MarketScope for Vulnerability Assessment

9 September 2013 ID:G00250956
Analyst(s): Kelly M. Kavanagh

VIEW SUMMARY

Vulnerability assessment vendors compete on price, richness of reporting, and capabilities for application and security configuration assessment. Buyers must consider how a VA technology will fit in their overall vulnerability management process for data center, cloud and virtual environments.

What You Need to Know

This document was revised on 21 October 2013. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

Vulnerability assessment (VA) is a critical part of a vulnerability management process, and is mandated by several compliance regimes. VA scanning must be used with other security controls for enterprises to realize effective protection from broad-scale attacks and from advanced targeted threats (which typically exploit well-known vulnerabilities), and to operationalize the vulnerability remediation activities as required for general risk reduction and compliance mandates. Deployment flexibility, scope of technologies that can be scanned, rich analysis and reporting, and integration with other technologies and processes should be key criteria when selecting a vulnerability assessment vendor.

MarketScope

VA technology is typically used to support security threat management or compliance use cases, or for both. Security use cases include vulnerability and security configuration assessments for enterprise risk reduction. Enterprises with more mature security programs augment VA and security configuration assessments with more advanced network penetration testing and custom application testing to validate where they are vulnerable to more sophisticated attacks. Compliance use cases include meeting scanning requirements for regulatory or other compliance regimes, such as the Payment Card Industry Data Security Standard (PCI DSS). These requirements can also include application assessment of the infrastructure in scope of the regulatory requirements. Many organizations attempt to lower the cost of meeting compliance requirements by reducing the infrastructure subject to these requirements. As a result, there is downward price pressure on technologies and services for the compliance use cases in comparison with security use cases.

VA products or services have several typical capabilities:

  • Establish a baseline of vulnerability conditions for network-attached devices, applications and databases; identify changes in vulnerability states; and provide current vulnerability status and trends.
  • Identify and report on the security configuration of IT assets.
  • Discover unmanaged assets on enterprise networks.
  • Produce reports with content and format to support specific compliance regimes and control frameworks.
  • Support risk assessment and remediation prioritization with context regarding vulnerability severity and asset criticality.
  • Support remediation by operations groups with information and recommendations for work-arounds, patches, shielding and workflow, and through integration with other technologies, such as an intrusion prevention system (IPS), Web application firewalls (WAFs) and patch management systems.

Organizations differ in how they use VA. Some organizations deploy VA as a stand-alone capability used to provide audit or assessment capabilities independent from the IT operational groups. Others use VA in support of prioritizing IT operations for vulnerability mitigation. Still others use VA for compliance reporting, dashboards, or broader governance and risk monitoring. In general, as organizations' security operations mature, they make use of more analysis, reporting and integration capabilities in their VA deployments. These use cases are not exclusionary, and VA deployments can support multiple use cases.

Gartner's vulnerability management life cycle activities include the secure configuration of IT assets, regular assessment of vulnerabilities and compliance with security configuration policies, remediation of vulnerabilities or security configuration issues, and ongoing monitoring to detect malicious events or activities. The use of VA products or services as a best practice has been incorporated into a number of prescriptive compliance regimes, including the PCI DSS, the U.S. Federal Information Security Management Act (FISMA) and desktop configuration requirements. In particular, the National Institute of Standards and Technology (NIST) 800-53 requirements for "continuous monitoring" serve as an accelerator for the frequency of VA use. The widespread recognition of vulnerability management as a best practice, these compliance requirements and others, as well as pressure from business partners, customers and auditors, have been the primary drivers for using VA technologies and services in recent years.

The VA market is mature, and the addition of new capabilities in VA products has been gradual. These include:

  • Incorporating scanning for vulnerabilities in virtual environments and mobile devices
  • Assessing security configuration settings
  • Improving the management of multiple scanners in large deployments
  • Supporting IT operations with targeted remediation support
  • Richer reporting, threat analysis and asset grouping

Deployment options for VA typically include software, appliance, virtual appliance, and remote hosted or cloud-based services. VA vendors typically compete on these extended features and deployment options, and on price.

