ZOHO ManageEngine Security Manager Plus v5.5 (Build 5506)
Strengths: Quick and easy to configure and use.
Weaknesses: The ticketing/change management feature was fairly rudimentary.
Verdict: For the price, this is a strong entry-level tool for small organizations.
Security Manager Plus (Professional Edition) is a network security scanner that proactively reports on network vulnerabilities and helps to remediate them and ensure compliance. With vulnerability scanning, open ports detection, patch management, Windows file/folder/registry change management and vulnerability reporting capabilities, the tool protects the network from security threats and malicious attacks. ManageEngine, an External Vulnerability Aggregator, draws vulnerability information from various security sources through email and RSS feeds. Patch information is vetted and correlated into a vulnerability database. This database is published to clients in an effort to keep the database at the client end current. All scanning, patching and reporting is done by the Security Manager Plus at the client end. Agents are deployed to address systems that are behind firewalls or where configuration settings on a remote machine do not allow direct interrogation and remediation. Product features include vulnerability scanning, open port detection, hardware and software inventory, Windows users and groups, scheduling and scan automation, patch management (includes specific Linux distributions), trouble-ticket mail generation, Windows change management, audit reports, PCI DSS compliance, CVE cross-reference, and the vulnerability database.
The tool is often installed on Windows Servers and does not require the installation of any other third-party software for Windows (installation on Linux requires Samba-TNG to be installed additionally). The product has been validated to run under a number of Windows systems, as well as Red Hat Linux, Debian, CentOS and open SUSE. For our evaluation, ZOHO provided a CD for installing the product and our implementation went smoothly. Configuration took just minutes to complete and a scan was initiated. The product found all 11 of our test systems. The tool has a clean graphic dashboard that we used to look up support documentation, including the community website. The admin tab provided a dashboard for managing settings and an array of other functions. Email reporting was configured and CVE vulnerability reports were produced. Payment card industry reports were generated through automated reporting. Too, the risk and correction functions were easy to use and provided some easy remediation recommendations. Finally, change management tickets were created and processed. Overall, the product performed well.
Documentation included web-based assistance, including installation and user instructions, FAQ, troubleshooting tips, a document library, tutorials, user forums and more.
Basic no-fee support provides 24/5 telephone and email assistance for the evaluation period. Fee-based options are covered in the product cost for the first year. During subsequent years, fees cost 20 percent of the license fee.
We found that as an entry-level vulnerability management system, the value provided by this tool is good for its cost.