Vendor Research: Beyond the Fancy Sales Presentations
Choosing a vendor for anything is extremely difficult.
Salespeople only show off the best parts of the product. Demonstrations are exciting and seem almost magical. Products appear to solve problems in a way you have never seen before.
If you decide to take a product for a “test drive”, you only run it on a small sample of your environment and everything seems great. Or you are not yet fluent enough with the product to get a real feel for all of its features. You choose the one you think is best, fork over a bunch of cash, and hope for the best.
Sometimes it works and sometimes you are left disappointed. Just like interviewing candidates for a job, you can’t possibly know all the details until after you make the hire…or, here, until after you buy the product.
I’m writing this short post today to share an idea for evaluating vendors beyond the perfect demos. The results really surprised me.
If you really want to find out what kind of vendor you are about to do business with, watch how they respond to events in the industry. Don’t focus on how cool their booth is or how nice their presentation is. Instead, look at how they respond to a big event in the industry. Are they sharing on social media? Are they updating their blog with the latest developments? Are they contributing to the conversation and advancing whatever the issue is? Or are they silent?
I decided to try this by doing a search on each of the vulnerability management vendors I am familiar with to see how they participated in the Intel AMT vulnerability (CVE-2017-5689, the firmware authentication bypass) that was initially released on May 1st.
I think the results are extremely informative and they tell a lot about “who” the company is and what they REALLY care about.
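The “search each vendor” step above can be done the same way every time rather than by hand. The script below is an added example written for this page, not something from the original post or from any of the vendors named in it: it parses each vendor’s Atom feed, finds the first post on or after the disclosure date that mentions the event, and ranks vendors by lag, with silent vendors listed last. The vendor names (vendor-a, vendor-b, vendor-c), feed contents and post dates are constructed placeholders; only the disclosure date (May 1st) comes from the post. Note the two edge cases it handles that a naive keyword grep misses: a post that mentions the technology before the advisory (background, not a response) and a post where the keyword appears only in the summary.

```python
"""Measure how quickly each vendor's public feed reacted to an industry event.

Added example (not from the original post): it implements the post's
"background check" as a script. Vendor names, feed contents and dates are
constructed for illustration and are not real posts by any vendor.
The event date is the one the post gives: the Intel AMT advisory of 2017-05-01.
"""
from datetime import date, datetime
from typing import Dict, List, Optional, Sequence, Tuple
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

DISCLOSURE = date(2017, 5, 1)                     # when the advisory went public
KEYWORDS = ("intel amt", "amt vulnerability")     # case-insensitive match terms

# Constructed Atom feeds for three hypothetical vendors (placeholder names).
FEEDS: Dict[str, str] = {
    # Posted on disclosure day, plus unrelated noise.
    "vendor-a": """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>Detecting the Intel AMT vulnerability</title>
         <updated>2017-05-01T18:30:00Z</updated></entry>
  <entry><title>Monthly product update</title>
         <updated>2017-04-20T12:00:00Z</updated></entry>
</feed>""",
    # Keyword appears only in the summary, two days after disclosure.
    "vendor-b": """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>Firmware flaws in the datacenter</title>
         <summary>What the Intel AMT advisory means for your fleet.</summary>
         <updated>2017-05-03T09:00:00Z</updated></entry>
</feed>""",
    # Wrote about AMT a year earlier, nothing after the advisory: counts as silent.
    "vendor-c": """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title>Managing Intel AMT with our agent</title>
         <updated>2016-03-10T10:00:00Z</updated></entry>
  <entry><title>Webinar: compliance reporting</title>
         <updated>2017-05-09T15:00:00Z</updated></entry>
</feed>""",
}


def first_mention(feed_xml: str, keywords: Sequence[str], since: date) -> Optional[date]:
    """Return the date of the earliest entry on/after `since` whose title or
    summary contains any keyword, or None if the vendor never mentioned it."""
    root = ET.fromstring(feed_xml)
    hits: List[date] = []
    for entry in root.findall("atom:entry", ATOM_NS):
        title = entry.findtext("atom:title", default="", namespaces=ATOM_NS)
        summary = entry.findtext("atom:summary", default="", namespaces=ATOM_NS)
        updated = entry.findtext("atom:updated", default="", namespaces=ATOM_NS)
        text = f"{title} {summary}".lower()
        if not any(k in text for k in keywords):
            continue
        # Atom timestamps are RFC 3339; fromisoformat wants "+00:00" rather than "Z".
        posted = datetime.fromisoformat(updated.replace("Z", "+00:00")).date()
        if posted >= since:  # earlier posts are background, not a response
            hits.append(posted)
    return min(hits) if hits else None


def response_lag(feeds: Dict[str, str], keywords: Sequence[str],
                 since: date) -> List[Tuple[str, Optional[int]]]:
    """Days from disclosure to each vendor's first mention, fastest first;
    vendors with no mention sort last with lag None."""
    rows: List[Tuple[str, Optional[int]]] = []
    for vendor, xml in feeds.items():
        first = first_mention(xml, keywords, since)
        rows.append((vendor, (first - since).days if first else None))
    rows.sort(key=lambda r: (r[1] is None, r[1] or 0))
    return rows


if __name__ == "__main__":
    for vendor, lag in response_lag(FEEDS, KEYWORDS, DISCLOSURE):
        status = "silent" if lag is None else f"first post {lag} day(s) after disclosure"
        print(f"{vendor:10s} {status}")
```

To use it against real vendors, replace the constructed strings in FEEDS with the text of each vendor’s blog or advisory feed and widen KEYWORDS to include the CVE identifier; the ranking then gives you the same picture the hand search produced, with the date arithmetic done consistently for every vendor.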
First up is Tenable, which provides the Nessus vulnerability scanner. They are first on my list and have the most impressive content regarding this Intel AMT vulnerability. They are not only detecting it, but they worked out the details of the flaw themselves before all of those details were made public. This allowed them to provide vulnerability detection for their customers on the very day Intel publicly published the vulnerability.
Tanium is new, exciting and has an interesting approach to vulnerability scanning. They are very actively publishing content regarding the Intel AMT vulnerability and, from my conversation with them, they were detecting this within about 24 hours of the public release.
Rapid7 Nexpose is very active in the discussion as well, and it looks like they have already published an exploit tool for it.
Qualys is a big vendor and was publishing early and often about this vulnerability. You can see below that they published on May 2nd and May 3rd about the vulnerability, effectively breaking news.
BeyondTrust (eEye) Retina sadly hasn’t posted anything about this event as of 5/10/2017. This one is really surprising because they are such a big player in this space.
Edit: Yay, as of 5/12/2017 they are in the mix too.
Tripwire is a big company, but I don’t hear much about their vulnerability scanner, and this exercise confirms that vulnerabilities are not their core focus.
Admittedly, you shouldn’t ONLY use this approach. Features and functionality are important and you have to consider those too. A blog post is also cheap, so check the substance behind it: when did a working detection actually ship, and does it run as a remote check or does it need credentials on the host? But, based on this, I would only bother comparing features between the companies who show a real interest in and active participation in vulnerability research. Take their passion and engagement into consideration along with all the other product factors.
This is the kind of “background check” you must be doing before spending thousands of dollars and hundreds of hours on a new product and a new vendor relationship. Don’t just let the best sales person win the business!
Are your vulnerability scanning vendors leading the way in independent research or are they just sitting back and collecting the research of others?
Are there any other vulnerability management vendors I missed? Please search them and share your results.