Customers of all of the products included in this MarketScope give high marks for the speed and accuracy of the scanners — although all report accuracy is notably higher for credentialed scans than for noncredentialed scans. VA users commonly report that their scanning targets include private virtual environments, applications (Web-based and others) and databases. Customers report that the application and database scanning capabilities of their VA tools are typically not as rich or thorough as products specifically designed to assess those technologies. VA is often used as a "just in case" assessment in conjunction with application and database scanning products, or as an alternative where customers cannot deploy application or database scanners.

Users less often report using VA for security configuration assessment, and indicate that this is due to two reasons: lack of internal configuration standards, or use of configuration assessment capabilities included with systems or patch management products. Users also report that the scope of security configuration assessment done is a small portion of their entire IT environment. However, for users that perform security configuration assessment with a VA product, the availability of specific configuration templates and the ease with which users can add or customize templates are important features.

The value of VA scanning results can be increased when combined with elements in the vulnerability management process:

  • VA data can be used to improve the granularity and accuracy of network security technologies, such as IPSs and WAFs, by matching blocking rules with vulnerabilities.
  • VA results can be used to identify targets for exploit validation with penetration testing tools.
  • Assets discovered during scanning can be compared with asset databases and user directories to identify unmanaged assets and provide business and risk context to VA reporting.
  • Vulnerability data provides information about the state of assets and enriches event data acquired by security information and event management (SIEM) monitoring of those assets.
  • Vulnerability data, asset data and risk context support patch management or system management activities by identifying high-value assets and high-risk vulnerabilities for priority attention.

There are three approaches to vulnerability assessment:

  • Active network scanning, the most widely used technique, involves remote scans of network-attached devices. Active scanning can be uncredentialed or credentialed. Credentialed scanning provides a more detailed assessment of the scan targets, resulting in improved accuracy and the ability to determine security configuration. For large deployments, the credential management capabilities may be important criteria for ease of management.
  • Passive observation of network traffic (also called "passive scanning") is based on the assessment of the content and pattern of captured network traffic. Although passive observation can provide information about devices that cannot be actively scanned (for example, systems with endpoint firewalls), this technique alone generally does not provide sufficient data to support remediation activity.
  • Agents reside on the scan targets, either as persistent software or as dissolvable temporary elements, collecting state information in real time. Agents provide information about the target that cannot be determined remotely, such as applications or services that are installed but not running, or of changes in files or configuration. Persistent agents can be used only on devices that are known and managed, and thus, the VA product must be able to discover and report previously unknown, unmanaged devices. When nonpersistent agents are supported by the VA product, they can be deployed to unmanaged devices (or in environments where persistent agent deployment is not feasible, to managed devices) and provide deeper inspection capabilities.

Most organizations deploy VA for active network scanning, and all of the vendors evaluated here provide this capability. There is low demand for products that employ only agent-based or passive detection techniques. However, there are typically areas in larger IT environments that benefit from these techniques, and Gartner recommends that security-conscious enterprises use a combination of at least two of the three described techniques for comprehensive coverage.

Several alternatives to direct spending on commercial VA tools or service include:

  • Open-source tools (such as the Open Vulnerability Assessment System) or commercial vulnerability scanning capabilities embedded in other products, such as endpoint management tools. The Nessus scan engine can be downloaded for free — a commercial subscription is available for vulnerability check updates.
  • Periodic, project-based assessment services from security consultants, which are often delivered via portable versions of commercial products, and consumed on an as-needed basis, often augmented with value-added professional services.
  • VA scanning offerings from numerous external service providers (not necessarily security service providers), often delivered by commercial scanning products licensed by the service providers for subscription-based scanning.

In addition, service providers offering security services suites, such as Alert Logic, offer VA as a component of a broader set of security controls.

Market/Market Segment Description

This MarketScope focuses on vendors that provide active network-scanning capabilities as a product or service to the security buying center. VA providers vary greatly in scale and market focus. Beyond Security, Critical Watch, Rapid7 and Security Administrators Integrated Network Tool (SAINT) solely focus on VA products, sometimes with a service-delivered option. McAfee is a large, multiproduct vendor of VA, SIEM, endpoint security products and network security appliances. Tenable Network Security offers VA and SIEM. Trustwave offers VA, plus a range of services and products for compliance and security requirements. Qualys offers VA as a service, and other security-as-a-service offerings, and Digital Defense offers VA as a cloud service and a managed service. Tripwire acquired nCircle and offers VA and security configuration assessment products.

