IBM Security QRadar


Vulnerability Manager Capabilities vs. External Vulnerability Scanner

  • 1.  Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Mon September 16, 2019 08:53 PM
    Hello.

    Can someone take a stab at something that is not overtly obvious from the information that is available out there on QRadar?

    From my understanding, QRadar has its own VM, which offers some capabilities to (together with QRM) find vulnerabilities and report them back on the console. However, there are external Vulnerability scanners that are available (e.g. NESSUS, Rapid7) that also provide Vulnerabilities that can be consumed by QRadar and incorporated into the console. 

    Does QRadar VM provide any capabilities that "compete" with external Vulnerability scanners? Or is it meant really to supplement an external scanner? My sense is that external scanners tend to provide up to date patch lists (for example) while the QRadar VM tends to provide information on misconfigurations of firewalls (for example). Am I understanding this correctly?

    ------------------------------
    Larry Edelstein
    ------------------------------


  • 2.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Tue September 17, 2019 10:17 AM
    In our experience QVM (the built-in scanner) is painfully slow; you will need a lot of managed hosts running scanners to scale to even a modest-sized deployment. It is also kind of slow on updating vulnerabilities, many current threats take a long time to appear.

    On the plus side, they are promising the ability to add your own OVAL tests soon and maybe integration with OpenVAS.

    I guess your mileage may vary. Hope this helps. 

    Dan Sichel

    ------------------------------
    Daniel Sichel
    ------------------------------



  • 3.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Wed September 18, 2019 10:26 AM
    Hello,

    > It is also kind of slow on updating vulnerabilities, many current threats take a long time to appear.

    Yep, that's sad but true. For example the plugin for CVE-2019-11510 aka ID 230769 (Pulse VPN RCE):
    1. Published in May 2019
    2. Nessus plugin in May 2019 (the version of Pulse VPN can easily be queried via HTTP ...)
    3. Exploit published in August 2019, reported exploitation in the internet
    4. QVM plugin published on 11th Sept 2019

    Can't find a better term than "useless".

    ------------------------------
    Arnim Rupp
    ------------------------------



  • 4.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Tue September 17, 2019 05:40 PM
    Hi Larry,
    Most shops have VA Scan technology in place and simply import scan results into QRadar for population of assets/vulnerabilities in the QRadar Asset DB for correlation enrichment (e.g., server vulnerable to exploit, etc...). There is no additional cost to do so and the configuration guide (PDF) to do so is here: https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/b_vuln.pdf?origURL=SS42VS_DSM/b_vuln.pdf

    For shops that do not have a VA scanner in place, but have QRadar, there is a QVM add-on module and scan licenses to enable VA scanning from QRadar managed hosts. This add-on also enables a Vulnerabilities tab that provides enhanced searching/reporting, enables an integration app from the App Exchange, adds a dashboard, etc... QVM options can be scoped/priced by your QRadar team.

    Lastly, QRadar Risk Manager (QRM) is what you describe in your last paragraph and is a separate managed host/VM capability that models network topology and FW configuration to determine whether a vulnerable asset is reachable. This aids in risk prioritizing patching and other remediation. There are other use cases supported, but this is the high level. QVM & QRM were combined into a single license some time ago, and scan licenses can be added if that capability is also required.

    Hope that helps a bit,
    Kelly

    ------------------------------
    Kelly Abbott
    ------------------------------
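As an added illustration of the "correlation enrichment" described in the reply above (server vulnerable to exploit), here is a small Python script written for this thread. It is not QRadar's import logic, nor any vendor's API: it indexes a constructed CSV scanner export into a per-asset vulnerability map, then enriches constructed IDS-style events with a status and a triage priority, treating never-scanned assets and stale scans as "cannot rule it out" rather than "safe". The CSV layout, the event dictionaries, the `CVE-0000-*` ids, the IPs and the 30-day staleness threshold are all assumptions made for the example.

```python
"""Enrich exploit-attempt events with imported vulnerability scan results.

Added example for this thread; not QRadar's own code or API.
All data below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed scanner export (generic CSV shape, not a real vendor format).
# CVE-2019-11510 is the Pulse VPN issue mentioned in the thread;
# CVE-0000-0001 / CVE-0000-0002 are placeholder ids, not real CVEs.
SCAN_EXPORT = """\
ip,hostname,cve,severity,scanned_at
10.0.1.10,vpn-gw-01,CVE-2019-11510,critical,2019-09-10
10.0.1.10,vpn-gw-01,CVE-0000-0001,high,2019-09-10
10.0.2.20,web-01,CVE-0000-0002,critical,2019-06-01
"""

# Constructed IDS-style events; "cve" is the CVE the signature is tied to.
EVENTS = [
    {"ts": "2019-09-12", "src": "203.0.113.5", "dst": "10.0.1.10",
     "cve": "CVE-2019-11510", "sig": "exploit attempt (VPN)"},
    {"ts": "2019-09-12", "src": "203.0.113.9", "dst": "10.0.2.20",
     "cve": "CVE-2019-11510", "sig": "exploit attempt (VPN)"},
    {"ts": "2019-09-12", "src": "198.51.100.7", "dst": "10.0.2.20",
     "cve": "CVE-0000-0002", "sig": "exploit attempt (web)"},
    {"ts": "2019-09-12", "src": "198.51.100.7", "dst": "10.0.3.30",
     "cve": "CVE-0000-0002", "sig": "exploit attempt (web)"},
    {"ts": "2019-09-12", "src": "198.51.100.8", "dst": "10.0.1.10",
     "cve": "CVE-0000-0002", "sig": "exploit attempt (web)"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def load_scan_export(text):
    """Index a scanner CSV export as {ip: {cve: row}} (the 'asset DB')."""
    assets = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(text)):
        assets[row["ip"]][row["cve"]] = row
    return dict(assets)


def enrich_event(event, assets, stale_after_days=30):
    """Attach vulnerability status and a triage priority (1 = most urgent).

    unknown-asset         : target never scanned, cannot be ruled out
    vulnerable            : scanner reported the exact CVE on the target
    unverified-stale-scan : CVE not reported, but the last scan is too old
    not-vulnerable        : recent scan, CVE not present
    """
    event_day = date.fromisoformat(event["ts"])
    host = assets.get(event["dst"])
    if host is None:
        return {**event, "hostname": None,
                "status": "unknown-asset", "priority": 3}

    hostname = next(iter(host.values()))["hostname"]
    last_scan = max(date.fromisoformat(r["scanned_at"]) for r in host.values())
    stale = (event_day - last_scan) > timedelta(days=stale_after_days)

    finding = host.get(event["cve"])
    if finding is not None:
        sev = SEVERITY_RANK.get(finding["severity"].lower(), 0)
        status, priority = "vulnerable", (1 if sev >= 3 else 2)
    elif stale:
        status, priority = "unverified-stale-scan", 3
    else:
        status, priority = "not-vulnerable", 4
    return {**event, "hostname": hostname, "status": status, "priority": priority}


def triage(events, assets, stale_after_days=30):
    """Enrich every event and return them ordered by priority (stable sort)."""
    enriched = [enrich_event(e, assets, stale_after_days) for e in events]
    return sorted(enriched, key=lambda e: e["priority"])


if __name__ == "__main__":
    assets = load_scan_export(SCAN_EXPORT)
    for e in triage(EVENTS, assets):
        print(f'P{e["priority"]} {e["status"]:22} {e["dst"]:10} {e["cve"]} {e["sig"]}')
```

The design choice worth noting is that the absence of a finding is only treated as "not vulnerable" when the asset has a recent scan; an event against an unscanned host or a host whose last scan predates the staleness window is kept at an investigate-level priority, which is exactly the gap an unscanned VLAN or a failed authenticated scan would otherwise hide.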



  • 5.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Wed September 18, 2019 02:55 AM
    Hi Larry

    We have been using QVM for 2.5 years now. Therefore, I can say that we already have a lot of experience with this module.

    First, the look and feel has not changed in these 2.5 years. If you expect a modern VM tool, then you should look around the competition. It is positive that you only have to serve one platform from one vendor. The asset database in QRadar is also supplied with the vulnerability results, so there are more possibilities in the SIEM area. However, this strength is also a weakness.

    We have about 28 scanners in use (managed hosts) and a dedicated scan processor. Thus, 29 managed hosts are connected to QRadar. With each deploy of the qradar console long waiting times are possible, or a deployment cannot be carried out, if a managed host does not react.

    The scans take relatively long. At least if you scan with authentication. Since update 7.3.2 Patch 2 the scan performance has improved by 50%. The long scan duration is not necessarily due to the scanners, but much more to the processing of the scan results on the QVM Processor.

    Something else you should know. The scanners authenticate via NTLMv2 at the Windows endpoints. If you only allow Kerberos in your company via policy, the scanners can no longer authenticate at those endpoints. For us, this means that as time goes by we get less and less insight into Windows servers. With Linux systems, we authenticate ourselves via certificate. A request for enhancement regarding this topic has been rejected.

    We also had to outsource the analysis of the scan results. This means that I export the results via API and present them on an external dashboard (Power BI).

    If you need further information regarding QVM, just ask.

    Hope I could give you some practical insight.

    David

    ------------------------------
    David Altanian
    ------------------------------



  • 6.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Wed September 18, 2019 08:38 AM
    Thank you for these responses. I guess what I am trying to determine is whether an external Vulnerability Scanner like NESSUS or RAPID7 provide additional Vulnerability data (in terms of the Vulnerabilities that they report on) over and above what QRadar VM provides. In other words, let's assume for a minute that you can be perfectly happy with the QRadar VM in terms of its performance. Can you get everything you need from it in terms of what it reports on? Or would licensing NESSUS or RAPID7 and incorporation of their output provide more info on your network/endpoint compliance?

    ------------------------------
    Larry Edelstein
    ------------------------------



  • 7.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Wed September 18, 2019 08:46 AM

    I have to admit, the results I receive from the scans are good. With active authentication I do not have many false positives. Our IT can work with the results, which we provide them via our Power BI Dashboards.
    However, we do not have comparable results with Nessus or Rapid 7. Maybe I can tell more when we start the PoC with Rapid 7 in 2020.



    ------------------------------
    David Altanian
    ------------------------------



  • 8.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Fri September 20, 2019 06:18 AM
    What we were missing is the ability to scan into many VLANs. If you have many segments with only a few hosts separated by a firewall and you want to avoid scanning through the firewall due to the many drawbacks (firewall logs, incomplete picture, and many more) it is technically possible to have the scanner connected in every VLAN, but it is not supported. We raised the RFE "Officially support of VLANs (Interface Vlan trunking) through UI (133933)" for that. Would be nice if you vote for it if you might need it as well. We think this feature will get much more important as we see the trend to segmentation (microsegmentation) in networking.

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 9.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Wed September 25, 2019 02:47 AM
    If it helps, I will gladly vote for your request. Unfortunately, I cannot access this RFE because it is set to private. Pity, I should have advertised my RFE on this platform. Mine was rejected because the effort was too great for the change. However, if more customers would request this change in the future, they would resubmit my RFE for consideration. This decision was the nail on the coffin, which is why we will use another product next year.

    ------------------------------
    David Altanian
    ------------------------------



  • 10.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Mon September 21, 2020 02:38 PM
    Hi. Can someone share the link and procedure to download QVM vulnerability database updates and how to install in offline mode.

    Thanks.

    ------------------------------
    Shahzad Ahmed
    ------------------------------



  • 11.  RE: Vulnerability Manager Capabilities vs. External Vulnerability Scanner

    Posted Tue September 24, 2019 12:04 PM
    QVM is painful.
    We've successfully implemented the QRadar/QVM connections, previously Nessus and now Qualys.
    (Actually, we briefly had SAINT & Rapid7 Nexpose connected in PoCs, also.)

    FYI,
    Troy

    ------------------------------
    Troy Barnhart
    ------------------------------