FoundStone Refines Threat Assessment
September 22, 2003
By Cameron Sturdevant

Foundstone Inc.'s namesake Foundstone Enterprise 3.0.1 software packs enough punch for even the largest distributed networks, adding threat correlation to Windows host assessments that make shorter work of IT managers' vulnerability assessment chores.

Using Foundstone's updated distributed vulnerability assessment tool, IT managers can now correlate new threats and use customized weighted scores to find security exposures and determine their severity. The initial costs are competitive, and ongoing maintenance is in line with what we'd expect for distributed enterprise products.

Like competitors such as Qualys Inc.'s QualysGuard appliance (see review), it took Foundstone Enterprise 3.0.1 a significant amount of time to scan our test network for vulnerabilities. Although scan time is certainly a factor that IT managers should consider in vulnerability assessment tools, the quality of the scan should weigh far more heavily. In this regard, we believe Foundstone Enterprise, which is based on the company's Foundscan engine, is a top-notch competitor and should be placed on the short list of IT managers at midsize and large enterprises.

Foundstone Enterprise 3.0.1 with threat correlation capabilities ships early next month and starts at $15,000, which includes the Foundstone FS1000 appliance. The Threat Correlation module is an additional 10 percent of the base software cost.

Threat correlation is a clever value-add to Foundstone Enterprise, and we used the function to quickly assess systems in the test network. Foundstone takes in security advisories from many sources, including manufacturers such as Microsoft Corp. and Cisco Systems Inc., and creates a bulletin that is made available to Foundstone users. The bulletin explains the vulnerability and, most importantly, allows users to run a check of systems for the exposure.

In tests, for example, Foundstone Enterprise Threat Correlation found multiple Windows 2000, XP and 2003 systems in our network that were susceptible to a buffer overrun. Microsoft Security Bulletin MS03-039 described the exposure and how to remediate it. Because Foundstone staff had pre-processed the security bulletin and created a threat correlation update to check our systems, it was a snap for us to run a check and identify which systems were at risk.

There are two reasons why the threat correlation function is so appealing. First is that it made easy work of assessing our IT infrastructure for specific weaknesses without straining the network. We got results with little thought to the load that a full vulnerability scan would impose because the threat correlation bulletin runs against the Foundstone Enterprise database, and not against agents installed on the systems or other network infrastructure devices, such as routers and switches.

The second reason we liked the threat correlation module is that it does away with most of the work involved in figuring out how to ferret out new weaknesses. Foundstone experts put the threat correlation bulletin together, so we were able to get the update from the Foundstone site and search our IT resources with hardly a second thought.

All this takes time, however. Even a scan against our relatively small collection—about 25 devices including desktops, routers, switches and a variety of servers running Novell Inc., Red Hat Inc. and Sun Microsystems Inc. operating systems—often took between 3 and 10 minutes, depending on what we were looking for.

That said, we are becoming less concerned with the length of time it takes a vulnerability assessment system tool to run a scan. We advise IT managers to look closely at the quality of the scan—the number of vulnerabilities found, some kind of ranking of the importance of the vulnerabilities and, increasingly, information about how to remediate the vulnerability.

In this regard, we liked Foundstone Enterprise's remediation center. The built-in ticket center is perfectly fine as a stand-alone break/fix tracking system.

It can also be integrated with most popular trouble-ticket systems, although this will involve a little help from Foundstone professional services.

Aside from the usual features, such as opening new tickets and tracking ticket status, we liked the remediation center's ability to ensure that items marked as fixed were easy to check. The click to check feature is great for quality control in the remediation process or just as a sanity check for security managers.

We tested the feature by running a report that showed resolved trouble tickets. After opening an individual ticket, we clicked on the verify button, which checked the individual system.

The ticket system worked reasonably well, but the information about vulnerabilities could stand some improvement.

For example, the Foundscan vulnerability detection engine correctly identified an SNMP default community name on our WatchGuard Technologies Inc. Firebox V80 firewall appliance. Although the trouble ticket correctly identified the WatchGuard Firebox system in the header, all the remediation information was geared toward correcting the problem if it occurred in a Microsoft operating system.

Next page: Scoring Points

Scoring Points

Clearly laid-out foundstone scores in the refined dashboard made identifying overall trends much easier than in previous versions. These scores can be configured by IT managers to more accurately reflect the importance of specific IT assets by assigning what Foundstone officials call a criticality multiplier.

We think Foundstone has done something good here for IT managers, but the company has also opened the product up for a little mischief, too. During tests, it was possible to doctor the criticality multipliers to make our Foundstone score go down. (In this case, a lower number is better.)

Fortunately for non-IT executives, Foundstone Enterprise keeps two sets of Foundstone scores: the default set and the customized set.

In the interest of getting the most accurate assessment, it's a good idea to ask for both sets of scores, reflecting a period of at least six months, when evaluating the health of the network.

It's also a very good idea to base performance pay on the default Foundstone score. Even though a customized Foundstone score is susceptible to being doctored to reflect positively on IT staff, we still think this is a good addition to the product because it allows IT managers to ensure that really critical vulnerabilities get forced to the top of the fix-it list.

Senior Analyst Cameron Sturdevant can be contacted at [email protected].




eWeek
Copyright (c) 2003 Ziff Davis Media Inc. All Rights Reserved.