Revenue in the VA market has been concentrated among a few vendors, with approximately 80% of the revenue going to five vendors, and 20% spread across the remainder. In addition to competing with other VA product and service vendors, VA vendors must compete with consultants, open-source scanning tools, and other security and IT operations products that provide scanning and configuration assessment capability. Smaller VA providers are likely acquisition targets for security technology and system management firms seeking to add scanning capabilities to their offerings. Smaller vendors also face viability risks as they compete with larger competitors.

Inclusion and Exclusion Criteria

Vendors included in this MarketScope:

  • Use their own VA engines
  • Perform active network VA
  • Provide vulnerability information and reference multiple vulnerability IDs, including common vulnerabilities and exposures, Bugtraq ID and vendor-specific IDs
  • Provide remediation guidance
  • Offer an enterprise-level product that supports central administration of multiple distributed scanners and consolidated reporting
  • Focus on the security organization
  • Provide asset classification capabilities

Vendors excluded from this MarketScope:

  • Redistribute a third-party VA scanner or rely on one to be enterprise-deployed
  • Sell primarily to the operations group or lack security context
  • Embed VA function only in broader products and suites

Vendors Added to the MarketScope

No vendors were added to the MarketScope in 2013. Since publication of the 2012 MarketScope, nCircle was acquired by Tripwire, and the resulting entity is called Tripwire.

Vendors Dropped From This MarketScope

None.

Rating for Overall Market/Market Segment

Overall Market Rating: Positive

Gartner estimates VA revenue for 2012 at $415 million, just under 20% growth over 2011's revenue of $346 million. Gartner expects stable, long-term demand for security VA capabilities, supported by the incorporation of VA, application and security configuration assessment capabilities in vulnerability management best practice and explicit compliance requirements. The inclusion of these capabilities in broader product and service offerings from security vendors and adjacent markets offers competition for stand-alone VA products. This will continue to increase pressure on pricing and margins. VA capabilities, and their availability across different products and markets, will continue to evolve, driven by changing threat demands, compliance requirements and enterprise efforts to reduce the cost of vulnerability management processes.

Evaluation Criteria

Table 1. Evaluation Criteria

Evaluation Criteria

Comment

Weighting

Market Responsiveness and Track Record

Market responsiveness and track record evaluate the match of the VA offering to the functional requirements stated by buyers at acquisition time, and the vendor's track record in delivering new functionality when it is needed by the market. Also considered is how the vendor differentiates its offerings from those of its major competitors.

High

Sales Execution/Pricing

Sales execution focuses on the success and "mind share" of the product or service in the VA market. The evaluation includes the revenue and installed base for VA products and services. The maturity and breadth of the organization's distribution channels and the level of interest from Gartner clients are also considered.

Standard

Offering (Product) Strategy

An offering (product) strategy is the vendor's approach to product development and delivery that emphasizes differentiation, functionality and feature set as they map to current and future requirements. Development plans during the next 12 to 18 months are evaluated.

Standard

Product/Service

Product or service evaluates current product function in areas such as base scanning methods, scope of VA, workflow and remediation support, and reporting capabilities.

High

Overall Viability (Business Unit, Financial, Strategy, Organization)

Overall viability includes an assessment of the overall financial health of the organization, along with the financial and practical success of the business unit. Also evaluated is the ability of the organization/business unit to continue investing in the VA market and to continue developing innovative products to meet the requirements of several different types of customers.

Standard

Customer Experience

Customer experience is an evaluation of product function or service in production environments. The evaluation includes ease of deployment, operation, administration, stability, scalability and vendor support capabilities. This criterion was assessed by conducting qualitative interviews of vendor-provided reference customers and feedback from Gartner clients that are currently using or have completed competitive evaluations of the VA offering.

High

Source: Gartner (September 2013)

Figure 1. MarketScope for Vulnerability Assessment
Figure 1.MarketScope for Vulnerability Assessment

Source: Gartner (September 2013)

Vendor Product/Service Analysis

Beyond Security

Beyond Security, a privately held vendor based in California, delivers scanning via appliance, via virtual appliance and as a managed service. For on-premises deployments, the Automated Vulnerability Detection System (AVDS) Linux-based management appliance manages multiple scanners, and provides role-based access and vulnerability scoring. AVDS includes security configuration assessment and application scanning as well as active VA scanning. Beyond Security's SecuriTeam vulnerability information portal provides research on vulnerabilities and remediation advice to customers. AVDS provides integration with several WAF, SIEM and patch management technologies. AVDS supports multiple configuration assessment templates, and provides basic customization of templates via a graphical user interface (GUI) and more advanced customization via SQL statements. Beyond Security is a PCI Approved Scanning Vendor (ASV), and PCI scanning is included with AVDS.

