Sourcefire and Qualys combine IPS, vulnerability management tools

Sourcefire and Qualys tout the importance of interoperability between small vendors, announcing the integration of their intrusion prevention and vulnerability management tools.

Security analysts often need to make swift decisions to defend against imminent threats, a process that can involve trawling though multiple logs and system monitors. Anything that can integrate the information they need, and therefore speed up decision-making and intrusion prevention management, should make their tasks easier.

They have been in partnership for a long time -- it's great news but it seems to be reactive. They should have done it a while ago.


Nikki Babatola
security analystCanalys

A new partnership between intrusion detection vendor Sourcefire Inc. and Qualys, Inc., a vulnerability scanning and management specialist, aims to do just that.

The integration is achieved though Sourcefire's new Qualys Connector, which uses the Sourcefire Defense Center to automatically correlate threats detected by the Sourcefire intrusion prevention system (IPS) with host vulnerabilities detected by QualysGuard suite of vulnerability management tools. The combined information can deliver increased contextual data, and help security analysts prioritise intrusion alerts.

For instance, when a potentially dangerous exploit is detected, the Sourcefire IPS can scan a network host and, via the integration with QualysGuard, determine if it is properly patched and up to date, enabling analysts to discard irrelevant threats and focus their efforts elsewhere on more vulnerable targets.

The increased visibility also allows the IPS to reduce the number of intrusion events at the sensor level, intelligently self-tuning its protection and increasing the precision of its alerting and blocking features.

Graham Welch, European managing director for Sourcefire, said that more than half of his customers already use Qualys independent of the new partnership , so they could immediately make use of the new Connector product, which is downloadable at a cost of $11,200 .

"The two products augment one another," Welch said. "QualysGuard doesn't detect new hosts, it only scans devices it has been told to scan. RNA can be configured to identify new hosts and notify the Qualys administrator of any new hosts on the network, so the next time [the administrator] plans a scan, he can go after those particular hosts."

Such notification would be done on a manual basis at the moment, but Welch said Sourcefire was considering how the communication could be automated.

Nikki Babatola, a security analyst at Reading-based advisory firm Canalys, welcomed the move.

"Companies want interoperability between systems. Consolidation is driving a lot of end users to say it's not enough to just have point products anymore. The products need to communicate, or [end users] will look for a single source for security," she said. "If customers can't get the products to integrate, and they are already consolidating into a data centre, they might decide to rip out all the point products and go with Cisco [for example]."

She sounded a note of caution, saying that Sourcefire and Qualys need to show some real examples and case studies to demonstrate how the integration could be of benefit to companies.

"A lot of customers will have made investments in Sourcefire and Qualys technologies already. To remain sticky with those customers, the companies need to show they can communicate," Babatola said. "It's a strategy for the smaller vendors to work together and to remain relevant. They have been in partnership for a long time -- it's great news but it seems to be reactive. They should have done it a while ago."

Read more on Hackers and cybercrime prevention