Secunia Vulnerability Intelligence Manager

Transcription

1 TECHNOLOGY AUDIT Secunia Vulnerability Intelligence Manager Secunia Reference Code: OI Publication Date: July 2011 Author: Andy Kellett SUMMARY Catalyst Secunia Vulnerability Intelligence Manager (Secunia VIM) is a security management system that supplies the latest intelligence on vulnerability threats while acting as an early warning tool. It is used by the IT departments and security teams of organizations worldwide to take pre-emptive action. One of the key features of the VIM is the automated security ticketing system, which also maintains user-generated application and software asset lists. These are used to automatically generate vulnerability notifications, in the form of security advisories, each time the solution detects that an asset is at risk. Most organizations have elements of vulnerability management in place. Some make use of security information and event management (SIEM) technology or follow public vulnerability newsgroups and information feeds from their software. However, many find it difficult to keep pace with the constant disclosure of vulnerabilities that are putting their operational systems at risk. Fundamentally, they would benefit from a more controlled and structured approach. In this context, Secunia VIM can be used to build a vulnerability intelligence system from scratch or support existing security management processes. Key findings Secunia VIM provides accurate, up-to-date, vulnerability intelligence. Ovum (Published 07/2011) Page 1

2 The information provided is easily accessible and relevant to security managers. Secunia intelligence determines how critical each vulnerability is, and reports on the likely impact. VIM can interact with other security management tools, but is not designed to deliver patch updates (if required, Secunia CSI can fulfill the patch update role). Due to the VIM relationship with other security tools, the company plans to provide improved integration with third-party SIEM and governance risk and compliance (GRC) products. The primary target audience is the government sector and enterprise organizations with their own security teams. Ovum recommends Businesses must be proactive in the management of their operational software, applications, and infrastructure systems. Keeping up with security vulnerabilities as they are published is challenging for most security teams. They need to be better informed about the raft of potential vulnerabilities and threats that they face, so that required actions can be taken. However, even the effectiveness of this type of approach relies heavily on the accuracy of the information provided and the reliability of their sources. For organizations operating diverse and wide-ranging systems, vulnerability management challenges cannot be solved using ad hoc tools. There needs to be an integrated and inclusive approach that makes use of security intelligence to highlight vulnerabilities and their severity as they occur. The information needs to be used effectively alongside software update and patch management services (Secunia offers both scanning and patch management services using its Corporate Software Inspector product). The start point involves the use of reliable information, which is where the Secunia VIM product comes into the picture. Value proposition Secunia is an established security management company. It is a trusted source of vulnerability intelligence and has become the preferred supplier for many enterprises and government agencies across Europe and the US. The vulnerability recommendations that Secunia makes to clients through its Secunia VIM services have a reputation for their accuracy and timeliness. Ovum (Published 07/2011) Page 2

3 By setting itself up as a trusted source of vulnerability intelligence, the company is not seen as a threat to other mainstream security vendors. In fact just the opposite; it collaborates with other security vendors, information and event providers, and open source projects to ensure that where vulnerabilities are identified they can be rectified as expediently as possible. Other vendors that play in this space and offer vulnerability information include Symantec (DeepSight), IBM (X-force), idefense, and Trend Micro. Secunia VIM is mainly targeted at the enterprise and government sectors. These are typically the types of organizations that have a large number of databases, applications, and operating systems to support. Having made that definition, the company does not completely ignore the small to medium-sized enterprise (SME) market. It provides a small business version for SMEs that operate complex infrastructures. Any business that operates a range of IT-based systems and services and regularly needs to perform vulnerability updates and patches would benefit from the intelligence-led vulnerability management services of the Secunia VIM product set. The solution is normally offered using a software-as-a-service (SaaS) approach, but a serverbased offering is available for those organizations that prefer not to go down the services route. A try-before-you-commit approach is available, so that new customers can evaluate the effectiveness of the product with a 30-day trial approval license before agreeing to a longer-term commitment. Ovum (Published 07/2011) Page 3

