StillSecure, After All These Years

Vulnerability management is still one of the most important things you can do to increase your security posture.  To many people vulnerability management means scanning for vulnerabilities or applying the latest patch Tuesday updates.  Of course there is much more to it than that.  Managing the complete lifecycle of vulnerabilities is the key to successful risk management in this area.  Whether PCI, HIPAA, SOX or just good old fashioned common sense is driving you to do it, vulnerability management is the right thing to do.

This week StillSecure announced the latest addition to our line up of free security tools.  VAM Lite is a freeware edition of our award winning, enterprise class VAM vulnerability management platform.  VAM Lite has most of the features of the full VAM product but is limited to scanning just 100 devices and offers only our basic reporting package.  Because you can only scan 100 devices, it does not support the distributed scanner architecture that full VAM does either. 

If your organization can be scanned with just 100 devices or if you just want to give it a try and if you see the value possibly upgrade to full VAM, download it from our site. It can run on a dedicated server or in a VMware environment as well. 

If you like, try some of the other StillSecure freeware products like Strata Guard Free and Safe Access Lite as well.

Fortinet has been making noise about moving beyond the UTM space for some time. Today they took a very tangible step in that direction with the announcement that they have acquired Secure Elements. For those of you not familiar with Secure Elements, they were a DC-area based vulnerability management solutions provider. Their C5 platform started out as a run of the mill vulnerability scanning tool. I think they used the Nessus scanner and than started importing other scanner data.  Over time they morphed more to configuration management solution.

Secure Elements was virtually unknown outside of the Federal Government space.  I would bet 90+% of their customer base was in the Fed space.  They were one of the leaders in the FDCC and S-CAP requirements that NIST recently put out.  Their founders and pedigree had a long history of working in friendly confines of the DC Beltway. 

Fortinet on the other hand, while trying hard did not have a ton of success in the Federal space.  Is the fact that much of their development and design happens in Asia and China specifically represent a reason for this? Perhaps it did. Also beyond UTM what technology did they have. They recently announced an endpoint based agent for security that sounded suspiciously like a McAfee or Symantec type of play.  They had been making noises around doing vulnerability scanning and management as well.  Now the other shoe drops and we see where that comes from.

So what is Fortinet's end game.  Well certainly if the public markets were not in the sad state they are in, they would be a good candidate for an IPO. But beyond financial goals, what do they want to be when they grow up?  I think it is becoming clear.  They want to take on Symantec, McAfee, Checkpoint and others as providers of a full spectrum of security solutions. They want to use their base as an ASIC based UTM and move to the endpoint and beyond.  With the kinds of units they sell in UTM they certainly have the revenue to fund it.

My final question is:  How long until Fortinet offers a NAC solution?  If they are interested I know a company that is pretty good at OEM'ing their NAC solution to others.  You know how to reach me ;-)

Related articles by Zemanta

• Fortinet toasts sales success

Linus Torvalds complains to Ellen Messmer about the "security circus" he sees. Linus is talking about the constant friction between the disclose immediately versus "responsible disclosure" crowd.  While I agree that the when to disclose arguments get tiresome, the long pole in the tent of this circus are the clowns who do a lot of the coding for the products that we use.

With the pressure of getting out code on time and on budget, there are just too many vulnerabilities in the products we rely on.  Racing to get the next greatest feature in this release or that must have functionality that was promised to the customer, too often pushes security and bullet proof code into the shadows.  Then when someone finds the all too often holes in the code, somehow the people finding it are wrong? 

Yes, it would be much better if the whole disclosure timing thing went away. I don't think that will ever happen. But if we had more quality control around code, perhaps it would not be so acute.  So, when talking about the circus, instead of blaming the security people, maybe take a good look at the clowns.

A few weekes ago I wrote about the current state of vulnerability assessment being like a parody of an Obama/Hillary commerical.  Who answers the phone at 3am?  For vulnerability assessment, the results are only as good as who answers the scan.  This has been a problem for security managers and vulnerability assessors for some time.  Balancing scanning during prime time and impacting network performance versus scanning during down times when the devices you need to scan may not be available.