Strengths: AVDS users report excellent scanning accuracy and satisfaction with its flexible pricing model, which is based on active IP addresses. Beyond Security continues to receive very positive feedback for customer support and technical support.

Challenges: Report customization features continue to lag those in competitor products, and some users find the GUI nonintuitive. Users performing advanced modifications to configuration assessment templates will not have access to that capability via a native GUI.

Optimal Use Case: Organizations using VA to address security and compliance requirements seeking appliance- or service-based VA scanning priced on active nodes should evaluate AVDS.

Rating: Positive

BeyondTrust

BeyondTrust offers the Retina Network Security Scanner as a stand-alone product, and offers the scanner, Retina Insight data warehouse and Retina CS Threat Management console as a bundled solution. Vulnerability assessment products are available as software or appliances that can be deployed in combination. BeyondTrust offers PCI scanning services via a service partner. BeyondTrust has developed integrations for Retina and its PowerBroker products that enhance scan management and collate asset and user data. BeyondTrust offers optional dissolvable agents, as well as permanent agents (PowerBroker or Retina) that provide deeper assessment capability, including file integrity monitoring, data discovery, session monitoring and endpoint protection functions. BeyondTrust includes a built-in patch management capability and integrates with third-party patch management products. Reports for specific compliance requirements, such as PCI DSS, Health Insurance Portability and Accountability Act (HIPAA), NIST or Sarbanes-Oxley Act (SOX), are available is add-on reporting packs. BeyondTrust plans to release a scanning service capability in September 2013. BeyondTrust is a certified PCI ASV.

Strengths: Users offer strong praise for Retina Insight for flexible and easy-to-use data manipulation and presentation. Users report that the console provides flexible scan scheduling and management, and easy credential management features. BeyondTrust provides mobile device assessment via mobile device management (MDM) interfaces. There is a VMware interface to support ESX configuration assessment, as well as connectors to Amazon, GoGrid, Rackspace, SmartCloud and vCenter.

Challenges: Retina does not include a native editor for OVAL content, and customers wishing to modify configuration templates must use an external editor. The planned VA scanning as a service will include PCI and other capabilities, but will not provide full Retina functionality before 2014.

Optimal Use Case: Organizations that require easy-to-use, flexible analytics and reporting to support VA in software and appliance deployments, with optional, rich agent-based assessment, privileged identity management and endpoint protection, should evaluate BeyondTrust.

Rating: Positive

Critical Watch

Critical Watch is a private firm located in Texas. FusionVM Enterprise is available as an appliance or virtual appliance, and FusionVM SaaS is available as a managed service. Critical Watch's focus has been on risk scoring and mitigation via workflow integration with other security controls. FusionVM's integrations include IPS from HP TippingPoint, McAfee and Sourcefire (being acquired by Cisco). Other integrations include SIEM products from IBM (QRadar); RSA, The Security Division of EMC; and McAfee. FusionVM provides security configuration assessment based on Center for Internet Security (CIS) Windows Benchmarks (Linux and Unix benchmarks are under development), and the product can compare new vulnerability feeds with configurations to provide a form of passive vulnerability discovery. FusionVM supports authenticated patch scanning for VMware ESX and ESXi. Critical Watch is a PCI ASV.

Strengths: Role-based access for reporting and management is very granular and useful for allowing multiple operations groups access to the FusionVM portal. Critical Watch customers continue to give the vendor excellent grades for quickly implementing feature requests and providing strong technical and customer support.

Challenges: Configuration assessment support remains limited to CIS Windows Benchmarks. FusionVM's control standards reporting, application and database assessment continue to lag behind those of competing VA products. There are no integrations with patch management systems. Critical Watch infrequently appears on shortlists for VA among Gartner customers.

Optimal Use Case: Organizations that seek a product or service-based VA capability that emphasizes remediation workflow and reporting with integrations with SIEM, IPS, WAF and other security technologies should evaluate Critical Watch.

