Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


FoundStone Refines Threat Assessment



 By: Cameron Sturdevant
2003-09-22
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Speed traded for in-depth analysis.

Foundstone Inc.s namesake Foundstone Enterprise 3.0.1 software packs enough punch for even the largest distributed networks, adding threat correlation to Windows host assessments that make shorter work of IT managers vulnerability assessment chores.

EXECUTIVE SUMMARY
Foundstone Enterprise 3.0.1

Using Foundstones updated distributed vulnerability assessment tool, IT managers can now correlate new threats and use customized weighted scores to find security exposures and determine their severity. The initial costs are competitive, and ongoing maintenance is in line with what wed expect for distributed enterprise products.

KEY PERFORMANCE INDICATORS
USABILITY GOOD
CAPABILITY EXCELLENT
PERFORMANCE GOOD
INTEROPERABILITY GOOD
MANAGEABILITY EXCELLENT
SCALABILITY GOOD
SECURITY GOOD
  • PRO: New security exposures can be correlated to infrastructure without additional asset scans.
  • CON: Remediation procedures are sometimes too general to be of use for specific equipment.

    • EVALUATION SHORT LIST
     Internet Security Systems Inc.s Internet Scanner The Nessus Projects Nessus Qualys QualysGuard
    Like competitors such as Qualys Inc.s QualysGuard appliance (see review), it took Foundstone Enterprise 3.0.1 a significant amount of time to scan our test network for vulnerabilities. Although scan time is certainly a factor that IT managers should consider in vulnerability assessment tools, the quality of the scan should weigh far more heavily. In this regard, we believe Foundstone Enterprise, which is based on the companys Foundscan engine, is a top-notch competitor and should be placed on the short list of IT managers at midsize and large enterprises.

    Foundstone Enterprise 3.0.1 with threat correlation capabilities ships early next month and starts at $15,000, which includes the Foundstone FS1000 appliance. The Threat Correlation module is an additional 10 percent of the base software cost.

    Threat correlation is a clever value-add to Foundstone Enterprise, and we used the function to quickly assess systems in the test network. Foundstone takes in security advisories from many sources, including manufacturers such as Microsoft Corp. and Cisco Systems Inc., and creates a bulletin that is made available to Foundstone users. The bulletin explains the vulnerability and, most importantly, allows users to run a check of systems for the exposure.

    In tests, for example, Foundstone Enterprise Threat Correlation found multiple Windows 2000, XP and 2003 systems in our network that were susceptible to a buffer overrun. Microsoft Security Bulletin MS03-039 described the exposure and how to remediate it. Because Foundstone staff had pre-processed the security bulletin and created a threat correlation update to check our systems, it was a snap for us to run a check and identify which systems were at risk.

    Resource Library:

    There are two reasons why the threat correlation function is so appealing. First is that it made easy work of assessing our IT infrastructure for specific weaknesses without straining the network. We got results with little thought to the load that a full vulnerability scan would impose because the threat correlation bulletin runs against the Foundstone Enterprise database, and not against agents installed on the systems or other network infrastructure devices, such as routers and switches.

    The second reason we liked the threat correlation module is that it does away with most of the work involved in figuring out how to ferret out new weaknesses. Foundstone experts put the threat correlation bulletin together, so we were able to get the update from the Foundstone site and search our IT resources with hardly a second thought.

    All this takes time, however. Even a scan against our relatively small collection—about 25 devices including desktops, routers, switches and a variety of servers running Novell Inc., Red Hat Inc. and Sun Microsystems Inc. operating systems—often took between 3 and 10 minutes, depending on what we were looking for.

    That said, we are becoming less concerned with the length of time it takes a vulnerability assessment system tool to run a scan. We advise IT managers to look closely at the quality of the scan—the number of vulnerabilities found, some kind of ranking of the importance of the vulnerabilities and, increasingly, information about how to remediate the vulnerability.

    In this regard, we liked Foundstone Enterprises remediation center. The built-in ticket center is perfectly fine as a stand-alone break/fix tracking system.

    It can also be integrated with most popular trouble-ticket systems, although this will involve a little help from Foundstone professional services.

    Aside from the usual features, such as opening new tickets and tracking ticket status, we liked the remediation centers ability to ensure that items marked as fixed were easy to check. The "click to check" feature is great for quality control in the remediation process or just as a sanity check for security managers.

