"Qualys® is headquartered in Redwood Shores, California, with offices in France, Germany, the U.K., Japan and Hong Kong, and has partners worldwide."
Source: Qualys
Vulnerability Management Buyer's Checklist
Vulnerability Management (VM) means systematically finding and eliminating network vulnerabilities. Choosing a
solution for VM is a critical step toward protecting your organization's network and data. Without proven, automated
technology for precise detection and remediation, no network can withstand the daily onslaught of new vulnerabilities
that threaten security. To help finalize your decision on which solution to buy, Qualys provides this 12-point short list
of considerations that will help you determine what will work best for your organization.
12 Key Decision Points
- Architecture
- Security
- Scalability / Ease of Use
- Accuracy / Performance
- Discovery / Mapping
- Scanning
- Reporting
- Remediation
- Policy Compliance
- Management
- Cost
- Solution Vendor
Architecture
How is the VM solution delivered?
Is there software or hardware that you need to install and maintain, or is software
delivered as a service (SaaS) and simply requires logging in to your account via a web
browser to start scanning? A system that requires you to manage installation, updates,
hardware, database security, etc. ends up costing more than just the purchase price of
the software, and may require additional manpower for ongoing operations.
Does the solution offer a graphical user interface?
Some offerings, particularly older, low-end or "no-cost" solutions, only have command
line interfaces that can be tough to operate and have limited customization features (or
access controls). Understand how the solution is delivered and test it before you buy it.
Do I have to run an agent on all my networked devices?
Software-based VM products may require you to install and update agents on every
system to be scanned. Look for architecture that does not require an agent, or any other
software to operate other than a standard, SSL-enabled web browser for accessing the
interface.
Does the product require me to run a database?
Software-based VM products may require you to install and operate a database to house
info for vulnerability management. The SaaS architecture does not carry that requirement.
Why should I consider using SaaS for VM?
For an application like VM, a SaaS solution makes more sense than software for most
companies. It is easier to deploy and manage, is more flexible in supporting evolving
business needs, has lower and more predictable costs, is scalable, does not lock you into
a long-term license, is easier to use, and is more reliable.
Security
What is the security model used to protect the solution?
It's crucial that the VM solution itself be secure, especially since it houses critical data
about the network's assets and potential vulnerabilities. With software-based solutions,
you are responsible, and it can be a complex task to secure such systems and
information. With a hosted, SaaS solution, the security is handled by the SaaS provider.
Make sure the SaaS solution provides end-to-end security for sensitive vulnerability data
and uses multiple standard proactive controls to protect all layers of the application.
How is the solution physically protected?
Make sure you understand this from your vendor. Again, traditional software-based
solutions require you to do all of this work. By contrast, SaaS-based solutions handle this
for you. For example, the QualysGuard service is run in Secure Operations Centers that
successfully pass annual SAS70 Type II certifications. QualysGuard machines and racks
are locked in a private vault requiring badge and biometric authentication for access.
Physical access is restricted to designated Qualys employees, who undergo third-party
reference and background checks, and sign a confidentiality agreement. It is secured
behind a host-based firewall and a policy-driven file system and integrity checking system,
plus an IDS architecture. Staff continuously monitor all systems and administer proper
remediation and countermeasures. Qualys staff must be designated for access, and are
required to use two-factor authentication for logged access to critical servers. Full
backups are performed once every 24 hours to a standby server, and to encrypted tapes
handled by a third party for offsite rotation.
How does the VM solution protect vulnerability data transmission?
If you select a SaaS solution, make sure all interactions require HTTPS (SSLv3)
connections with at least AES 128-bit encryption from the user's web browser to the
system performing the scans. Be very careful of clear-text communication for interface
navigation, scan launching, or report generation. The system should support
username/password and optional two-factor authentication (SecurID) for login.
Furthermore, the user's password should not be stored on any servers, and the solution
provider should not have access to these passwords.
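The transport requirements above (HTTPS for every interaction, at least AES 128-bit encryption, no clear-text paths for navigation, scan launching or report generation) can be turned into a check a buyer runs against a candidate solution's endpoint list. The following is an added example, not code from Qualys or from this white paper: the endpoint names and the placeholder hostname are constructed, and because current OpenSSL builds no longer offer SSLv3, the client context is pinned to TLS 1.2 as the modern equivalent of the page's protocol requirement (an assumption of this example).

```python
"""Transport policy check for a VM service endpoint list (added example).

Requirement being checked: HTTPS everywhere, symmetric cipher strength of at
least 128 bits. The interaction list is constructed; the hostname is a
placeholder, not a real service."""
import ssl
from urllib.parse import urlparse

MIN_CIPHER_BITS = 128  # the page's floor: at least AES 128-bit

# Constructed sample of the interactions a buyer would inspect. One entry is
# deliberately clear-text so the check has something to report.
SAMPLE_INTERACTIONS = {
    "interface navigation": "https://vm.example.invalid/ui/",
    "scan launching": "https://vm.example.invalid/api/scan",
    "report generation": "http://vm.example.invalid/api/report",  # violates policy
}


def build_client_context(min_bits=MIN_CIPHER_BITS):
    """Client-side TLS context that only offers AES-GCM suites and refuses
    anything below min_bits. Assumption: the linked OpenSSL no longer ships
    SSLv3, so TLS 1.2 is used as the minimum protocol instead."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("AESGCM")  # OpenSSL cipher-list keyword: AES in GCM mode only
    weak = [c["name"] for c in ctx.get_ciphers() if c["alg_bits"] < min_bits]
    if weak:
        raise ValueError("context still offers weak suites: %s" % weak)
    return ctx


def offered_cipher_bits(ctx):
    """Smallest symmetric key size among the suites the context will offer."""
    return min(c["alg_bits"] for c in ctx.get_ciphers())


def find_violations(interactions):
    """Return the interaction names that are not plain HTTPS URLs."""
    violations = {"clear_text": [], "other_scheme": []}
    for name, url in interactions.items():
        scheme = urlparse(url).scheme.lower()
        if scheme == "http":
            violations["clear_text"].append(name)
        elif scheme != "https":
            violations["other_scheme"].append(name)
    return violations


def transport_policy_ok(interactions):
    """True only if every interaction is HTTPS and a client context meeting
    the cipher floor can be built."""
    build_client_context()  # raises if the cipher floor cannot be met
    found = find_violations(interactions)
    return not (found["clear_text"] or found["other_scheme"])


if __name__ == "__main__":
    print(find_violations(SAMPLE_INTERACTIONS))
    print("policy ok:", transport_policy_ok(SAMPLE_INTERACTIONS))
```

The cipher check inspects what the client context will offer, so it also catches a misconfigured local TLS library; the URL check catches the clear-text "report generation" entry in the sample list.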
What access controls are built into the solution?
Be sure the VM solution provides hierarchical access control determined by user role and
privilege levels. A best-practice approach provides role-based access control for five
distinct roles: Manager (complete control), Unit Manager (business unit control), Scanner
(may perform scans against assets permitted by Unit Manager or Manager), Reader (only
permitted to create reports), and Contact (no access to system, email alerts only). Each
role should allow for additional configuration settings for granular permissions.
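The five-role model above is easier to evaluate when written down as an authorization decision. The following is an added example, not code from Qualys or from this white paper: the role names are the page's, while the action set, the business-unit scoping rules, the delegation function and the sample users and asset groups are this example's own assumptions.

```python
"""Role-based access control for a VM service (added example).

Roles: Manager, Unit Manager, Scanner, Reader, Contact (from the checklist).
Actions, scoping rules and the sample directory are constructed."""
from dataclasses import dataclass, replace

# Which actions each role may attempt at all. "alerts" stands for the e-mail
# notifications a Contact receives without logging in.
ROLE_ACTIONS = {
    "Manager":      {"map", "scan", "report", "manage_users", "alerts"},
    "Unit Manager": {"map", "scan", "report", "manage_users", "alerts"},
    "Scanner":      {"scan", "report", "alerts"},
    "Reader":       {"report", "alerts"},
    "Contact":      {"alerts"},
}


@dataclass(frozen=True)
class AssetGroup:
    name: str
    business_unit: str


@dataclass(frozen=True)
class User:
    name: str
    role: str
    business_unit: str = ""                   # scope for every role below Manager
    granted_groups: frozenset = frozenset()   # groups a Scanner may scan
    denied_actions: frozenset = frozenset()   # per-user granular restrictions


def authorize(user, action, group=None):
    """Decide whether user may perform action on group (None = no target)."""
    if user.role not in ROLE_ACTIONS:
        raise ValueError("unknown role: %s" % user.role)
    if action not in ROLE_ACTIONS[user.role] or action in user.denied_actions:
        return False
    if group is None or user.role == "Manager":
        return True                                # Manager has complete control
    if group.business_unit != user.business_unit:
        return False                               # never cross business-unit lines
    if user.role == "Scanner" and action == "scan":
        return group.name in user.granted_groups   # only explicitly permitted assets
    return True


def grant_scan(grantor, scanner, group):
    """A Manager or Unit Manager permits a Scanner to scan one asset group.
    The grantor can only hand out access it holds itself, so a Unit Manager
    cannot expose another unit's assets."""
    if grantor.role not in ("Manager", "Unit Manager") or scanner.role != "Scanner":
        raise PermissionError("only managers grant, only scanners receive")
    if not authorize(grantor, "scan", group):
        raise PermissionError("%s may not scan %s" % (grantor.name, group.name))
    if scanner.business_unit != group.business_unit:
        raise PermissionError("scanner is outside the group's business unit")
    return replace(scanner, granted_groups=scanner.granted_groups | {group.name})


def can_grant(grantor, scanner, group):
    """Boolean form of grant_scan for reporting and testing."""
    try:
        grant_scan(grantor, scanner, group)
        return True
    except PermissionError:
        return False


# Constructed sample directory.
FIN_SERVERS = AssetGroup("fin-servers", "Finance")
FIN_DESKTOPS = AssetGroup("fin-desktops", "Finance")
HR_DESKTOPS = AssetGroup("hr-desktops", "HR")
ALICE = User("alice", "Manager")
BOB = User("bob", "Unit Manager", "Finance")
CAROL = User("carol", "Scanner", "Finance", frozenset({"fin-servers"}))
DAVE = User("dave", "Reader", "Finance")
ERIN = User("erin", "Contact", "Finance")

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE, ERIN):
        print(u.name, "scan fin-servers:", authorize(u, "scan", FIN_SERVERS))
```

The point to test when trialling a product is the same one the code makes explicit: a Unit Manager's grants must be bounded by the Unit Manager's own scope, and a Reader or Contact must not be able to launch a scan no matter how the granular settings are configured.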
How does the solution protect vulnerability scan data?
Require that vulnerability data is encrypted and securely stored in a separate "instance" of
a secure database. The encryption algorithm, key, and unlocking process need to be
robust: never written to disk in clear text, and never stored anywhere other than temporarily
in system memory during the authentication / decryption phase at login.
Scalability / Ease of Use
What does it mean to say a VM solution can scale?
When using a software-based product, scalability is bound by the infrastructure you
purchase, operate and maintain to run the product. Make sure you understand any
limitations. SaaS provides you with no boundaries in scale. It can perform external
network discovery and vulnerability scans in the largest enterprise network environment.
You should be able to scan every device with an IP, every day.
How does the VM solution scale to handle my network size?
Efficiently processing a large-scale network discovery and vulnerability scan is unfeasible
without intelligent scanning. Make sure the system has intelligent scanning so it can
correlate the map it creates of your network devices and their operating systems with all
known vulnerabilities that can affect each particular system. This ensures maximum
speed and quality in assessing your network for vulnerabilities while minimizing network /
host traffic.
Is the VM solution fully automated?
Manual discovery (or mapping) and scanning is time consuming and impractical, so
automation is a must. Select a solution that lets you automatically assess your entire
network for security risks at any time and immediately measure your compliance with
external standards and controls. VM products that require too much manual intervention
are prone to human error and inaccurate results, and waste time and resources.
What level of support comes with the solution?
Vulnerability issues never sleep, so make sure the solution includes 24x7x365 support.
Support should include telephone calls, email, and comprehensive online documentation,
technical notes and FAQs. Be sure the vendor can back up support claims with an SLA.
Does the support include training?
Be sure your vulnerability management solution teaches you everything you need to know
and offers live and recorded training and certification programs. Ideally, you want to have
this all included with your subscription.
How does the solution integrate with other applications?
Interoperability with your other IT security applications is essential. The solution should
enable built-in, custom workflow for scanning and remediation with existing call center /
help desk systems such as Remedy AR System, leading SIM / SEM solutions such as
Symantec SESA V2, patch management systems such as McAfee Remediation Manager,
and Cisco Security Monitoring, Analysis, and Response System.
Accuracy / Performance
How accurate is the VM solution?
If the solution happens to miss a vulnerability that hackers use to compromise your
network, the answer is "Not accurate enough." If the solution inaccurately points out
issues that are not real (i.e. "false positives"), then the solution is going to overload you
with bad data and waste valuable time. Many vendors make claims of superior accuracy;
ask them to validate these claims.
Where does the VM solution get its intelligence about vulnerabilities?
Your scanning solution should leverage the industry's most comprehensive database of
vulnerabilities and correlate this info with CERT, Symantec's DeepSight, Security Focus,
Secunia, Mitre, and Seclists. Additionally, the solution should incorporate security bulletins
from Microsoft and other leading software vendors.
How does the solution update its database with the latest vulnerabilities?
Before vulnerability detection signatures are released and made public (to you as a
customer), they should be thoroughly tested. Open source-based solutions often have no
formal testing and acceptance process, so you could be using inaccurate checks. Also,
signatures for high-risk vulnerabilities need to be updated and released within hours of
public disclosure. Make sure the vendor has a credible KnowledgeBase that is updated
multiple times per day with checks for new vulnerabilities and enhancements to existing
signatures. It's critical that the entire update process be fully automated and completely
transparent to you (the customer).
Can my scan policies automatically include new vulnerability signatures?
Automating vulnerability signature updates is crucial, not just to protect your network
from the newest threats, but to ensure the continuous enforcement of corporate scan
policies for security. Check to ensure the solution handles this without human intervention.
How does the VM solution display vulnerabilities?
You will want to be sure you're kept aware of new vulnerabilities that may hit your
network. The solution should display a list of the most recent vulnerabilities added to the
KnowledgeBase. Information for each vulnerability should include a detailed description
and ways to remediate. Ideally, the list should be interactive, and enable users to query by
CVE ID, keyword or title, vendor reference, etc.
Discovery / Mapping
Is discovery / mapping a component of the solution?
The process of scanning a network for vulnerabilities has a prerequisite of knowing what's
out there to check. Vulnerabilities are specific, not general: they affect a particular
platform, operating system and service pack, application and version number, patch
version, and so forth. Make sure the solution can map all systems on your network and
correlates that information with vulnerabilities to improve and speed the processing of a
scan. An accurate inventory enables prioritization for the remediation process, and
ensures that the correct patches are selected and applied. Also, the discovery / mapping
process ensures thorough coverage of all devices on your network.
Does the solution make it easy to identify all devices on my network?
This task could be manual drudgery. Make sure the solution you choose completely
automates the process. You should be able to simply enter an IP or range of IPs, and the
system should quickly identify all the devices on your network.
What information does mapping reveal about the network?
The solution's automated mapping capability should discover all live devices on the
network. A small footprint scan needs to accurately identify the device operating system
and type of device (e.g. router, switch, access point, etc.). Ideally, the discovery process
will also report other information such as DNS name, NetBIOS name, and when the
device was last scanned.
Can the system discover "rogue" devices?
Your discovery map should show any "new" devices that are "approved" or "rogue." That
way, you have a thorough understanding of your network.
Can the solution correlate mapping data with our business units?
Mapping data should not exist in a technical vacuum. The solution should allow you to
group network inventory by logical groups or by business units, with granular information
about hardware, software, applications, services, and configurations. Access controls
allow a business unit to run maps, vulnerability scans and reports only on what it owns.
Associating mapped data with business units also helps make results actionable.
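The discovery questions above (enter a range, identify what answers, flag "rogue" devices, and group the result by business unit) come down to merging a map of live hosts with an approved-asset register. The following is an added example, not code from Qualys or from this white paper: the subnet, the discovered hosts and the register are constructed data, and the record layout is this example's own.

```python
"""Discovery map with rogue-device flagging and business-unit grouping
(added example). All hosts, addresses and units below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed result of a mapping run requested for 10.10.20.0/28: one row
# per live IP, with what a small-footprint scan reports about it.
DISCOVERED = [
    {"ip": "10.10.20.1", "os": "Cisco IOS",      "type": "router",       "dns": "gw.corp.example"},
    {"ip": "10.10.20.5", "os": "Windows Server", "type": "server",       "dns": "fin-db.corp.example"},
    {"ip": "10.10.20.7", "os": "Linux",          "type": "server",       "dns": "hr-web.corp.example"},
    {"ip": "10.10.20.9", "os": "Linux",          "type": "access point", "dns": ""},
    {"ip": "10.10.99.3", "os": "Linux",          "type": "server",       "dns": "stray.corp.example"},
]

# Constructed approved-asset register, keyed by IP, with the owning unit.
APPROVED = {
    "10.10.20.1":  {"unit": "Network", "owner": "netops"},
    "10.10.20.5":  {"unit": "Finance", "owner": "dba"},
    "10.10.20.7":  {"unit": "HR",      "owner": "webteam"},
    "10.10.20.11": {"unit": "Finance", "owner": "dba"},   # approved but not live
}


def build_map(target, discovered, approved):
    """Merge discovery output with the register for every IP inside target.
    Results outside the requested range are dropped rather than trusted."""
    net = ipaddress.ip_network(target, strict=False)
    rows = []
    for host in discovered:
        ip = ipaddress.ip_address(host["ip"])
        if ip not in net:
            continue
        record = approved.get(str(ip))
        rows.append({**host,
                     "status": "approved" if record else "rogue",
                     "unit": record["unit"] if record else None})
    return sorted(rows, key=lambda r: ipaddress.ip_address(r["ip"]))


def rogue_devices(rows):
    """IPs that answered but appear in no business unit's approved list."""
    return [r["ip"] for r in rows if r["status"] == "rogue"]


def missing_devices(target, rows, approved):
    """Approved IPs inside target that did not answer: stale register entries
    or hosts that were down when the map ran."""
    net = ipaddress.ip_network(target, strict=False)
    seen = {r["ip"] for r in rows}
    return sorted(ip for ip in approved
                  if ipaddress.ip_address(ip) in net and ip not in seen)


def by_business_unit(rows):
    """Group the map so each unit can act only on what it owns."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["unit"] or "unassigned"].append(r["ip"])
    return dict(groups)


if __name__ == "__main__":
    rows = build_map("10.10.20.0/28", DISCOVERED, APPROVED)
    print("rogue:", rogue_devices(rows))
    print("missing:", missing_devices("10.10.20.0/28", rows, APPROVED))
    print(by_business_unit(rows))
```

Two details matter when comparing products: a device outside the requested range (the stray 10.10.99.3 row) should not be silently folded into the map, and an approved address that did not answer should be reported separately from a rogue one, since each calls for a different follow-up.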
Scanning
What are the top things to look for in a vulnerability scanner?
The goal of scanning is to find and fix network vulnerabilities. A scanner tests the
effectiveness of security policy and controls in your infrastructure. To do this, it must
systematically test and analyze IP devices, services and applications for known security
holes. It also must provide a report of actual vulnerabilities discovered and state what you
need to fix in order of priority without jeopardizing the stability of devices.
Do I have to manually launch each scan?
In addition to manual control, the solution should allow you to pre-schedule scans that run
automatically without human intervention.
Does the solution support external and internal scans ... with all data in
one place and without poking a hole in my firewall?
These options refer to scanning devices that are outside the firewall as opposed to
configuration inside the firewall. The solution needs to have a secure methodology to
carry out perimeter scanning of external-facing IPs. The solution needs to understand the
whole network and should be able to map domains and scan IPs behind the firewall. The
devices required for internal scanning must be attack-resistant by using a hardened OS
kernel and by not running background services or daemons that are exposed to the
network. The internal devices should automatically download software updates, new
vulnerability signatures, and process job requests, all in a secure and reliable manner.
Is the solution able to "turbocharge" scanning speed?
Large enterprises can benefit by using a VM solution that optimizes the rate of scanning
without overloading the network. For example, QualysGuard uses a scanner
parallelization feature that increases scan speed by up to four times while maintaining
scan accuracy. The feature distributes a scan process to multiple Scanner Appliances in a
particular asset group. Upon completion, results are combined into a single report.
What about scanning networks owned by my business partners?
Electronic business processes are often intertwined with business partners. Unfortunately,
their networks can be a conduit for vulnerability exploits so it's crucial to scan them all.
Some regulations for security compliance require partners to verify scanning, or your
organization must do it for them. Your solution should be flexible enough that you can
quickly scan any Internet-facing IP or range of IPs so you can use it to scan partner
networks, just like your own.
Does the scanner support "trusted scanning"?
The Windows Authentication feature enables Windows trusted scanning. As a result, your
VM solution needs to fully support trusted scanning for Windows, and for UNIX, Oracle
and SNMP systems. This will allow you to gather more system intelligence on target
hosts, increasing the number of vulnerabilities that can be found by a scanner. Trusted
scanning is a mandatory requirement for compliance scans.
Reporting
What types of reports does the solution provide?
Reporting is a critical feature of a VM solution because it is used to guide remediation
efforts. Network scanners are of little use if the reporting does not help you achieve your
security and compliance objectives in a timely and cost-effective manner. The reporting
functionality needs to be both flexible and comprehensive. Reporting components should
include network assets (IPs and/or Asset Groups), graphs and charts showing overall
summaries and network security status, trending analysis, detailed information about
discovered vulnerabilities, and filtering and sorting options for custom views of the data.
What "canned" out-of-box reports are provided by the solution?
The solution should provide default reports that meet typical requirements of most
organizations. Scorecard reports are also critical as they can help you quickly isolate
Asset Group Vulnerabilities, Ignored Vulnerabilities, Most Prevalent Vulnerabilities, Most
Vulnerable Hosts, and provide you with a Patch Report. Look for solutions that include
Executive Level, Technical, Risk Matrix, and SANS20 reports. If you have specific
compliance requirements (e.g. Payment Card Industry), ask about pre-built reports to
meet these requirements.
What are the solution's template- and custom-reporting capabilities?
How does solution reporting rank vulnerabilities?
The solution should assign severity rankings based on industry standards such as CVE
and NIST. Vulnerabilities should be tagged to differentiate criticality. For example: Level 1
is minimal severity, Level 2 is medium, Level 3 is serious, Level 4 is critical, and Level 5 is
urgent.
Can the solution share reports with designated people?
To reduce duplication in work effort, the solution should systematically provide a report
distribution capability. This functionality should include collaboration and sharing of
vulnerability status reports. Look for solutions that incorporate the ability to distribute and
view reports determined by a user's assigned role.
What formats does the solution provide for external report applications?
The VM solution should provide flexible output options for custom use. The solution
should allow scan report data to be exported to external applications in PDF, Compressed
HTML (zipped), Web Archive (MHT, for Internet Explorer only), CSV and XML.
Is there capability for trend analysis and differential reporting?
For strategic vulnerability management, the solution must include ability to analyze trends
and compare scan result data over time. For example, trend data should be presented for
a specific number of days, weeks, or months. A differential report can present the last two
scan detections of a specific group of assets. As you will want to compare results over
time, you need to pick and compare sets of scans from any point in time.
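The differential and trend reporting described above can be evaluated against a small scan history: a differential report is a per-host set difference between two dated scans, and a trend is the finding count per scan date inside a window. The following is an added example, not code from Qualys or from this white paper; the scan history, hosts and vulnerability ids are constructed placeholders and the report layout is this example's own.

```python
"""Differential and trend reporting over a scan history (added example).
Dates, hosts and vulnerability ids are constructed placeholders."""
from datetime import date, timedelta

# Constructed history: scan date -> {host: set of vulnerability ids found}.
# A host present with an empty set was scanned and came back clean.
SCANS = {
    date(2024, 1, 1):  {"10.0.0.5": {"V-1", "V-2"}, "10.0.0.7": {"V-3"}},
    date(2024, 1, 8):  {"10.0.0.5": {"V-2"},        "10.0.0.7": {"V-3", "V-4"}},
    date(2024, 1, 15): {"10.0.0.5": {"V-2", "V-5"}, "10.0.0.7": set()},
}
SCAN_DATES = sorted(SCANS)


def differential(before, after):
    """Per host: what appeared, what was fixed, and what is still present
    between two scan results. A host missing from one side is treated as
    having no findings there."""
    report = {}
    for host in sorted(set(before) | set(after)):
        b, a = before.get(host, set()), after.get(host, set())
        report[host] = {"new": sorted(a - b),
                        "fixed": sorted(b - a),
                        "persistent": sorted(a & b)}
    return report


def compare(scans, first, second, asset_group=None):
    """Differential between any two dated scans, optionally restricted to an
    asset group given as a set of hosts."""
    def restrict(result):
        return {h: v for h, v in result.items()
                if asset_group is None or h in asset_group}
    return differential(restrict(scans[first]), restrict(scans[second]))


def latest_two(scans, asset_group=None):
    """The last two detections for a group of assets, as the text describes."""
    dates = sorted(scans)[-2:]
    if len(dates) < 2:
        raise ValueError("need at least two scans to compare")
    return compare(scans, dates[0], dates[1], asset_group)


def trend(scans, weeks, as_of):
    """Total findings per scan date inside a trailing window of `weeks`."""
    start = as_of - timedelta(weeks=weeks)
    return [(d.isoformat(), sum(len(v) for v in result.values()))
            for d, result in sorted(scans.items()) if start <= d <= as_of]


if __name__ == "__main__":
    print(latest_two(SCANS))
    print(trend(SCANS, weeks=2, as_of=SCAN_DATES[-1]))
```

When evaluating a product's differential report, confirm how it treats a host that was not scanned on one of the two dates; silently reporting its findings as "fixed" would hide coverage gaps, which is why the example keeps the clean-but-scanned case (an empty set) distinct from an absent host.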
Are there reports to help us comply with PCI, HIPAA, SOX and other
regulations?
Compliance can be a major headache for IT departments that must produce
documentation to prove an organization has implemented appropriate and effective
security controls required by various laws and business regulations. Look for solutions
that include these compliance reporting capabilities with easy-to-use templates that allow
you to extract vulnerability and host configuration data to meet your specific reporting
requirements.
Can the solution work with other Security Information Management
technologies?
Many large organizations already use SIM / SEM solutions. Look for solutions that support
numerous related integrations including ArcSight, Guardednet, NetForensics, Network
Intelligence, Open Systems, Symantec SIM 4.0, NetIQ, Cisco MARS/Protego,
Intellitactics, and eSecurity.
Remediation
Why integrate remediation with a vulnerability scanner?
Discovering assets, scanning for vulnerabilities, and reporting are critical pieces of VM,
but the end goal is to fix and eliminate vulnerabilities. You will want to select a solution
that integrates an automated remediation ticketing tracking system. The system
automatically tracks changes in vulnerabilities detected after remediation to ensure the
workflow process reaches a successful conclusion.
How does the solution implement remediation policy?
There needs to be authorized policy control governing any remediation workflow. The
solution should have menus that allow you to easily create remediation policies that
determine how tickets will be created and to whom tickets will be assigned. Make sure the
system enables rules and permissions that are determined by user roles.
Is there a particular order in which the system schedules remediation?
Fixing vulnerabilities in order of severity makes logical sense. However, you also need a
system that enables you to factor in the criticality of assets that need to be patched. The
solution needs intelligent capabilities to prioritize remediation via policies determined by
managers. The policies allow you to automatically prioritize remediation by factoring
severity of the vulnerability against business impact, i.e. how exploitation would affect
operations of a particular asset, a business unit, or even the entire business operations.
What happens when a ticket is generated?
If using trouble-ticketing and workflow within your VM solution make sure that it can
automatically generate a ticket when a vulnerability is detected by a scan. Based on
predetermined policy, the ticket should be assigned to a designated person(s) for
remediation. The ticket should be classified as "open" until fixed. The classification
changes to "closed" after a subsequent scan verifies elimination of the vulnerability.
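The remediation workflow described above (a ticket opened per detection, assigned by policy, prioritized by severity weighed against asset criticality, and closed only when a later scan verifies the fix) is shown below as an added example. It is not code from Qualys or from this white paper: the 1 to 5 severity levels are the checklist's, while the asset impact scale, the priority formula (severity multiplied by impact), the assignment policy and the scan data are this example's own assumptions.

```python
"""Remediation ticketing with policy-driven assignment and priority
(added example). Assets, policy and scan results are constructed."""
from dataclasses import dataclass

SEVERITY_LABEL = {1: "minimal", 2: "medium", 3: "serious", 4: "critical", 5: "urgent"}

# Constructed asset register: host -> (business unit, business impact 1-5).
ASSETS = {"10.0.0.5": ("Finance", 5), "10.0.0.7": ("HR", 2)}
# Constructed remediation policy: which team owns tickets for each unit.
POLICY = {"Finance": "dba-team", "HR": "web-team"}

# Constructed scans: host -> {vulnerability id: severity}. A host scanned and
# found clean appears with {}; a host absent from the dict was not scanned.
SCAN_1 = {"10.0.0.5": {"V-1": 3, "V-2": 5}, "10.0.0.7": {"V-3": 4}}
SCAN_2 = {"10.0.0.5": {"V-2": 5}}  # 10.0.0.7 was not rescanned


@dataclass
class Ticket:
    ticket_id: int
    host: str
    vuln: str
    severity: int
    priority: int
    assignee: str
    status: str = "open"


class TicketQueue:
    def __init__(self, assets, policy, default_assignee="security-team"):
        self.assets = assets
        self.policy = policy
        self.default_assignee = default_assignee
        self.tickets = []

    def _priority(self, host, severity):
        """Severity weighed against the asset's business impact (assumed formula)."""
        if severity not in SEVERITY_LABEL:
            raise ValueError("severity must be 1-5")
        _, impact = self.assets.get(host, ("", 1))
        return severity * impact

    def _assignee(self, host):
        unit, _ = self.assets.get(host, ("", 1))
        return self.policy.get(unit, self.default_assignee)

    def open_ticket_for(self, host, vuln):
        return next((t for t in self.tickets
                     if t.status == "open" and t.host == host and t.vuln == vuln), None)

    def process_scan(self, scan):
        """Open a ticket per new detection; close tickets whose vulnerability
        is no longer detected, but only on hosts that were actually rescanned."""
        for host, findings in scan.items():
            for vuln, severity in findings.items():
                if self.open_ticket_for(host, vuln) is None:
                    self.tickets.append(Ticket(len(self.tickets) + 1, host, vuln, severity,
                                               self._priority(host, severity),
                                               self._assignee(host)))
            for t in self.tickets:
                if t.status == "open" and t.host == host and t.vuln not in findings:
                    t.status = "closed"  # verified gone by a subsequent scan
        return self

    def open_by_priority(self):
        """Work list: highest priority first, older ticket first on ties."""
        return sorted((t for t in self.tickets if t.status == "open"),
                      key=lambda t: (-t.priority, t.ticket_id))


if __name__ == "__main__":
    q = TicketQueue(ASSETS, POLICY).process_scan(SCAN_1)
    for t in q.open_by_priority():
        print(t.ticket_id, t.host, t.vuln, SEVERITY_LABEL[t.severity], t.priority, t.assignee)
    q.process_scan(SCAN_2)
    print([(t.ticket_id, t.status) for t in q.tickets])
```

Note how the ordering differs from plain severity: the Level 3 finding on the high-impact Finance host outranks the Level 4 finding on the low-impact HR host, and the HR ticket stays open after the second scan because that host was never rescanned, so nothing has verified the fix.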
Does the solution's ticketing function integrate with external systems?
Helpdesks in large organizations already use a trouble-ticketing system. As a result, be
sure the VM solution can integrate with third-party ticketing systems via a dedicated
"ticketing API," which provides a programmatic XML-based interface for ticket extraction
and manipulation. For example, QualysGuard provides built-in integration with the
Remedy Help Desk system and has a dedicated "ticketing API" to integrate with other
trouble-ticketing solutions.
How does the solution manage remediation efforts?
A large network often has many remediation tickets open at any point in time. A manager
needs to understand the progress and compliance with remediation policy by running a
remediation report. Be sure your VM solution includes Executive reporting on tickets,
Tickets-per-Vulnerability, Tickets-per-User, and Tickets-per-Asset Group. Users and
managers will want to perform trend analysis on open tickets so they can monitor
progress. Also, look for solutions that allow you to receive daily remediation ticket
updates via email.
Policy Compliance
Why integrate policy compliance with the VM solution?
Policy compliance capability links VM with corporate security policies, laws, and
regulations. In particular, this capability allows you to automatically document and audit
compliance to internal and external auditors, saving time, money, and lots of manual
effort. If this is important to you, look for solutions that have this capability.
How is the solution used by auditors?
In-house and third-party auditors require access to VM data to complete their
responsibilities. Look for solutions that enable you to grant auditors access to compliance-
management features.
Does the solution segregate assets for compliance?
Most laws and regulations affecting network security entail a subset of assets, such as
Sarbanes-Oxley's requirement to protect only systems used for financial reporting, or
PCI's requirement to protect only systems used for processing or transmitting payment
cardholder data. Be sure your VM solution allows you to assign specific assets to groups
associated with specific policy requirements.
What policies and controls does the solution support?
Controls are created based on CIS and NIST standards and mapped to frameworks and
regulations such as COBIT, ISO and ITIL. Controls are the building blocks for compliance
policies, which are collections of controls pertaining to one or more technologies in your
environment. Each control in the policy includes a statement of how the technology-
specific item should be implemented, and one or more checks performed by the solution
to validate the control. Look to select a solution that supports all these factors.
Can the solution support existing policies?
Verify that the VM solution you select includes a Policy Library with controls that you can
import directly to your account and use for compliance reporting. Controls should be
classified by technology, compliance framework or regulation, and compliance check type.
Once imported, you should be able to edit the controls to tweak control values and
technologies to best suit the needs of your organization.
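The two answers above describe a control as a statement plus one or more checks, tagged by technology and framework, imported from a library and then tweaked to the organization's values. The following is an added example of that structure, not code from Qualys or from this white paper: the three sample controls, their framework tags, the host configuration data and the pass/fail rules are constructed assumptions.

```python
"""Policy library and control evaluation (added example).
Controls, framework tags and host data below are constructed."""
from dataclasses import dataclass, replace
from typing import Any, Callable


@dataclass(frozen=True)
class Control:
    cid: str
    technology: str          # host technology the control applies to
    statement: str           # how the item should be implemented
    frameworks: tuple        # frameworks/regulations this control maps to
    setting: str             # configuration key the check reads
    expected: Any            # value the organisation may tweak after import
    check: Callable[[Any, Any], bool]   # (actual, expected) -> compliant?


# Constructed policy library. Framework tags are illustrative only.
POLICY_LIBRARY = [
    Control("CTRL-001", "OpenSSH", "Root may not log in directly over SSH",
            ("ISO", "PCI"), "PermitRootLogin", "no", lambda a, e: a == e),
    Control("CTRL-002", "Linux", "Minimum password length is enforced",
            ("ISO", "COBIT"), "PASS_MIN_LEN", 12, lambda a, e: a >= e),
    Control("CTRL-003", "Windows Server", "Account lockout threshold is set",
            ("PCI",), "LockoutThreshold", 10, lambda a, e: 0 < a <= e),
]

# Constructed host configuration data, as a trusted compliance scan would
# collect it: host -> technology -> settings.
HOSTS = {
    "fin-db": {"Windows Server": {"LockoutThreshold": 0}},
    "hr-web": {"Linux": {"PASS_MIN_LEN": 12}, "OpenSSH": {"PermitRootLogin": "yes"}},
}


def import_controls(library, technology=None, framework=None):
    """Select controls from the library by technology and/or framework."""
    return [c for c in library
            if (technology is None or c.technology == technology)
            and (framework is None or framework in c.frameworks)]


def tweak(control, **changes):
    """Adjust an imported control (e.g. a stricter expected value) without
    touching the library copy."""
    return replace(control, **changes)


def evaluate(policy, hosts):
    """Run every control against every host. Per control: 'pass', 'fail',
    or 'n/a' when the host lacks the technology. A missing setting counts as
    'fail' because compliance cannot be demonstrated from the data."""
    results = {}
    for host, techs in hosts.items():
        results[host] = {}
        for c in policy:
            if c.technology not in techs:
                results[host][c.cid] = "n/a"
                continue
            actual = techs[c.technology].get(c.setting)
            ok = actual is not None and c.check(actual, c.expected)
            results[host][c.cid] = "pass" if ok else "fail"
    return results


def failing_controls(results):
    """Controls with at least one failing host, for the audit summary."""
    return sorted({cid for per_host in results.values()
                   for cid, status in per_host.items() if status == "fail"})


if __name__ == "__main__":
    print(evaluate(POLICY_LIBRARY, HOSTS))
    stricter = [tweak(c, expected=14) if c.cid == "CTRL-002" else c
                for c in POLICY_LIBRARY]
    print(failing_controls(evaluate(stricter, HOSTS)))
```

Raising the expected password length from 12 to 14 is the kind of tweak the text refers to; because the control is copied rather than edited in place, the library's reference value is preserved for later audits.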
How does the solution provide a protected audit trail?
Auditors will suspect (and likely reject) any vulnerability data that can be manipulated by
your organization. Make sure the solution does not allow users to have direct access to
vulnerability data other than on a "read-only" basis. Be sure to 100% verify that your
organization's vulnerability data is fully protected, and isolated, from any external
manipulation.
Management
How does the solution allow you to manage assets?
Asset grouping enables organizing assets by groups and business units, assigning them
impact levels, and so forth. This feature is critical in the solution you choose. Be sure the
solution has great flexibility and fine-grained accuracy in vulnerability scanning,
remediation, and reporting.
How does the solution allow you to manage users?
The process of managing users of the VM solution essentially assigns various levels of
role-based access rights to execute device maps, vulnerability scans, create policies,
manage remediation, and govern policy compliance. Make sure the solution is robust and
enables you to manage users (in granular detail) effectively.
How does the solution work with complex network configurations?
With IT, complexity often slows processing and delays the completion of otherwise
straightforward operations. Test the VM solution's asset- and people-management
capabilities. Verify that the solution makes it easy to segment your network for efficient,
accurate VM.
Is there any system maintenance required, such as patching scanner
software?
The VM solution you choose could add to your continuous burden of patching software, or
not. Look for SaaS-based solutions as they utilize an on-demand platform and handle all
patching and system updates automatically. Make sure there's nothing for you to
download, install, update, or maintain ... even to internal Scanner Appliances. You should
get the most up-to-date VM solution every time you use your solution.
What actions are required to manage activity by auditors?
The demands of an auditing team can be challenging. The VM solution you select
should enable a Manager or Unit Manager to simply create Auditor user accounts for
authorized people conducting an audit. You probably do not want Auditors running
compliance scans, but they should be able to define policies and run reports based on
compliance scan data.
Cost
What are the costs of doing VM with traditional software solutions?
Understand your complete costs with the various VM solutions you're evaluating. Be sure
to calculate the true, total cost of ownership. Using a software-based VM solution entails
many costs: the software itself requires license, annual support and maintenance fees.
Users and administrators must be trained. There is the people-intensive process of getting
departmental approvals, configuring, and fine-tuning the applications. Maintenance and
partitioning of a database is required, plus encryption for securing data. Supporting and
maintaining the applications requires staff to test and install updates and new signatures,
conducting scans and remediation. Finally, there is the cost of servers, appliances,
storage infrastructure, and disaster recovery.
Isn't it cheaper to hire a consultant?
Consultants can be a great resource, but their work is usually focused on a penetration
test, which simply finds vulnerabilities at a single point in time. Paying consultants to do
regular, ongoing vulnerability assessments quickly becomes too expensive compared to
other solutions. Consultants can best be utilized to augment your security department's
expertise and assist in remediating issues that are uncovered in the VM process.
Can I save money by using free, open-source software?
Using free, open source software can be tempting but in the long run, you need to factor
in the real costs and overall effectiveness of such a choice. The obvious drawbacks such
as questionable quality of code, potential injection of vulnerabilities via untested open
source modules, and skimpy training and support should weigh heavily in your decision.
Obviously, you still must pay for the traditional costs of using software noted above.
Does using commercial VM software offer a more cost-efficient option?
Commercial software is more likely to be higher quality than open source software, plus it
has better training and support. It carries the extra annual costs of license, annual
support, and maintenance. It also requires you to pay for all the usual requirements of
using software noted above.
How does Software-as-a-Service lower the costs of VM?
SaaS is the most cost-efficient way to do VM. With SaaS, a third party, such as
QualysGuard, runs the application on a secure Internet web server, which users operate
and control on demand with a web browser. You save money by paying a periodic
subscription fee, instead of paying for software, regular updates, and ongoing
maintenance.
From an operational perspective, what other ways does SaaS lower
costs?
A SaaS solution such as QualysGuard is already "up and running," so it immediately
deploys no matter how large and complex the infrastructure. There are no agents to install
or other software to deploy anywhere in the infrastructure. QualysGuard also provides an
API for simple, rapid integration with enterprise network management platforms.
Aside from deployment savings, isn't SaaS just as expensive as using
software?
A SaaS solution such as QualysGuard provides more cost efficiency than software
because it's a hosted solution. Updates to software and vulnerability signatures are
automatic and instant for the entire enterprise. Collation of vulnerability data is automatic,
so you get instant enterprise-wide views of your security posture.
What are the "soft costs" lowered by SaaS?
There are many areas for additional savings. Deployment of software to nationally- or
internationally-dispersed business units often requires onsite help or professional
services; SaaS deployment is instant. Scaling software requires more hardware
infrastructure; SaaS is instantly and infinitely scalable without requiring users to deploy
more hardware. Compliance with corporate encryption policy using software can be
complex; with SaaS, encryption is automatic. Interoperability of software solutions often
requires extensive customization; QualysGuard's built-in XML-based API plugs immediately
into any application using this universal standard.
Solution Vendor
What is the solution provider's business history and market strength?
Make sure you're selecting a market leader that focuses on vulnerability management.
Look at resources from analysts such as Gartner and Forrester to see what they have to
say about the company and solution. Read case studies and review their references. The
company should have a solid reputation and a proven track record.
What is the solution provider's VM product line?
A provider that focuses on VM solutions usually can offer breadth and depth of their
product offerings. Make sure the solution fits your specific need. In other words, make
sure the solution is scalable, robust enough, easy-to-use and cost-effective.
Who are some of the solution provider's customers?
Look to see how many customers are using the solution ... and what they have to say
about it. Does the company openly provide case studies and testimonials of brand-name
market leaders that are using the solution? Are these companies actually using the VM
solution? Check references and ask to speak with customers that may be in your industry.
Who are some of the solution provider's partners?
Who does the company work with? Integrate with? See if the solution integrates with
leading security solutions and technologies in Security Information & Event Management
(ArcSight, Cisco, netForensics, Network Intelligence, Novell, StillSecure, 1Labs,
Symantec); Patch Management ( Citadel), Help Desk Ticketing Systems (CA Service
Center, BMC Magic Service Desk, HP Service Desk, Bugzilla and others); Risk
Management (Redseal, Skybox); Network Access Control (MetaInfo); IDS/IPS (Neon
Software, ForeScout); Network Patching (BlueLane); Network Behavior Analysis (Mazu
Networks); Security Policy Management (Archer Technologies, McAfee); Penetration
Testing (Core Security Technologies).
What recent awards has the vendor won for its solution?
Recent awards are another strong indicator of product quality and market penetration. For
example, a few of Qualys' recent awards include SC Magazine Awards 2008 Winner
(U.S.), Information Security Readers Choice 2008, Frost & Sullivan Best Practices Award
2008, Information Security Decisions Best in Show 2007, SC Magazine Awards 2007
Europe Winner, and Network World Clear Choice Award.
Can I get a free evaluation of the VM solution?
If you can't try it, don't buy it. You should see how the solution would work in your
environment and give it a thorough test drive. It is important to see how easy (or difficult) it
is to install, maintain, and use, across your entire organization.
Qualys provides a free 14-day trial evaluation of the fully-functional QualysGuard
solution. Start your evaluation now by logging onto:
www.qualys.com/products/trials/.