4 SOLUTION ANALYSIS Functionality The Secunia VIM product is a vulnerability intelligence and security management toolset. It delivers the information that security managers and analysts need to understand the vulnerabilities that could have a security impact on their operational systems. The product consists of a ticketing system that contains detailed information about the IT systems and applications of the business in the form of asset lists. These lists can be added to or amended as operational requirements change and new facilities are brought on stream. Secunia covers all commercial and open source off-the-shelf programs to ensure that it provides its clients with access to a comprehensive range of vulnerability intelligence. Security information that identifies and reports on emerging and historic threats can be targeted down to the individual application and release version to ensure that the information is relevant to the client. The information provided is actionable and covers the criticality, attack vector, and potential impact of each vulnerability. New vulnerabilities can be identified from the moment a system or application is added to the VIM asset list. New vulnerability tickets are automatically opened as soon as a Secunia advisory is issued that relates to a listed asset. When asset lists are set up, the client also nominates security managers who are responsible for taking action each time one of their areas comes under threat. These members of the company's security team are the frontline users of the Secunia VIM system. As shown in the Figure 1 architecture diagram, each nominated user can receive realtime vulnerability warnings and ticket alerts using their communications channel of choice. Normally this is done via or SMS message, while at the same time the VIM reporting module creates detailed reports for remediation and compliance purposes. Ovum (Published 07/2011) Page 4

5 Figure 1: The Secunia VIM approach Secunia Vulnerability Intelligence Management (VIM) INPUT USE & CORRELATE OUTPUT Asset list Windows Security 7 Policy Adobe Reader MozillaFirefox Critical patches Cisco Pix should be RedHat installed within 24 hours. Secunia Tickets Vulnerability Database Secunia RSS & XML Intelligence Feeds SMS/Text Message Alerts Reports Advisory Tickets Compliance Statistics 2011 Secunia VIM 2 Source: Ovum O V U M Within the Secunia VIM system, customized filters are used to control the flow of vulnerability information, to ensure that the right people are informed at the right time and that segregation of duties from a responsibility and compliance perspective is addressed. The client's security team can work directly with the vulnerability information provided by the VIM system, its asset lists, ticketing system, and alerts to provide remediation services. Alternatively, it can feed the intelligence into an existing third-party product such as SIEM tools, GRC systems, and third-party ticketing systems. To support this, Secunia provides XML feeds that allow data to be fed into other solutions. Secunia can also advise on any additional work that may be necessary to configure and use the vulnerability input data. The Secunia VIM systems offer several core benefits: Ovum (Published 07/2011) Page 5

6 Unified access to vulnerability intelligence is available, which helps organizations to make the right business decisions while supporting operational efficiency. Access to vulnerability intelligence is via a single customizable dashboard interface. This provides a common one-click approach to information, advisories, open tickets, and associated tasks. Secunia covers all commercial and open source off-the-shelf programs, making Secunia VIM one of the most comprehensive vulnerability intelligence systems available to handle emerging and historical threats. An inclusive set of reporting facilities are provided to inform on the current state of an organization s IT infrastructure for both risk management and compliance purposes. Access to the Secunia Research team is available to discuss issues pertaining to incidents or vulnerabilities. The Secunia VIM product conforms to various implementation standards for Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), and the National Institute of Standards and Technology (NIST) Security Content Automation Protocol (SCAP). The product has been certified as CVE compatible by The Mitre Corporation. It is compliant with the Vulnerability Database Requirements set out in the NIST Interagency Report 7511 Revision 1 (Draft), SCAP Version 1.0, and Validation Program Test Requirements (Draft), dated April Go-to-market strategy Many organizations struggle to keep pace with the changes required to ensure that their systems and applications can remain operational and safe. Depending on their level of maturity, most will have adopted some kind of informal vulnerability management process such as following public newsgroups or relying on vendor update information. The Secunia VIM approach formalizes these ad hoc information gathering processes and is sold to market on the basis of the completeness, timeliness, and efficiency of its verified and accurate information intelligence processes. The product is mainly marketed using a direct sales approach. Secunia's solution specialists support the approach by providing help to customers during implementation and then delivering a range of post-implementation maintenance and support services during the entire licensing period. The Secunia VIM product is normally sold using a SaaS licensing approach. Therefore the prices given are for annual use. Typical pricing for an entry-level solution starts at around 20,000; mid- Ovum (Published 07/2011) Page 6

