Saturday, October 7, 2017

QRadar Vulnerability Manager architecture

QRadar Vulnerability Manager is a fully integrated member of the IBM QRadar Security Intelligence Platform (Figure 2). It leverages existing QRadar appliances to conduct dynamic, event-driven asset searches as well as regularly scheduled scans, enabling a real-time and constantly updated view of your organization's security posture. QRadar Vulnerability Manager derives a rich security context from such information as network flow data, asset configurations, and threat intelligence sources.
Figure 2. Where QVM fits into the QRadar lineup
Adding QRadar Vulnerability Manager to the QRadar lineup provides these additional features:
Two new deployable components:
QVM Console, which delivers scan definitions, a scan scheduling engine, and organizes scan results
QVM Scanner, which performs scan tasks as part of an overall scan
Hosted Scanner, a component hosted by IBM that lets you scan a customer's DMZ from the Internet
QVM already exists within most QRadar SIEM environments as standard code that can be quickly activated using a licensing key. And once installed, it just shows up as a new tab on your IBM Security QRadar SIEM console window.
The capabilities QRadar Vulnerability Manager adds are:
An embedded, well-proven, scalable PCI-certified scanner
The ability to detect 70,000+ vulnerabilities
Tracking through the National Vulnerability Database (CVE)
An integrated external scanner
A complete vulnerability view supporting third-party vulnerability system data feeds
Support for the exception and remediation processes of virtual machines with seamlessly integrated reporting and dashboarding
These features and capabilities add the following attributes to your security system:
Proactivity: Helps prevent damaging attacks by discovering and highlighting high-risk vulnerabilities
Actionability: Helps prioritize remediation and mitigation activities by providing advanced filtering and quick search capabilities leveraging network context
Awareness: Quickly conducts network scans either periodically or dynamically whenever new devices appear or in response to suspicious behaviors, helping maintain an accurate and updated view of all network assets
The major attribute of QRadar Vulnerability Manager is that it allows you to combine automated vulnerability scanning with a superior understanding of device configurations, network topology, and traffic patterns. This makes it much easier to enable proactive protective measures. It also means that QVM's real value isn't in the fact that it performs network scans, but that it helps you intelligently interpret the results.
Functional overview
QRadar Vulnerability Manager works by categorizing your vulnerabilities into workable groups and functions:
Not Active: By leveraging QFlow Collector, QVM can tell if the vulnerable application is active. QFlow Collector provides Layer 7 application visibility and flow analysis to help you understand and respond to activities throughout your network.
Patched: By leveraging Endpoint Manager, QVM understands what vulnerabilities will be patched. IBM Endpoint Manager manages and secures mobile devices, laptops, desktops, and servers.
Blocked: By leveraging QRadar Risk Manager, QVM can understand what vulnerabilities are blocked by firewalls and IPSs. QRadar Risk Manager monitors network topology, switch, router, firewall, and Intrusion Prevention System (IPS) configurations to reduce risk and increase compliance.
Critical: By leveraging its vulnerability knowledge base, remediation flow, and QRM policies, QVM can identify business critical vulnerabilities.
At Risk: By utilizing X-Force threat and SIEM security incident data, coupled with QFlow network traffic visibility, QVM can tell if vulnerable assets are communicating with potential threats.
Exploited: By leveraging SIEM correlation and IPS data, QVM can reveal what vulnerabilities have been exploited.
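The six groups above amount to a triage rule set: a raw scanner finding is re-ranked by what flow data, patch management, firewall/IPS configuration, asset policy, threat intelligence and SIEM correlation say about it. The following Python is an added illustration of that idea, written for this page; it is not QVM's code or data model, and every field name, the rule order, and the sample findings and context (placeholder CVE ids, hostnames and ports) are constructed assumptions.

```python
"""Constructed example: context-aware triage of scanner findings.

Combines a raw vulnerability record with signals a scanner alone cannot
see, and sorts the result into the groups the post describes. Field names,
rule order and sample data are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    """One raw scanner result: which asset, which CVE, on which port."""
    asset: str
    cve: str
    port: int
    cvss: float


@dataclass
class Context:
    """Signals from other sources; all of these are assumed inputs."""
    active_ports: Dict[str, Set[int]] = field(default_factory=dict)      # ports seen in Layer 7 flow data
    patch_scheduled: Dict[str, Set[str]] = field(default_factory=dict)   # CVEs with a scheduled patch
    blocked_ports: Dict[str, Set[int]] = field(default_factory=dict)     # ports blocked by firewall/IPS
    business_critical: Set[str] = field(default_factory=set)             # assets under a critical-asset policy
    talking_to_threats: Set[str] = field(default_factory=set)            # assets with flows to threat-intel IPs
    exploited: Dict[str, Set[str]] = field(default_factory=dict)         # CVEs with correlated exploit offenses


# Remediation order, highest priority first ("Open" = no context signal applied).
PRIORITY = ["Exploited", "At Risk", "Critical", "Open", "Blocked", "Patched", "Not Active"]


def categorize(f: Finding, ctx: Context) -> str:
    """Apply the rules in a fixed order; the first match wins."""
    if f.cve in ctx.exploited.get(f.asset, set()):
        return "Exploited"          # SIEM/IPS correlation already saw an exploit
    if f.port not in ctx.active_ports.get(f.asset, set()):
        return "Not Active"         # vulnerable service never observed on the wire
    if f.asset in ctx.talking_to_threats:
        return "At Risk"            # live service on a host talking to known-bad IPs
    if f.port in ctx.blocked_ports.get(f.asset, set()):
        return "Blocked"            # reachable locally, but a control in front blocks it
    if f.cve in ctx.patch_scheduled.get(f.asset, set()):
        return "Patched"            # endpoint management will close it
    if f.asset in ctx.business_critical:
        return "Critical"           # open and on a business-critical asset
    return "Open"


def prioritize(findings: List[Finding], ctx: Context) -> List[Tuple[str, Finding]]:
    """Rank by category first, then by CVSS score within a category."""
    ranked = [(categorize(f, ctx), f) for f in findings]
    ranked.sort(key=lambda cf: (PRIORITY.index(cf[0]), -cf[1].cvss))
    return ranked


def summarize(ranked: List[Tuple[str, Finding]]) -> Dict[str, int]:
    """Count findings per category, the figure a dashboard tile would show."""
    counts: Dict[str, int] = {}
    for cat, _ in ranked:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample input: placeholder CVE ids, hostnames and ports.
SAMPLE_FINDINGS = [
    Finding("web01", "CVE-0000-0001", 443, 7.5),
    Finding("web01", "CVE-0000-0002", 8080, 9.8),
    Finding("db01", "CVE-0000-0003", 3306, 9.0),
    Finding("app01", "CVE-0000-0004", 8443, 6.5),
    Finding("app01", "CVE-0000-0005", 22, 5.0),
    Finding("fs01", "CVE-0000-0006", 445, 8.1),
    Finding("fs01", "CVE-0000-0007", 139, 4.3),
]
SAMPLE_CONTEXT = Context(
    active_ports={"web01": {443}, "db01": {3306}, "app01": {8443, 22}, "fs01": {445, 139}},
    patch_scheduled={"fs01": {"CVE-0000-0006"}},
    blocked_ports={"app01": {22}},
    business_critical={"app01"},
    talking_to_threats={"db01"},
    exploited={"web01": {"CVE-0000-0001"}},
)

if __name__ == "__main__":
    for cat, f in prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXT):
        print(f"{cat:<11} {f.asset:<6} {f.cve} port {f.port} cvss {f.cvss}")
    print(summarize(prioritize(SAMPLE_FINDINGS, SAMPLE_CONTEXT)))
```

Note that the highest raw CVSS score in the sample (9.8 on web01) lands at the bottom of the list because flow data never showed the service listening, while the 7.5 with a correlated exploit offense rises to the top; that reordering is the point the post makes about interpreting scan results rather than merely producing them.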
QRadar Vulnerability Manager meets the challenges of the three security areas that are currently trending—advanced persistent threats, increasing IT security monitoring complexity, and the limits of compliance as a security tool.
Defense for advanced persistent threats
These stealthy attacks continue until the perpetrators succeed by exploiting all available opportunities. Organizations can improve defenses by patching, blocking, or monitoring as many high-impact vulnerabilities as they can. QRadar Vulnerability Manager meets this challenge by:
Leveraging the existing appliance infrastructure and security intelligence data to seamlessly conduct automated scans for network vulnerabilities.
Sensing when new assets are added to the network and performing immediate scans to keep the asset database and network topology current.
Preserving security team bandwidth by eliminating false positives and reducing unnecessary activities by correlating results with IPS/IDS blocking capabilities.
Fight complexity with a single point of view
Most IT security systems have multiple sources of vulnerability assessment data coming from different scanning solutions, but no coherent method to view the total network security picture. QVM helps organizations reduce this complex dance of data and make faster and better decisions by:
Using a familiar interface to review log events, network flows, offenses, risks, and vulnerabilities
Collecting all available scan data within a dedicated and customizable dashboard view
Making it easier to coordinate patching, virtual patching, and blocking activities
Going beyond compliance mandates
Industry data and system compliance mandates prod organizations to meet the security requirements of sensitive IT assets in those industries by instituting policies and programs. That is a good thing. QVM helps organizations meet their compliance mandates by:
Conducting regular network scans, maintaining a full history and audit trail of completed scans
Categorizing each discovered vulnerability with an appropriate severity rating and vulnerability score
Maintaining a history of vulnerability posture on a daily, weekly, and monthly basis
Enabling scanning of assets, both internally and externally
Creating tickets (set severity, due dates, comments) to manage remediation activities
Supporting an exception process with a full audit trail
But compliance can also make a security officer complacent. QVM adds a significant amount of automation to scanning and scan analysis to make it easier and more cost-effective for the security professional to explore even larger datasets than compliance requires—and, consequently, to use that analysis to make better decisions. QVM lets clients:
Orchestrate a high volume of concurrent assessments without disturbing normal network operations while allowing multiple stakeholders to scan and rescan as needed for remediation verification
Summarize vulnerability status by day, week, and month, enabling organizations to effectively provide long-term reports and trend graphs while providing efficient day-to-day operational views
Capture an audit trail associated with all activities (discovery, assignments, notes, exceptions, and remediation) represented by disparate data types