Rating: Positive

Digital Defense

Digital Defense is a small private firm located in Texas. The Vulnerability Lifecycle Management (VLM) service is delivered through Reconnaissance Network Appliances and managed through the cloud-based Frontline Solutions Platform (FSP). There are two service options: a self-managed VLM and a managed service (VLM-Pro) using Digital Defense security operations center analysts to configure scans and analyze results. Vulnerability assessment and Web-application assessment (and optional integration with Veracode application analysis) are available through VLM. Security configuration assessment capabilities are planned.

The role-based FSP portal allows extensive interactive filtering and viewing options for scan results and has workflow features. Integrations with CA Unicenter for external workflow support, RedSeal for risk visualization, and IBM QRadar SIEM are provided. The basic VLM service has limited built-in report options. Custom reports and compliance-specific reports are available with the VLM-Pro service. Digital Defense markets VLM to small and midsize businesses, with current customers consisting mainly of midsize to large financial institutions and midmarket companies in other verticals, plus smaller institutions. The VLM-Pro service is marketed to enterprise buyers. Digital Defense provides support for the deployment of both services options. In addition to VLM, Digital Defense offers other security services, such as Web application analysis, penetration testing and social engineering, and is a PCI ASV.

Strengths: Digital Defense gets good marks for value — good capabilities at low cost. FSP provides portal-based views of current vulnerability results and trends. The VLM-Pro service includes extended support for analysis and remediation advice, and custom reports and scan data extracts.

Challenges: VLM does not provide support for CIS, NIST or other configuration templates. There are no integrations with enterprise directories or asset management of configuration management database technologies. Compared with competing products, VLM reporting capabilities are less feature-rich and customizable.

Optimal Use Case: Small and midsize organizations seeking basic VA scanning and reports from a SaaS delivery model, with the option for extended security operation center support, or midsize or larger organizations seeking customized reporting and analytic support in a managed service model, should consider the Digital Defense VLM services.

Rating: Caution

McAfee

McAfee is a subsidiary of Intel, a public firm located in California. McAfee Vulnerability Manager (MVM) is available as a software image, an appliance or a managed service for external perimeter scans. MVM includes VA scanning, security configuration assessment and application assessment (Web application scanning is available for an additional license fee). McAfee has a range of enterprise security products. MVM can be integrated with other McAfee products, such as ePolicy Orchestrator (ePO), McAfee Network Access Control, IPS and SIEM. MVM also integrates with a large number of third-party security products.

In addition to active scanning, MVM provides passive asset detection (via the included McAfee Asset Manager technology) and agentless security configuration assessment. Configuration coverage includes Defense Information System Agency (DISA) Security Technical Implementation Guides (STIGs), National Security Agency (NSA), United States Government Configuration Baseline (USGCB; was Federal Desktop Core Configuration, FDCC) and CIS controls.

MVM supports authenticated database scanning and credentialed Web app scanning. Recent updates have improved asset tagging, management and workflow/ticketing capabilities, and added management features for large deployments of remote scan engines. MVM integrates with CyberArk for credentials management, and with Active Directory and other directory technologies. MVM can assess targets with IPv4 addresses, IPv6 addresses or both. McAfee is a PCI ASV, with PCI scanning delivered via the McAfee Secure product.

Strengths: MVM's integration with other McAfee technologies gets high marks, and is a buying driver for customers with large enterprise deployments of McAfee products. MVM appears often in VA evaluations among Gartner customers with extensive McAfee product deployments.

Challenges: Customers report mixed reviews on the MVM user interface, noting some recent improvements, but also the need for greater investment by McAfee in this area. The continued rationalization of product features among SIEM, ePO and MVM may affect plans to improve the capabilities of MVM. Customers or potential buyers anticipating integration of MVM into their own system management infrastructures should carefully assess McAfee's commitments to support their plans.

Optimal Use Case: Organizations that want VA integration with McAfee and third-party security technologies that are part of McAfee Security Innovation Alliance should evaluate MVM.

Rating: Strong Positive

Qualys

Qualys is now a publicly held vendor, located in California. Qualys offerings are available as SaaS, delivered via hosted and on-premises scan engines. Qualys vulnerability, configuration and application scanning offerings are available as distinct or bundled offerings. Qualys offers a virtualized version of its scan engine for deployment in customer data centers, private cloud or public clouds. Customers manage their own scans, reports and workflow via a Web-based portal. Several control standards, including COBIT, International Organization for Standardization (ISO) 27001 and NIST SP-800 are supported in the Vulnerability Management service, the Policy Compliance service or across both.