    We tested the feature by running a report that showed resolved trouble tickets. After opening an individual ticket, we clicked on the "verify" button, which checked the individual system.

    The ticket system worked reasonably well, but the information about vulnerabilities could stand some improvement.

    For example, the Foundscan vulnerability detection engine correctly identified an SNMP default community name on our WatchGuard Technologies Inc. Firebox V80 firewall appliance. Although the trouble ticket correctly identified the WatchGuard Firebox system in the header, all the remediation information was geared toward correcting the problem if it occurred in a Microsoft operating system.

    Next page: Scoring Points

    Scoring Points

    Clearly laid-out foundstone scores in the refined dashboard made identifying overall trends much easier than in previous versions. These scores can be configured by IT managers to more accurately reflect the importance of specific IT assets by assigning what Foundstone officials call a "criticality multiplier."

    We think Foundstone has done something good here for IT managers, but the company has also opened the product up for a little mischief, too. During tests, it was possible to doctor the criticality multipliers to make our Foundstone score go down. (In this case, a lower number is better.)

    Fortunately for non-IT executives, Foundstone Enterprise keeps two sets of Foundstone scores: the default set and the customized set.

    In the interest of getting the most accurate assessment, its a good idea to ask for both sets of scores, reflecting a period of at least six months, when evaluating the health of the network.

    Its also a very good idea to base performance pay on the default Foundstone score. Even though a customized Foundstone score is susceptible to being doctored to reflect positively on IT staff, we still think this is a good addition to the product because it allows IT managers to ensure that really critical vulnerabilities get forced to the top of the fix-it list.

    Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant@ziffdavis.com.





      Reader Comments: FoundStone Refines Threat Assessment
    >>> Be the FIRST to comment on this article!
     

     
     
    >>> More Network Security & Hardware Articles          >>> More By Cameron Sturdevant
     


