Vulnerability Alert Services

From: Andy Cuff (lists_at_securitywizardry.com)
Date: 06/23/04

    To: <bugtraq@securityfocus.com>
    Date: Wed, 23 Jun 2004 10:27:12 +0100


    Good Day,
    I don't want this email to detract from the great value of this Bugtraq list,
    but I suspect most of us from time to time are too busy to monitor the list
    constantly (surely not!). With this in mind I have just updated the
    vendor-agnostic list of subscription-based vulnerability alert services found at
    http://www.securitywizardry.com/alert.htm. I think it's pretty much complete,
    but please notify me of any omissions.

    If you are considering the service route, I suggest you tread very
    carefully; the various products vary greatly in quality and price, and the
    two don't necessarily correspond.

    The products discovered thus far at
    http://www.securitywizardry.com/alert.htm are:

    Symantec Deepsight Alert Services
    SecurityMob
    E-Secure-IT
    Sintelli Alert!
    iAlert Web
    PatchPortal
    SecurityTracker
    Vulnerability Tracking Service
    X-Force Threat Analysis Service

    If you are considering subscribing to one, I would like to suggest a few tips
    to consider.
    Introduction
    Vulnerability Alert Services vary considerably in the quality of output. My
    experience has seen between zero and 80 alerts in a day. The great diversity
    in features between vendors should result in there being at least a few that
    meet your needs, though conversely perhaps many more that are unsuited to
    your environment.

    Length of evaluation
    Some alert services will only allow you to evaluate their services for one
    week; in my opinion this is not sufficient to fully gauge what they have to
    offer, so aim for 30 days. Some will not allow you to trial what they have to
    offer at all; I'd ask, what are they hiding?

    Analysis
    The real value of an alert service is to cut down on your workload,
    monitoring and evaluating the threats on your behalf. When evaluating a
    service, do they provide information regarding the threat that the
    vulnerability presents, using terms like credibility of information source,
    verification of reported information, an estimate of risk, severity, etc., or
    are they merely regurgitating public information?

    Timing
    Whilst some alert services claim to offer 24x7 alerts, my experience has
    shown otherwise. Plot the receipt times of their alerts on a graph and see
    if they are truly a 24-hour operation; I was very surprised with the
    results. If you aren't interested in out-of-hours alerts and you are in the
    same time zone as the provider, then use their lack of out-of-hours response
    to reduce the cost. If, however, you need 24x7 alerts, go elsewhere.

    Latency
    Ideally your alert service will advise you of a vulnerability prior to its
    public release, and some do a good job at this. However, more common is
    notification over 24 hours after the public release, i.e. way, way too late.

    Filters
    Most vulnerability alert services allow you to tune the events you receive
    to your environment. The most common method is to select those products you
    wish to see alerts for, for instance NT4 Service Pack 6a or later. The
    selection is usually based on an existing vulnerability database, so see how
    far back their database goes. If, however, one of your products hasn't had a
    vulnerability discovered previously (Cyberguard), then you may not be able to
    select it for its first vulnerability. If you look after a larger
    networking environment, it may be worth checking if the provider allows you
    to select all products and exclude certain products that you don't have.
    This may also get around the first-vulnerability problem mentioned earlier.

    Emergency Alerts
    Every now and then the carp really hits the fan; in Europe this is usually 1730
    on a Friday evening, allowing our American cousins enough time to address
    the problem before their weekend. Does your alert service output emergency
    alerts to a specified email address or SMS?

    Value Added
    Does the alert service also notify you about malware and other crucial
    Internet intelligence? Does it have access to live IDS feeds advising you
    about new port-probe trends? Does it monitor IRC for what is happening in
    the badlands?

    Cost
    The cost of the alert services seems to vary greatly; a higher price doesn't
    always indicate a better service.

    Hope it helps
    take care
    -andy
    Talisker Security Tools Directory
    http://www.securitywizardry.com
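The "Timing" and "Latency" checks above (plot receipt times to see whether a service is really a 24-hour operation; measure how long after public release the alert arrives) can be done mechanically from the Date: headers of the alerts you received during the trial. The script below is an added example, not part of the original post or of any vendor's service: it takes a constructed list of (alert received, public disclosure) timestamps in place of real trial mail, normalises everything to UTC, builds an hour-of-day histogram, finds the longest stretch of the day in which nothing was ever received, and summarises latency relative to public disclosure (negative values mean the service beat the public release).

```python
"""Measure an alert service's hour-of-day coverage and disclosure latency.

Added example. Input is a list of (alert_received, public_disclosure) pairs
as ISO-8601 timestamps with UTC offsets, as you would extract from the Date:
header of each alert mail and from the public advisory it refers to.
"""
from collections import Counter
from datetime import datetime, timezone
from statistics import median

# Constructed sample, not real vendor data: ten alerts from a one-week trial.
# Received times carry the sender's offset; disclosures are given in UTC.
SAMPLE_ALERTS = [
    ("2004-06-14T08:05:00+00:00", "2004-06-13T22:00:00+00:00"),
    ("2004-06-14T09:40:00+01:00", "2004-06-14T04:00:00+00:00"),
    ("2004-06-15T11:15:00+00:00", "2004-06-15T11:45:00+00:00"),  # pre-disclosure
    ("2004-06-15T16:30:00+02:00", "2004-06-14T12:00:00+00:00"),
    ("2004-06-16T17:55:00+00:00", "2004-06-16T15:00:00+00:00"),
    ("2004-06-17T08:20:00+00:00", "2004-06-15T20:00:00+00:00"),
    ("2004-06-17T13:00:00+00:00", "2004-06-17T09:00:00+00:00"),
    ("2004-06-18T10:45:00+01:00", "2004-06-18T06:00:00+00:00"),
    ("2004-06-18T12:30:00+00:00", "2004-06-17T10:00:00+00:00"),
    ("2004-06-18T16:10:00+00:00", "2004-06-18T15:40:00+00:00"),
]


def parse_ts(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset and convert it to UTC."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc)


def hour_histogram(received):
    """Count alerts per UTC hour of day; every hour 0..23 is present."""
    counts = Counter(parse_ts(t).hour for t in received)
    return {h: counts.get(h, 0) for h in range(24)}


def silent_hours(received):
    """UTC hours in which no alert was ever received during the trial."""
    return [h for h, n in hour_histogram(received).items() if n == 0]


def longest_silent_window(received):
    """(start_hour, length) of the longest run of silent hours, wrapping
    past midnight. A genuine 24x7 operation should show a short window."""
    hist = hour_histogram(received)
    best_start, best_len = None, 0
    run_start, run_len = None, 0
    for i in range(48):  # walk two days so a run across midnight is seen once
        h = i % 24
        if hist[h] == 0:
            if run_len == 0:
                run_start = h
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    return best_start, min(best_len, 24)


def ascii_chart(received, width=40):
    """Text bar chart of alerts per UTC hour, for eyeballing coverage."""
    hist = hour_histogram(received)
    peak = max(hist.values()) or 1
    return "\n".join(
        f"{h:02d}:00 {'#' * round(hist[h] * width / peak)} {hist[h]}"
        for h in range(24)
    )


def latencies_hours(pairs):
    """Hours from public disclosure to alert receipt; negative = early."""
    return [(parse_ts(r) - parse_ts(d)).total_seconds() / 3600 for r, d in pairs]


def latency_summary(pairs):
    """Median lag plus counts of early alerts and of alerts over a day late."""
    lag = latencies_hours(pairs)
    return {
        "median_hours": median(lag),
        "pre_disclosure": sum(1 for x in lag if x < 0),
        "over_24h": sum(1 for x in lag if x > 24),
    }


if __name__ == "__main__":
    received = [r for r, _ in SAMPLE_ALERTS]
    print(ascii_chart(received))
    print("silent hours (UTC):", silent_hours(received))
    print("longest silent window:", longest_silent_window(received))
    print("latency:", latency_summary(SAMPLE_ALERTS))
```

Two practical caveats: take the receipt time from your own mail server's topmost Received: header rather than the vendor's Date: header if you suspect their clock or their queueing, and compare against the timestamp of the public advisory itself (the mailing-list post or vendor bulletin), since a service that "beats" a CVE entry by a day may still be a day behind the list post everyone else read.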
