Does anyone here have institutional experience with McAfee Vulnerability Manager and Policy Auditor to give the straight dope on the similarities and differences? We're a large org, so a different department handles each of these tools and I'm the lowly ePO admin stuck in the middle.
From what I can tell, PA has great integrated reporting in ePO, whereas the integration with ePO for MVM is good in some ways (I can get the vulns on each host in ePO) but the reporting from ePO is limited, as it is only summary data.
Also, there seems to be a lot of overlap between the signatures giving us very redundant findings. What are the product differentiators?
Assuming you can scan all machines with creds, is there really a case to be made for using/maintaining/keeping both?
Here's the answer I received from McAfee's sales engineering team, posted with their permission:
In terms of product differentiators, PA vs MVM, yes, there is a lot of overlap. PA is compliance centric, MVM is vulnerability centric, so you will not get CVE info from PA etc. Pulling MVM data into ePO for reporting purposes is common since MVM reporting is very constrained compared to PA-ePO. MVM has a larger body of checks, network devices, etc. that PA will never support. So an integrated audit-scan approach is optimal – PA audits what it can, MVM scans what is left and the results are combined in PA. Some folks with servers do not want PA installed, some folks have custom apps that do not like being scanned by MVM. So, as you can see, in terms of maintaining one or the other, a lot of different scenarios can lead to one or the other, or both, being used.
However, while there is overlap and each can do much of what the other does, the focus of each solution is different.
MVM's focus is on vulnerability management. Its mission in life is to seek out vulns and report them. It does this across the network without using any agent on the target. Reporting can be done either from a vulnerability, patch, OS, asset, or compliance perspective, but what is always being sought and reported against are vulns. MVM includes default capability to find many, many non-OS vulns like Adobe, Java and QuickTime.
PA's focus is running benchmarks using the McAfee Agent as the execution mechanism. These benchmarks are generally used for compliance and patch management; however, the mechanism itself is capable of performing really anything it is programmed to do, so PA is very much like a Swiss Army knife in that regard. The focus of PA is the flip side of the MVM coin: while PA can be made to look for vulns and compliance, and most benchmarks almost certainly involve verification of specific configuration parameters / vulns, the focus is on the compliance template itself - not finding every vuln on the machine. It looks for the vulns the compliance template requires and then stops, whereas MVM collects every vuln it can find and then categorizes them based on compliance templates.
From an operations perspective, MVM is much more automated - point and shoot. Select the targets, select what you're looking for, select the schedule, then pull the trigger. PA requires much more setup and maintenance to ensure you're executing the right tests and collecting the right data. While the PA agent can literally do anything, configuring the agent to perform the kind of extensive checks that MVM does for every service and application would be time intensive. While updates and changes have made the benchmark editor easier to use, it still lacks the point-and-shoot ease of use that MVM has. It should also be noted that PA is limited to running on endpoints that have the McAfee Agent, while MVM can target any node on the network, including things like routers and switches.
The overlap is in reporting from a compliance framework - MVM does have templates built in that allow grouping vulns based on their respective compliance template and reporting on this - PCI for example. As mentioned, PA does have some capability to seek out and report on vulns as a part of its benchmarks, but its focus is much narrower. Another aspect of overlap is in reporting vuln details to ePO so ePO can associate given vulns with managed nodes, both for general reporting and MRA analysis.
It's all about focus - what each is focused on. In some ways they do many of the same things but from a different angle and for different end goals.