Re: Why eEye Retina (was MBSA scanner)

[Shawn Edwards <shawn.edwards () nokia com>]

ext clarke-cummings () columbus rr com wrote:

> eEye didn't have a
> good answer as to why the results were so inconsistent.  Any guesses?
>
>  
These are just my 2 cents...but I've 'been in your evaluation shoes'...

I don't necessarily want to comment on Retina specifically.  However, I 
have over the past couple of years kept a close eye (no pun intended) on 
the VA space.  I would however like to give you a more generic comments 
on your evaluations that should/may help.

1. Every vendor will get false positives.  Some may have better 
methodologies on enumeration and may have 'better' checks. However, I 
would recommend that you build 'static' hosts (possibly vmware 
instances, however some vendors will blame that for the fp's) and run  
all the va products that you are interested in parrallel against them so 
that you are comparing apples to apples.  Delay between the audits of 
course may skew your results as checks are (hopefully) released daily.  
Of course if the fp's are ridiculous then ok...maybe there are other issues.

2. Each vendor has their target market (aka strength & weaknesses). But 
this is important because it helps a great deal if you first understand 
your focus and goals.  For example, if you have a very large 
organisation (10s of thousands of hosts) then maybe you are looking for 
performance, controlling scan times, distributed scanning, redundancy, 
scalability, customised checks, etc.  Then, IMHO, the players are 
reduced to a handfull.  If you are heavier on one OS/app or another that 
may make a difference as well.

3.  Beware of their marketing departments.  For example, checks 
schmecks.  Marketing math gets very creative with vuln check numbers so 
don't put too much weight on it, however, turn around times on new vulns 
should be quick (like ~24 hours).  Scan perfomance may not be as big a 
deal as being able to control the perfomance of the scan and times at 
which it can operate...in large scans anyway.

> Also, how is their support response for those that are customers?  As a
> trial customer they aren't a very impressive organization.
>  
That's a pretty harsh statement, but hey, everyone entitled to their 
opinion right! :)  I know for a fact that they have some very skilled 
persons doing dev there.  Just check some of their development 
discoveries (http://www.eeye.com/html/Research/index.html) that's gotta 
count for something!

Hope this helps...if you want any more biased, (opinions are always 
biased), personal opinions just fire me a mail and I'd be happy to discuss.

br,

s

--
Work EMail: shawn.edwards[at]nokia.com
Personal EMail: shards[at]hush.ai
Personal Website: http://%6A%6A%6A%2E%78%65%6C%63%67%30%74%33%33%78%2E%62%65%74


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------