Automated incident response is one of the fastest growing fields in computer security. Alternatively called threat monitoring, vulnerability management or threat management, it encompasses the seemingly impossible task of defending a network from active threats as they happen, in addition to detecting every possible vulnerability that could be exploited by an attacker.
As such, you don't see tons of companies jumping into this area. But several companies have come out with automated incident response products and three of the leading vendors accepted our invitation for a comparative review — Tenable Network Security SecurityCenter, Hewlett Packard WebInspect and Co3 Systems Security Module.
Since vendors typically have their roots in one of those three areas — detection, prevention or automated response — their approaches are influenced by that starting point, leading to slightly different methods to achieve the goal of total network security. This means we needed to look at how effective the tools were overall, since there are few other metrics that can be compared side by side.
For this review, all programs were installed and tested with a variety of client machines and servers in a moderately sized test bed. Because the tested programs are all designed to work with hundreds and thousands of systems, no attempt to test scan performance was made, though program features designed to speed up scans were noted.
Each program was evaluated on ease of installation, features, ease of use, and automation level: whether the program actually helped make patching the holes easier or simply pointed out what to do without any tracking or recommendations. In a sense, automation level can also be read as how complete the package is, now that all three elements of detection, prevention and response are combined together.
As a well-integrated, mature and easy-to-use product, Tenable SecurityCenter scored the highest of the three products in this review. It was able to provide true continuous monitoring for networks of any size and used customized dashboards to show the most relevant security information to those who need to know. It's almost impossible to conceive of a successful attack occurring on a network that is so well guarded by SecurityCenter, where every PC, device and connection is constantly monitored for malicious or abnormal behavior.
HP WebInspect, by comparison, requires a little more elbow grease to get the job done, but might be perfect for organizations that like to take a more active approach to their security precautions. It uses the concept of having to think like a criminal to catch one and launches thousands of real but benign attacks against a network, silently recording which ones are successful. Network administrators can then plug real holes and use WebInspect to check their results. WebInspect will reveal the ugly truths about security on any network, but requires security professionals to roll up their sleeves to fix individual problems.