Educause Security Discussion mailing list archives

Re: Vulnerability Assessment Scanner qualysguard


From: "Beechey, Jim" <beechey () NORTHWOOD EDU>
Date: Thu, 5 Feb 2009 16:41:31 -0500

Jason

Sure, no problem; we are using Qradar from Q1Labs.  Certainly not open source, but we are very pleased with the product.
Qradar can either be a SIM/SIEM or just log management, but we went the full blown route.  We view it as our security
console for most of what we do and try to integrate everything we possibly can.

One thing to mention about VA integration is there are several different levels from what we saw during our evaluation.
Sure, importing an xml results file is nice, but having the ability to schedule scans from the SIM, have them
automatically login to the VA system, run the scan, return the results and populate the data into the asset profiles is
really nice.  The only caveat with Qualys is since they are constantly updating their product (good thing), the
integration can break, so having a responsive vendor is important.

Budget justification wasn't easy, but not terrible.  I definitely had to sell it though.  Our institution tends to
favor commercial solutions rather than open source, depending upon the support/installation requirements.  Spending
money on technology over head count is definitely preferred.  While I didn't say I wouldn't come for head count in the
future, I did feel this would delay requests.  We had no centralized logging and no flow collection either, so this took
care of both needs.  I illustrated the time/effort required to track down a few incidents from the previous year vs.
what "could have been" with a SIM.  The other area where you can help yourself in justification is getting the
operations folks involved.  These tools have so much to offer network and server admins beyond the obvious security
benefits, even some reports/dashboards for execs.  Pretty charts and graphs never hurt, right?

Hope that helps
Jim

From: Youngquist, Jason R. [mailto:jryoungquist () ccis edu]
Sent: Thursday, February 05, 2009 3:21 PM
To: Beechey, Jim
Subject: RE: [SECURITY] Vulnerability Assessment Scanner qualysguard

Jim,

We have Qualys as well, and I've been quite satisfied with it.  It definitely is a lot better than running Nessus 
scans.  I like the reporting and ticket system.

If I may ask, what SIM solution are you using?  I've been looking for a centralized log management solution, and
ideally, a SIEM.  I'd like to get a SIEM because it would be able to normalize and correlate items and it would provide
more context than a log management solution and also provide actionable items based on log data, but don't know how I
can justify the cost of a good commercial log management system, much less a full blown SIEM.   For the SIM solution you
purchased, did you have to sell the solution to management, or were they already on board?

Did you investigate any open source solutions?  My CIO is big on me looking into open source solutions, but the only
one I've found is OSSIM, which was hard to configure and I didn't find it useful.  I have Splunk installed on a Linux
box, but haven't had a chance to evaluate it.  Splunk seems to be good for centralizing and searching through logs, but
I would like more of the alerting and normalization/correlation capability found in SIEM solutions.


Thanks.
Jason Youngquist
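Both messages above touch on what a SIM/SIEM adds over plain log search: Jim's point that VA results should land in the asset profiles, and Jason's point that a SIEM normalizes and correlates events and turns them into actionable items with context. The following is an added illustration, not code from either poster and not how QRadar, Qualys or Splunk implement this. It normalizes two constructed log formats (an sshd syslog line and a made-up CSV VPN log) into one event schema, runs a "several failures then a success" correlation rule, and enriches any alert with a constructed asset profile that carries findings a VA scan might have populated. Host names, addresses, users, the VPN format and the finding text are all invented for the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# --- Normalization: every source is parsed into the same event schema ----------
# Schema: ts (datetime), host, src (client IP), user, outcome ("failure"/"success"), source

# sshd syslog line, e.g. "Feb  5 15:01:02 web01 sshd[2201]: Failed password for root from 10.0.0.9 port 5001 ssh2"
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_sshd(line: str, year: int = 2009) -> Optional[Dict]:
    """Parse an sshd auth line; syslog carries no year, so one is supplied."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), *map(int, m["time"].split(":")))
    return {"ts": ts, "host": m["host"], "src": m["src"], "user": m["user"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "source": "sshd"}


def parse_vpn_csv(line: str) -> Optional[Dict]:
    """Parse a constructed VPN log format: ISO-timestamp,host,event,user,client-ip."""
    parts = line.strip().split(",")
    if len(parts) != 5 or parts[2] not in ("LOGIN_FAIL", "LOGIN_OK"):
        return None
    return {"ts": datetime.fromisoformat(parts[0]), "host": parts[1], "src": parts[4],
            "user": parts[3], "outcome": "success" if parts[2] == "LOGIN_OK" else "failure",
            "source": "vpn"}


def normalize(lines: List[str]) -> List[Dict]:
    """Try each parser; unrecognized lines are skipped. Events come back time-ordered."""
    events = [ev for ev in (parse_sshd(l) or parse_vpn_csv(l) for l in lines) if ev]
    return sorted(events, key=lambda e: e["ts"])


# --- Correlation with asset context -------------------------------------------

def correlate(events: List[Dict], assets: Dict[str, Dict],
              threshold: int = 3, window_s: int = 120) -> List[Dict]:
    """Rule: at least `threshold` failures from one src to one host within `window_s`
    seconds, followed by a success from that src on that host, raises an alert.
    The alert is enriched from the asset profile; a host with open findings is
    rated critical, which is the context a flat log search does not give you."""
    failures: Dict[tuple, List[datetime]] = {}   # (host, src) -> failure timestamps
    alerts = []
    for ev in events:
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "failure":
            failures.setdefault(key, []).append(ev["ts"])
            continue
        recent = [t for t in failures.get(key, []) if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            asset = assets.get(ev["host"], {})
            findings = asset.get("findings", [])
            alerts.append({"rule": "brute-force-then-success", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"], "failures": len(recent),
                           "source": ev["source"], "owner": asset.get("owner", "unknown"),
                           "findings": findings,
                           "severity": "critical" if findings else "high"})
            failures[key] = []   # reset so one burst produces one alert
    return alerts


# Constructed sample input (not real logs). web01 trips the rule; vpn01 stays below
# the threshold (two failures, then success), and the last line is deliberately junk.
SAMPLE_LINES = [
    "Feb  5 15:01:02 web01 sshd[2201]: Failed password for root from 10.0.0.9 port 5001 ssh2",
    "Feb  5 15:01:05 web01 sshd[2201]: Failed password for root from 10.0.0.9 port 5002 ssh2",
    "Feb  5 15:01:08 web01 sshd[2201]: Failed password for root from 10.0.0.9 port 5003 ssh2",
    "Feb  5 15:01:11 web01 sshd[2201]: Accepted password for root from 10.0.0.9 port 5004 ssh2",
    "2009-02-05T15:02:00,vpn01,LOGIN_FAIL,jsmith,10.0.0.7",
    "2009-02-05T15:02:10,vpn01,LOGIN_FAIL,jsmith,10.0.0.7",
    "2009-02-05T15:02:20,vpn01,LOGIN_OK,jsmith,10.0.0.7",
    "this line is in no format the normalizer understands",
]

# Constructed asset profiles, as a VA integration might populate them.
ASSETS = {
    "web01": {"owner": "web team",
              "findings": ["SSH password authentication enabled (constructed VA finding)"]},
    "vpn01": {"owner": "network team", "findings": []},
}


def run_example() -> List[Dict]:
    return correlate(normalize(SAMPLE_LINES), ASSETS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The asset lookup is what turns "three failed logins then a success" into something an analyst can act on: who owns the box and what the last scan said about it. The threshold and window are parameters because the right values depend on the environment; the sample deliberately includes a burst that stays just under the threshold so the rule's boundary is visible.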