Qualys includes preconfigured integration with several leading SIEM products and with enterprise directories. Customers can use an API to share scan or asset data with other products where prebuilt integration is unavailable. In addition to Vulnerability Management, Qualys offers policy compliance, PCI compliance, Web application scanning and the new Web application firewall using the same service model via a cloud platform that can also be delivered to customers on-premises as a private instance, and a unified portal for management and reporting across services. Qualys is a PCI ASV.

Strengths: Users have consistently cited ease of deployment and the absence of technology maintenance requirements as Qualys differentiators. Customers with complex reporting and workflow requirements indicate the Qualys API supports effective integration with their internal reporting and workflow technologies. Qualys often appears in Gartner customer shortlists of VA vendors.

Challenges: Qualys reporting receives mixed reviews. Potential customers with large, complex environments and similarly complex reporting requirements should evaluate whether the access to data available via API will support their needs. Those with simpler reporting requirements should determine whether the report customization capabilities will enable inclusion or exclusion of data to the degree required.

Optimal Use Case: Organizations seeking VA as a service characterized by ease of deployment and management, good integration via API, and with add-on services for PCI compliance, security configuration, application and database scanning should evaluate Qualys.

Rating: Strong Positive

Rapid7

Rapid7 is a private company headquartered in Massachusetts. The Nexpose VA scanner is available as software, appliance, virtual appliance, laptop/mobile and managed service, which can be deployed in any combination. Nexpose includes security configuration assessment and application security assessment in addition to VA. Rapid7 also owns Metasploit (the open-source penetration testing framework) and the commercial Metasploit Pro, and integrates Nexpose and Metasploit for risk validation.

Rapid7 offers mobile technology vulnerability assessment via its MobiliSafe product, which is not currently integrated with Nexpose, as well as security controls assessment with Rapid7 ControlsInsight and end-user risk monitoring with Rapid7 UserInsight. In addition to USGCB configuration support, Nexpose supports CIS templates for Windows and has recently added support for Red Hat Linux. Nexpose has integrations with several IT governance, risk and compliance products and with SIEM or managed security service providers, including HP ArcSight, SolarWinds (TriGeo), Symantec, RSA, Dell SecureWorks, IBM QRadar, NetIQ (Novell), Prism Microsystems, McAfee, Splunk and LogRhythm. Rapid7 is a PCI ASV.

Strengths: The Nexpose API gets very good marks from customers that require access to scan data to meet unique workflow and reporting requirements. Technical support also gets positive feedback from customers, and those with sufficient expertise and experience indicate that Metasploit integration adds value. Rapid7 often appears on shortlists of Gartner customers evaluating VA scanning technologies.

Challenges: Customers continue to report that feature improvements, including those related to reporting, are slower than expected, and staff changes have had an effect on the continuity of customer account management. Nexpose users that need customization of configuration assessment templates must do so using an external XML editor.

Optimal Use Case: Organizations that require VA for networks, applications and virtual environments with exploit validation and impact assessment, and extensive integration capability with security technologies, should evaluate Rapid7.

Rating: Strong Positive

Security Administrators Integrated Network Tool (SAINT)

SAINT is a small private company located in Maryland. SAINT scanner is available as a software image (VM-deployable), preconfigured appliance and Linux virtual appliance. A service-based version is available as WebSAINT for basic scans and reports, and WebSAINT Pro, which includes scanning, exploit testing and full-featured reporting. SAINTmanager console includes role-based management, reporting/dashboards, distributed scanner deployment and workflow. The products are priced on an annual subscription basis. The product and the services include VA, security configuration assessment, and database and Web-based application scanning.

SAINT provides an optional dissolvable agent capability for configuration checking. It also provides good coverage for compliance reporting for HIPAA, North American Electric Reliability critical infrastructure protection, SOX, PCI, FISMA, USGCB and DISA standards. SAINT offers integration with several SIEM and governance, risk and compliance (GRC) products. Recent feature improvements include richer role-based support and ticketing. SAINT is a PCI ASV, Security Content Automation Protocol (SCAP)-compliant and Cyberscope approved.

