QRadar Vulnerability Manager deployments

Locate and manage the vulnerabilities in your network by deploying IBM® QRadar® Vulnerability Manager. Enhance your network security by integrating add-on features such as HCL BigFix® and IBM Security SiteProtector.

IBM QRadar Vulnerability Manager discovers vulnerabilities on your network devices, applications, and software, adds context to the vulnerabilities, prioritizes asset risk in your network, and supports the remediation of discovered vulnerabilities.

You can integrate QRadar Risk Manager for added protection. It provides network topology, active attack paths, and high-risk assets, and adjusts asset risk scores based on policy compliance. QRadar Vulnerability Manager and QRadar Risk Manager are combined into one offering, and both are enabled through a single base license.

You access IBM QRadar Vulnerability Manager by using the Vulnerabilities tab. Depending on the product that you install, and whether you upgrade IBM QRadar or install a new system, the Vulnerabilities tab might not be displayed. If you install IBM QRadar SIEM, the Vulnerabilities tab is enabled by default with a temporary license key. If you install QRadar Log Manager, the Vulnerabilities tab is not enabled. You can use the Try it Out option to try QRadar Vulnerability Manager for 30 days. You can purchase the license for QRadar Vulnerability Manager separately and enable it by using a license key. For more information about upgrading, see the IBM QRadar Upgrade Guide.

QRadar Vulnerability Manager components

The following information describes the QRadar Vulnerability Manager Processor.

  • The scan processor is responsible for scheduling and managing scans, and for delegating work to the scanners, which might be distributed throughout your network.
  • You can have only one scan processor in a QRadar deployment.
  • When you install and license QRadar Vulnerability Manager on an All-in-One system, a vulnerability processor is automatically deployed on your QRadar Console and includes a scanning component.
  • The vulnerability processor provides a scanning component by default. If required, you can move the vulnerability processor to a different managed host in your deployment.
  • If you add a 600 managed host appliance, and QRadar Vulnerability Manager is used for the first time, then the scan processor is assigned to the 600 managed host appliance.
  • The scan processor is governed by the processing license, which determines the maximum number of assets that QRadar Vulnerability Manager can process.
  • The scan processor can run on the QRadar Console or a managed host.

The following information describes the QRadar Vulnerability Manager scanner.

  • You can deploy a scanner on a virtual machine or as software only.
  • You can deploy a dedicated QRadar Vulnerability Manager scanner appliance, which is a 610 appliance.
  • You can deploy a scanner on a QRadar Console or on the following managed hosts: Flow Collector, Flow Processor, Event Collector, Event Processor, or Data Node.
  • The number of assets that you can scan with a scanner is determined by the scanner capacity and is not impacted by licensing.

Components and scan process

Scan jobs are completed by a processor and a scanner component. The following diagram shows the scan components and the processes that run.

Figure 1. Scan components and process
The following list describes the steps in the scan process:
  1. You create a scan job by specifying parameters such as IP addresses of assets, type of scan, and required credentials for authenticated scans.
  2. The scan job is accepted by the processor, logged, and added to the database along with scheduling information to determine when the job runs.
  3. The scheduler component manages the scheduling of scans. When the scheduler initiates a scan, it determines the list of tools that are required and queues them for invocation, and then the tools are assigned to the relevant scanner.
  4. Scanners continuously poll the scan processor for scan tools that they must run, identifying themselves by a unique scanner ID. When the scheduler has queued tools that are relevant to a specific scanner, the tools are sent to that scanner for invocation.

    QRadar Vulnerability Manager uses an attack tree methodology to manage scans and to determine which tools are launched. The phases are: asset discovery, port/service discovery, service scan, and patch scan.

  5. The dispatcher runs and manages each scan tool in the list. For each tool that is run, the dispatcher sends a message to the processor that indicates when a scan tool starts and finishes.
  6. The output from the scan tool is read by the result writer, which then passes these results back to the processor.
  7. The result dispatcher processes the raw results from the scan tools and records them into the Postgres database.
  8. The result exporter finds completed scans in the processor database and exports the results to the QRadar Console.
  9. The exported results are added to the QRadar database where users can view and manage the scan results.
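The scan flow in steps 1 through 9, as an added example in Python that is not QRadar code: a Processor accepts a job and keeps one tool queue per scanner; each Scanner polls only for its own scanner ID, dispatches each tool, reports start and finish, and writes the result back; the Processor then walks the attack tree (asset discovery, port/service discovery, service scan, patch scan), queuing the next phase for a host only when the previous phase produced something. The class names, the fake tools, the sample inventory and the credential handling are assumptions made for illustration, not QRadar's internal interfaces.

```python
# Added example (not QRadar code): a minimal model of the scan flow described
# above. All class names, tool behaviours and the network inventory are
# assumptions made for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Attack-tree phases in the order the page lists them.
PHASES = ["asset_discovery", "port_service_discovery", "service_scan", "patch_scan"]

@dataclass
class ScanJob:
    job_id: int
    targets: list              # IP addresses to scan
    scanner_id: str            # scanner assigned to this job
    credentials: dict = field(default_factory=dict)  # needed for the patch scan

@dataclass
class ToolRun:
    job_id: int
    phase: str
    target: str

class Processor:
    """Scan processor: job intake, per-scanner tool queues, result store."""
    def __init__(self):
        self.jobs = {}
        self.queues = defaultdict(deque)   # scanner_id -> pending ToolRuns
        self.results = defaultdict(list)   # job_id -> (phase, target, data) tuples
        self.events = []                   # start/finish messages from dispatchers

    def accept(self, job):
        """Step 2: log the job and queue the first attack-tree phase per target."""
        self.jobs[job.job_id] = job
        for ip in job.targets:
            self.queues[job.scanner_id].append(ToolRun(job.job_id, PHASES[0], ip))

    def poll(self, scanner_id, limit=10):
        """Step 4: hand a scanner only the tools queued for its own ID."""
        queue, batch = self.queues[scanner_id], []
        while queue and len(batch) < limit:
            batch.append(queue.popleft())
        return batch

    def record(self, run, data):
        """Step 7: store a tool result; queue the next phase only if it found something."""
        self.results[run.job_id].append((run.phase, run.target, data))
        nxt = PHASES.index(run.phase) + 1
        if data and nxt < len(PHASES):
            job = self.jobs[run.job_id]
            self.queues[job.scanner_id].append(ToolRun(run.job_id, PHASES[nxt], run.target))

class Scanner:
    """Scanner: poll, dispatch each tool, report start/finish, write results."""
    def __init__(self, scanner_id, processor, tools):
        self.scanner_id, self.processor, self.tools = scanner_id, processor, tools

    def cycle(self):
        """One poll/dispatch/write cycle; returns the number of tools run."""
        runs = self.processor.poll(self.scanner_id)
        for run in runs:
            self.processor.events.append(("start", self.scanner_id, run.phase, run.target))
            creds = self.processor.jobs[run.job_id].credentials
            self.processor.record(run, self.tools[run.phase](run.target, creds))
            self.processor.events.append(("finish", self.scanner_id, run.phase, run.target))
        return len(runs)

    def run_until_idle(self):
        total = 0
        while (n := self.cycle()):
            total += n
        return total

# Constructed sample network that the fake tools answer from (not real hosts).
INVENTORY = {
    "10.0.0.5": {"ports": {22: "ssh", 80: "http"}, "missing_patches": ["example-patch-1"]},
    "10.0.0.6": {"ports": {443: "https"}, "missing_patches": []},
    "10.0.0.7": None,   # unreachable: the attack tree stops after discovery
}
TOOLS = {
    "asset_discovery": lambda ip, c: {"alive": True} if INVENTORY.get(ip) else {},
    "port_service_discovery": lambda ip, c: dict(INVENTORY[ip]["ports"]),
    "service_scan": lambda ip, c: {p: f"{s} banner checked" for p, s in INVENTORY[ip]["ports"].items()},
    # An unauthenticated scan cannot inspect patch state, so it yields nothing.
    "patch_scan": lambda ip, c: list(INVENTORY[ip]["missing_patches"]) if c else [],
}

def run_scan(targets, credentials=None):
    """Run one job on scanner-A and report what each component saw."""
    proc = Processor()
    assigned = Scanner("scanner-A", proc, TOOLS)
    other = Scanner("scanner-B", proc, TOOLS)     # different ID: must receive nothing
    proc.accept(ScanJob(1, targets, "scanner-A", credentials or {}))
    tools_run = assigned.run_until_idle()
    phases = defaultdict(list)
    for phase, target, _ in proc.results[1]:
        phases[target].append(phase)
    patches = {t: d for p, t, d in proc.results[1] if p == "patch_scan" and d}
    return {"tools_run": tools_run, "other_scanner_runs": other.run_until_idle(),
            "phases": dict(phases), "missing_patches": patches, "events": len(proc.events)}

if __name__ == "__main__":
    print(run_scan(list(INVENTORY), {"user": "scan-svc"}))
```

Running the module with the constructed inventory dispatches nine tools in four polling rounds: the unreachable host stops after asset discovery, the other two hosts pass through all four phases, and the second scanner, which has a different ID, never receives work. Running the same job without credentials still executes the patch-scan tool but records no missing patches, which is the behaviour an unauthenticated scan shows in practice.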

All-in-one deployment

You can run QRadar Vulnerability Manager from an All-in-one system, where the scanning and processing functions are on the Console. The following information describes what you can do with a basic setup:
  • Scan up to 255 assets.
  • Unlimited discovery scans.
  • Use hosted scanner for DMZ scanning.
  • Manage scan data from third-party scanners that are integrated with QRadar.
  • Deploy a scanner on any managed host.
  • Deploy unlimited stand-alone software or virtual scanners.

Expanding a deployment

As your deployment grows, you might need to move the processing function off the QRadar Console to free up resources, and you might want to deploy scanners closer to your assets.

The following list describes reasons to add scanners to your deployment:
  • To scan assets in a different geographic region than the QRadar Vulnerability Manager processor.
  • To scan many assets concurrently within a short time frame.
  • To avoid scanning through a firewall that is a log source. You might also consider connecting the scanner directly to the network by adding an interface on the scanner host that bypasses the firewall.

The following diagram shows a scanning deployment with external scanning and scanners deployed on managed hosts.

Figure 2. Scanning deployment

DMZ hosted scanner

A hosted scanner scans your DMZ from the internet by using your public IP address. If you want to scan the assets in the DMZ for vulnerabilities, you do not need to deploy a scanner in your DMZ. You must configure QRadar Vulnerability Manager with a hosted IBM scanner that is located outside your network. For more information, see the IBM QRadar Vulnerability Manager User Guide.

QRadar Vulnerability Manager integrations

IBM QRadar Vulnerability Manager integrates with HCL BigFix to help you filter and prioritize the vulnerabilities that can be fixed. BigFix provides shared visibility and control between IT operations and security. BigFix applies Fixlets to high priority vulnerabilities that are identified and sent by QRadar Vulnerability Manager to BigFix. Fixlets are packages that you deploy to your assets or endpoints to remediate specific vulnerabilities.

QRadar Vulnerability Manager integrates with IBM Security SiteProtector to help direct intrusion prevention system (IPS) policy. When you configure IBM Security SiteProtector, the vulnerabilities that are detected by scans are automatically forwarded to IBM Security SiteProtector. IBM Security SiteProtector receives vulnerability data only from QRadar Vulnerability Manager scans that run after the integration is configured. For more information, see Connecting to IBM Security SiteProtector.

Third-party scanners

QRadar Vulnerability Manager delivers an effective vulnerability management platform, regardless of the source of the scan data. QRadar Vulnerability Manager integrates seamlessly with third-party scanners such as Nessus, nCircle, and Rapid7.

You require QRadar Vulnerability Manager scanning to get the following options:
  • Event driven and on-demand scanning
  • Asset database and watchlist based scanning
  • Scanning from existing QRadar appliances and managed hosts
  • Detection of newly published vulnerabilities that are not present in any scan results

You require QRadar Risk Manager to get the following options:
  • Asset, vulnerability, and traffic-based vulnerability management
  • Adjusted vulnerability scores and context aware risk scoring.
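The kind of normalization that managing third-party scan data (described above and under the All-in-one deployment) requires, as an added example in Python that is not QRadar code: a constructed .nessus v2 fragment is parsed into per-asset vulnerability records, informational plugin output (severity 0) is dropped, and each asset is rolled up by its highest severity and distinct CVEs, which is the shape of data that can then be merged with QRadar Vulnerability Manager's own results. The XML element and attribute names follow the published .nessus v2 layout; the record field names, the sample hosts, the plugin IDs and the CVE identifier are the example's own placeholders.

```python
# Added example (not QRadar code): normalize a third-party scanner export into
# per-asset vulnerability records. The XML below is a constructed .nessus v2
# fragment; the hosts, plugin IDs and the CVE identifier are placeholders.
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Linux Kernel 5.x</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Placeholder SSH finding">
        <cve>CVE-0000-00001</cve>
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="Host information (informational)">
        <plugin_output>uptime and banner details</plugin_output>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <HostProperties>
        <tag name="host-ip">10.0.0.6</tag>
      </HostProperties>
      <ReportItem port="443" svc_name="https" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="Placeholder TLS configuration finding">
        <cvss_base_score>5.3</cvss_base_score>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.7">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="Host information (informational)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>"""

def parse_nessus(xml_text):
    """Return one normalized record per non-informational ReportItem."""
    records = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip") or host.get("name")
        for item in host.iter("ReportItem"):
            severity = int(item.get("severity", "0"))
            if severity == 0:
                continue       # plugin output, not a vulnerability
            score = item.findtext("cvss_base_score")
            records.append({
                "ip": ip,
                "os": props.get("operating-system", ""),
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "service": item.get("svc_name", ""),
                "severity": severity,
                "plugin_id": item.get("pluginID"),
                "title": item.get("pluginName", ""),
                "cves": [c.text for c in item.findall("cve") if c.text],
                "cvss": float(score) if score else None,
                "source": "nessus",
            })
    return records

def asset_summary(records):
    """Per-asset roll-up: finding count, highest severity, distinct CVEs."""
    summary = defaultdict(lambda: {"findings": 0, "max_severity": 0, "cves": set()})
    for r in records:
        s = summary[r["ip"]]
        s["findings"] += 1
        s["max_severity"] = max(s["max_severity"], r["severity"])
        s["cves"].update(r["cves"])
    return dict(summary)

if __name__ == "__main__":
    for ip, s in sorted(asset_summary(parse_nessus(SAMPLE_NESSUS)).items()):
        print(ip, s)
```

Assets that produce only informational output, such as the third host in the sample, carry no findings and therefore do not appear in the roll-up; if they are needed in the asset inventory, collect them separately from the ReportHost elements rather than from the findings.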