Foundstone Refines Threat Assessment

By Cameron Sturdevant  |  Posted 2003-09-22

Speed traded for in-depth analysis.

Foundstone Inc.'s namesake Foundstone Enterprise 3.0.1 software packs enough punch for even the largest distributed networks. It adds threat correlation to Windows host assessments, making shorter work of IT managers' vulnerability assessment chores.

Foundstone Enterprise 3.0.1
Using Foundstone's updated distributed vulnerability assessment tool, IT managers can now correlate new threats against existing scan data and use customized weighted scores to find security exposures and rank their severity. The initial costs are competitive, and ongoing maintenance is in line with what we'd expect for distributed enterprise products.

  • PRO: New security exposures can be correlated to infrastructure without additional asset scans.
  • CON: Remediation procedures are sometimes too general to be of use for specific equipment.

  • COMPETITORS: Internet Security Systems Inc.'s Internet Scanner, the Nessus Project's Nessus and Qualys Inc.'s QualysGuard
Like competitors such as Qualys Inc.'s QualysGuard appliance (see review), Foundstone Enterprise 3.0.1 took a significant amount of time to scan our test network for vulnerabilities. Although scan time is certainly a factor IT managers should consider in vulnerability assessment tools, the quality of the scan should weigh far more heavily. In this regard, we believe Foundstone Enterprise, which is based on the company's Foundscan engine, is a top-notch competitor and belongs on the short list of IT managers at midsize and large enterprises.

Foundstone Enterprise 3.0.1 with threat correlation capabilities ships early next month and starts at $15,000, which includes the Foundstone FS1000 appliance. The Threat Correlation module is an additional 10 percent of the base software cost.

Threat correlation is a clever value-add to Foundstone Enterprise, and we used the function to quickly assess systems in the test network. Foundstone takes in security advisories from many sources, including manufacturers such as Microsoft Corp. and Cisco Systems Inc., and creates a bulletin that is made available to Foundstone users. The bulletin explains the vulnerability and, most importantly, allows users to run a check of their systems for the exposure.

In tests, for example, Foundstone Enterprise Threat Correlation found multiple Windows 2000, XP and 2003 systems in our network that were susceptible to a buffer overrun. Microsoft Security Bulletin MS03-039 described the exposure and how to remediate it. Because Foundstone staff had pre-processed the security bulletin and created a threat correlation update to check our systems, it was a snap for us to run a check and identify which systems were at risk.

There are two reasons why the threat correlation function is so appealing. The first is that it made easy work of assessing our IT infrastructure for specific weaknesses without straining the network. We got results with little thought to the load a full vulnerability scan would impose, because the threat correlation bulletin runs against the Foundstone Enterprise database of previously collected scan data, not against agents installed on the systems or against network infrastructure devices such as routers and switches. The flip side is that the answer is only as current as the last scan that populated that database; a host added or changed since then will not show up until it is scanned again.

The second reason we liked the threat correlation module is that it does away with most of the work involved in figuring out how to ferret out new weaknesses. Foundstone experts put the threat correlation bulletin together, so we were able to get the update from the Foundstone site and search our IT resources with hardly a second thought.

All this takes time, however. Even a scan against our relatively small collection, about 25 devices including desktops, routers, switches and a variety of servers running Novell Inc., Red Hat Inc. and Sun Microsystems Inc. operating systems, often took between 3 and 10 minutes, depending on what we were looking for.

That said, we are becoming less concerned with the length of time it takes a vulnerability assessment tool to run a scan. We advise IT managers to look more closely at the quality of the scan: the number of vulnerabilities found, some ranking of their importance and, increasingly, information about how to remediate them.

In this regard, we liked Foundstone Enterprise's remediation center. The built-in ticket center is perfectly fine as a stand-alone break/fix tracking system.

It can also be integrated with most popular trouble-ticket systems, although this will involve a little help from Foundstone professional services.

Aside from the usual features, such as opening new tickets and tracking ticket status, we liked the remediation center's ability to confirm that items marked as fixed really were fixed. The "click to check" feature is great for quality control in the remediation process, or simply as a sanity check for security managers.

We tested the feature by running a report that showed resolved trouble tickets. After opening an individual ticket, we clicked on the "verify" button, which re-checked that one system.

The ticket system worked reasonably well, but the information about vulnerabilities could stand some improvement.

For example, the Foundscan vulnerability detection engine correctly identified a default SNMP community name on our WatchGuard Technologies Inc. Firebox V80 firewall appliance. Although the trouble ticket correctly identified the WatchGuard Firebox in its header, all the remediation information was geared toward correcting the problem on a Microsoft operating system.
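The three mechanisms described above, a bulletin correlated against stored scan data rather than a fresh scan, a weighted score that folds in an asset weight the security manager sets, and a "verify" step that re-checks only the ticketed host, fit in one short script. The following is an added example in Python, not Foundstone's code or a description of its internals. The five-host inventory, the asset weights, the SNMP bulletin and every line of remediation text are constructed for illustration; the affected Windows versions and hotfix number 824146 are taken from Microsoft's MS03-039 bulletin, which the review cites only by its ID. The example also shows the per-platform remediation lookup whose absence the Firebox ticket illustrates: a firewall record falls through to the generic text instead of receiving Windows instructions.

```python
"""Added example (not Foundstone code): run a pre-processed bulletin against
stored scan data, weight the findings and verify a remediation ticket.
All inventory, weights, SNMP details and remediation text are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Results of an earlier full scan. "weight" is the asset criticality (1-5) the
# security manager assigns; it is the customised part of the weighted score.
INVENTORY = [
    {"host": "dc1", "platform": "windows", "product": "Windows 2000",
     "hotfixes": {"KB823980"}, "services": {135: "msrpc"}, "weight": 5},
    {"host": "ws7", "platform": "windows", "product": "Windows XP",
     "hotfixes": {"KB823980", "KB824146"}, "services": {135: "msrpc"}, "weight": 2},
    {"host": "web2", "platform": "windows", "product": "Windows Server 2003",
     "hotfixes": set(), "services": {80: "http", 135: "msrpc"}, "weight": 4},
    {"host": "fw1", "platform": "watchguard", "product": "Firebox V80",
     "hotfixes": set(), "services": {161: "snmp community=public"}, "weight": 5},
    {"host": "nw1", "platform": "netware", "product": "NetWare 6",
     "hotfixes": set(), "services": {161: "snmp community=s3cret"}, "weight": 3},
]


@dataclass
class Bulletin:
    """A pre-processed advisory: who is affected, how bad, how to fix it."""
    bulletin_id: str
    title: str
    base_severity: int                  # 1-10, set by the bulletin author
    affected: Callable[[dict], bool]    # test applied to one asset record
    remediation: Dict[str, str]         # platform -> text; "*" is the fallback


def ms03_039_affected(asset: dict) -> bool:
    # Windows 2000/XP/2003 exposing the RPC endpoint mapper (TCP 135)
    # without hotfix 824146 (per MS03-039). No port 135 seen: not flagged.
    return (asset["platform"] == "windows"
            and asset["product"] in {"Windows 2000", "Windows XP", "Windows Server 2003"}
            and 135 in asset["services"]
            and "KB824146" not in asset["hotfixes"])


def snmp_default_affected(asset: dict) -> bool:
    # Any platform: SNMP answered to one of the well-known default communities.
    detail = asset["services"].get(161, "")
    if "community=" not in detail:
        return False
    community = detail.split("community=", 1)[1].split()[0]
    return community in {"public", "private"}


BULLETINS = [  # constructed; remediation strings are illustrative only
    Bulletin("MS03-039", "Buffer overrun in RPCSS", 9, ms03_039_affected,
             {"windows": "Install hotfix 824146 and reboot.",
              "*": "Apply the vendor fix for the RPCSS buffer overrun."}),
    Bulletin("SNMP-DEFAULT", "Default SNMP community name", 6, snmp_default_affected,
             {"windows": "Change the community name in the SNMP Service properties.",
              "watchguard": "Set a non-default community or disable SNMP on the Firebox.",
              "*": "Set a non-default community string or disable SNMP."}),
]


def correlate(inventory: List[dict], bulletin: Bulletin) -> List[dict]:
    """Run one bulletin against stored scan data. No host is contacted, so
    the result is only as current as the scan that filled the inventory."""
    findings = []
    for asset in inventory:
        if bulletin.affected(asset):
            # Per-platform text, falling back to "*": this is what keeps a
            # firewall ticket from carrying Windows-only instructions.
            text = bulletin.remediation.get(asset["platform"], bulletin.remediation["*"])
            findings.append({"host": asset["host"], "bulletin": bulletin.bulletin_id,
                             "score": bulletin.base_severity * asset["weight"],
                             "remediation": text})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def open_tickets(findings: List[dict]) -> List[dict]:
    return [{"host": f["host"], "bulletin": f["bulletin"], "status": "open"}
            for f in findings]


def verify_ticket(ticket: dict, inventory: List[dict], bulletins: List[Bulletin]) -> str:
    """The 'click to check' step: re-run only the ticket's bulletin against
    only the ticket's host. Here the check reads the updated inventory
    record; a scanner would re-probe that single host instead."""
    asset = next(a for a in inventory if a["host"] == ticket["host"])
    bulletin = next(b for b in bulletins if b.bulletin_id == ticket["bulletin"])
    ticket["status"] = "reopened" if bulletin.affected(asset) else "verified"
    return ticket["status"]


if __name__ == "__main__":
    for bulletin in BULLETINS:
        for finding in correlate(INVENTORY, bulletin):
            print(f"{finding['bulletin']:<12} {finding['host']:<5} "
                  f"score={finding['score']:<3} {finding['remediation']}")
    # dc1 gets the hotfix; an operator then marks both MS03-039 tickets fixed.
    tickets = open_tickets(correlate(INVENTORY, BULLETINS[0]))
    patched = [dict(a, hotfixes=a["hotfixes"] | {"KB824146"}) if a["host"] == "dc1" else a
               for a in INVENTORY]
    for ticket in tickets:
        print(ticket["host"], verify_ticket(ticket, patched, BULLETINS))
```

Run as a script, it lists dc1 and web2 for MS03-039 (ws7 already carries the hotfix) and fw1 for the SNMP bulletin with the Firebox-specific text, then prints "dc1 verified" and "web2 reopened", because only dc1 was actually patched before the tickets were checked. The weighted score is deliberately simple, bulletin severity times asset weight; a real deployment would also factor in exposure, but the point is that the weighting belongs to the asset record, not the bulletin.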

Next page: Scoring Points