Today StillSecure announced our reponse to ending this problem. We call it Dynamic Vulnerability Assessment (DVA).  With DVA you will have vulnerability and compliance data as of at least the last time a device logged on the network.  This closes the loophole and gives organizations a much more comprehensive and secure assessment of who is on the network and what they look like.

To accomplish this we are using some of our NAC technology from Safe Access. This allows us to detect devices as they come on the network. We can also use the purpose built Safe Access testing engine to deep compliance checks to supplement the tradtional vulnerability checks.  We think this is a big step up in vulnerability assessment and management.  Am interested in what others think.

I was at a meeting for a potentially large customer engagement for vulnerability assessment and compliance testing last week.  The requirements for this customer were not unusual. They wanted to test for conventional CVE type vulnerabilities. Additionally, they also wanted to test for configuration compliance. Hotfixes, patch level, AV, etc.  This direction is where a lot of the traditional vulnerability management solutions have been heading.  Whether adding a separate compliance module or audit and local check capability, most of the traditional vulnerability scanning solutions offer some coverage in this area.  However, in speaking to this potential customer and in thinking about their needs, an inherent problem with this solution is that it is only as good as the devices that are available on the network when the scan takes place.

In traditional vulnerability scanning, when the scan takes place was not as much of an issue.  Usually you are scanning servers and other devices that are on the network 24/7. In fact doing the scans during off hours was usually preferred. Too many of the network based vulnerability scanners took up too much bandwidth and other resources to accomplish during the prime time hours of the day. In compliance scanning though, you need the status of laptops, desktops and other devices that may not be connected to the network 24/7.  Therefore it is important to reach and test these devices when they are on the network.  That is the rub.  How do you really make sure the devices connecting to your network are compliant if you are only testing them at a point in time that usually they would not be on at?

This problem reminded me of the Clinton-Obama flap over who answers the phone at the White House at 3am.  That is an important question for who is president, but for compliance, nswering the phone when someone is there to talk to is more important.  I think this is where NAC provides an advantage.  By utilizing NAC to detect devices coming on the network and than using a low impact NAC/compliance test as well as traditional vulnerability scanning, you get a picture of vulnerability posture and compliance status as of the last time they accessed the network. You can still do follow on tests at any time you desire, but at least when a device is logging on you are sure of a test.

Will NAC supplement vulnerability testing in this manner? I think so.  Many customers we have spoken to about this like the idea of "scan on connect" and we have already enabled our own NAC product Safe Access and vulnerability management platform VAM to do this.  What do you think?

For too long the vulnerability management vendors have been quiet. In fact the whole sector has taken on the "mature" label which seems to indicate there is no new innovation happening.  Recently though we have seen some new announcements in this area.  Also, Gartner should have a new marketscope due out soon.  Here is a recap of some recent developments:

1. Qualys - I had a chance to speak with Philippe and his son at RSA. After riding high on the PCI wave and pioneering the SaaS in security movement, Qualys is now clearly moving into the compliance arena. This release details what Qualys is doing but clearly they see compliance and risk management as a new driver for the business.

2. McAfee- Say goodbye to Foundstone. Years after buying the company McAfee is finally getting rid of the Foundstone name for the vulnerability product and renaming it Vulnerability Manager 6.5 (I think I like the Foundstone name better), as part of the new business unit they have started around GRC. Foundstone founder George Kurtz is heading that unit up. They indicate they will supplement the old Foundstone scanner with abilities to scan applications, web sites and data and databases.

3,. nCircle - I spoke with Andrew Storms and Elizabeth Ireland at RSA. nCircle has been touting their compliance and risk management capabilities for a while now.  They also are showing off web application scanning as well. Though they don't get the press that Qualys does, they appear to be holding their own.  The question in my mind is how do they break out to the next level (see my post on shimmy's theory of relativity).5.

4. eEye - After many of us including me raised doubts about their viability, eEye has announced the addition of web application scanning to their Retina product. I understand this is an OEM of another companies product and does not represent a lot of investment on eEye's point.  I think at the end of the day they are trying to be an endpoint company but can't afford to jettison the scanner business.  Their long term viability according to my relativity theory is still in doubt if you ask me.

