At 03:56 PM 1/5/2006, Raffael Marty wrote:
> On the subject of SIMs and vulnerability analysis scans...has anyone
> actually found this feature to be useful?
> 1) I can't even imagine letting my SIM scan the network in such an ad hoc
> manner.  It doesn't help that none of the vendors seem to bother with
> providing much in the way of documentation of the process.  I'm in a wacky
> world where an outage is almost never trivial ;-) I've used Nessus enough
> to know that it WILL eventually cause an outage.

I think you misunderstand what a SIM does with respect to vulnerability
scans. SIMs import scans from vulnerability scanners that you have
deployed. For example from Nessus. I think I remember that there is one
product (not even sure if it is a SIM) that does ad-hoc scans for events
it gets. That's just not a good idea, introduces a lot of latency (so
doesn't scale) and has the problems you outline. Again. In general, SIMs
import vuln-scans, they don't scan themselves.

One of the reasons we design Tenable's products as a blend of SIM and VM
is because this import function is a leap of faith. Too often, I see great
SIM products loaded with last year's vuln data, or vuln data that didn't
have the proper credentials or vuln data that was only a discovery scan.

With Tenable's products, you can do SIM and VM at the same time with one
product set. If scanning too often is an issue, we can also sniff network
traffic with NeVO to find new hosts, applications and vulnerabilities.

Having accurate vulnerability data makes any SIM process (incident response,
VA/IDS correlation, updated Asset inventory, etc.) much more relevant.

Ron Gula, CTO
Tenable Network Security
