Good Day, I don't want this email to detract from the great value of this Bugtraq list but suspect most of us from time to time are too busy to monitor the list constantly (surely not!) With this in mind I have just updated the vendor agnostic list of subscription based vulnerability alert services found at http://www.securitywizardry.com/alert.htm I think it's pretty much complete but please notify me of any omissions. If you are considering the service route, I suggest you tread very carefully, the various products vary greatly in quality and price and the two don't necessarily correspond. The products discovered thus far at http://www.securitywizardry.com/alert.htm are: Symantec Deepsight Alert Services SecurityMob E-Secure-IT Sintelli Alert! iAlert Web PatchPortal SecurityTracker Vulnerability Tracking Service X-Force Threat Analysis Service If you are considering subscribing one I would like to suggest a few tips to consider Introduction Vulnerability Alert Services vary in the quality of output considerably. My experience has seen between zero and 80 alerts in a day. The great diversity in features between vendors should result in there being at least a few that meet your needs, though conversely perhaps many more that are perhaps unsuited to your environment. Length of evaluation Some alert services will only allow you to evaluate their services for one week, in my opinion this is not sufficient to fully gauge what they have to offer, aim for 30 days. Some will not allow you to trial what they have to offer at all, I'd ask, what are they hiding? Analysis The real value of an alert service is to cut down on your workload, monitoring and evaluating the threats on your behalf. When evaluating a service do they provide information regarding the threat that the vulnerability presents using terms like credibility of information source, verification of reported information, an estimate of risk, severity etc or are they merely regurgitating public information. Timing Whilst some alert services claim to offer 24x7 alerts my experience has shown otherwise, plot the receipt times of their alerts on a graph and see if they are truly a 24 hour operation, I was very surprised with the results. If you aren't interested in out of hours alerts and you are in the same time zone as the provider then use their lack of out of hour response to reduce the cost. If however you need 24x7 alerts go elsewhere. Latency Ideally your alert service will advise you of a vulnerability prior to it's public release, some do a good job at this. However, more common is notification over 24 hours after the public release, ie way, way too late. Filters Most Vulnerability alert services allow you to tune the events you receive to your environment. The most common method is to select those products you wish to see alerts for, for instance NT4 service pack 6a or later. The selection is usually based on an existing vulnerability database, see how far back their database goes. If however one of your products hasn't had a vulnerability discovered previously (Cyberguard) then you may not be able to select it for it's first vulnerability. If you look after a larger networking environment it may be worth checking if the provider allows you to select all products and exclude certain products that you don't have. This may also get around the first vulnerability problem mentioned earlier. Emergency Alerts Every now and the carp really hits the fan, in Europe this is usually 1730 on a Friday evening, allowing our American cousins enough time to address the problem before their weekend. Does your alert service output emergency alerts to a specified email address or SMS. Value Added Does the alert service also notify you about malware and other crucial Internet intelligence. Does it have access to live IDS feeds advising you about new port probe trends, does it monitor IRC for what is happening in the badlands. Cost The cost of the alert services seems to vary greatly, a higher price doesn't always indicate a better service. Hope it helps take care -andy Talisker Security Tools Directory http://www.securitywizardry.com
