FAQs

Vulnerability scanners check systems against a known list of vulnerability signatures. SecurityExpressions audits systems against a system security policy, whether a home-grown policy or one published by Microsoft, SANS, NSA, NIST or another industry organization. The two serve different purposes: a vulnerability scanner finds certain specific security problems in your configuration, whereas an audit and compliance solution checks your systems against a complete, detailed system security policy. Items a typical vulnerability scanner does not cover but a system security policy file can include:

  • Operating system configuration settings such as users and groups, user rights, user account policies, registry settings and key permissions
  • Application configuration settings
  • Unauthorized hardware/software
  • Advanced settings such as queries, user account activity, login accounts and system utilization

The MS Fixes file (for Microsoft Hot Fixes/Patches) is usually updated within 3 days of Microsoft's announcement of a new Security Bulletin. Other Security Policy Files (SPFs) are updated as changes are required by customers.

SecurityExpressions includes many Security Policy Files, such as application inventory, MS hot fixes, Solaris patches, the Microsoft Security White Paper, SANS step-by-step guidelines, NSA, NIST and others. All of these policy files are highly customizable: rules can be edited, deleted or added. Most companies begin with a best-practices security policy file and then delete, add or edit rules to meet their own requirements. Because rules are written as flexible expressions, there is no fixed limit to the settings that SecurityExpressions can audit and fix. SecurityExpressions is comprehensive, flexible and customizable, especially in regard to its Security Policy Files.

Benchmarking provides a single measurement of audit compliance status, so all levels of IT management can work from one number presented as a percentage of compliance. For example, if compliance was at 82% and the set benchmark was 80%, then 82% is a passing score. Each rule can be assigned a weighting of High, Medium or Low, and a weighted percentage is calculated from the results to give a single composite score. This weighted average is one number that is easy to communicate to all management levels.
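The weighted benchmark calculation described above, as an added example in Python (not SecurityExpressions' own code): the numeric weights of 3/2/1 for High/Medium/Low, the sample rule results and the inclusive pass threshold are assumptions, since the page names only the three levels and the 82%-versus-80% example.

```python
"""Weighted compliance score and benchmark check for an audit run.

Added illustration, not SecurityExpressions' own implementation.
Weight values and the sample rule results are assumptions.
"""
from dataclasses import dataclass

# Assumed numeric weights; the FAQ only names the three levels.
WEIGHTS = {"High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class RuleResult:
    name: str
    priority: str   # "High", "Medium" or "Low"
    passed: bool


def unweighted_compliance(results):
    """Plain percentage of rules that passed (every rule counts equally)."""
    if not results:
        raise ValueError("no rule results")
    return 100.0 * sum(r.passed for r in results) / len(results)


def weighted_compliance(results, weights=WEIGHTS):
    """Percentage of the total available weight earned by passing rules."""
    total = sum(weights[r.priority] for r in results)
    if total == 0:
        raise ValueError("no rule results")
    earned = sum(weights[r.priority] for r in results if r.passed)
    return 100.0 * earned / total


def meets_benchmark(score, benchmark):
    """Assumed inclusive threshold: a score at or above the benchmark passes."""
    return score >= benchmark


# Constructed sample audit of ten policy rules: one Medium and two Low
# rules fail, all High rules pass.
SAMPLE = [
    RuleResult("Guest account disabled", "High", True),
    RuleResult("Minimum password length set", "High", True),
    RuleResult("Account lockout threshold set", "High", True),
    RuleResult("Registry key ACL restricted", "High", True),
    RuleResult("Audit logon events enabled", "Medium", True),
    RuleResult("Unauthorized software absent", "Medium", True),
    RuleResult("Screen saver password required", "Medium", False),
    RuleResult("Logon banner configured", "Low", True),
    RuleResult("Unused service stopped", "Low", False),
    RuleResult("Unapproved hardware absent", "Low", False),
]
```

With this sample the plain score is 70% (fails an 80% benchmark) while the weighted score is about 81% (passes), which is the effect of weighting High rules more heavily than Low ones.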