    x}V㸲fyM oH' lnܳ[I<89Y%3*I ==4lK*IRT*!{I"f\:Ԣ$;qOuޛIjy6`Qo2p&Ӂc)yx`p*jTP4GL'fK>!`:x ]3~ݢq!_CpדB 8=/'C;)۱<-3YV֯|4n9S8$S|Eؘ* =q74LaHO LE3ؖCY֌LaF-S4u뮖WK|UQjJ|j;Q!`چ[=}4q*sܜLϿv/+e}~!􏂸,;Vඔ켦 M9푫·[yиm  B'Fb}" @D%\.j$^c:-'v}j]"tyZj9(J/(H.՚1S$hICF/XTU9@b9jz'򋩥uk\ߴ-kݴ[H>߈ecby 1J>PFbKW:K!㽩S==}m_tnsCNZǭ.Gg:PLm3H/*}mupu6O|nkx8=|`k2`;;RZ:;$O:ǽ-21H|[8 wyA y(-4K[WI2}!x#w#?", G)HaU|`A`6 2XeMv@So__jS E/|@#X\1P3Z$o KkLru&Sk~$U cƪb.L2o4+}/`I[/d`(O/g uM֧TwIQa#{<͈ _\@ 2 p1SEҭTW7s ۩[t48;.EuLVd];7y֏zZTpx=j7ҽ\u;tvg-xXntRMMqsuS\uW{H r"TT[XQt 2hbXvP7PZANw`A!i vڄz?j'0@א QmP>87MiH'j0i} ͣPo]>&ujo7LAb@c`N3PC'A :\TRmd;>4)PhSP<xw0ܛ@[h%]Ҽ[:? a'0. Z- BeV~m ̢PsԧmMrA=9ڽfZ@c@ k2 'yv_<&.У\8$/4뼜2?pGҶLoy@>J|zS.ZqαrB&5b$ӠCY3b-y20筶 d挦M,31r@y?T9eXScXNϠD Lz?v&u/$1L`VjabE3 wC-j)+ګY5wld xAqFFdH >[ eҊtp ku;.`CϱȇKu='c-`scW@~AQ9S棄ZXpܱ880TM2 akTժLM>a@/ı``s7s:pJ.k6qM͞_.⺰#]5ޅ9GME8` Dz>2FáiH5ߴfic#b hE}T5F,D ȸla,Ca9ڴ*3t,yX>QȚ=#+JuѦȥiO@ @MnN3pPQ@1"N:M4/#埯:һOQ*# 7ko` 2l3q&/jt9Ȣ4Q} (Mڄi&.}yX㼭pF |"]il% m"T0|& :VH070l) hRUԒxZB@^nzJEڶhdTzh>R7͏P)gh9d*YZ J il˪ZԊjR =62z4Ebw};!о< _q˹cm/7QoN?*}zK]UM+\k3f>#]\aQacFTF 4co0+fW#s@)WFHi1 .+NjZ0=3KV{=;ibGHڹ8?́<[6A)ctxLǚ8)с,HrUɫ-Mޝl/F'hFA\=| `Q4E*JiNwy犚\>bRjELRG ?bqm@`T WD ⺪T_[Ig7{}h#R @ k J{ZC!t*{ꋕjJ~vSVUy9kZ%f+Fyݛjz|}F!EX9l3iq}2s-_g>0%[ȑSwz&RĴR,[V-03+VH]'~4NլQ tM"g\K Fb&*T~\{)3p320Ow/}Tc!:\$t'M]U۶A%Xhb9DJ9ޥP͜ P7@yz-'A&'t%p?( `FOWo}HlLK >嶷T0$wOJI) zVER\ HÖ1L}M}YzN46J>䕗ю"eʴɢ7(CiB+%{N1 Vz}b;_I|SeȓV)Ki-TXEZx,(U\ӃP~ tyA1p Jnhmb򑤟{ȕ?"ⓨ:m2TBE-) Co_7xў2G+++i-^2y~n)[ 4wҨK3[Y>)ӔWϰ:3dRb kȣ^h-iBsEj`1S? 4$ڎ_VpDc? )k03?2TijzJ0RP-HjExf:PɈُG[upM\&=muJM_L7 xG8?ws̾f3N2t |{ضR3vfc"a@qC@a H\}TKD(s,~w9Yo9 |\V* d:Cd`| !A-a#d1~V?Jv" }MXޟUv٩Gd# ;?J7!)>i'6/>?kٿt۽v00y}vދj}cr 4 mUj_~9$Ug7W'Ryga÷[h K^]0~M=/bk''3醗a ]N{孀 uzΥsټ9k_t;~F.W-)^s-o=R#!5/gW, Y#tB_7 獦fpR`^Qԃct_3l&ʯH!/ 'ttOR!m&ۚg | AYk+<]wZ V`!PH?(WI;0R{B,2q^_4?FG2sE6VSF(?DrAFzRF>eo'Mf}+bt8Dmn 4~ y.~y>~?7~h 0bAdnKF+9ǭԓNHb5+.Tx㿜i^5szQxe|&A.HWкJ=$c0QJ"[3pq*h wᬖ^}+ ɏhqZ]) U9$9 W9U*۾Ll3ztm=O$ ؑqD42ThiX'SX3]ahbrх[enߦYvU%3m]'ڌرDM~zv`gh o.3'}g-;oCĆ#wBR ("Ξ[ef0SunW gL4.