7 range deployments will cost around 30,000; and deployments at the larger end of the scale will cost around 100,000. The licensing charges include all maintenance and support costs and cover the enterprise support model, which includes unlimited telephone support. The latest release of Secunia VIM is version 3.1. A product roadmap has been defined and the current areas of focus address further integration between VIM and the company's vulnerability scanning and patch management product, the Secunia Corporate Software Inspector (CSI). At the same time, Secunia will continue to work to provide easier integration with other third-party vendor products. Deployment The product is set up to be easy to deploy and use. Deployment times are measured in hours rather than days. Typically this involves between four and 16 hours. To support the process, Secunia uses a setup call approach; one of its solution specialists will help the customer through setup and configuration requirements. The main user requirement is to provide basic browser skills and a good knowledge of the particular IT infrastructure involved. General support and maintenance is provided by the Secunia team over the complete product lifecycle and, although not normally required, training services can also be provided. There are currently around 500 customer organizations using the VIM product, and two examples of its use are shown below. Customer deployment examples Example one is an enterprise organization with a security team that handles vulnerability management. It also employs other operational teams that deal with patch management issues. The company uses the Secunia VIM product to enable its security team to create asset lists containing all applications and operating systems deployed across their endpoint hosts, central systems, and networks (PCs and servers). Each time a new vulnerability is identified, a ticket is automatically raised and opened for the relevant application. Then, depending on the criticality of what Secunia has found, the process owner is notified via or SMS. When the responsible person has taken the required action, which can include the delivery of software patches, the ticket status is changed from open to handled. Process owners can also set compliance rules, for example specifying that all vulnerabilities with a criticality level of High or above must be patched within 30 days. Based on this, the user creates a compliance report, which can then be used to prove the existence of a vulnerability management program and alignment with Payment Card Ovum (Published 07/2011) Page 7

8 Industry Data Security Standard (PCI-DSS) or North American Electric Reliability Corporation Critical Infrastructure Protection (NERC-CIP) compliance. Example two is an organization that already had an SIEM product in place before it deployed the Secunia VIM product. It now uses the SIEM tool alongside the vulnerability intelligence of VIM to provide security and compliance reporting. In this particular use case, intelligence provided by the Secunia VIM is automatically fed into the SIEM tool using Secunia's XML feed. The approach enables the company's authorized security managers to harness the vulnerability intelligence of VIM to the reporting services of its SIEM tool without the need to involve other third-party products or data feeds. Key facts about the solution Table 1: Secunia Vulnerability Intelligence Manager: data sheet Product name Secunia Vulnerability Intelligence Manager (VIM) Product classification Version number Version 3.1 Release date April 2011 Industries covered Financial services, government, education, energy, healthcare, and others Geographies covered Vulnerability Intelligence Europe and North America Relevant company sizes Small, medium, and large Platforms supported Normally delivered using a SaaS approach Languages supported Deployment options English (vulnerabilities also available in German) Normally SaaS, also available on-premise, onpremise (managed), and hosted Licensing options Route(s) to market URL Company headquarters Secunia European headquarters As company headquarters North America headquarters Asia-Pacific headquarters Perpetual term SaaS Usually direct sales, also partner sales, and OEM Weidekampsgade 14 A DK-2300 Copenhagen S Denmark sales@secunia.com Source: Secunia O V U M Ovum (Published 07/2011) Page 8

9 APPENDIX Author Andy Kellett, Senior Analyst Ovum Consulting We hope that this analysis will help you make informed and imaginative business decisions. If you have further requirements, Ovum s consulting team may be able to help you. For more information about Ovum s consulting capabilities, please contact us directly at consulting@ovum.com. Disclaimer All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publisher, Ovum (a subsidiary company of Datamonitor plc). The facts of this report are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that Ovum delivers will be based on information gathered in good faith from both primary and secondary sources, whose accuracy we are not always in a position to guarantee. As such Ovum can accept no liability whatever for actions taken based on any information that may subsequently prove to be incorrect. Ovum (Published 07/2011) Page 9