Strengths: Customers continue to report excellent technical and customer support from SAINT. Predefined reporting capabilities get good marks for being useful without extensive modification.

Challenges: SAINT lacks integration with several technologies, such as enterprise directories, credential management products, system management products or intrusion detection system/IPS/WAF controls. SAINT lacks support for CIS configuration templates, and current asset management and tagging capabilities lag behind competing products. SAINT does not typically appear in VA evaluations shared by Gartner customers.

Optimal Use Case: Organizations requiring VA with several deployment options and subscription-based licensing, with support for USGCB reporting and well-regarded integrated penetration testing, should evaluate SAINT.

Rating: Promising

Tenable Network Security

Tenable is a private company located in Maryland. In September 2012, Tenable received $50 million in investor funding. The Nessus Vulnerability Scanner provides active VA scanning, and SecurityCenter (SC) provides consolidated management, real-time dashboards and reporting for compliance and control standards. In addition, Passive Vulnerability Scanner (PVS) provides passive detection, and the Log Correlation Engine correlates log and event information with vulnerability information. The Nessus Vulnerability Scanner, PVS and SC are available as software images or virtual and hardware appliances. Tenable also offers a hosted service for external scans. The Tenable suite provides compliance and security configuration assessment in addition to active and passive VA. Integrations are provided with MDM and patch management systems (Microsoft Exchange, Apple Profile Manager and Good for Enterprise Windows Server Update Services, software change and configuration management, Red Hat, VMware and IBM). SC supports configuration auditing with DISA STIG, USGCB, CIS, PCI and vendor templates, as well as providing analytics and alerting based on active scans, PVS results and log data. Tenable is a PCI ASV.

Strengths: Tenable gets good marks for the quality of its technical and customer support, and for addressing customer feature requests. The Nessus scan engine has wide exposure (it is not unusual to encounter it in organizations that have other VA products) as a stand-alone scanning tool, and the management, reporting and user interface features of SecurityCenter offer enterprises the option to deploy enterprisewide or to centralize and extend isolated or ad hoc Nessus deployments. The passive scan add-on capability is a differentiator, especially for IT environments, such as healthcare and those with process control technologies where active scanning may be prohibited.

Challenges: Users report that Tenable must continue to improve its product management capabilities and more effectively communicate development plans to customers. Tenable has made recent staff additions to address this. Security configuration policy templates must be modified with an external editor.

Optimal Use Case: Organizations adopting "continuous monitoring" strategies, and those seeking to support vulnerability management through integration of VA scanning, security configuration assessment, log collection and passive detection, should consider SC. Security organizations that have deployed Nessus scanners and require enhanced management and reporting capabilities should also consider Tenable.

Rating: Strong Positive

Tripwire

In April 2013, nCircle was acquired by Tripwire, whose products include security configuration management, event and log management, file integrity monitoring, and risk reporting and visualization. Tripwire has incorporated nCircle's vulnerability management products into its product portfolio, and plans greater technology integration for reporting and management among the products. The Suite360 vulnerability management products include the IP360 vulnerability management solution, the WebApp360 application scanner, the Suite360 Intelligence Hub (SIH), the Configuration Compliance Manager (CCM) and the File Integrity Monitoring. Suite360 is available as software image, appliance, virtual appliance and service-based formats that may be deployed in combinations. Suite360 has integration with several other security technologies, including SIEM (third-party and Tripwire Log Center), IPS and network access control (NAC). The PureCloud vulnerability scanning technology offers browser-based scanning, and will be updated and focused on enterprise use for remote and branch locations. Tripwire maintains nCircle's status as a PCI ASV.

Strengths: IP360 provides both active VA scanning and passive observation to discover new systems/ports/services and applications. The Tripwire portfolio now has a range of agentless and agent-based security configuration assessment options, and provides compliance-specific checks and reporting for a wide variety of regimes, including DISA STIGs, USGCB, PCI DSS and CIS audits.

Challenges: Customers with IP360, SIH and CCM must closely monitor Tripwire for timely and successful delivery of long-expected performance, feature and reporting enhancements. Current and prospective customers must evaluate whether planned integration between the existing Tripwire product portfolio and nCircle products will meet their requirements.

Optimal Use Case: Organizations that require full-featured VA that includes passive monitoring, integration with multiple other security technologies, as well as extensive add-on security configuration, log, file integrity monitoring, and risk reporting and visualization, should evaluate Tripwire.

