
eEye Digital Security


Easy way to compare scans?

Last post 12-14-2009 10:09 PM by LastDefense. 5 replies.
  • 11-06-2009 5:02 PM

    • jimbo
    • Top 500 Contributor
    • Joined on 11-07-2009
    • Posts 2

    Easy way to compare scans?

    We run Retina scans every month and what I'd like to do is show management the progress that's being made with IAV patching.

    Is there a way in Retina where I can compare scans?

    What I mean is:

    1st scan shows IAVA 2009-A-0001 is vulnerable on client1, client2, and client3.

    2nd scan shows the same IAVA 2009-A-0001 is vulnerable on client1 and client3.

    Looking at that, I can easily tell that the patch was applied to one client (client2). But imagine having multiple IAVs on hundreds of clients. Now you can see that manually doing this is too cumbersome.

  • 11-06-2009 7:24 PM In reply to

    Re: Easy way to compare scans?

    How are you running Retina?  What I mean is, are you running it from a server scanning your network, via Blink with REM, etc?

  • 11-07-2009 5:33 AM In reply to

    • jimbo
    • Top 500 Contributor
    • Joined on 11-07-2009
    • Posts 2

    Re: Easy way to compare scans?

    We run Retina as a stand-alone application to scan our network.

    But now that you mention REM, is that something that could do comparisons?  We have it, but have never used it.

    And when you say Blink, I have no idea what that refers to.

     

  • 11-07-2009 8:50 AM In reply to

    Re: Easy way to compare scans?

    Blink is eEye's endpoint protection suite that has Retina built into it. To my knowledge, REM only works with Blink to display all of the alerts and to break things down by category, but someone from eEye would have to comment further on that to be sure.

     

  • 11-09-2009 8:24 AM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 155

    Re: Easy way to compare scans?

    Hi Jimbo,

    Blue1978 is correct that the REM Management Console allows you to do delta and trending analysis on Retina scans. I'll give an example...

    Scanner 1 scans Network A once a month

    Scanner 2 scans Network B once a month

    In REM, I can run a vulnerability report of the results for the same month to combine the results of Scanner 1 and 2.

    In REM, I can run a vulnerability delta report for last month and compare to this month to see what's new, removed, and unchanged. The delta report can also be used to compare 2 scan jobs too (i.e. instead of 2 date ranges).

    Hope that helps.

     

  • 12-14-2009 10:09 PM In reply to

    Re: Easy way to compare scans?

    I have been using Retina w/o REM for quite some time and have a method for doing deltas. The most difficult part is ensuring you have a solid process in place and the ability to write your own SQL.

    Retina results are stored in .rtd files, which for all intents and purposes are an Access DB readable format. You can a) merge the Access DBs, b) import them into SQL 2008 server, or c) link them in as linked DBs to SQL 2008 or Access. (Of course, I am sure you can find a hundred different ways to skin this cat.)

    Once you have the data all in one place, it is a matter of just building queries that represent the reporting you would like to see on the data.  I have some basic ones like Count descending, top 10 offenders, bottom 10 offenders, top ten improvements, bottom ten improvements, and various dashboards and charts for management all from the data collected across any number of periodic scans.  I use these to create the reports for all levels as well as to support the kill cycle used during the remediation process.

    If you have the capability to deploy REM, especially in a distributed environment, that is your best bet, as Blue1978 and bpatten have mentioned, because the work I described above for the most part is being done for you.

    In my situation, I needed a lot more flexibility and also integration with SharePoint and other automation tools, so the raw data works best for me.

    LD
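A sketch of the delta query described in the post above, added here as an example; it is not code from any poster in this thread or from eEye. It runs the SQL against an in-memory SQLite database built from constructed data based on the scenario in the original question. The tables `scanned_hosts` and `findings`, their columns, and the `EXAMPLE-AUDIT-*` names are hypothetical and do not reflect the real layout of a Retina .rtd file.

```python
import sqlite3
from collections import defaultdict
A1 = "IAVA 2009-A-0001"                          # the IAVA from the original question
A2, A3 = "EXAMPLE-AUDIT-2", "EXAMPLE-AUDIT-3"    # constructed placeholders

# Constructed sample data: (scan id, hosts that responded, findings). Hypothetical schema.
SAMPLE = [
    ("2009-10", ["client1", "client2", "client3", "client4"],
     [("client1", A1), ("client2", A1), ("client3", A1), ("client4", A2)]),
    ("2009-11", ["client1", "client2", "client3"],          # client4 was offline
     [("client1", A1), ("client3", A1), ("client2", A3)]),
]

DELTA_SQL = """
SELECT o.host, o.audit,
       CASE WHEN n.host IS NOT NULL THEN 'unchanged'
            WHEN s.host IS NULL     THEN 'not_rescanned'
            ELSE 'removed' END AS status
FROM findings o
LEFT JOIN findings n ON n.scan_id = :new AND n.host = o.host AND n.audit = o.audit
LEFT JOIN scanned_hosts s ON s.scan_id = :new AND s.host = o.host
WHERE o.scan_id = :old
UNION ALL
SELECT n.host, n.audit, 'new'
FROM findings n
LEFT JOIN findings o ON o.scan_id = :old AND o.host = n.host AND o.audit = n.audit
WHERE n.scan_id = :new AND o.host IS NULL
"""

def load(sample):
    """Build the hypothetical merged database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE scanned_hosts (scan_id TEXT, host TEXT)")
    conn.execute("CREATE TABLE findings (scan_id TEXT, host TEXT, audit TEXT)")
    for scan_id, hosts, findings in sample:
        conn.executemany("INSERT INTO scanned_hosts VALUES (?, ?)", [(scan_id, h) for h in hosts])
        conn.executemany("INSERT INTO findings VALUES (?, ?, ?)",
                         [(scan_id, h, a) for h, a in findings])
    return conn

def delta(conn, old, new):
    """Return {status: sorted [(host, audit), ...]} comparing two scan ids."""
    out = defaultdict(list)
    for host, audit, status in conn.execute(DELTA_SQL, {"old": old, "new": new}):
        out[status].append((host, audit))
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    print(delta(load(SAMPLE), "2009-10", "2009-11"))
```

The `not_rescanned` status keeps a finding on a host that was absent from the later scan from being counted as remediated.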

© 1995 - 2009 eEye Incorporated