Security in a modern enterprise is a complicated multi-headed beast. Many organizations have multiple layers of tools to keep the beast at bay by detecting vulnerabilities, but few have tools to manage the entire process.
IBM is aiming to fill that void with its new QRadar Vulnerability Manager, a solution that collects data from multiple sources within an enterprise to identify vulnerabilities, which can then be prioritized, remediated and fixed.
Steve Robinson, vice president, Security Development, Product Management and Strategy at IBM, explained that QRadar's base is a security information and event management (SIEM) platform that IBM gained in its late 2011 acquisition of Q1, the vendor behind QRadar. IBM has since reformed its IBM Security Systems operations around QRadar's technology.
The QRadar Vulnerability Manager goes beyond traditional SIEM functionality by aggregating vulnerability data, instead of just events and log file data.https://o1.qnsr.com/log/p.gif?;n=203;c=204660770;s=9477;x=7936;f=201812281321530;u=j;z=TIMESTAMP;a=20396194;e=i
Sandy Bird, CTO at IBM, explained to eSecurity Planet that Vulnerability Manager gets its data from a number of sources, including vulnerability scanners from IBM or other vendors as well as patch management solutions. The Vulnerability Manager also ranks and prioritizes vulnerabilities based on how a given network is actually configured.
Determining severity and priority for issues is no easy task. But the process of fully understanding the network topology and associated security controls is not one that requires an army of IBM consultants on site in order to get up and running. Bird noted that IBM pulls data from its own X-Force research as well as the National Vulnerabilities Database to help determine vulnerability risk and impact. The QRadar system also understands what is on a network.
"We leverage the information out of the QRadar Risk Manager so we understand the configuration of the other security products an enterprise might have in place," Bird said.
Additionally, the QRadar system collects flow data from the network that alerts the system when a new device comes online.
So for example, if there is an IPS appliance sitting in front of an application server that has a highly exploitable vulnerability on it, the IPS might already be blocking access to the application from untrusted networks. In another case, a vulnerability on a box for which there is no security perimeter or controls is a higher priority to get fixed than vulnerabilities with more existing security controls in place.
For BYOD on a network, IBM'S system also prioritizes client-side vulnerabilities. So for example, the QRadar system tracking a laptop with Java and Adobe PDF installed would prioritize any vulnerabilities associated with that configuration.
The QRadar Vulnerability Manager also includes a workflow feature that can assign vulnerability remediations to the appropriate personnel. All the work is tracked in the system, including reporting for compliance-related purposes.
The QRadar Vulnerability Manager has been in beta at IBM for the last six months with customers.
"This was a project that was underway when IBM did the acquisition of Q1. At that point it was in an early stage of development," Robinson said. "We've spent the past year putting more resources into it, hardening it and getting all the integration points right."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.