Like most security professionals, I subscribe to a plethora of email lists, from Dark Reading to Threat Post. Every day I receive their news, review the titles in their daily summary emails and drill into a few that catch my eye. What I like about this approach is that I receive a daily summary of “what’s new” and decide what action to take (to read or not to read). Now you may be asking what this has to do with vulnerability management reports for daily security. Should your daily security routine involve combing through a hundred-page report for the information you need, or would a summary email, or even an alert, be better when something has changed that warrants your attention (what’s new)? I vote for the latter.
So how can you get your top vulnerability management reports for daily security? Every vendor in the vulnerability management space can create a vulnerability report, and most can create some form of executive report. The executive report is good for a daily view of the overall assets you may want to track. For a security professional, it lacks the depth and technical findings that might merit further investigation. So how do you get the best of both worlds for your daily view? How about a Score Card that provides that executive look and allows drill-down into the technical components when more detail is needed? Let’s start with an example of a regular Executive Report:
While this provides incredibly valuable information regarding the most vulnerable assets in the group and the vulnerabilities identified across the enterprise in the last 30 days, it is not enough for the security professional to decide whether they need to take immediate action. This problem is true of executive reports regardless of the vulnerability management solution. It is top-level information with little guidance for immediate corrective action or process change on a daily basis.
Now let’s look at the concept of a Score Card Daily Report. In lieu of just showing assets and vulnerabilities, having the report focus on the importance of the data to my business helps me understand the relevance of each vulnerability. Consider if your business were tied to the Healthcare vertical market. Having each of these vulnerabilities mapped to compliance requirements and presented in a way that shows unaccepted risk would be more important, right? Below is a sample from Retina Insight of this type of mapping:
On a daily or even a weekly basis, a Score Card report can be automatically produced showing you the vulnerabilities in your environment mapped to the technical requirements of HIPAA (or whatever regulations are applicable to your business). This shows you at a single glance the age of the vulnerabilities, that is, how long they have been present, color coded to illustrate when problems have been present longer than the acceptable threshold. From a security professional’s point of view, the longer a vulnerability is present and unpatched, the more likely it will be exploited. Vulnerabilities over 30 days old are generally not acceptable unless you accept the risk and document the exclusion. So from this Score Card Report perspective, understanding the age of vulnerabilities and how they relate to my business is just one of the top reports for daily security. These reports exist in Retina Insight for PCI, SOX, HIPAA, GLB, NERC/FERC, and many others.
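To make the aging logic concrete, here is an added example (not eEye or Retina Insight code) that builds a score card of the kind described above from a scanner export: each open finding is aged from the date it was first seen, rolled up under the compliance control it maps to, and flagged as unaccepted risk when it is older than the 30-day threshold and no documented risk acceptance covers it. The finding records, host names, vulnerability IDs, control labels and the yellow warning band are constructed for illustration; in practice the rows would come from your scanner’s export and the control mapping from your own policy.

```python
"""Daily vulnerability score card: age every open finding, group it by the
compliance control it maps to, and flag unaccepted risk past the threshold.

Added example, not eEye/Retina code. All records below are constructed.
"""
from collections import defaultdict
from datetime import date

# Policy threshold from the post: findings older than this need a documented
# risk acceptance. The warning band (last third of the window) is an assumption.
ACCEPTABLE_AGE_DAYS = 30
WARNING_AGE_DAYS = ACCEPTABLE_AGE_DAYS * 2 // 3

# Constructed scanner export: one row per open finding on a host.
# "first_seen" is the scan date the finding was first reported;
# "accepted_until" is set only when a documented risk acceptance exists.
FINDINGS = [
    {"host": "db01", "vuln": "VULN-001 (constructed)", "severity": "High",
     "control": "HIPAA 164.312(a)(1) Access control",
     "first_seen": date(2024, 1, 3), "accepted_until": None},
    {"host": "web01", "vuln": "VULN-002 (constructed)", "severity": "Medium",
     "control": "HIPAA 164.312(e)(1) Transmission security",
     "first_seen": date(2024, 1, 25), "accepted_until": None},
    {"host": "web01", "vuln": "VULN-003 (constructed)", "severity": "Low",
     "control": "HIPAA 164.312(e)(1) Transmission security",
     "first_seen": date(2024, 2, 10), "accepted_until": None},
    {"host": "legacy01", "vuln": "VULN-004 (constructed)", "severity": "High",
     "control": "HIPAA 164.312(a)(1) Access control",
     "first_seen": date(2023, 12, 1), "accepted_until": date(2024, 6, 30)},
    {"host": "files01", "vuln": "VULN-005 (constructed)", "severity": "Medium",
     "control": "HIPAA 164.312(b) Audit controls",
     "first_seen": date(2024, 1, 10), "accepted_until": date(2024, 2, 1)},
]


def age_days(finding, today):
    """Days the finding has been open as of the report date."""
    return (today - finding["first_seen"]).days


def status(finding, today):
    """Color-code one finding: 'accepted' (documented exclusion still valid),
    'red' (over threshold, not accepted), 'yellow' (approaching), 'green'."""
    accepted_until = finding["accepted_until"]
    if accepted_until is not None and accepted_until >= today:
        return "accepted"
    age = age_days(finding, today)
    if age > ACCEPTABLE_AGE_DAYS:
        return "red"
    if age > WARNING_AGE_DAYS:
        return "yellow"
    return "green"


def score_card(findings, today):
    """Roll findings up per control: a count per status and the age of the
    oldest finding that is not covered by an acceptance."""
    card = defaultdict(lambda: {"green": 0, "yellow": 0, "red": 0,
                                "accepted": 0, "oldest_days": 0})
    for f in findings:
        row = card[f["control"]]
        s = status(f, today)
        row[s] += 1
        if s != "accepted":
            row["oldest_days"] = max(row["oldest_days"], age_days(f, today))
    return dict(card)


def unaccepted_risk(findings, today):
    """The items the post says warrant attention: past the threshold and
    without a valid documented exclusion (an expired acceptance does not count)."""
    return [f for f in findings if status(f, today) == "red"]


def render(card):
    """One line per control, suitable for the body of a daily summary email."""
    lines = []
    for control, row in sorted(card.items()):
        lines.append(
            f"{control}: red={row['red']} yellow={row['yellow']} "
            f"green={row['green']} accepted={row['accepted']} "
            f"oldest={row['oldest_days']}d")
    return "\n".join(lines)


if __name__ == "__main__":
    report_date = date(2024, 2, 15)  # constructed report date
    print(render(score_card(FINDINGS, report_date)))
    for f in unaccepted_risk(FINDINGS, report_date):
        print(f"ATTENTION: {f['host']} {f['vuln']} open {age_days(f, report_date)}d")
```

The key design choice is that an expired acceptance is treated the same as no acceptance, so a finding cannot quietly stay green after the documented exclusion lapses; the oldest-age column also ignores accepted items, which keeps it a measure of unaccepted exposure rather than of everything ever found.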
Another report that security professionals like on a daily basis is based on Alerts. This is the “What’s New” in my environment that I should be aware of. Within Retina CS, a user has the ability to create Smart Groups and Smart Rules based on almost any discovered trait of a host. This includes the ability to build a rule based on newly discovered (or rogue) devices and to send an email and report when new devices are identified or changes occur. Below is a sample of this type of rule:
From a daily perspective, a security professional may want continuous monitoring of a sensitive network, like one used for credit card payment transactions. All changes to the environment should be planned and documented accordingly, and no new devices should come online without following the proper processes. This type of alert would notify me when a new device is added, automatically build a logic group for any and all devices in that segment, and a scheduled report would give me the details based on the scan used to identify the new devices. If the environment stays status quo, no alerts are generated and I receive my daily scan report via email. If changes occur, either new vulnerabilities or new devices (depending on how I set up the rule), I am alerted and can investigate deeper in my automatically delivered report. This meets the need for a high-level summary with the ability to drill down, just like the Score Card.
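The rule described in the last two paragraphs is essentially a comparison of today’s discovery scan against the last known-good inventory of the sensitive segment. The following added example (not Retina CS code) shows that evaluation: it scopes both scans to the segment, reports devices that are new, that have disappeared, or whose hardware address changed at a known IP (this last case goes slightly beyond the post’s “new device” rule, on the reasoning that a different NIC at the same address is also a device nobody planned for), and reports new findings on known hosts; an alert is raised only when something changed, otherwise the routine summary goes out. The segment CIDR, host records, MAC addresses and finding IDs are all constructed.

```python
"""Daily 'what's new' check for a sensitive segment: diff today's discovery
scan against the baseline inventory and alert only on change.

Added example, not Retina CS code. Segment, hosts and findings are constructed.
"""
import ipaddress

# Constructed cardholder-data segment that the rule is scoped to.
SEGMENT = ipaddress.ip_network("10.20.30.0/24")

# Constructed scan snapshots: ip -> {"mac": ..., "findings": set of IDs}.
BASELINE = {
    "10.20.30.10": {"mac": "00:11:22:33:44:01", "findings": {"V-1", "V-2"}},
    "10.20.30.11": {"mac": "00:11:22:33:44:02", "findings": set()},
    "10.20.30.12": {"mac": "00:11:22:33:44:03", "findings": {"V-9"}},
}
TODAY = {
    "10.20.30.10": {"mac": "00:11:22:33:44:01", "findings": {"V-1", "V-2", "V-3"}},  # new finding
    "10.20.30.11": {"mac": "00:11:22:33:44:77", "findings": set()},                  # same IP, different NIC
    "10.20.30.57": {"mac": "00:11:22:33:44:99", "findings": set()},                  # never seen before
    "10.20.31.5":  {"mac": "00:11:22:33:44:55", "findings": {"V-4"}},                # outside the segment
}


def in_scope(ip, segment=SEGMENT):
    """Smart-group membership: only hosts inside the monitored segment count."""
    return ipaddress.ip_address(ip) in segment


def diff_scans(baseline, today, segment=SEGMENT):
    """Evaluate the rule. Returns what changed inside the segment since the
    baseline; empty lists/dicts mean the environment is status quo."""
    delta = {"new_devices": [], "replaced_devices": [],
             "missing_devices": [], "new_findings": {}}
    for ip in sorted(today, key=ipaddress.ip_address):
        if not in_scope(ip, segment):
            continue
        host = today[ip]
        old = baseline.get(ip)
        if old is None:
            delta["new_devices"].append(ip)
            continue
        if old["mac"] != host["mac"]:
            delta["replaced_devices"].append(ip)
        added = host["findings"] - old["findings"]
        if added:
            delta["new_findings"][ip] = sorted(added)
    for ip in sorted(baseline, key=ipaddress.ip_address):
        if in_scope(ip, segment) and ip not in today:
            delta["missing_devices"].append(ip)
    return delta


def evaluate(baseline, today, segment=SEGMENT):
    """Return (alert, report_text). The report is sent either way; the alert
    flag is what would trigger the out-of-band email."""
    delta = diff_scans(baseline, today, segment)
    changed = any(delta.values())
    scoped = sorted(ip for ip in today if in_scope(ip, segment))
    lines = [f"Segment {segment}: {len(scoped)} device(s) seen today"]
    if not changed:
        lines.append("No new devices or findings; no action required.")
        return False, "\n".join(lines)
    for ip in delta["new_devices"]:
        lines.append(f"ALERT new device {ip} (MAC {today[ip]['mac']})")
    for ip in delta["replaced_devices"]:
        lines.append(f"ALERT {ip} hardware changed {baseline[ip]['mac']} -> {today[ip]['mac']}")
    for ip in delta["missing_devices"]:
        lines.append(f"NOTE {ip} in baseline but not seen today")
    for ip, ids in delta["new_findings"].items():
        lines.append(f"ALERT new finding(s) on {ip}: {', '.join(ids)}")
    return True, "\n".join(lines)


if __name__ == "__main__":
    alert, text = evaluate(BASELINE, TODAY)
    print(text)
    print("send alert email" if alert else "send routine summary only")
```

Once the day’s scan has been reviewed, the reviewed snapshot becomes the new baseline; doing that automatically would defeat the rule, because an unplanned device would be “known” by the next run without anyone having approved it.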
The top vulnerability management reports for daily security will vary per business and by requirements. The common theme is to make them relevant to your business and to identify when unwarranted exceptions occur. eEye’s Retina solutions can do both and ease the burden of reporting on vulnerabilities for daily security management.