We've seen almost all of these tools before - even the newcomers - and they mostly seem to have branched out in several directions. This branching out comes in a couple of flavors.
First, we have those products that are, essentially, the same products that we've seen over the years with the added benefit that they have evolved in capability without materially changing their scopes. These are good, solid tools that do what they advertise without trying to boil the ocean in the process.
On the other side of the ledger, we have products that have broadened their scopes significantly, adding functionality that is much more than improvement in what they already had. We don't see these as better or worse than the first group - just different. We review them - as we always have - on their individual merits, not on how they stack up against other, similar products. In fact, we can think of two or three combinations of products that would fit nicely together in a security stack. More on that as we look at the products themselves.
Vulnerability management is a horse of mixed color - sort of like the old joke about what is black and white and red all over? Answer, of course (no, not a newspaper) is an embarrassed zebra. While none of these products have any reason to be embarrassed, almost none could be characterized as either black or white, so no zebras here. Interestingly, though, we did find a lot of gray, and while that might imply difficult buying decisions, we don't think it's all that tough in reality.
For example, you may have a small enterprise. You need to make sure that you are doing your PCI scans, perhaps, but you are perfectly capable of managing the remediation since the enterprise is not large or complicated. That may allow you to use a very simple tool that tells you what to do but does not create complicated workflows that need to interact with other, equally complicated, tools.
Or, you may have - at the other end of the spectrum - a very large, widely distributed enterprise that is subject to all sorts of regulatory compliance and has offices/locations throughout the U.S., the EU and Asia, especially China. There are lots of different laws and regulatory requirements in these locations, there are tens of thousands of servers, hundreds of thousands of endpoints - and simply scanning just won't work for you. There are tools here to address that as well.
Finally, you may have a mixture of both environments - smaller branch offices connected to several regional headquarters, perhaps - and you have some risk management tools deployed that need both threat and vulnerability data that is current and accurate/complete. We got your back on that score this time as well.
The point is that you really need - perhaps more than at the other times we've said this - to understand your enterprise, your business requirements and your regulatory requirements. It is quite likely that more than one of these tools will fit your needs nicely and will work together smoothly. Or not. So tread slowly and get the lay of the land before you jump.
One of our tools under review does not do vulnerability scans directly. Rather it uses a process of analysis and takes input from third-party scanners. We did not count it out of this group because it is an analytical powerhouse and, in the right environment, is a definite must-see before you make final decisions. More on that when we look at the product.
Along with that, we have the age-old debate - at least since SATAN was developed and put out on the internet, many years ago - as to the difference between scanners and pen testers. Most security pros certainly know the difference, but what still seems open to debate is which (or both) should you have?
Our personal view has been for years that you always should do both. But today we've softened that position a bit because there are some very sophisticated passive scanners that can make any kind of active scanning or penetration testing obsolete. So, don't count those tools out until you've had a chance to evaluate them. You may be surprised at what they find.
Overall, this was a mix of good old standbys and surprises. We hope that you'll find something in this small, but rather elite, group. For us it was old friends, new friends and, in the reverse of the old expression, new wine in old bottles. Don't pass on that...there are some nice surprises there as well.
| Specification Matrix for Vulnerability Management | ||||||||||
| Company | Available as a cloud appliance | Available as an on-prem virtual appliance | Available as a physical appliance | Supports distributed scanning | Creates reports detailing compliance | Includes built-in policies and functionality to support regulatory compliance (e.g., custom scans) | Includes integrated malware scanning | Integrates with patch management systems | Can scan mobile devices | Applies next generation analytics (e.g., machine learning, integrated third party feeds, etc.) |
| Beyondtrust | X | X | X | X | X | X | X | X | X | X |
| Tripwire | X | X | X | X | X | X | X | X | X | X |
| Skybox Security | X | X | X | X | X | X | X | X | ||
| Saint | X | X | X | X | X | X | X | X | ||
| Digital Defense | X | X | X | X | X | X | X | |||
| Tenable | x | x | x | x | x | x | x | x | ||