&I\uzykݐ9arԂs JA5`wfw^TT~eFx?HPݛ#-p8!L[ wv+ר+-hKw+g~OY)n[ icPKSϑ$ɘNFBAS|.ߩYdU)IW]YDG㳑)C8{xHߴ.Ao觥4/ ZȥGnvٽdsxB%?h_2n%~W>L>]\ZϲԒH>rs\5"nǸZ8W90N=9$/@fm ,D~f?vȿLĴhg4ka!C8OX] @@ ˣipLyxr4jazwzyzY? ~0M2ܥi( rtM޻t&,gYq-yGm6>WrkEBsu|rT 1c"elQ6Ƅ1.a>Zԛa,kf ӝ1C.:p<,#s < x0>l3:j~?2"L ZA+e,C~0oh@Vfڏΐ҄^̎t4>nL8oeH^ w}%4|11t\{q DA#c lule 2sǚ +ĸ P SAd9ñsÃcb=P 5(yl?[ˌ"L:͟V6eAEW~[=ɀb6foKR!E/`O Ķ@x Z<ͮb1IQtOXf#TLj(U !텽xKv]An!7-XKvf̑xRE>hPuБt 5nKbR8PKUYp ~>+?D>A g8"eIX}b HX\dGIϼ?rXHm6]*Jj$a1iLX[X E թI,ztL)ƚ*J Ċ,OB$ MW >4 B4^V~{BU˛jZo x44W潠^p4Hn@];{3\GJ:ȥ6>'jCn)Ip 6.|.L( [eߊʒRҦDW|-Ro)n6qcJ7ӳտcKW A8 !1T*dsQ~7ʾ- U%) OCδ݋0bI5:4`SA|R0N(Da^C4% Ж>YU$Z5a76ʶ %UoS* c%C6Y?U *=|$ H@ LmHmƖH@PMU)n(ZXbԊ>"suX=q`D[w#&_)JBllf$`543 r+8f,38383838ys^(cyv9#;@mcQ2҄8N'Jfs3*s kT nIX~$zdQcD_FA{ 3fnluCJx5*.?[\8:HxgPpl CdA $찀DRPpC/I砡BRM 7+wg fDݗN(u8>wBI[3?Z9qHBYD0#KҚa&a͈[uU IMq|f;4txUbP5׵#@'a7bś ~M %3ؾ̗6E6}\LW|b$j*A!Ҟ)>B"mQ7kcӜߒ1~y+: rAW(7byaU,lؼQo,e1Ԓt)E,:E%_f K*$!ፕ >=.B4lƶ%>=I;/ԓ4{U Wab_ޣƪ/mKf7 /pdLub?-1U"ndPY dOo}a~1"BlƆ47^ق:3J}SZK,_iXtv,h sMF3 ˗x!v/ b;$ckHZ=+ <]ފ匜~/U+r.~B[Bg tφO}ajͽTF\,OkB*ф/|ӑyܿMX ayeLMoՃ QQ=:[ݽ1\Z_tyn&]$5M 3{50I%뀿 c =(V=.i ȲWί/=ytӅg{RY0#|~}?c>N{͢h݇[ =MЬD5fX+%"Q0MGpƊ8aYƃ@◱K,j}zrAGg0nPAftve lE#զl1 ?@~ uM|y%o饬?$.&cu 4!Nt% ޜ`?j턗¤t'O,7 v2.Eכ>~\t (U֎@kٽ)g|#8AYZSʑu2#V}mc9\hXY$<Mt,H?YRǝ s(/TeQO㻝%M's.J(aZώ'Ʈ$%5zH JH 0KAX^q+S<0"u0CuX]3?`[aX@į;_&GB8AXJߘD P` r⡏7X`8ĒAuc{(p#(4o&vf-t= 9h*b4 M;c+mL1|E9Ps.}K\Cb/ZdqK4/ #|kPWsƄwFSJ9=`ɣ.jU-# JD::VS./u d1m˖Ca̷k>F]M5 `B6JWmqڕ"a,0s{IF^Y0ޱ3LpЉF;VwܤR7S>^Bjߛc33{^n.9z.z̎s3 66mIU+ 6g%۹caiL0G1tF5[Mm@ئrKuSig~R?mUXyЯϡg僸g=-VU,߻îֿ-'|ɈVs !MvEk )Zx|D#b,3P3SC7uZmIr&khЃм`7{yB |U[Z>__t2gjGtMx8+ ާ%7A6po4-(ʾ/_q?:{m@"3? I:F9L[lFLNGwSn:ݏܓydcZuC@a-^#3(r 9 w+D:Ab)q(bE$7@/4'4(lB6DuSJTn$|s/Z,a&4;Fטej s3mւwe~tt25Kq:YstT(ʾ2<򽉁0uS93SRC¤vxX->=& .yHcI ^iNTxPXb!㯛ҿ} >܇>Rh̘TՊR *uU} 2,-VR" <>۠A~kfY3[8~\Kr%-2uVнA=#3dhhz߇B= L]'*O=FLfg`y}}vnH޴Z{|Ӿ;WuѹWXג_ۣn՜U}4NMfbv>LU9ЖV/ vI/P^5/[LORʉwri.