MarketScope for Vulnerability Assessment

10 August 2012 ID: G00230435
Analyst(s): Kelly M. Kavanagh

VIEW SUMMARY

Vulnerability assessment vendors compete on management features, configuration assessment, price, reporting and integration with other security products. Buyers must consider how VA will fit in their overall vulnerability management process when evaluating VA products and services.

What You Need to Know

Vulnerability scanning is a critical part of a vulnerability management process, but vulnerability assessment (VA) scanning must be augmented with other technologies and analytics for enterprises to realize effective protection from advanced targeted threats. Deployment options, assessment of virtual and mobile technologies, flexible analysis and reporting, and integration with other security technologies and IT management products and processes should be key criteria when selecting a vulnerability assessment vendor.

MarketScope

VA technology is typically deployed for security or compliance use cases, or for both. Proactive security use cases include vulnerability and configuration assessments to support enterprise risk reduction. Enterprises with more mature security programs augment VA and configuration assessments with more advanced network penetration testing and custom application testing to identify areas vulnerable to more sophisticated attacks. Compliance use cases include meeting assessment requirements for regulatory or other compliance regimes, such as the Payment Card Industry Data Security Standard (PCI DSS). These requirements can also include some penetration testing and application assessment of the infrastructure in scope of the regulatory requirements. Many organizations attempt to minimize the infrastructure subject to these requirements and, thus, limit the costs associated with being compliant. As a result, there is downward price pressure on technologies and services for the compliance use cases in comparison with security use cases.

VA products or services have several typical capabilities:

  • Establish a baseline of vulnerability conditions for network-attached devices, applications and databases, identify changes in vulnerability states, and provide current vulnerability status and trends.
  • Identify and report on security configuration of IT assets.
  • Discover unmanaged devices or applications on enterprise networks.
  • Generate reports with content and format to support specific compliance regimes and control frameworks.
  • Support risk assessment and remediation prioritization with context regarding vulnerability severity and asset criticality.
  • Support remediation by operations groups with information and recommendations for work-arounds, patches and workflow, and through integration with other technologies such as an intrusion prevention system (IPS), Web application firewalls (WAFs) and patch management systems.

Organizations differ in how they use VA. Some organizations deploy VA as a stand-alone capability used to provide audit or assessment capabilities separate from the IT operational groups. Others use VA in support of IT operations workflow. Still others use VA for compliance reporting, dashboards, or broader governance and risk monitoring. In general, as organizations' security operations mature, they make use of more analysis, reporting and integration capabilities in their VA deployments.

Vulnerability management activities include the secure configuration of IT assets, regular assessment of vulnerabilities and compliance with security configuration policies, remediation of vulnerabilities or security configuration issues, and ongoing monitoring to detect malicious activity. The use of VA products or services as a best practice has been incorporated into a number of prescriptive compliance regimes, including the PCI DSS, and the U.S. Federal Information Security Management Act (FISMA) and desktop configuration requirements. In particular, the NIST 800-53 requirements for "continuous monitoring" serve as an accelerator for the frequency of VA use. The widespread recognition of vulnerability management as a best practice, these compliance requirements and others, as well as pressure from business partners, customers and auditors, have been the primary drivers for VA projects in recent years.

The VA market is mature, and the inclusion of new capabilities in VA products has been gradual. These include incorporating scanning for vulnerabilities in virtual environments and mobile devices, assessing security configuration settings, improving the management of multiple scanners in large deployments, targeted remediation support, and richer reporting, threat analysis and asset identification. Deployment options for VA typically include software, appliance, virtual appliance and remote hosted or cloud-based services. VA vendors increasingly compete on these extended features, and on price, rather than on claims for the speed or accuracy of network vulnerability scans.

Customers of all of the products included in this research give high marks for the accuracy of the scanners — although accuracy is notably higher for credentialed scans than for noncredentialed scans. VA users commonly report that their scanning targets include private virtual environments, applications (Web-based and others) and databases. Customers report that application and database scanning capabilities of their VA tools are typically not as thorough as custom-made scanning and testing products for those technologies. VA is often used as a "just in case" assessment in conjunction with application and database scanning products, or as an alternative where customers cannot deploy application or database scanners. Users less often report using VA for security configuration scanning, and indicate that this is due to a lack of internal standards, rather than a lack of functionality in the VA tools. However, for users that perform security configuration assessment, the VA product's inclusion of specific configuration templates and the ease with which users can add or customize templates is an important feature.

VA data can provide additive value when available to other elements in the vulnerability management process:

  • VA data can be used to improve the granularity and accuracy of network security technologies such as IPSs and WAFs by matching blocking rules with vulnerabilities.
  • VA results can be used to identify targets for exploit validation with penetration testing tools.
  • Assets discovered during scanning can be compared with asset databases and user directories, to identify unmanaged assets and provide business and risk context to VA reporting.
  • Asset vulnerability data enriches security information and event management (SIEM) monitoring by providing asset state data.
  • Vulnerability data, asset data and risk context support patch management or system management activities by identifying high-value assets and high-risk vulnerabilities for priority attention.
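The reconciliation and prioritization described in the list above can be illustrated with a small script. The following is an added example, not code from the Gartner report or from any of the vendors it covers. It assumes a VA scanner that exports findings as (IP, vulnerability ID, CVSS score, credentialed flag) and an asset database that records hostname, owner and a 1-to-5 criticality for each managed IP; all asset and finding data is constructed for illustration, and the vulnerability IDs are placeholders rather than real CVEs. It identifies scanned devices missing from the asset database, ranks findings by severity and asset criticality (discounting uncredentialed results slightly, an assumption, since the report notes they are less accurate), and produces a per-asset state summary of the kind a SIEM could ingest as enrichment data.

```python
"""Reconcile VA scan results against an asset inventory and rank remediation.

Added example; all asset, owner and finding data is constructed for
illustration and the vulnerability IDs are placeholders, not real CVEs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    owner: str
    criticality: int  # 1 (low) .. 5 (business-critical), from the asset database


@dataclass(frozen=True)
class Finding:
    ip: str
    vuln_id: str        # placeholder IDs, not real CVE numbers
    cvss: float         # 0.0 .. 10.0 severity as reported by the scanner
    credentialed: bool  # credentialed scans are treated as higher confidence


# Constructed asset database: what the CMDB or directory says is managed.
INVENTORY = [
    Asset("10.0.1.10", "pay-db-01", "finance-ops", 5),
    Asset("10.0.1.20", "intranet-web", "it-ops", 3),
    Asset("10.0.2.5", "build-agent-07", "dev-ops", 2),
]

# Constructed scan results: what the VA scanner actually observed.
FINDINGS = [
    Finding("10.0.1.10", "VULN-EXAMPLE-0001", 9.8, True),
    Finding("10.0.1.10", "VULN-EXAMPLE-0002", 4.3, True),
    Finding("10.0.1.20", "VULN-EXAMPLE-0003", 7.5, False),
    Finding("10.0.2.5", "VULN-EXAMPLE-0004", 5.0, True),
    Finding("10.0.3.99", "VULN-EXAMPLE-0005", 8.8, False),  # not in inventory
]

# Assumption: an unknown device is treated conservatively until it is classified.
UNMANAGED_CRITICALITY = 4
UNCREDENTIALED_CONFIDENCE = 0.8  # assumption: discount for less accurate results


def find_unmanaged(findings, inventory):
    """Return IPs the scanner saw that the asset database does not know about."""
    known = {a.ip for a in inventory}
    return sorted({f.ip for f in findings if f.ip not in known})


def risk_score(finding, asset):
    """Severity x asset criticality, discounted for uncredentialed findings."""
    crit = asset.criticality if asset else UNMANAGED_CRITICALITY
    confidence = 1.0 if finding.credentialed else UNCREDENTIALED_CONFIDENCE
    return round(finding.cvss * crit * confidence, 2)


def prioritize(findings, inventory):
    """Rank every finding for remediation, highest risk first, with owner context."""
    by_ip = {a.ip: a for a in inventory}
    ranked = []
    for f in findings:
        asset = by_ip.get(f.ip)
        ranked.append({
            "ip": f.ip,
            "hostname": asset.hostname if asset else "(unmanaged)",
            "owner": asset.owner if asset else "(unassigned)",
            "vuln_id": f.vuln_id,
            "cvss": f.cvss,
            "risk": risk_score(f, asset),
        })
    return sorted(ranked, key=lambda r: r["risk"], reverse=True)


def siem_asset_context(findings, inventory):
    """Per-IP asset state summary suitable for pushing to a SIEM as enrichment."""
    managed = {a.ip for a in inventory}
    context = {}
    for f in findings:
        entry = context.setdefault(
            f.ip, {"managed": f.ip in managed, "max_cvss": 0.0, "open_vulns": 0})
        entry["open_vulns"] += 1
        entry["max_cvss"] = max(entry["max_cvss"], f.cvss)
    return context


if __name__ == "__main__":
    print("Unmanaged devices seen by the scanner:", find_unmanaged(FINDINGS, INVENTORY))
    for row in prioritize(FINDINGS, INVENTORY):
        print(f'{row["risk"]:6.2f}  {row["ip"]:<10} {row["hostname"]:<15} '
              f'{row["owner"]:<12} {row["vuln_id"]}')
    for ip, state in siem_asset_context(FINDINGS, INVENTORY).items():
        print(ip, state)
```

Run stand-alone, the script lists the one device the inventory does not know about, then the ranked findings; note that the uncredentialed finding on the unmanaged host ranks second even after the confidence discount, because the conservative default criticality keeps it ahead of a lower-severity issue on a known critical asset. In practice the weights, default criticality and confidence discount would be tuned to the organization's own risk model.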

There are three approaches to vulnerability assessment:

  • Active network scanning, the most widely used technique, involves remote scans of network-attached devices. Active scanning can be uncredentialed or credentialed. Credentialed scanning provides a more detailed assessment of the scan targets, resulting in improved accuracy and the ability to determine security configuration. For large deployments, the credential management capabilities may be important criteria for ease of management.
  • Passive observation of network traffic is based on the assessment of the content and pattern of captured network traffic. Although passive observation can provide information about devices that cannot be actively scanned (for example, systems with endpoint firewalls), this technique alone generally does not provide sufficient data to support remediation activity.
  • Agents reside on the scan targets, either as persistent software or as dissolvable temporary elements, collecting state information in real time. Agents provide information about the target that cannot be determined remotely, such as applications or services that are installed but not running, or of changes in files or configuration. Persistent agents can be used only on devices that are known and managed, and, thus, the VA product must be able to discover and report previously unknown, unmanaged devices. When nonpersistent agents are supported by the VA product, they can be deployed to discover unmanaged devices (or in environments where persistent agent deployment is not feasible, to managed devices) and provide deeper inspection capabilities.

Most VA deployments rely on active network scanning, and all of the vendors evaluated here provide this capability. Demand for products that employ only agent-based or passive techniques is low. However, there are typically areas in larger IT environments that benefit from these techniques, and Gartner recommends that security-conscious enterprises use a combination of two of the three described techniques for comprehensive coverage.

Several alternatives to direct spending on commercial VA tools or service include:

  • Open-source tools (such as the Open Vulnerability Assessment System [OpenVAS]) or vulnerability scanning capabilities embedded in other products, such as endpoint management tools. The Nessus scan engine can be downloaded for free — a commercial subscription is available for vulnerability check updates.
  • Periodic assessment services from security consultants, which are often delivered via portable versions of commercial products, and consumed on an as-needed basis, often augmented with value-added professional services.
  • VA scanning offerings from numerous external service providers (not necessarily security service providers), often delivered by commercial scanning products licensed by the service providers for subscription-based scanning.

In addition, service providers offering security services suites, such as Alert Logic, focus on VA as a component of a broader group of security controls.

Market/Market Segment Description

VA providers vary greatly in scale and market focus. Beyond Security, Critical Watch, nCircle, Rapid7 and Saint solely focus on VA products, sometimes with a service-delivered option. McAfee (now a wholly owned subsidiary of Intel) is a large, multiproduct vendor of VA, SIEM, endpoint security products and network security appliances. Tenable Network Security offers VA and SIEM. Trustwave offers VA plus a range of services and products for compliance and security requirements. Qualys offers VA as a service, and related security-as-a-service offerings, and Digital Defense offers VA as a cloud service and a managed service. This MarketScope focuses on vendors that provide active network-scanning capabilities as a product or service to the security buying center.

Revenue in the VA market has been concentrated among a few vendors, with approximately 80% of the revenue going to five vendors, and 20% spread across the remainder. In addition to competing with other VA product and service vendors, VA vendors must compete with consultants, with open-source scanning tools, and with other security and IT operations products that include scanning capability. Smaller VA providers are likely acquisition targets for security technology and system management firms seeking to add scanning capabilities to their offerings. Smaller vendors also face viability risks as they compete with larger competitors.

Inclusion and Exclusion Criteria

Vendors included in this MarketScope:

  • Use their own VA engines
  • Perform active network VA
  • Provide vulnerability information and reference multiple vulnerability IDs, including common vulnerabilities and exposures (CVE), Bugtraq ID and vendor-specific IDs
  • Provide remediation guidance
  • Offer an enterprise-level product that supports central administration of multiple distributed scanners and consolidated reporting
  • Focus on the security organization
  • Provide asset classification capabilities

Vendors excluded from this MarketScope:

  • Redistribute a third-party VA scanner or rely on one to be enterprise-deployed
  • Sell primarily to the operations group or lack security context
  • Embed VA function in broader products and suites

Vendors Added to the MarketScope

None.

Vendors Dropped From This MarketScope

StillSecure is not included in this MarketScope because its VAM is sold as an embedded capability of its Safe Access product, and thus it no longer meets the inclusion criteria. Lumension Security is not included in this MarketScope due to its focus on the endpoint protection platform (EPP) and ITGRC markets, with Lumension Scan serving an ancillary role in the latter, and therefore it does not meet the inclusion criteria.

Rating for Overall Market/Market Segment

Overall Market Rating: Positive

VA remains a steady growth market, with revenue estimated at $390 million in 2011, growing from $327 million in 2010. The market is characterized by a number of VA-specific and other vendors competing for scanning business, and the existence of multiple alternative forms of delivery including products, software as a service (SaaS) and managed services.

Gartner expects stable, long-term demand for security VA capabilities, and the effect of the incorporation of some VA function into broader product and service offerings will soften the demand for stand-alone VA products. This will continue to increase pressure on pricing and margins. Based on this, Gartner estimates VA revenue of $435 million in 2012. VA capabilities will continue to evolve, driven by changing threat demands, compliance requirements and enterprise efforts to reduce the cost of vulnerability management processes.

Evaluation Criteria

Table 1. Evaluation Criteria (criterion, comment, weighting)

Market Responsiveness and Track Record (weighting: High)
Market responsiveness and track record evaluate the match of the VA offering to the functional requirements stated by buyers at acquisition time, and the vendor's track record in delivering new functionality when it is needed by the market. Also considered is how the vendor differentiates its offerings from those of its major competitors.

Sales Execution/Pricing (weighting: Standard)
Sales execution focuses on the success and "mind share" of the product or service in the VA market. The evaluation includes revenue and installed base for VA products and services. The maturity and breadth of the organization's distribution channels and the level of interest from Gartner clients are also considered.

Offering (Product) Strategy (weighting: Standard)
An offering (product) strategy is the vendor's approach to product development and delivery that emphasizes differentiation, functionality and feature set as they map to current and future requirements. Development plans during the next 12 to 18 months are evaluated.

Product/Service (weighting: High)
Product or service evaluates current product function in areas such as base scanning methods, scope of VA, workflow and remediation support, and reporting capabilities.

Overall Viability (Business Unit, Financial, Strategy, Organization) (weighting: Standard)
Overall viability includes an assessment of the overall financial health of the organization, along with the financial and practical success of the business unit. Also evaluated is the ability of the organization/business unit to continue investing in the VA market and to continue developing innovative products to meet the requirements of several different types of customers.

Customer Experience (weighting: High)
Customer experience is an evaluation of product function or service in production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. This criterion was assessed by conducting qualitative interviews of vendor-provided reference customers and feedback from Gartner clients that are currently using or have completed competitive evaluations of the VA offering.

Source: Gartner (August 2012)

Figure 1. MarketScope for Vulnerability Assessment

Source: Gartner (August 2012)

Vendor Product/Service Analysis

Beyond Security

Beyond Security, a privately held vendor based in California, delivers scanning via appliance, via virtual appliance and as a managed service. For on-premises deployments, the Automated Vulnerability Detection System (AVDS) management appliance manages multiple scanners, provides role-based access and vulnerability scoring. Beyond Security also has a vulnerability information portal branded as SecuriTeam, and provides customer-accessible research on vulnerabilities and remediation advice. AVDS includes integration with several WAF, SIEM and patch management technologies. AVDS supports multiple configuration assessment templates, and provides basic customization of templates via a graphical user interface (GUI) and more advanced customization via SQL statements. Beyond Security is a PCI Approved Scanning Vendor (ASV), and PCI scanning is included with AVDS.

Strengths: AVDS receives strong feedback on excellent scanning accuracy. Beyond Security gets good marks for its aggressive pricing and pricing model, which is based on active IP addresses. Customers report this is easy to manage and can result in significantly lower pricing than competitors. AVDS keeps scan history of inactive scan targets for trending and reporting as active IPs change. Beyond Security gets very positive feedback for customer support and technical support, including custom integrations.

Challenges: Notwithstanding strong technical support, AVDS feature/capability updates are slower than desired by some customers. AVDS users indicate report customization features are not as rich as those in competitor products. Users performing advanced modifications to configuration assessment templates will not have access to that capability via a GUI.

Optimal Use Case: Security and compliance organizations with frequently changing numbers of scan targets seeking appliance- or service-based VA scanning priced on active nodes should evaluate AVDS.

Rating: Positive

BeyondTrust (eEye Digital Security)

In May 2012, BeyondTrust announced it acquired eEye Digital Security. Both firms are privately owned. BeyondTrust plans to continue to develop Retina Network Security Scanner, Insight Data Warehouse and CS management console, and is exploring integration or data exchange with its PowerBroker product line. Vulnerability assessment products are available as software images or appliances that can be deployed in combination. A PCI-scanning service is available via a service partner. BeyondTrust offers an optional host-based agent that provides deeper scanning capability and endpoint protection functions. BeyondTrust includes a built-in patch management capability, and integrates with third-party patch management products. BeyondTrust is a PCI ASV.

Strengths: The Retina Insight data warehouse provides flexible reporting and risk-modeling capability, with an interface similar to spreadsheet pivot tables. Users report the console provides flexible scan scheduling and management and easy credential management features. eEye provides mobile device assessment via mobile device management (MDM) interfaces. There is a VMware interface to support ESX configuration assessment as well as connectors to Amazon and vCenter.

Challenges: VA as a service is currently only available for PCI compliance scanning. Current and potential eEye customers should get detailed updates from BeyondTrust on Retina and Insight development road maps, and be alert for indications that product integration efforts are delaying VA features.

Optimal Use Case: Organizations that require easy-to-use, flexible analytics and reporting to support VA in software and appliance deployments, with optional agent-based scanning and endpoint protection, should evaluate BeyondTrust.

Rating: Positive

Critical Watch

Critical Watch is a private firm located in Texas. FusionVM Enterprise is available as an appliance or virtual appliance, and FusionVM SaaS is available as a managed service. The company also has partnerships for service delivery with global providers, including Xerox-ACS, Experis and Dell. Critical Watch continues to focus product features on risk mitigation and vulnerability management workflow. FusionVM's integration with HP TippingPoint IPS now includes IPS input to FusionVM. Other integrations include SIEM products from RSA (the Security Division of EMC), IBM (QRadar) and McAfee (Nitro), and IPS products from Sourcefire and McAfee (Nitro). FusionVM provides security configuration assessment based on Center for Internet Security (CIS) Windows Benchmarks, and the product can compare new vulnerability feeds with configurations to provide a form of passive vulnerability discovery. FusionVM supports authenticated patch scanning for VMware ESX and ESXi. Critical Watch is a PCI ASV.

Strengths: Customers report the integration of IPS with FusionVM was an important factor in selecting FusionVM. Critical Watch customers continue to give the vendor good marks for strong technical and customer support.

Challenges: Configuration assessment support is limited to CIS Windows Benchmarks. FusionVM's control standards reporting, application and database assessment are not as extensive as those of competing VA products.

Optimal Use Case: Organizations that seek a product or service-based VA capability that emphasizes remediation workflow and reporting and can enable VA and IPS integration should evaluate Critical Watch.

Rating: Positive

Digital Defense

Digital Defense is a small private firm located in Texas. Digital Defense Vulnerability Lifecycle Management (VLM) is available as a service, delivered with service-enabling devices called Reconnaissance Network Appliances (RNAs), and managed through the cloud-based Frontline Solutions Platform (FSP). Service options include a self-managed (SaaS) VLM and a managed service (VLM-Pro) using Digital Defense security operations center (SOC) analysts to configure scans and analyze results. The role-based FSP portal allows extensive interactive filtering and viewing options for scan results and serves as a workflow system. Integration with CA Unicenter is provided for external workflow support. The basic VLM service has limited built-in report options. The VLM-Pro service has custom report development, including compliance reports, and support for interpretation of scan results and remediation approaches. Digital Defense markets VLM to small and midsize businesses, with current customers consisting mainly of midsize-to-large financial institutions and midmarket companies in other verticals, plus smaller institutions. The VLM-Pro service is marketed to enterprise buyers. Digital Defense provides customer support for the deployment of both VLM services. In addition to VLM, Digital Defense offers other security services such as Web application analysis, penetration testing and social engineering, and is a PCI ASV.

Strengths: Digital Defense gets good marks for value — good capabilities at low cost. FSP provides assessment reconciliation, enabling analysis of trends through prior and current scan results. Integration with Veracode enables the mapping of code flaws to production assets. The VLM-Pro service includes custom report creation, data extracts and on-demand access to Digital Defense security analysts for interpretation of scan results and remediation advice.

Challenges: Customers have indicated that, when VLM is configured for aggressive scanning, scan targets have been disabled on occasion. The VLM services do not include several features commonly used in enterprise VA deployments. These include security configuration assessment, built-in integration with enterprise directories or other IT infrastructure, and user-configurable reporting. The basic VLM service provides very limited reporting capabilities.

Optimal Use Case: Small and midsize organizations seeking basic VA scanning and reports from a SaaS delivery model, or midsize or larger organizations seeking customized reporting and analytic support in a managed services model, should consider the Digital Defense VLM services.

Rating: Caution

McAfee

McAfee is a subsidiary of Intel, a public firm located in California. McAfee Vulnerability Manager (MVM) is available as a software download, an appliance or a managed service for perimeter scans. McAfee is a large and established vendor, with security research capabilities that support a range of enterprise security products. MVM can be integrated with other McAfee products such as ePolicy Orchestrator (ePO), McAfee Network Access Control, IPS and Nitro SIEM, and the BSA Visibility system acquired from Insightix. MVM also integrates with a large number of third-party security products. In addition to active scanning, MVM provides agentless security configuration assessment. With ePO agents, configuration coverage includes Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), National Security Agency (NSA), Federal Desktop Core Configuration (FDCC) and CIS controls. MVM supports authenticated database scanning and credentialed Web app scanning. Recent updates have improved asset tagging and management and workflow/ticketing capabilities, and added management features for large deployments of remote scan engines. MVM integrates with CyberArk for credentials management, and with Active Directory (AD) and other directory technologies. MVM can assess targets with IPv4 addresses, IPv6 addresses or both. McAfee is a PCI ASV, with PCI scanning delivered via the McAfee Secure product.

Strengths: MVM's integration with other McAfee technologies gets high marks from customers with large enterprise deployments of McAfee products. Large customers also gave high marks for customer and technical support, including support for custom dashboard and reporting capabilities. MVM appears often in VA evaluations among larger Gartner customers, and those with extensive McAfee product deployments.

Challenges: Customers report issues with lack of scanner fault tolerance. Technical support received mixed reviews based on the amount of time it takes to get to upper-tier resources, with some customers reporting delays, and others reporting fast-track access due to their size. Some customers indicated McAfee does not provide them the same degree of access to MVM development resources or road maps as do several smaller vendors. The acquisition by Intel, and the rationalization of product features among SIEM, ePO and MVM, may dilute McAfee attention to the VA market. Customers or potential buyers anticipating integration of MVM into their own system management infrastructure should carefully assess McAfee's commitments to support their plans.

Optimal Use Case: Organizations that want VA integration with McAfee and third-party security technologies that are part of McAfee Security Innovation Alliance should evaluate McAfee Vulnerability Manager.

Rating: Strong Positive

nCircle

nCircle is a privately owned vendor based in California. The Suite360 vulnerability management products include the IP360 vulnerability scan engine, the WebApp360 application scanner, the Suite360 Intelligence Hub (SIH), the Configuration Compliance Manager (CCM) and the File Integrity Monitor. nCircle Suite360 is available as software images, appliance, virtual appliance and service-based formats that may be deployed together. Suite360 includes integration with multiple security technologies, including several SIEM products, as well as IPS and NAC. nCircle's offerings have been primarily oriented at the enterprise, but in 2011, it released its PureCloud services offering directed at small to midsize businesses. PureCloud provides browser-based vulnerability scanning of the network exterior and interior with a minimal software deployment. Last year, nCircle introduced the nCircle Benchmark service for reporting security and compliance metrics against internal standards, peers and industry benchmarks. nCircle is a PCI ASV.

Strengths: IP360 provides active VA scanning for vulnerability detection and passive observation of network traffic to discover new systems/ports/services and applications. IP360 users report the agentless security configuration assessment provides a great deal of customization capability, but requires scripting expertise to take advantage of it. The CCM product provides a graphical interface for configuration policy management. Suite360 provides compliance-specific checks and reporting for a wide variety of regimes, including DISA STIGs, FDCC and CIS audits, among others.

Challenges: Potential customers should evaluate the possible effect of IP360's lack of load balancing capabilities across a large number of scan engines. Customers have also reported recent improvements in code quality or stability of product upgrades, but challenges remain in these areas. Scalability improvements to SIH and integration of IP360 and CCM have been slower than expected. Users indicate that slow product development led them to use service providers to develop custom reporting capabilities to meet near-term requirements.

Optimal Use Case: Organizations that require full-featured VA that includes passive monitoring, integrations with multiple other security technologies, and add-on security configuration and file integrity monitoring with flexible deployment options should evaluate nCircle.

Rating: Positive

Qualys

Qualys is a privately held vendor located in California. The QualysGuard Security and Compliance Suite is a SaaS offering. Customers scan their network perimeters with Qualys-hosted scan engines, and use Qualys-managed scan appliances deployed on-site to scan interior networks. The Qualys scan engine can be virtualized to enable deployment in customer data centers, private cloud or public cloud environments. Customers manage their own scans, reports and workflow via a Web-based portal. QualysGuard now includes dynamic asset-tagging capabilities and IPv6 support. Several control standards, including COBIT, ISO 27001 and NIST SP-800 are supported in either the Vulnerability Management service, or the Policy Compliance service, or across both. Qualys includes preconfigured integration with several leading SIEM products, and with enterprise directories. Customers can use an API to share scan or asset data with other products where prebuilt integration is unavailable. In addition to Vulnerability Management, Qualys offers policy compliance, PCI compliance and Web application scanning, using the same services model, and a unified portal for management and reporting across services. Qualys is a PCI ASV.

Strengths: Ease of deployment and the absence of technology maintenance requirements, even with large global deployments, are frequently cited by customers as Qualys differentiators. Qualys also gets good marks for frequent feature enhancements. Qualys often appears in Gartner customer evaluations of VA providers, and Qualys VA scanning is available as an option in managed security services engagements from several managed security services providers.

Challenges: Qualys customers report some frustrations with the lack of flexibility in current exception-handling capabilities. Users indicate predefined reports are too long and detailed, and want more flexible and simpler reporting options. Qualys has a mixed track record for new feature introduction. In the past, major features have been delivered after the initial promise date.

Optimal Use Case: Organizations seeking VA as a service characterized by ease of deployment with add-on capabilities for compliance, configuration, application and database scanning requirements should evaluate Qualys.

Rating: Strong Positive

Rapid7

Rapid7 is a private company headquartered in Massachusetts. The Nexpose VA scanner is available as software, appliance, virtual appliance, laptop/mobile and managed service, which can be deployed in any combination. Rapid7 also owns the Metasploit penetration testing solution (the open-source framework and the commercial Metasploit Pro), and offers integration between the Nexpose scanner and Metasploit for risk validation. Nexpose added full support for the U.S. Government Configuration Baseline (USGCB) in January 2012, and other configuration assessment enhancements include workflow for assessing and reviewing configuration policy compliance. Nexpose has integrations with several IT governance, risk and compliance (ITGRC) products and with SIEM or managed security service providers (MSSPs), including HP ArcSight, SolarWinds (TriGeo), Symantec, RSA, Dell SecureWorks, IBM QRadar, NetIQ (Novell), Prism Microsystems, McAfee, Splunk and LogRhythm. Rapid7 is a PCI ASV.

Strengths: Nexpose gets very good marks for deployment flexibility, for scan accuracy and for scanning VMware virtual environments. Integration with Metasploit penetration testing was reported as a strength by experienced users. Nexpose integrates with several network security technologies, including Sourcefire RNA, RedSeal and FireMon. Rapid7 often appears on shortlists of Gartner customers evaluating VA scanning technologies.

Challenges: Customers report Rapid7 feature improvements slowed, and technical support showed signs of strain as the vendor grew in 2011. Nexpose support for control standards is still in progress. Nexpose does not currently support the DISA STIG or CIS configuration templates, and current support for NSA templates is via custom manual scan configuration. Customers requiring extensive data manipulation in support of reporting indicate exporting data from Nexpose is the easiest way to accomplish that.

Optimal Use Case: Organizations that require VA for network, applications, and virtual environments, with exploit validation and impact assessment, and extensive integration capability with security technologies should evaluate Rapid7.

Rating: Strong Positive

Saint

Saint is a small private company located in Maryland. Saint is available in several formats: software download (VM deployable), preconfigured appliance and Linux virtual appliance. A services-based version is available as WebSAINT for basic scan and report, and WebSAINT Pro, which includes scanning, exploit-testing and full-featured reporting. Deployment options include mixing software and appliances, with a SAINTmanager console providing role-based management, reporting/dashboards, distributed scanner deployment and workflow. Saint provides good coverage for compliance reporting for Health Insurance Portability and Accountability Act (HIPAA), North American Electric Reliability Corp. (NERC) CIP, FISMA and Federal Desktop Core Configuration (FDCC)/United States Government Configuration Baseline (USGCB)/Defense Information Systems Agency (DISA) standards. The product and the services offerings support database and Web-based application vulnerability scanning. Saint has added or enhanced several features, including a configuration policy editor, scan scheduling and compliance-specific reporting. Saint is undertaking a redesign and development effort to support better scalability and management capabilities to support enterprise deployments. Saint is a PCI ASV.

Strengths: The Saint scan engine will fingerprint mobile devices running iOS. The scanner now supports an optional dissolvable agent for more detailed OS configuration checks, without the need to manage agents. Saint continues to expand the capabilities of its self-developed penetration-testing product integrated with the SAINTscanner. Customers with sufficient technical expertise can access Saint internals for custom configuration. As in prior years, Saint receives very positive marks for technical support and customer care.

Challenges: Several enterprise-oriented features remain on the Saint near-term road map, including enterprise directory integration, asset management features, support for CIS configuration templates, and role-based management and ticketing for WebSAINT services. The Saint scanner lacks integrations with patch management products. Saint does not typically appear in VA evaluations shared by Gartner customers.

Optimal Use Case: Organizations requiring VA with several deployment options, and strong support for USGCB reporting and integrated exploit penetration testing should evaluate Saint.

Rating: Promising

Tenable Network Security

Tenable is a private company located in Maryland. Tenable created and distributes as a free download its Nessus scan engine, with vulnerability check updates available via subscription. The Nessus Vulnerability Scanner provides active VA scanning, the Passive Vulnerability Scanner (PVS) assessment provides passive detection, the Log Correlation Engine correlates log and event information with vulnerability information, and the Tenable Security Center provides consolidated reporting and management. The Tenable suite also provides compliance and security configuration assessment. Security Center supports configuration auditing based on DISA STIG, FDCC/USGCB, CIS, PCI and vendor templates, as well as reporting for an extensive set of compliance and control standards. Nessus active scan results, vulnerabilities discovered from real-time PVS network monitoring and log feeds are consolidated for analysis and reporting in Security Center. Recently added features include detection of mobile devices (such as iOS), malicious process detection, and integration with VMware ESX and ESXi. Tenable is a PCI ASV.

Strengths: The widespread use of the Nessus scan engine (even in organizations that have other VA products) means that enterprises will have ready access to operational knowledge of the scanner and its scripting language. The UI, management and reporting capabilities available through Security Center have improved steadily over several product releases. Tenable gets good marks for the quality of its technical and customer support, and for addressing customer feature requests. The passive scan add-on capability is a differentiator, especially for IT environments such as those with process control technologies where active scanning may be prohibited.

Challenges: Policy configuration template modification lacks a GUI — users must edit text files. Customers report some growth challenges with customer support workflow, and with the complexity and documentation of recent product upgrades. Integrations with SIEM or GRC tools from other vendors have proved challenging, although an imminent product release seeks to address this area.

Optimal Use Case: Organizations seeking tight integration of VA scanning, security configuration assessment and optional log collection should consider Tenable Security Center. Security organizations requiring management and reporting capabilities to support their Nessus scanner deployments, as well as those requiring passive scanning capabilities, should also consider Tenable.

Rating: Strong Positive

Trustwave

Trustwave is a private firm located in Illinois. Trustwave scanning services are delivered as remote-hosted scans and via on-premises appliances. In 2Q12, Trustwave released a new scanning product, Vulnerability Manager, for vulnerability scanning and management as a stand-alone technology and as part of its SMB compliance offering, PCI Manager, and its Compliance Manager for Enterprises. Vulnerability Manager integrates with the TrustKeeper suite of security products, and endpoint security configuration assessment and patch validation are available through TrustKeeper Agent. Trustwave provides a unified portal for Vulnerability Manager, Compliance Validation Services, TrustKeeper Agent and managed security and penetration testing services. Integration of WAF and SIEM into the portal is planned. Trustwave SpiderLabs vulnerability and threat research and penetration testing capabilities support Vulnerability Manager and other TrustKeeper products. Trustwave is a PCI ASV.

Strengths: Trustwave's core capabilities are focused on supporting PCI and other compliance requirements, and TrustKeeper gets good marks from customers using it to meet those requirements. Trustwave also receives praise for responsive sales operations, competitive pricing and good customer support.

Challenges: Vulnerability Manager's capabilities do not include several required by most enterprisewide scanning deployments, such as credentialed scanning, flexible asset classification, security configuration assessment and flexible reporting. Although Trustwave has integrations across several of its security products, TrustKeeper lacks integrations with other security technologies and directories common in enterprise IT environments.

Optimal Use Case: Organizations requiring VA scanning of their PCI environments should consider Trustwave.

Rating: Caution

Acronym Key and Glossary Terms

DBMS database management system
DISA Defense Information Systems Agency
FDCC Federal Desktop Core Configuration
FISMA Federal Information Security Management Act
IPS intrusion prevention system
MSSP managed security service provider
NAC network access control
PCI Payment Card Industry
SCAP Security Content Automation Protocol
SIEM security information and event management
STIG Security Technical Implementation Guide
USGCB United States Government Configuration Baseline
VA vulnerability assessment

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Gartner MarketScope Defined

Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.

The ratings are defined in the table below:

MarketScope Rating Framework

Strong Positive
Is viewed as a provider of strategic products, services or solutions:

  • Customers: Continue with planned investments.
  • Potential customers: Consider this vendor a strong choice for strategic investments.

Positive
Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:

  • Customers: Continue planned investments.
  • Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.

Promising
Shows potential in specific areas; however, execution is inconsistent:

  • Customers: Consider the short- and long-term impact of possible changes in status.
  • Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.

Caution
Faces challenges in one or more areas:

  • Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
  • Potential customers: Account for the vendor's challenges as part of due diligence.

Strong Negative
Has difficulty responding to problems in multiple areas:

  • Customers: Execute risk mitigation plans and contingency options.
  • Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.