Once everything in a network has been discovered, SecurityCenter can enter continuous monitoring mode. It does this using a process of scanning, sniffing and logging while also looking for any indicators of compromise. For example, an Android phone that we purposely infected with rudimentary homegrown malware was detected based on its behavior alone, because the device was attempting to make queries into a protected database. Threat intelligence is also brought into the program from other vendors, so known botnets and common attacks are immediately found and identified. And because SecurityCenter first found all devices on a network, even older, forgotten or previously unknown computers will be protected.
SecurityCenter works by combining threat intelligence with network sniffing and passive scanning. It does not conduct full packet inspections of all traffic running through a network, nor does it decrypt SSL packets. Doing so would certainly increase the scan time by a large margin, and in our testing, SecurityCenter was able to stop every attack based on the behavior of the protected devices alone. That said, some very highly secure organizations may insist on deep packet inspections, which SecurityCenter doesn't offer.
Once an incident is detected, the response is quick and configurable based on what an administrator pre-programs, based on severity, device type or anything else. Emails can be sent to the appropriate people, deeper scans of suspect devices can be initiated, trouble tickets can be opened and log files can be written to name just a few possibilities. There are a lot of configuration options so that, for example, something minor like a new vulnerability being detected might warrant a low priority response while a critical problem like an ongoing attack could literally raise the alarm.
The icing on the cake for SecurityCenter is the easy-to-use security dashboards, which can be configured to show exactly what an administrator needs to know at a glance.
Dashboards can be set to show, for example, how many devices on a network comply with special regulations like HIPAA. Dashboards can be as complex as bringing up a list of vulnerabilities for compromised systems, or as simple as a big red light that illuminates should a critical problem be detected. SecurityCenter has quite a few out-of-the-box dashboards that should work for almost any installation, and either Tenable or a trained administrator can make custom ones, if needed.
HP keeps a pretty tight lid on who can use HP WebInspect and how it can be deployed. And that's a good thing because in the wrong hands, WebInspect would be a very dangerous weapon. For this review, we had to specify the IP range that was being scanned and the license would not allow us to ping anything outside of that zone. HP says companies that purchase the program would be under the same constraints, but that it's possible to modify the license after the fact by letting HP know how it should be expanded.
Sign up for CIO Asia eNewsletters.