Re: Compliance Product Recomendation
user name
2007-07-27 09:47:45
I can give you a few but I must couch it with the following.
I am a Sales Engineer. I work for Altiris/Symantec and I
worked for Ecora.

Security Expressions (from Altiris) - looks at your systems
(OS agnostic) from a policy standpoint. You can choose a
PCI policy or a CIS policy or a HIPAA policy and then run
these policies against your systems to find out if they are
out of whack per that policy. It can remediate.

Auditor from Ecora Software - many different modules. It
comes at things a bit differently than SE. It will collect
almost every config and then you decide what report/policy
to run against the info collected. There are PCI, SOX, etc.
reports.

TripWire has come out with a solution but I do not know it
well enough to tell you about it.

ConfigureSoft, which is more along the lines of configuration
management, has reports per compliance standard.

Qualys - I just found out that they are coming out with
policies per compliance standard. Qualys usually is lumped in
with scanners like Nessus. The cool thing about Qualys is that
you can do it over the internet. You do not have to
purchase their appliance.

This is a small list but it gives you a good place to start
your research. I hope it helps.

Regards,
Doug

-----Original Message-----
From: aversetoriskmanhushmail.com [mailto:aversetoriskmanhushmail.com]
Sent: Friday, July 27, 2007 08:46 AM
To: psrcsecurityfocus.com
Subject: Compliance Product Recomendation

I work for a large financial services company in the
mid-west and am new to compliance and risk management. I have
been tasked with identifying a range of products I should
budget for next year to solve the security compliance needs
in my company. I think these include PCI, HIPAA and GLBA as
well as SOX.

Can anyone recommend any products and/or approaches to
evaluating tools? It seems there are lots on the market, many
of which seem to magically help me assess compliance so I am a
little sceptical.

Thanks in advance.


RE: Compliance Product Recomendation
user name
2007-07-27 11:45:58
Doug

Which parts of a standard or regulation (or maybe rephrased,
what percentage) do you think automated tools analyze? Maybe
PCI as an example?

-----Original Message-----
From: listbouncesecurityfocus.com [mailto:listbouncesecurityfocus.com] On Behalf Of dougsimpson.bz
Sent: Friday, July 27, 2007 4:48 PM
To: aversetoriskmanhushmail.com; psrcsecurityfocus.com
Subject: Re: Compliance Product Recomendation

RE: Compliance Product Recomendation
user name
2007-07-27 12:36:45
At 6:45 PM +0200 7/27/07, Mark Curphey wrote:

> Which parts of a standard or regulation (or maybe rephrased what percentage)
> do you think automated tools analyze?

It seems to me that any metrics scheme used to answer this
question will be deceptive. If one were to take a hypothetical
statement "No object shall be accessible to users whose job
does not require it", that is about as small a percentage of
its containing standard as possible. But the amount of work to
evaluate that manually is astronomical.

For a slightly more complex statement like "No privileged user
shall use that privilege to violate the principle of separation
of duties", the chances that a user doing the job manually
would thoroughly analyze the audit logs of the past year or
even the past month approach zero.

The other sections of standards, dealing with issues not
susceptible to automation, tend to be much more wordy, further
skewing metrics based on text lines in the standard.

Certainly the automated tests will finish "first", accomplished
through efficient use of computer cycles (once you get a tool
that works). The report may be printed before the human-only
assessment really gets started. Of course the humans did a lot
up front to configure the automated tool. And other humans did
work to construct the tool.

===============================================

By "tool" I mean something that actually Examines (800-53A
terminology) the configuration of the computer, rather than
something that is just a more specialized form of a spreadsheet
to prompt the human through their task.

Some assessment tasks can only reasonably be done by tools,
some can only reasonably be done by humans. I have a hard time
thinking of any that could just as readily be done either by a
tool or by a human.
-- 
Larry Kilgallen