5. ISS/IBM - I hear nothing on this one, do you?  You have to question what is the game plan from Big Blue on this.  Do they buy an update or put the money into actually taking this dinosaur out of the Jurassic?  I guess we will have to see.

So I am sure some of you ask, OK Shimmy enough about the competition what is StillSecure doing with its VAM product?  Well the purpose of this blog post was to set the stage for that. I will post an update on some of the cool stuff we have planned with VAM shortly.

I had an Austin Powers moment today when I opened an email from eSecurityPlanet.com and saw a link to an article called, Feel Vulnerable? Time for Vulnerability Management Tools.  I felt like I had been in suspended animation for years and just woke up. I have not seen an article on vulnerability management in forever and ever. There was nothing earth shattering in this article.  Meat and potatoes VM. That is vulnerability management, not virtual machines.  The fact that VM is more commonly associated with virtualization than vulnerability management in and of itself probably speaks volumes.

Just last week at the Infosec World conference I had remarked to some folks that walking the show floor I did not see one vendor using the term vulnerability management in their signage.  Even some companies that are plainly in the VM space such a nCircle and Qualys, are using risk management and similar terms to describe what they do. So why has vulnerabiity management fallen out of disfavor?  Is it any less important?  In the words of "The Shagadillic One", do they think it ain't sexy? That may be it.  It is not sexy or trendy anymore.  I remember going to RSA a few years ago and every vendor had some strategy around vulnerability management.  I will be looking at this years show and report how many times I see the VM word.

So what is it about the security world.  Do we collectivley have the attention span of a flea. Do security tools go from golden to rust that quickly?  Why are we constantly searching for the next great thing but seemingly at the expense of the last great thing.  Wouldn't it be nice to see something through and make it really work before we rush on to the next one.

Not to insinuate he is a rat, Marc Maiffret is not a bad guy (once you get past the hair and metal), but Kelly Jackson Higgins over at DarkReading reports that eEye co-founder, CTO and Chief Hacking Officer, Marc Maiffret has left eEye. This comes on the heels of several other executives that have left the company over the last months including former CEO, Ross Brown.  Also, rumors of trouble at eEye have been swirling for months.  I had heard they let go most of their vulnerability management team a while back, as they shift from Retina being the flagship product to host-based Blink.  Maiffret says he actually left in September but didn't want to go public until now.

I don't know about you, but usually where there is smoke, there is fire.  I can identify with Marc leaving though.  With Mitchell Ashley leaving StillSecure recently, I am sure people may have asked the same questions.  However, in our case Mitchell and our company announced his leaving almost to the day he left.  We felt hiding that kind of news only draws negative connotations. Not sure why eEye and Marc waited this long, unless there was something else at play here.  Of course Marc puts on a good corporate face and says how great things are over at eEye now, but my gut tells me there is more amiss there.  Here is the first of Shimel the Soothsayers predictions for 2008, eEye will be acquired for bargain basement money in 2008.  Remember, you read it here first.

When I first read the headline of the Shavlik-Sophos deal, I thought it made a lot of sense.  Sophos (who bought the Endforce NAC product), was going to use Shavlik to deliver automated patching and remediation to out of policy endpoints.  To me this is one of the 4 pillars of NAC going forward, along with pre-connect testing, post-connect monitoring and identity based access control.  As a matter of fact, I think we are going to see more and more built in auto-remediation as NAC products mature.  Self-remediation is just really not an option for many customers.

A closer read of the Shavlik press release seems to indicate something different.  The release states, "If customers then require an automated method to remediate discovered problems, Sophos will recommend Shavlik’s advanced deployment solutions, which provide simple, automated and configurable methods to test and deploy patches onto vulnerable systems."  This would indicate that Sophos is going to "recommend" Shavlik but it sounds like it is not integrated.  Also, Mark Shavlik says, "... this integration will make it very easy for Sophos’ customers and partners to come to Shavlik in order to simplify and automate the next step of deploying of critical security patches across their network." Again clearly the plan is if you want actual patching you come to Shavlik, it is not integrated into Sophos.