$ "G}Yb *wl"8nUg|ݻxS"fmY1/ F>;!MͯVk!h>>#tɱc:o}jYnZj-!XT8j,7Waq4Snu#VԼTۼrX3&WHuM ߬N?n6פw &):ppZ~ ǫO?ks?[~uy;8oNod5о}}&^5! >v5s \K>r ~/?ks \K5y y>GX~kX~ ka|֌Z3~hgM; :kOKg|^CPzM5Ӆw 请z@/}_C_ út߇5~.v Bk]CɹNC\gk\8RI/eGkTy|i]:,Nפ@yVV } JYCeX^sisMˀ~/>{+sg#q$^a\銲[W^&iTz+inp_/ΣD+ sV業IE =$xEqZ&a 3l>VLY[,Oмz' Jܓs+Z`O逷\]9d}+er6VD-V_bbMx{y% }]pz5sұ YQg ݦqŗת@@rĶ̓ ?1}};ΤKIdb b0Oty'Jh~9Ln`[>/ty _q)^v 6.} #ÄLERcm^#%aBe I} @:s@{SN`>x(8byאy$*J ZsJdBM'KYǞcӄ0_:bV# j {hdzԢرQ#u56v nM"mG4 (F(z16Aϐϔt ,K^av;M,g*Y{6^ )4M˪ѝy![I%#9r\鱽$0\"ez\;%bv R,?a+ )/ Fzz7o [#[1Q9֜6Ogзc/[MZK9j۲"/H& ]asь.KpIФɠ_[=$sDc݅ ۠(b/3YJ>= T@| %.X$">l'6cC~fxٲq1abZ!qmFhӧ75Z@y`w4aehDS /Tvy( *>ܠK6A/1-ixaExq!AY}_vs[G 3hh G6$߂*04o G+7~.?OJ F /ɮy(بo @FWD0;"6*菓YD hWa+e;6KLPϰ3 EΡ)jy G"9BU(]ۉ7]Qs/>yO]nGat`x)kF:5§.!gi[#ʅ.-mSlܞ~׮ i[;],ϱ{QFbfq::hنGO0ޏYwP)@ 2=*Nv&利6r)2l XCڢJMa[;~j`=yk=e-{@3V0* <-@~=,lp+>oS7q`h2u'^>'KY'}d&'XI@ qs-.,wvBUn4Mb1"[\^IidžaжX53},@a)5BO7sQo30RO +y/|[P<>v,Sqߢq9v3E~ᱦ% +D;:++chޘ'֬=LE—1u1GNsg-Zk|9TMhc{bp8 te0QJ m!裋ȃgz`>^cW X-1!Dt9)ҡCAؚBTfF) 5P&Xn-'B@ ZqΓ#|撟 元>WNyNE=Sf}+s)SL_џ]̐?[Z=H>|E]Τg'>=sHv7x 'uG?Nqw tﲗx@,&P —z'V&p.{&2켡\ $E` hOSÁh@3x~3v!AiF!{{TB?8/K럢e'm]s=0Z{ľ9ͺR3[(jO?c]w?cqq5]e^ϒϕÀA.Q9vP3#:QoԳSy  K䷧Ő'Pf괯Rf?5Gct%CIb#w*Zۑ&'A+jm'|Uд@]Tb?`~}ߙtf*ތ}ÅyxAZ x_Pž%v?O|enӂVC+C V`6M$CBT1P"ĭ=Sd0[⍏,"c~Ux7Y4}vչiM]^5K1(nJ+[xGXp|-q4JWuNZdL?<$|2A %z;PL= %aZX p_tZ j8V '@ ݭ*NE[A=@kT\n~dA@Ɓ"0ܧ=< /^3%_TRr1an@jI|%f"͂KڲSeȁB1B%Va2>kO'e /A,_9nqm/<.7#l4!6cK /|W$Ss oSDsiH'Ta>y[t\g7iB7j*0ѕ~ZDY|Wn]Z#:hw2ׯ405M'wvĔw$ˮSfQe&:f=mv3<^ /apC5iΠeWCY6S )}M:7C5MĄap#"ckOcu/A>+ڙ`] 6G sEz](6,F>W8Ż͎AҀ]@ `75ᔊ_dOf RaKi9Npx-dH}DTYoׄ\[v cO?]R4v7lDʕTIhNܶ4iGPCBnMͭs\ ` 4zj^v<Ԇ$Bsu1X:8>S3:[p/C6u8'pMi7m^nL)ac⭹8& N穘%.2^ #^H,ucxsJH6."MR$dtoAg9Xc_֐߬DiJ wy&֞1>plv_/>r}]qJlDb=kllD%6Б 4+y_HFQIθQ#0Qτ#4nF@sٰd'"hc)IаΞkZe/:+?_+EQ?#4j/pKw%qQxp^}s%І=F~%Hr|YBVa6;6.iNGax;2!Iu,G *x,8Q[ o%(i'6/>v&vF%_[FO$bQK=Nm{K;Ô#xNJ%JZ+cJDv 8rn&&v3)U[2#sU-NBLz!m&r"1v},pQN76l&WEqy7{Y$VX?