Hi Larry
We have been using QVM for 2.5 years now. Therefore, I can say that we already have a lot of experience with this module.
First, the look and feel has not changed in these 2.5 years. If you expect a modern VM tool, then you should look at the competition. It is positive that you only have to serve one platform from one vendor. The asset database in QRadar is also supplied with the vulnerability results, so there are more possibilities in the SIEM area. However, this strength is also a weakness.
We have about 28 scanners in use (managed hosts) and a dedicated scan processor. Thus, 29 managed hosts are connected to QRadar. With each deploy of the QRadar console, long waiting times are possible, or a deployment cannot be carried out if a managed host does not respond.
The scans take relatively long, at least if you scan with authentication. Since update 7.3.2 Patch 2 the scan performance has improved by 50%. The long scan duration is not necessarily due to the scanners, but much more to the processing of the scan results on the QVM Processor.
Something else you should know: the scanners authenticate via NTLMv2 to the Windows endpoints. If you only allow Kerberos in your company via policy, the scanners can no longer authenticate to those endpoints. For us, this means that as time goes by we get less and less insight into Windows servers. With Linux systems, we authenticate via certificate. A request for enhancement regarding this topic has been rejected.
We also had to outsource the analysis of the scan results. This means that I export the results via API and present them on an external dashboard (Power BI).
If you need further information regarding QVM, just ask.
Hope I could give you some practical insight.
David
------------------------------
David Altanian
------------------------------
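One way to do the API export David describes, as an added example that is not part of his post or of IBM's own tooling: page through a console's REST API and reduce the records to per-asset severity counts that a dashboard such as Power BI can ingest. The `SEC` token header and `Range: items=start-end` paging are how QRadar's REST API works; the endpoint path `QVM_ENDPOINT`, the record field names (`asset`, `severity`) and the sample records are assumptions made for this example.

```python
"""Export vulnerability records from a QRadar-style REST API and summarize them."""
import csv
import io
import json
import ssl
import urllib.request
from collections import Counter, defaultdict

# ASSUMPTION: placeholder path; check the console's API docs for the real endpoint.
QVM_ENDPOINT = "/api/qvm/vulns"


def make_http_page_fetcher(base_url, token, cafile):
    """Return fetch(start, end) that requests one page from a live console.

    Authentication is an authorized-service token in the 'SEC' header; paging
    uses 'Range: items=start-end'. TLS is verified against the console's CA
    bundle instead of being disabled.
    """
    ctx = ssl.create_default_context(cafile=cafile)

    def fetch(start, end):
        req = urllib.request.Request(
            base_url.rstrip("/") + QVM_ENDPOINT,
            headers={"SEC": token, "Accept": "application/json",
                     "Range": f"items={start}-{end}"},
        )
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))

    return fetch


def fetch_all(fetch_page, page_size=50, max_pages=10000):
    """Collect every record by requesting consecutive ranges until a short page."""
    records = []
    for page in range(max_pages):
        start = page * page_size
        batch = fetch_page(start, start + page_size - 1)
        records.extend(batch)
        if len(batch) < page_size:  # short (or empty) page ends the export
            return records
    raise RuntimeError("pagination did not terminate within max_pages")


def summarize(records):
    """Per-asset severity counts and global totals; severity is normalized to lowercase."""
    per_asset = defaultdict(Counter)
    totals = Counter()
    for rec in records:
        sev = str(rec.get("severity", "unknown")).lower()
        per_asset[rec["asset"]][sev] += 1
        totals[sev] += 1
    return {"per_asset": {a: dict(c) for a, c in per_asset.items()},
            "totals": dict(totals)}


def to_csv(summary):
    """Flatten the summary into 'asset,severity,count' rows for a dashboard import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["asset", "severity", "count"])
    for asset in sorted(summary["per_asset"]):
        for sev, count in sorted(summary["per_asset"][asset].items()):
            writer.writerow([asset, sev, count])
    return buf.getvalue()


# Constructed sample records standing in for API output (not real scan data).
SAMPLE_RECORDS = [
    {"asset": "srv-01", "severity": "High", "id": 1},
    {"asset": "srv-01", "severity": "Medium", "id": 2},
    {"asset": "srv-02", "severity": "High", "id": 3},
    {"asset": "srv-02", "severity": "Low", "id": 4},
    {"asset": "db-01", "severity": "high", "id": 5},
]


def make_sample_fetcher(records):
    """Offline stand-in for make_http_page_fetcher, serving slices of a list."""
    def fetch(start, end):
        return records[start:end + 1]
    return fetch


if __name__ == "__main__":
    # Offline run; swap in make_http_page_fetcher(url, token, cafile) for a console.
    exported = fetch_all(make_sample_fetcher(SAMPLE_RECORDS), page_size=2)
    print(to_csv(summarize(exported)))
```

The fetcher is injected so the paging and aggregation logic can be exercised offline before pointing it at a console; a page shorter than the requested range is the only termination signal, so a hard `max_pages` cap prevents an endless loop if the API ever returns a full page forever.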
Original Message:
Sent: Mon September 16, 2019 08:53 PM
From: Larry Edelstein
Subject: Vulnerability Manager Capabilities vs. External Vulnerability Scanner
Hello.
Can someone take a stab at something that is not overtly obvious from the information that is available out there on QRadar?
From my understanding, QRadar has its own VM, which offers some capabilities to (together with QRM) find vulnerabilities and report them back on the console. However, there are external vulnerability scanners available (e.g. Nessus, Rapid7) that also provide vulnerabilities that can be consumed by QRadar and incorporated into the console.
Does QRadar VM provide any capabilities that "compete" with external vulnerability scanners? Or is it really meant to supplement an external scanner? My sense is that external scanners tend to provide up-to-date patch lists (for example), while the QRadar VM tends to provide information on misconfigurations of firewalls (for example). Am I understanding this correctly?
------------------------------
Larry Edelstein
------------------------------