Vulnerability analysis tools add compliance features

Compliance is a natural extension of a vulnerability analysis tool. Normal vulnerability scanning includes searching for unpatched systems, unprotected directories and other errors in configuration.

Compliance typically adds a set of arbitrary checks that are specific to a particular regulatory regime. For example, a compliance policy might require that a DVD-ROM on a system can only be used by someone logged in locally. That's not really a vulnerability; it's just someone's idea of a particular security policy.


All of the products we tested except for Lumension Scan have a significant compliance component. For some, compliance scanning is also an extra cost or separately licensed option.

In vulnerability analyzers, "compliance" has two main parts: one is defining compliance policies and checks, and the second is generating reports with the specific checks that are called for by the regulatory regime. Because compliance is an entirely separate vulnerability analysis discipline with very different requirements, you should carefully consider the role of compliance testing and reporting before picking a vulnerability analyzer.

The requirements for compliance testing will change depending on the regime you're trying to support, and the feature set is usually more focused on policy auditing and less on getting individual systems securely configured. For example, everyone knows that patching production systems doesn't happen within a few hours of Microsoft's latest update. Compliance reporting is more about reporting on how long it took you to bring systems back up to specification than it is about helping you figure out which systems need those patches.

If compliance is on your mind as part of a vulnerability analyzer acquisition, we think you should look carefully at eEye, McAfee, Qualys, and SAINT. In our quick look, we were most impressed by McAfee's compliance policy creation tools, and SAINT's ability to quickly import and edit standardized compliance policies based on the three "standard" formats.


Stories by Joel Snyder
