
Vulnerability Alert Services



Good Day,
I don't want this email to detract from the great value of this Bugtraq list
but suspect most of us from time to time are too busy to monitor the list
constantly (surely not!). With this in mind I have just updated the
vendor-agnostic list of subscription-based vulnerability alert services found
at http://www.securitywizardry.com/alert.htm. I think it's pretty much complete
but please notify me of any omissions.

If you are considering the service route, I suggest you tread very
carefully; the various products vary greatly in quality and price, and the
two don't necessarily correspond.

The products discovered thus far at
http://www.securitywizardry.com/alert.htm are:

Symantec Deepsight Alert Services
SecurityMob
E-Secure-IT
Sintelli Alert!
iAlert Web
PatchPortal
SecurityTracker
Vulnerability Tracking Service
X-Force Threat Analysis Service

If you are considering subscribing to one, I would like to suggest a few tips
to consider:

Introduction
Vulnerability Alert Services vary in the quality of output considerably.  My
experience has seen between zero and 80 alerts in a day. The great diversity
in features between vendors should result in there being at least a few that
meet your needs, though conversely perhaps many more that are perhaps
unsuited to your environment.

Length of evaluation
Some alert services will only allow you to evaluate their services for one
week; in my opinion this is not sufficient to fully gauge what they have to
offer, aim for 30 days.  Some will not allow you to trial what they have to
offer at all; I'd ask, what are they hiding?

Analysis
The real value of an alert service is to cut down on your workload,
monitoring and evaluating the threats on your behalf. When evaluating a
service, do they provide information regarding the threat that the
vulnerability presents, using terms like credibility of information source,
verification of reported information, an estimate of risk, severity etc., or
are they merely regurgitating public information?

Timing
Whilst some alert services claim to offer 24x7 alerts, my experience has
shown otherwise; plot the receipt times of their alerts on a graph and see
if they are truly a 24 hour operation. I was very surprised with the
results.  If you aren't interested in out of hours alerts and you are in the
same time zone as the provider, then use their lack of out of hours response
to reduce the cost.  If, however, you need 24x7 alerts, go elsewhere.

Latency
Ideally your alert service will advise you of a vulnerability prior to its
public release; some do a good job at this.  However, more common is
notification over 24 hours after the public release, i.e. way, way too late.

Filters
Most vulnerability alert services allow you to tune the events you receive
to your environment.  The most common method is to select those products you
wish to see alerts for, for instance NT4 service pack 6a or later.  The
selection is usually based on an existing vulnerability database; see how
far back their database goes.  If, however, one of your products hasn't had a
vulnerability discovered previously (Cyberguard) then you may not be able to
select it for its first vulnerability.  If you look after a larger
networking environment it may be worth checking if the provider allows you
to select all products and exclude certain products that you don't have.
This may also get around the first vulnerability problem mentioned earlier.

Emergency Alerts
Every now and then the carp really hits the fan; in Europe this is usually
1730 on a Friday evening, allowing our American cousins enough time to address
the problem before their weekend.  Does your alert service output emergency
alerts to a specified email address or SMS?

Value Added
Does the alert service also notify you about malware and other crucial
Internet intelligence?  Does it have access to live IDS feeds advising you
about new port probe trends? Does it monitor IRC for what is happening in
the badlands?

Cost
The cost of the alert services seems to vary greatly; a higher price doesn't
always indicate a better service.

Hope it helps
take care
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
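
The check suggested under Timing, as an added example that is not part of the original post: bucket the receipt times of a trial's alert mails by hour of day and report the longest window in which nothing ever arrives. It assumes the alerts are saved as raw RFC 822 messages; the function names and the sample messages are constructed for illustration.

```python
from collections import Counter
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample alerts (not real vendor mail) with mixed UTC offsets.
SAMPLE_ALERTS = [
    "Received: from mx.example.net by mail.example.org; Mon, 03 Mar 2003 09:12:00 +0000\n"
    "Date: Mon, 03 Mar 2003 09:10:00 +0000\nSubject: alert 1\n\nbody\n",
    "Received: from mx.example.net by mail.example.org; Mon, 03 Mar 2003 14:45:00 +0100\n"
    "Subject: alert 2\n\nbody\n",
    "Date: Tue, 04 Mar 2003 12:30:00 -0500\nSubject: alert 3\n\nbody\n",
]

def receipt_time(raw):
    """UTC receipt time: topmost Received stamp, else the Date header."""
    msg = message_from_string(raw)
    received = msg.get_all("Received")
    stamp = received[0].rsplit(";", 1)[-1].strip() if received else msg.get("Date")
    try:
        when = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        return None  # missing or unparsable timestamp: skip this message
    if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
        when = when.replace(tzinfo=timezone.utc)
    return when.astimezone(timezone.utc)

def hourly_histogram(raw_messages):
    """Alerts received per UTC hour of day, as a 24-element list."""
    hours = Counter(t.hour for t in map(receipt_time, raw_messages) if t)
    return [hours[h] for h in range(24)]

def longest_quiet_window(hist):
    """(start_hour, length) of the longest alert-free run, wrapping midnight."""
    if not any(hist):
        return (0, 24)
    best = (0, 0)
    for start in range(24):
        if hist[start] or not hist[start - 1]:
            continue  # a run starts only at a quiet hour that follows a busy one
        length = 0
        while not hist[(start + length) % 24]:
            length += 1
        best = max(best, (start, length), key=lambda b: b[1])
    return best

if __name__ == "__main__":
    hist = hourly_histogram(SAMPLE_ALERTS)
    print(hist, longest_quiet_window(hist))
```

Over a 30 day trial, a quiet window that lines up with the provider's night or weekend is the pattern the Timing tip is looking for.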