Although several new capabilities are planned as product enhancements, Saint will be playing catch-up as these enhancements appear in upcoming versions of the product. The enterprise management console is not available as part of the SaaS offering. Although Saint has recently added to its sales capability and started an effort to increase channel sales, its sales operation, customer base and revenue remain small, relative to competitors.

12 Optimal Use Case: Organizations looking for active scanning VA with exploit testing features and flexible deployment options should evaluate Saint. Rating: Promising StillSecure StillSecure's VAM solution can be delivered as an appliance, virtual appliance, software image or managed service for PCI. StillSecure also provides IDS/IPS and NAC technology, as well as a WAF service that can be integrated with vulnerability assessment. Strengths: With a suite of vulnerability assessment and protection technologies, StillSecure is targeting buyers seeking to address multiple vulnerability management areas with limited resources. Users with experience with Nessus will have familiarity with VAM. Challenges: VAM's compliance reporting is a weak point compared with competing products. Application scanning is not available, and database scanning capabilities are less extensive than many competing products. StillSecure must improve these capabilities in order to compete effectively against other VA products and services. StillSecure relies on the scan technology from competitor Saint for its PCI scanning service. Optimal Use Case: Organizations that want to leverage their Nessus expertise for VA with the option of adding other vulnerability management products such as NAC and IDS/IPS should evaluate StillSecure. Rating: Caution Tenable Network Security Tenable Security Center, the Nessus Vulnerability Scanner, and Passive Vulnerability Scanner, which provide consolidated reporting and management, active scanning, and passive monitoring, respectively, make up Tenable's vulnerability management suite. The suite also provides compliance and security configuration assessment. Tenable is the creator, developer and distributor of the popular Nessus, which is widely used and available as a free download, with vulnerability check updates available via a fee-based commercial subscription or a free home-use subscription. Strengths: Tenable has improved Security Center's user interface and reporting/dashboard capabilities. Support for configuration auditing based on DISA STIG, FDCC, CIS, PCI and vendor templates, as well as reporting for extensive compliance and control standards, is also supported in Security Center. Passive scanning results as well as active scans from Nessus scanner and log feeds are consolidated for analysis and reporting in Security Center. Adding the integrated Log Correlation Engine brings additional analysis and reporting capabilities to the suite. Challenges: Tenable needs to be able to provide the balance of features and pricing appropriate to VA-focused buyers, along with those for enterprises seeking to address more-comprehensive scanning plus SIEM capabilities. Optimal Use Case: Security organizations seeking to add reporting and management capabilities to their existing Nessus scanners, or those looking to deploy a combination of active and passive scanning capabilities, along with extensive compliance, configuration capabilities and log collection, should consider Tenable.

13 Rating: Positive Trustwave TrustKeeper scanning is available as a managed service delivered via externally hosted scan and through on-premises appliances for internal scanning. Trustwave has acquired several technologies to augment its PCI compliance-related services, including Breach Security (WAF) and Intellitactics (SIEM) in Trustwave intends to integrate the capabilities of these products into its suite of services. Strengths: Trustwave remains a leading provider of PCI compliance services, and its scanning services support customers subject to PCI compliance requirements. The TrustKeeper portal features flexible scan scheduling and role-based administration, and Trustwave receives good marks for responsive technical support. Challenges: TrustKeeper's capabilities remain centered on PCI assessment. TrustKeeper does not have many features related to asset management, workflow, configuration compliance or reporting that are available with other VA products. Trustwave's recent acquisitions offer some opportunity to add to TrustKeeper capabilities, but potential customers should determine whether Trustwave's service development road map will meet their requirements. Optimal Use Case: Organizations requiring VA of their PCI environments should consider Trustwave. Rating: Promising 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on its website,