Rating: Positive

Trustwave

Trustwave is a private firm located in Illinois. Trustwave Vulnerability Manager scanning services are delivered through on-premises appliances. Vulnerability Manager provides basic application scanning capabilities, integrates with the TrustKeeper suite of security products, and provides limited endpoint security configuration assessment and patch validation through the optional TrustKeeper Agent. Trustwave provides a unified portal for Vulnerability Manager, compliance validation services, TrustKeeper Agent, and managed security and penetration testing services. Vulnerability Manager integrates with other Trustwave products for NAC, SIEM, WAF and GRC. Trustwave SpiderLabs vulnerability, threat research and penetration testing capabilities support Vulnerability Manager and other TrustKeeper products. Trustwave is a PCI ASV.

Strengths: Customers report high satisfaction with TrustKeeper for maintaining PCI compliance. Trustwave also gets good marks for customer support.

Challenges: Vulnerability Manager lacks the capabilities of competing products used in enterprise wide-scanning deployments, such as credentialed scanning, flexible asset classification, security configuration assessment using common standards and user-configurable reporting. Vulnerability Manager does not integrate with asset management, directories and non-Trustwave security technologies for NAC, IPS and SIEM.

Optimal Use Case: Organizations requiring VA scanning of their PCI environments should consider Trustwave.

Rating: Caution

Acronym Key and Glossary Terms

ASV Approved Scanning Vendor
AVDS Automated Vulnerability Detection System
CCM Configuration Compliance Manager
CIS Center for Internet Security
DISA Defense Information System Agency
ePO ePolicy Orchestrator
FDCC Federal Desktop Core Configuration
FISMA Federal Information Security Management Act
FSP Frontline Solutions Platform
GUI graphical user interface
HIPAA Health Insurance Portability and Accountability Act
IPS intrusion prevention system
ISO International Organization for Standardization
MDM mobile device management
MVM McAfee Vulnerability Manager
NAC network access control
NIST National Institute of Standards and Technology
NSA National Security Agency
PCI Payment Card Industry
PCI DSS Payment Card Industry Data Security Standard
PVS Passive Vulnerability Scanner
SC SecurityCenter
SCAP Security Content Automation Protocol
SIEM security information and event management
SIH Suite360 Intelligence Hub
SOX Sarbanes-Oxley Act
STIG Security Technical Implementation Guide
USGCB United States Government Configuration Baseline
VA vulnerability assessment
VLM Vulnerability Lifecycle Management
WAF Web application firewall

Evidence

Gartner customer feedback regarding evaluation, acquisition, deployment and operations of VA products and services. Data collection from VA vendors via surveys and briefings, and teleconference interviews with vendor-supplied reference contacts.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.

Gartner MarketScope Defined

Gartner's MarketScope provides specific guidance for users who are deploying, or have deployed, products or services. A Gartner MarketScope rating does not imply that the vendor meets all, few or none of the evaluation criteria. The Gartner MarketScope evaluation is based on a weighted evaluation of a vendor's products in comparison with the evaluation criteria. Consider Gartner's criteria as they apply to your specific requirements. Contact Gartner to discuss how this evaluation may affect your specific needs.

MarketScope Rating Framework

Strong Positive
Is viewed as a provider of strategic products, services or solutions:

  • Customers: Continue with planned investments.
  • Potential customers: Consider this vendor a strong choice for strategic investments.

Positive
Demonstrates strength in specific areas, but execution in one or more areas may still be developing or inconsistent with other areas of performance:

  • Customers: Continue planned investments.
  • Potential customers: Consider this vendor a viable choice for strategic or tactical investments, while planning for known limitations.

Promising
Shows potential in specific areas; however, execution is inconsistent:

  • Customers: Consider the short- and long-term impact of possible changes in status.
  • Potential customers: Plan for and be aware of issues and opportunities related to the evolution and maturity of this vendor.

Caution
Faces challenges in one or more areas.

  • Customers: Understand challenges in relevant areas, and develop contingency plans based on risk tolerance and possible business impact.
  • Potential customers: Account for the vendor's challenges as part of due diligence.

Strong Negative
Has difficulty responding to problems in multiple areas.

  • Customers: Execute risk mitigation plans and contingency options.
  • Potential customers: Consider this vendor only for tactical investment with short-term, rapid payback.