IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

A Provocative New Approach to Integrated Security Intelligence: IBM Introduces QRadar Vulnerability Manager

An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper Prepared for IBM

July 2013



Table of Contents

©2013 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com


Executive Summary
Tackling the Unfulfilled Promise of Vulnerability Management
    Among the Biggest Challenges
        Vulnerability Prioritization
        Failure to Incorporate Real-Time Data
        Fragmented Tactics Keep Gaps Exposed
    Needed Today: Actionable Integration of Vulnerability Intelligence
The IBM Security Approach
    Introducing IBM Security QRadar Vulnerability Manager
    A More Comprehensive Approach
    Key Advantages
        A Truly Integrated Approach
        Improved Performance
        Centralized and Efficient Management and Intelligence
    Example Use Cases
        Today’s More Sophisticated Threats
        Improved Compliance
EMA Perspective
About IBM


Executive Summary

Vulnerability management activities have long been a core requirement of every organization’s security practices, helping them fully understand the extent of their exposures and the overall security state of their networks. Yet many security teams continue to struggle against the inherent operational limitations – and resulting manual processes – of the available solutions typically deployed as isolated silos. Scan results are presented apart from other depictions of the security infrastructure, limiting the effective context of these reports, and complicating the development of a comprehensive and actionable security management plan. Excluding vital insight from the tools required to maintain vigilance over the security posture and mitigate risk exposures further reduces the effectiveness of their security strategies while also driving up costs – yet few technologies and the intelligence they transmit are more critical to the organization’s defense.

With the introduction of QRadar Vulnerability Manager, IBM tackles these limitations of legacy approaches to vulnerability management head-on. This offering is not just another commodity vulnerability scanner. By delivering vulnerability assessment as part of the QRadar Security Intelligence Platform, IBM integrates vulnerability intelligence directly into the same system widely adopted by many enterprises for actionable, easy-to-deploy Security Information and Event Management (SIEM). This reduces the proliferation of fragmented security tools that hamper security effectiveness – and associated costs – while enriching vulnerability insight and improving the efficiency of vulnerability remediation.

In this ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) report, EMA explores these values of IBM Security QRadar Vulnerability Manager, the need for better integrated security architecture expressed by enterprises worldwide, and example use cases that highlight the value of the IBM approach. Enterprises that seek to reduce their total security costs while improving their security posture – and who recognize the value of comprehensive, integrated security intelligence – should be drawn to this distinctively different approach to a fundamental security practice.

Tackling the Unfulfilled Promise of Vulnerability Management

Vulnerability management is an essential aspect of enterprise security. It is on the front lines of defense against attacks, from sophisticated exploits of software and configuration defects by highly skilled adversaries to industrialized threats that target common exposures. The principle is fundamentally sound: information on known exploitable vulnerabilities is collected and correlated to IT systems in the environment. Techniques include on-host inventory, often by means of an endpoint or server agent, or an off-host scan that explores systems for indicators of a known or recognized exposure. The intent is to enable focused remediation and prevent exploitation of those exposures, which could lead to the compromise of sensitive information, or even of the business itself. For these reasons, vulnerability scanning has become a fundamental enterprise security practice, and one that is often required to meet regulatory compliance mandates such as the Payment Card Industry Data Security Standard (PCI DSS), among others.

In practice, however, vulnerability management can be extraordinarily difficult. There may be a number of exploitable software and configuration defects on any one host – and tens, hundreds or thousands of hosts in the environment. The sheer volume of exposures often slows down even the most methodical resolution efforts – and far too often, this is a matter of evaluating what are assumed to be the most significant vulnerabilities on a case-by-case basis. Remediation poses further hurdles, since software updates, patches and reconfigurations typically must be evaluated before deployment to head off any possible disruptions they could cause.

The result is that many vulnerabilities – even when acknowledged to be critical – can go unresolved for far too long, if they are ever addressed at all. The years-long trajectory of Conficker is a discouraging example. At its peak, variants of the Conficker worm had compromised as many as 7 million unique IP addresses.[1] This is more than twice the size of SETI@Home, one of the largest legitimate distributed computing efforts to date, which currently numbers approximately 3.4 million hosts.[2]

Conficker command-and-control was effectively decapitated by concerted industry efforts between 2008 and 2010 – yet variants of the Conficker worm continue to spread. In late 2011, Microsoft was still detecting 1.6 million instances of Conficker-compromised systems.[3] By the end of 2012, Microsoft researchers found that Conficker was still number two among malware detected on domain-joined computers – a figure that actually increased from the previous quarter.[4] And as recently as spring 2013, media reports documented the travails of the ministry of education in Schwerin, Germany, which had determined that it would be cheaper simply to discard Conficker-infested computers than to restore them.[5]

Perhaps the most disturbing aspect of this story is that Microsoft had provided resolution for Conficker-exploited vulnerabilities as early as October 2008, with the publication of a security bulletin documenting a key vulnerability and patches for a number of Microsoft systems,[6] as well as workarounds to mitigate additional exposures exploited by Conficker variants.[7] The fact that Conficker remains a prevalent concern speaks to the challenges that so many face worldwide in taming their vulnerability exposures.

Among the Biggest Challenges

What keeps organizations from realizing more effective vulnerability management?

Vulnerability Prioritization

With potentially hundreds or thousands of exploitable vulnerabilities in an enterprise environment – and only so many resources to spend on remediation in terms of time and expertise – how does an organization determine which exposures deserve the most attention? Which should be resolved first, and which can wait?

Vulnerability prioritization has been one of the greatest challenges to effective management. Efforts have attempted to address this concern, such as the Common Vulnerability Scoring System (CVSS) that rates the severity of documented issues. But it may not be feasible to address every high-severity exposure – and not every host with one or more such issues merits remediation. Business-critical systems or hosts facing publicly accessible external networks may require greater attention for the same exposure than a low-priority, isolated host on a protected internal network.

[1] Conficker Working Group Lessons Learned document (http://confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf)
[2] http://boincstats.com/en/stats/0/project/detail, as of May 9, 2013
[3] Microsoft Security Intelligence Report, Vol. 12
[4] Microsoft Security Intelligence Report, Vol. 14
[5] http://heise.de/newsticker/meldung/Schwerin-Virus-verseuchter-Rechner-Ab-auf-den-Muell-damit-1851718.html
[6] Microsoft Security Bulletin MS08-067 – Critical, http://technet.microsoft.com/en-us/security/bulletin/ms08-067
[7] http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3aWin32%2fConficker.B


False positives generated by vulnerability assessment tools compound the issue. Just because a certain vulnerability is associated with a given version of software, for example, does not necessarily mean that it will be found on a specific host, if the affected functionality is absent or disabled on that system. Exploitability is another factor that adds to false positives. Even if a vulnerability is present, the exposure may not be exploitable if the system cannot be accessed by an attacker.

The correlation of vulnerabilities with asset criticality is one method often advocated for prioritizing remediation. But criticality may be difficult to determine – or worse, the determination may be unrealistic if based on too little information, or on data of little relevance. How does the organization verify that a host serves the functions assumed? Does activity data justify the priority given to an asset? More to the point: does a judgment of asset criticality even take asset activity into account?

The focus on servers highlights yet another gap in a realistic approach. Any vulnerable point in the infrastructure between an attacker and their target can be exploited to gain a foothold and advance toward a greater opportunity. Even “advanced” threats can capitalize on a compromised user endpoint to target a higher-value objective, if the endpoint or its user has access to more sensitive resources. Without understanding these attack pathways and sequences, vulnerability prioritization is effectively disconnected from reality.

Failure to Incorporate Real-Time Data

These examples suggest the lack of real-time data in many approaches that could sharpen vulnerability awareness. Surprisingly, many fail to recognize the impact of this oversight. If asset criticality is based on static data such as some measure of value associated with an asset, it is effectively frozen in time and may no longer be current.

Keeping vulnerability data fresh is typically understood as keeping databases of Common Vulnerabilities and Exposures (CVE) records or CVSS scores up to date. But this narrow focus is in sharp contrast to the methods of the attacker, who is often far more dynamic and systematic than the defender. When a change is made to a host that introduces a vulnerability, an attacker may discover it within minutes, particularly if the host has wide network exposure. This may be far sooner than enterprise systems management tools can update a management database. When new hosts are introduced on a network, their unresolved security exposures are introduced as well, which may expose the network as a whole.

One of the most fertile sources of real-time vulnerability intelligence can be found in systems that monitor and recognize potentially malicious activity. The nature of suspicious behavior, such as the form or frequency of interaction with a specific service, can directly indicate an attacker’s discovery of an exploitable vulnerability – and call attention to where the need for remediation may be immediate. Many organizations, however, have yet to recognize the power of this insight, let alone put it to work directly in vulnerability awareness and resolution.

Fragmented Tactics Keep Gaps Exposed

Another factor that often confounds effective vulnerability management is the sheer fragmentation of the toolset. A variety of assessment technologies exist, from host-based techniques that depend on the visibility of an agent or other component of the target system, to network-based assessments. Network-based techniques may be either active or passive. Active approaches interact with the target to determine the presence of a vulnerability, using techniques that vary from probing the target for exposures to collecting system inventory data such as software updates or version information. Passive approaches may monitor network traffic for evidence of vulnerable hosts based on information observable from network content. These techniques primarily collect data on system-level vulnerabilities; those that focus on applications represent yet another category of assessment, with technologies primarily divided between dynamic runtime or “black box” analysis and static evaluation of exposures in source code.

As this brief summary suggests, there may be a number of potential overlaps as well as gaps in these various techniques. Gaps may go beyond assessment alone. Vulnerability management tools must, on the one hand, maintain a wide scope of external vulnerability data such as CVEs, CVSS scores, and vendor-published bulletins; and on the other, they must maintain an equally large or larger volume of internal data, such as asset inventories and configuration data from systems management tools, activity records from monitoring systems, and the results of vulnerability scans. The approach is only as comprehensive and complete as the ability of vulnerability assessment tools to incorporate this wider scope of data.

An unfortunate consequence of these fragmented techniques is that they may not be well-aligned or well-integrated with existing security infrastructure, which can lead to numerous “blind spots” in the environment. Security defenses, both host- and network-based, have considerable ability to recognize a potential vulnerability exploit, from the presence or movement of malware to an unauthorized access attempt. Sadly, these detection capabilities may be underutilized in vulnerability management.

As a result, much valuable insight simply gets lost in the noise, if not overlooked altogether. For example, the correlation of vulnerability scan data to monitored network activity via flows and packet capture can reveal an actual exploit or malicious probe of a vulnerability discovered by an attacker. When vendors or other intelligence sources issue vulnerability bulletins, historical activity data can be reviewed to determine if the presence of the vulnerability has been discovered or exploited previously. Evidence of such activity may also be useful in revealing a “zero-day” vulnerability yet to be reported by intelligence sources. Insight into the actual topology of a given environment, meanwhile, can be used to rule out false positives or vulnerabilities inaccessible to an attacker, such as those affecting assets on isolated or segmented network zones or inaccessible behind a firewall.

The unification of these capabilities would do more than close many of these gaps. It would also help to eliminate redundancies in security management tools, breaking down silos while simultaneously improving the efficiency of security management and reducing its costs.

Needed Today: Actionable Integration of Vulnerability Intelligence

If today’s advances in security intelligence can resolve many of these gaps and oversights while reducing costs, then perhaps the time has come to consider a different approach to vulnerability management.

Security operations professionals have long recognized the central role played by security information management systems. Historically, however, these systems have largely focused on correlating log or event data to raise alerts or produce reports that describe the security or compliance posture.

Today, security intelligence systems can do much more. Modern information management technologies are handling larger volumes of a wider variety of data than ever – and security can benefit from this trend. Organizations should therefore consider vulnerability management techniques and the practices that follow:

• Today’s techniques should unify the correlation and rationalization of vulnerability data from a variety of sources – from a range of scan techniques to external vulnerability intelligence, internal activity, and environment topology.


• They should be comprehensive, incorporating visibility across the entire landscape of systems, networks, applications, and resources that integrate complex environments – including security and IT operations management infrastructure.

• They should clearly identify actionable items, based on more realistic and comprehensive insight going beyond static or less comprehensive approaches to include activity and topology data.

• They should centralize visibility and analysis, reducing or eliminating the need for multiple management consoles for vulnerability assessment, activity insight, reporting or other related capabilities.

The IBM Security Approach

As businesses emphasize the role of data management and analytics, IBM has earned a leadership stake in these fields, and security is no exception. The company’s QRadar platform for Security Information and Event Management (SIEM) has become a highly popular offering for security teams worldwide, capitalizing on efficient techniques for delivering performance at scale from a wide variety of security-relevant information. QRadar provides centralized, actionable insight into real-time activity, with comprehensive visibility across people, hosts, networks and applications throughout virtual and physical environments. Today, IBM is extending this dynamic, efficient, real-time approach to vulnerability intelligence in a creative way.

Introducing IBM Security QRadar Vulnerability Manager

With IBM Security QRadar Vulnerability Manager, IBM introduces a new and distinctly different response to an important need: a truly integrated approach to security management that helps to reduce the total cost of security operations and closes a number of gaps in many existing approaches.

The integration of IBM Security QRadar Vulnerability Manager with the existing QRadar SIEM platform is seamless – the new offering is being delivered to QRadar customers as a standard part of the QRadar SIEM architecture. Because the solution will already exist within the customer’s environment, it can be quickly and simply activated with a licensing key, eliminating the need for the procurement and deployment of additional systems to support a separate technology silo of vulnerability management. This added functionality combines the real-time visibility of QRadar with vulnerability scan intelligence, and augments the QRadar SIEM asset database with a richer depth of vulnerability information.

A More Comprehensive Approach

The potential of this combination is compelling. Consider, for example, the range of intelligence that QRadar Vulnerability Manager can incorporate and correlate:

• Vulnerability scan data: The integrated scanner included with QRadar Vulnerability Manager provides widely adopted assessment capabilities that enable customers to combine two technologies – vulnerability assessment and SIEM – within a single unified platform. This eliminates the need for redundant techniques and simplifies the deployment of vulnerability management, which together may reduce total security management costs. Further augmenting this value is QRadar Vulnerability Manager’s ability to incorporate vulnerability data from a wide variety of sources – from IBM as well as from third parties – including Web application scanners, database vulnerability assessments, endpoint management systems, and other technologies. Inputs may include external as well as internal scans from both on-premise and hosted sources, enabling QRadar customers to take advantage of the view that the adversary has from the outside, as well as from within.


• Activity data: By uniting vulnerability assessment with the core capability of QRadar SIEM, QRadar Vulnerability Manager brings the added dimension of activity to vulnerability analysis. This highlights where vulnerabilities may affect highly active or important assets, or where reduced or less sensitive activity may indicate that remediation may be less of a priority, further enhancing efficiencies through added insight.

• Environment analysis: QRadar Vulnerability Manager is compatible with QRadar Risk Manager, which analyzes the topology of the environment to discover exploitable pathways, identify real exposures and reduce or eliminate false positives in vulnerability assessment. QRadar Risk Manager enriches this awareness with network activity data collected over time from the QRadar platform. These capabilities further aid QRadar Vulnerability Manager in identifying high-priority issues and making the most of limited vulnerability mitigation resources.

• Threat awareness: A particularly valuable sharpening of vulnerability awareness offered by QRadar Vulnerability Manager is its ability to capitalize on QRadar’s SIEM insight into both the internal and external threat environment. Recognizing when vulnerable hosts communicate with known or potential threat sites provides a significant distinction for this approach to vulnerability management – a realization of when vulnerabilities may, in fact, be targeted or exploited directly by an attacker. This capability is in line with some of today’s most successful technologies for advanced threat defense. When applied to vulnerability management, it heightens the value of activity awareness for comprehensive defense, accentuating hosts where the need for vulnerability mitigation may be most urgent.

• Remediation awareness: QRadar Vulnerability Manager further capitalizes on the integration of QRadar SIEM with security point products such as Intrusion Prevention Systems (IPSs) to expand awareness of threats that target vulnerabilities in the environment. This insight can be further leveraged to identify how and where defenses can be engaged to block exposures and defend against attacks. QRadar Vulnerability Manager can also incorporate data from endpoint management systems essential to vulnerability remediation such as IBM Endpoint Manager. This enables users to correlate the results of vulnerability analysis in a number of productivity-enhancing ways. For example, QRadar Vulnerability Manager can filter out exposures that IBM Endpoint Manager can patch automatically, leaving the user with a view of vulnerabilities requiring alternative mitigation techniques.

This expansive capability is delivered through the centralized user experience already familiar to QRadar users, easing the impact of adoption and further enhancing the efficiency of an integrated approach that reduces or eliminates the need for redundant vulnerability management tools.

Key Advantages

The primary value of the IBM QRadar Vulnerability Manager approach lies not so much within the added ability simply to scan the network, which is already widely available. Rather, what QRadar Vulnerability Manager provides is the ability to bring deeper, more directly actionable intelligence to the interpretation of vulnerability assessment, unifying the approach with existing security management at a reduced operational cost.


A Truly Integrated Approach

QRadar Vulnerability Manager leverages the deployment of existing security infrastructure and intelligence data to deliver more comprehensive assessment of vulnerabilities throughout the environment. This is not only an integrated approach, but also introduces a “near-zero” installation footprint for maximum efficiency – an approach rare among security infrastructure products, where legacy tools are typically deployed as standalone products. QRadar Vulnerability Manager attacks this fragmentation directly, integrating vulnerability assessment with dynamic activity monitoring.

Cost-reduction potential goes beyond infrastructure, however. Savings in reduced personnel effort may be just as significant: enterprises interviewed by EMA estimate fully-loaded personnel costs for security analysts at approximately $80 per hour.

Consider, for example, that security technicians must often consult multiple tools to understand:

• Which hosts are vulnerable (which may require the use of multiple assessment technologies);

• If those vulnerabilities are exploitable based on accessible topology;

• If activity indicates an immediate risk; and

• What remediation options are available.

This multiplies the level of effort required to identify and prioritize the most significant vulnerabilities for remediation. By integrating and correlating this information in a single console, QRadar Vulnerability Manager offers substantial reduction to the level of effort required to discover and resolve the most significant concerns.
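As an added example of the correlation these four questions call for (and of the prioritization, false-positive and remediation-awareness points made earlier in the paper), here is a small Python ranking routine. It is not EMA's or IBM's code and uses no QRadar API; the hosts, zones, flow records, placeholder vulnerability ids and scoring weights are all constructed assumptions.

```python
"""Rank scan findings by correlating them with asset criticality, topology,
observed activity and remediation data. Added example: not QRadar code and no
QRadar API; every record is constructed and the weights are assumptions."""
from collections import deque, namedtuple

# Scan findings: (host, placeholder vulnerability id, CVSS base score, affected service).
SCAN_FINDINGS = [
    ("web-01", "VULN-EXAMPLE-A", 9.8, "http"),
    ("web-01", "VULN-EXAMPLE-B", 7.5, "ftp"),  # ftp is not running on web-01
    ("db-01", "VULN-EXAMPLE-C", 9.0, "mysql"),
    ("ws-17", "VULN-EXAMPLE-D", 8.1, "smb"),
    ("ws-17", "VULN-EXAMPLE-E", 6.5, "smb"),
    ("lab-03", "VULN-EXAMPLE-D", 8.1, "smb"),
]
# Asset database: zone, business criticality and the services actually running.
ASSETS = {
    "web-01": {"zone": "dmz", "criticality": "high", "services": {"http": 80, "ssh": 22}},
    "db-01": {"zone": "internal", "criticality": "high", "services": {"mysql": 3306}},
    "ws-17": {"zone": "users", "criticality": "low", "services": {"smb": 445}},
    "lab-03": {"zone": "isolated", "criticality": "low", "services": {"smb": 445}},
}
# Topology: zones that may open connections into other zones; attackers start in UNTRUSTED_ZONES.
ZONE_LINKS = {
    "internet": {"dmz"},
    "users": {"dmz", "internal"},
    "dmz": {"internal"},
    "internal": set(),
    "isolated": set(),
}
UNTRUSTED_ZONES = {"internet", "users"}  # the outside, or a compromised endpoint
# Flow records: (source, destination, destination port, destination threat-listed).
FLOWS = [
    ("198.51.100.4", "web-01", 80, False),  # outside source probing the web tier
    ("ws-17", "203.0.113.9", 443, True),  # workstation talking to a listed site
    ("web-01", "db-01", 3306, False),
]
# Vulnerabilities the endpoint management system can patch without analyst effort.
AUTO_PATCHABLE = {"VULN-EXAMPLE-D"}

CRITICALITY_WEIGHT = {"high": 1.5, "medium": 1.0, "low": 0.7}  # assumed weights
THREAT_CONTACT_BONUS = 3.0  # host has contacted a threat-listed destination
PROBE_BONUS = 1.0  # inbound traffic from outside seen on the vulnerable service
UNREACHABLE_FACTOR = 0.2  # vulnerability present but no attack path leads to it

# status is one of "act", "auto_patch", "deferred", "false_positive"
RankedFinding = namedtuple("RankedFinding", "host vuln_id status score")


def reachable_zones(links, start_zones):
    """Zones an attacker can reach from start_zones by following zone links."""
    seen, queue = set(start_zones), deque(start_zones)
    while queue:
        for nxt in links.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def activity_signals(flows, assets):
    """Hosts contacting threat-listed sites; ports probed from outside, per host."""
    threat_contact, probed_ports = set(), {}
    for src, dst, port, threat_listed in flows:
        if src in assets and threat_listed:
            threat_contact.add(src)
        if dst in assets and src not in assets:
            probed_ports.setdefault(dst, set()).add(port)
    return threat_contact, probed_ports


def prioritize(findings=SCAN_FINDINGS, assets=ASSETS, zone_links=ZONE_LINKS,
               flows=FLOWS, auto_patchable=AUTO_PATCHABLE):
    """Return findings ranked by score, highest first, each with a status."""
    exposed = reachable_zones(zone_links, UNTRUSTED_ZONES)
    threat_contact, probed_ports = activity_signals(flows, assets)
    ranked = []
    for host, vuln_id, cvss, service in findings:
        asset = assets[host]
        if service not in asset["services"]:  # affected service absent
            ranked.append(RankedFinding(host, vuln_id, "false_positive", 0.0))
            continue
        score = cvss * CRITICALITY_WEIGHT[asset["criticality"]]
        if host in threat_contact:
            score += THREAT_CONTACT_BONUS
        if asset["services"][service] in probed_ports.get(host, set()):
            score += PROBE_BONUS
        if asset["zone"] not in exposed:  # no path from an untrusted zone
            status, score = "deferred", score * UNREACHABLE_FACTOR
        elif vuln_id in auto_patchable:  # leave to the endpoint manager
            status = "auto_patch"
        else:
            status = "act"
        ranked.append(RankedFinding(host, vuln_id, status, round(score, 2)))
    return sorted(ranked, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in prioritize():
        print(f"{f.score:6.2f}  {f.status:14s} {f.host:7s} {f.vuln_id}")
```

With the constructed data, the internet-facing web host that is being probed ranks first, the isolated lab host is deferred despite an identical finding on a workstation, and the finding on the service that is not actually running is flagged as a false positive.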

EMA research indicates that more than one-third of enterprises do not have sufficient time or expertise to deal with the security information they already collect.[8] Finding and retaining personnel with the necessary skillset is yet another roadblock to success. Reducing personnel costs through improving efficiencies in vulnerability assessment can help make the best use of this valuable and highly sought-after expertise.

Interoperability and support for standardized specifications also enables better automation for large-scale vulnerability assessment – a high priority in vulnerability management, as well as for integration with vulnerability remediation. QRadar Vulnerability Manager supports such initiatives by leveraging the National Vulnerability Database, supporting the CVE (Common Vulnerabilities and Exposures) enumeration and CVSS (Common Vulnerability Scoring System) severity assessment specifications. QRadar Vulnerability Manager can conduct discovery, authenticated and non-authenticated scans using the Open Vulnerability and Assessment Language (OVAL). These specifications are often key enablers for correlating asset information with vulnerability data and provide support for wider interoperability with third-party products or where these specifications may be required, as in many government facilities.

Improved Performance

Among the more significant challenges organizations report with vulnerability assessment are the time required to collect and manage vulnerability data, and the impact on sensitive infrastructure. EMA interviews with security organizations suggest that vulnerability scan data may often be one to four weeks old or older, exacerbating exposure and threatening the timeliness of remediation. Coverage may be as low as half (or less) of an enterprise network in some cases, due not only to the time required to complete vulnerability scans, but also to limit the impact of scanning on resources that may be sensitive to disruption.

[8] The Rise of Data-Driven Security, EMA Research Report, May 2012, p. 7

QRadar Vulnerability Manager addresses these concerns by offering high-speed scanning capabilities using a “do no harm” approach to network performance and availability. This includes the ability to leverage the insight of QRadar SIEM to launch more frequent or more focused scans in response to detected network behavior – for example, whenever a new asset is detected on the network from log events or network flow data. Scanning high-priority targets on an as-needed basis reduces the network impact of scanning, and it also closes gaps in vulnerability awareness caused by dynamic network activity that would otherwise be missed between scheduled scans. Scans can also be programmed to run at regularly scheduled intervals, using QRadar to identify appropriate targets: all assets known to QRadar, a specified subset, or the members of a QRadar SIEM reference set.

Centralized and Efficient Management and Intelligence
Because QRadar Vulnerability Manager is part of the QRadar Security Intelligence Platform, it can aggregate vulnerability data collected from a wide variety of security and IT operations management products and third-party tools, and centralize the delivery of this insight in a security information management system already widely adopted.

QRadar Vulnerability Manager adds a new tab to the single-console QRadar Security Intelligence Platform interface, an environment already familiar to existing QRadar users for reviewing log events, network flows and security alerts. It collects all available scan data within a dedicated and customizable dashboard view, helping not only to prioritize actionable vulnerability intelligence, but also to coordinate patching, “virtual” patching (using a security defense such as an intrusion prevention system to block exploit traffic for a known flaw, so that an unpatched system is protected as if it had been patched) and blocking activities across security and IT systems management infrastructure.

This approach is both flexible and deep. At a strategic level, it provides trending of vulnerabilities and vulnerability management essential to understanding performance and prioritizing risk mitigation resources, maintaining daily, weekly and monthly views. It can suppress false positives and permissible exceptions, or tailor the focus of analysis to specific assets, vulnerabilities, or other criteria to refine views as necessary. At an operational level, QRadar Vulnerability Manager provides a graphical interface for visualizing and exploring detected vulnerabilities. Forensic capabilities provide deep visibility into vulnerability analysis by host, service or vulnerability type.

Example Use Cases
These benefits can be seen in a number of QRadar Vulnerability Manager use cases:

Today’s More Sophisticated Threats
Organizations today are aware as never before of the ability of modern attacks to penetrate defenses. In a 2012 EMA survey of 200 organizations worldwide,9 the majority of respondents (52%) indicated that they were no more than “somewhat” confident they could detect an important security issue before it has an impact. Nearly one-third (32%) of self-identified security professionals in this study felt that security technologies were too easily overcome by targeted threats.

9 The Rise of Data-Driven Security, EMA Research Report, May 2012, p. 9


Modern attacks often succeed because attackers are far more systematic than defenders. Attackers will often conduct initial reconnaissance to discover exploitable opportunities and combine user coercion with technical exploits to gain initial penetration. Once initial success is achieved, automated attacks may spread in a “wormlike” fashion, while intelligent adversaries assess additional opportunities for further gains. Command-and-control (“C2”) may be established, and the exfiltration of data may result in real damage to the business.

QRadar Vulnerability Manager can detect suspicious activity and trigger scans as warranted. It can sense when new assets are added to the network and scan them immediately to keep the asset database and network topology current. Activity such as anomalous deviation from routine behavior can reveal vulnerabilities that other techniques may miss, which supports better prioritization of remediation. QRadar Vulnerability Manager can also highlight vulnerabilities on assets that have communicated with recognized external threat sites, automatically scanning those assets and providing up-to-date vulnerability visibility where it is most needed.
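The two triggers just described, and the event-driven scanning introduced under Improved Performance above, reduce to a small scheduling loop over flow records. The Python below is an added example written for this page, not QRadar's own logic: it reads constructed flow records, schedules a discovery scan for any internal address not yet in the asset database, schedules a focused rescan for any internal host that exchanged traffic with an address on a threat reference set, and releases only a capped number of jobs per interval. The internal ranges, the asset table, the threat list (documentation addresses, not real threat infrastructure), the job priorities and the budget are all assumptions of the example.

```python
"""Added example for this page: event-driven scan scheduling from flow data.
Not QRadar code. The flow records, asset table and threat list are constructed;
the job priorities and scan budget are assumed policy."""
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PRIORITY = {"threat-contact": 0, "new-asset": 1}   # lower sorts first

# Constructed: assets already in the asset database, and a threat reference set
# of external addresses (documentation ranges, not real threat infrastructure).
KNOWN_ASSETS = frozenset({"10.0.1.10", "10.0.2.20"})
THREAT_IPS = frozenset({"203.0.113.7", "198.51.100.9"})

# Constructed flow records: timestamp,src,dst,dst_port,proto
FLOW_LOG = """\
2013-07-08T09:00:01Z,10.0.1.10,10.0.2.20,5432,tcp
2013-07-08T09:00:05Z,10.0.5.44,10.0.2.20,5432,tcp
2013-07-08T09:00:09Z,10.0.1.10,203.0.113.7,443,tcp
2013-07-08T09:00:12Z,10.0.5.44,10.0.2.20,5432,tcp
2013-07-08T09:00:30Z,192.168.3.3,198.51.100.9,80,tcp
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def plan_scans(flows, known_assets, threat_ips, budget=None):
    """Return scan jobs triggered by the flows, most urgent first.

    known_assets (a mutable set) is updated as the asset database would be, so a
    host seen in several flows is scheduled once. budget caps the number of jobs
    released in this interval, which is the "do no harm" throttle."""
    jobs = {}

    def trigger(target, reason, ts):
        job = jobs.setdefault(target, {"target": target, "reasons": set(), "first_seen": ts})
        job["reasons"].add(reason)

    for flow in flows:
        # Discovery: any internal address not yet in the asset database.
        for host in (flow["src"], flow["dst"]):
            if is_internal(host) and host not in known_assets:
                known_assets.add(host)
                trigger(host, "new-asset", flow["ts"])
        # Focused rescan: an internal host that exchanged traffic with a listed threat address.
        if flow["dst"] in threat_ips and is_internal(flow["src"]):
            trigger(flow["src"], "threat-contact", flow["ts"])
        if flow["src"] in threat_ips and is_internal(flow["dst"]):
            trigger(flow["dst"], "threat-contact", flow["ts"])

    # ISO-8601 timestamps sort correctly as strings.
    ordered = sorted(jobs.values(),
                     key=lambda j: (min(PRIORITY[r] for r in j["reasons"]), j["first_seen"]))
    return ordered if budget is None else ordered[:budget]


if __name__ == "__main__":
    known = set(KNOWN_ASSETS)
    for job in plan_scans(parse_flows(FLOW_LOG), known, THREAT_IPS):
        print(job["first_seen"], job["target"], sorted(job["reasons"]))
```

On the constructed log this yields three jobs, not five: the known web server that reached a threat address is rescanned first, the newly seen 192.168.3.3 host is scanned once even though it qualifies on both grounds, and 10.0.5.44 is scanned once although it appears in two flows. In practice the budget would be tuned to the capacity of the scanner and the sensitivity of the targets.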

Improved Compliance
One of the banes of security management is the burden that compliance often imposes on organizations to collect “audit-worthy” reporting across a disparate range of point products and management tools. This adds to the cost of compliance efforts – but outdated approaches to compliance may have an even more dire impact.

Despite the emphasis many regulators place today on “continuous” compliance, many approaches still take a static, point-in-time approach to assessment. Adversaries, however, are not so bound, which may leave the business susceptible to attackers who find exposures the business may not recognize until the next assessment. Nor do compliance requirements necessarily address all potential security exposures in any specific case.

With the addition of Vulnerability Manager, QRadar combines vulnerability scanning, both scheduled and on-demand, with real-time activity awareness that supports improved compliance through more comprehensive vulnerability intelligence. QRadar Vulnerability Manager delivers a full history and audit trail of completed scans – including authorized exceptions when warranted – categorizing each discovered vulnerability with an appropriate severity rating and vulnerability score. QRadar Vulnerability Manager also supports demonstrations of remediation, through interoperability with security defenses, incorporation of systems management data, and the tracking of remediation activities through service desk ticketing, including severity, due dates and additional commentary as needed.

EMA Perspective
With its novel approach to integration with an established security intelligence platform, QRadar Vulnerability Manager is a provocative departure from many existing approaches, which are often focused solely on vulnerability awareness based on vulnerability data and scans. The coupling of vulnerability assessment with real-time activity insight does more than improve efficiency by combining these technologies in a single form factor. It introduces a new dimension to vulnerability management, further supplemented by topology awareness and vulnerability mitigation capabilities from endpoint management to security defenses.


This approach directly addresses some of the most frequently cited frustrations with security technologies voiced by 200 organizations worldwide in recent EMA research.10 Among the most significant complaints: “poor integration among security tools” (43%), “slow to respond to emerging threats” (39%) and “inadequate visibility into malicious or high-risk activity” (32%). With QRadar Vulnerability Manager, IBM seeks to close a number of these gaps:

• Enhancing vulnerability awareness through integrating vulnerability assessment with the activity monitoring of SIEM.

• Improving the prioritization of vulnerability remediation through topology insight and intelligence into both the internal and external threat environments.

• Optimizing the use of precious resources through interoperability with remediation, from security defenses to systems management resources.

These benefits emphasize a primary value of this new offering: the unification of vulnerability assessment and SIEM in the same technology platform, which helps to reduce total security infrastructure costs while providing more intelligent interpretation of vulnerability analysis. Enterprises that seek to reduce their total security costs while improving their security posture – and who recognize the value of comprehensive, integrated security intelligence – should evaluate this approach for its potential to satisfy some of vulnerability management’s most elusive promises in a new and different way.

About IBM
IBM Security offers an advanced and integrated portfolio of enterprise security products and services. The portfolio, supported by widely recognized X-Force research and development, provides security intelligence to help organizations holistically protect their people, infrastructures, data and applications, offering solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. These solutions enable organizations to manage risk and implement integrated security for mobile, cloud, social media and other enterprise business architectures. IBM operates one of the world’s broadest security research, development and delivery organizations, monitors 13 billion security events per day in more than 130 countries, and holds more than 3,000 security patents. For more information, visit www.ibm.com/security

10 The Rise of Data-Driven Security, EMA Research Report, May 2012, p. 11


About Enterprise Management Associates, Inc.
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2013 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 1995 North 57th Court, Suite 120, Boulder, CO 80301 Phone: +1 303.543.9500 Fax: +1 303.543.7687 www.enterprisemanagement.com
2698.070813