So if it is not patching, what is this deal about?  I don't know for sure, but my reading of it is that Sophos is replacing the Nessus engine they used, for a Shavlik vulnerability assessment engine.  However, this is more I think than just replacing one vulnerability scanner with another one.  As I have written many times depending on how you use Nessus, it may not be the right product for NAC.  You have to make sure you are on the right side of the license, including the plug ins you use to scan.  Also, because of the nature of local versus network scans, banners, etc., speed/scalability can be an issue.  Many NAC vendors actually use Nessus (some admit it and others try to hide it), but generally those that do use Nessus, only use it with a handful of plug in scripts.  Maybe a dozen and a half at most.  In this way, they only check for a small sample of what a full blown vulnerability scanner like Nessus can check for.  However, this has been enough for most NAC products until now.  At StillSecure because we use our own custom testing engine optimized for NAC, we never had that issue and so have been able to check for a wider range of configurations and policies than most other NAC products.  With the Shavlik product will Sophos be able to match this? I think not.

The reason I think not is that to the best of my knowledge, Shavlik is no better at this type of scan than Nessus is.  It remains to be seen whether Sophos will actually check for anywhere near the 22,000 patches that Shavlik claims to support.  In fact I would bet the actual number is no where near that.  But, there is another reason that I think this is an apple to oranges comparison.  Shavlik only checks for patches and vulnerabilities.  NAC is just not another pretty name for a vulnerability scanner.  NAC checks should look for the presence or absence of applications, services and settings that do not require a patch, but are a security policy. 

Ultimately the market has to decide if NAC checks and enforces for violations of security policies including vulnerabilities or is it just another form of vulnerability scanner and VM.  I don't think the world needs more vulnerability scanners, but it does need NAC.

Not sure if this article in Dark Reading by Kelly Jackson Higgins is some sort of joke or if Pat Clawson thinks the security business is a big Texas Hold'em tournament. But it could get real embarrassing if someone calls him and he has to show his cards. It seems the spark for this story is the long rumored name change of the former Patchlink Security to Lumension Security.  They have been threatening to change their name for months, if not years now and have finally gone and done it.  They really had no choice.  It really gave their sales team a lack of creditability when they would try to sell the fact that they were not a patch company with a name like Patchlink. Of course the fact that Big Fix says they are secure configuration management drove the Patchlink guys crazy, as they didn't want Big Fix to be anything Patchlink wasn't.  Where they came up with a name like Lumension though is anyone's guess.  I have two - One they ran a new name contest and someone's 13 year old daughter came up with it. Two, they paid a small fortune to one of those boutique naming shops to come up with that one.  I don't know but it sounds like last years new Chevy model to me.

Anyway, Pat Clawson takes the opportunity to spin a yarn that Kelly dutifully reports (come on Kelly, how about some more up close and personal features like this one on Thomas Ptacek).  Clawson tells us that the reason for the name change is the company is "retrenching" for an IPO in mid-2008.  Retrenching?  As if we don't know that an IPO would mean cool hand Pat would have to file an S-1 that would show us all what he is really holding.  I suspect that when those cards see the cold, hard light of day, Lumina-Patchlink would not exactly be a Wall Street darling as an IPO candidate.  A reverse merger-pink sheet candidate maybe, but getting a top bank to underwrite this one would be like trying to get a sub-prime mortgage with no money down right now.  In any event, my bet is Pat is way to cagey a poker player to ever let anyone have a peek at the numbers behind him here.

Next Pat tells us that with his two acquisitions he has now risen above the likes of Big Fix and Shavlik and is more like McAfee and CA. He throws in all of the good buzz words, "cloud", "agentless", "SaaS", etc. and we are supposed to take it all in. While he is at it, he claims to also have policy compliance and NAC too.  Pat has it all, or so says he.  You can almost see Nick Selby of 451 choking down the laughs in his quote in the article when he calls Pats claims "an overstatement".

I am starting a little tournament of my own. I am taking odds that patchlink or whatever they are called never IPO's in its present state and will instead be shopped hard.  Anyone want to take any action on that one?