Comments on: Vulnerability Management Without Asset Management, Isn’t

By: raymond

raymond — Fri, 08 Jun 2007 23:58:23 +0000

Johnathan: arcsight has a few products which product contains the asset discovery tool?

thank you, raymond

By: Daniel Miessler

Daniel Miessler — Tue, 15 May 2007 03:55:29 +0000

Heh, yeah…I’m a big fan of that tool. My buddy loves it.

By: Jonathan S.

Jonathan S. — Mon, 14 May 2007 20:56:11 +0000

There is a product that does just what you want Daniel, it’s called ArcSight. It’s got a pretty cool Asset Discovery tool and can run all the reports and queries you were using as examples (ie. All Solaris machines with SSH running as of x/x/x)

Check it out if you want/can: http://www.arcsight.com.

Disclaimer: Not cheap at all and sometimes feels “heavy” or bloated as it’s all Java based. YMMV.

By: Daniel Miessler

Daniel Miessler — Wed, 09 May 2007 16:14:07 +0000

Steven, I agree with that, but I think I’d rather deal with that than having one of these unknown systems spewing spam and/or bot traffic and embarrassing the company.

By: Steven G. Harms

Steven G. Harms — Wed, 09 May 2007 16:09:34 +0000

You talk about security risk in these systems, but it bears underscoring that there is some compelling disaster looming around unknown assets using unlicensed software.

We're true up on our photoshop licenses.....

( until you discover that your Windows shop actually has a hidden department of Macs running CS 3 that one guy got from a Spammy Re-seller? )

By: craig

craig — Wed, 09 May 2007 14:41:48 +0000

I've actually been involved in both ends - IT Asset Management engagements (mostly using CA products) and vulnerability management/assessments, and I definitely agree that this would be useful!

I have seen Qualys used at a lot of clients, and I'm pretty sure it has an asset discovery feature - but I dont think this works well as an enterprise wide Asset Management tool.

And on the other side, something like CA's asset management products can tell you what systems are where, but I don't think it has the capabilities to launch a qualys or other scan, or alert you to vulnerabilities, etc.. Although if it could tie in to another CA product like their security products, they'd probably be on to something.

disclaimer: I know I focused on one vendor there, but it's just what I'm familiar with from a deployment perspective and I'm FAR from a CA fan-boy/spammer/whatever so please point me in the direction of other similar products (I know they're out there).

The biggest thing about ITAM is, like security, the supporting processes around it are what make or break it. If the organization doesn't follow the framework/policies you work with them to develop, then the software is just going to sit on a shelf and collect dust and not be useful for reporting on your assets and thus, your vulnerabilities. But I'm sure I'm only preaching to the choir here!