<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>dmiessler.com | grep understanding - Latest Comments in Vulnerability Management Without Asset Management, Isn&amp;#8217;t</title><link>http://danielrm26.disqus.com/</link><description>dmiessler.com/about/</description><atom:link href="https://danielrm26.disqus.com/vulnerability_management_without_asset_management_isn8217t/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Fri, 08 Jun 2007 19:58:23 -0000</lastBuildDate><item><title>Re: Vulnerability Management Without Asset Management, Isn&amp;#8217;t</title><link>http://dmiessler.com/blog/vulnerability-management-without-asset-management-isnt#comment-4354141</link><description>&lt;p&gt;Jonathan:&lt;br&gt;ArcSight has a few products. Which product contains the asset discovery tool?&lt;/p&gt;&lt;p&gt;Thank you,&lt;br&gt;raymond&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">raymond</dc:creator><pubDate>Fri, 08 Jun 2007 19:58:23 -0000</pubDate></item><item><title>Re: Vulnerability Management Without Asset Management, Isn&amp;#8217;t</title><link>http://dmiessler.com/blog/vulnerability-management-without-asset-management-isnt#comment-4354144</link><description>&lt;p&gt;Heh, yeah...I'm a big fan of that tool. My buddy loves it.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel Miessler</dc:creator><pubDate>Mon, 14 May 2007 23:55:29 -0000</pubDate></item><item><title>Re: Vulnerability Management Without Asset Management, Isn&amp;#8217;t</title><link>http://dmiessler.com/blog/vulnerability-management-without-asset-management-isnt#comment-4354145</link><description>&lt;p&gt;There is a product that does just what you want Daniel, it's called ArcSight. It's got a pretty cool Asset Discovery tool and can run all the reports and queries you were using as examples (i.e. 
All Solaris machines with SSH running as of x/x/x)&lt;/p&gt;&lt;p&gt;Check it out if you want/can: &lt;a href="http://www.arcsight.com" rel="nofollow noopener" target="_blank" title="http://www.arcsight.com"&gt;http://www.arcsight.com&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Disclaimer: Not cheap at all and sometimes feels "heavy" or bloated as it's all Java based. YMMV.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jonathan S.</dc:creator><pubDate>Mon, 14 May 2007 16:56:11 -0000</pubDate></item><item><title>Re: Vulnerability Management Without Asset Management, Isn&amp;#8217;t</title><link>http://dmiessler.com/blog/vulnerability-management-without-asset-management-isnt#comment-4354146</link><description>&lt;p&gt;Steven, I agree with that, but I think I'd rather deal with that than having one of these unknown systems spewing spam and/or bot traffic and embarrassing the company.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Daniel Miessler</dc:creator><pubDate>Wed, 09 May 2007 12:14:07 -0000</pubDate></item><item><title>Re: Vulnerability Management Without Asset Management, Isn&amp;#8217;t</title><link>http://dmiessler.com/blog/vulnerability-management-without-asset-management-isnt#comment-4354143</link><description>&lt;p&gt;You talk about security risk in these systems, but it bears underscoring that there is some compelling disaster looming around unknown assets using unlicensed software.&lt;/p&gt;&lt;p&gt;We're true up on our photoshop licenses.....&lt;/p&gt;&lt;p&gt;( until you discover that your Windows shop actually has a hidden department of Macs running CS 3 that one guy got from a Spammy Re-seller? )&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven G. 
Harms</dc:creator><pubDate>Wed, 09 May 2007 12:09:34 -0000</pubDate></item><item><title>Re: Vulnerability Management Without Asset Management, Isn&amp;#8217;t</title><link>http://dmiessler.com/blog/vulnerability-management-without-asset-management-isnt#comment-4354142</link><description>&lt;p&gt;I've actually been involved in both ends - IT Asset Management engagements (mostly using CA products) and vulnerability management/assessments, and I definitely agree that this would be useful!&lt;/p&gt;&lt;p&gt;I have seen Qualys used at a lot of clients, and I'm pretty sure it has an asset discovery feature - but I don't think this works well as an enterprise-wide Asset Management tool.&lt;/p&gt;&lt;p&gt;And on the other side, something like CA's asset management products can tell you what systems are where, but I don't think it has the capabilities to launch a Qualys or other scan, or alert you to vulnerabilities, etc. Although if it could tie in to another CA product like their security products, they'd probably be on to something.&lt;/p&gt;&lt;p&gt;Disclaimer: I know I focused on one vendor there, but it's just what I'm familiar with from a deployment perspective and I'm FAR from a CA fan-boy/spammer/whatever so please point me in the direction of other similar products (I know they're out there).&lt;/p&gt;&lt;p&gt;The biggest thing about ITAM is, like security, the supporting processes around it are what make or break it. If the organization doesn't follow the framework/policies you work with them to develop, then the software is just going to sit on a shelf and collect dust and not be useful for reporting on your assets and thus, your vulnerabilities. But I'm sure I'm only preaching to the choir here!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">craig</dc:creator><pubDate>Wed, 09 May 2007 10:41:48 -0000</pubDate></item></channel></rss>