
Security in Context: The BeyondTrust Blog


Top VM Reports for Daily Security

Posted February 15, 2011    Morey Haber

Like most security professionals, I subscribe to a plethora of email lists, from Dark Reading to Threat Post. Every day I receive their news, review the titles in their daily summary emails, and drill into a few that catch my eye. What I like about this approach is that I get a daily summary of “what’s new” and decide what action to take (to read or not to read). Now you may be asking what this has to do with vulnerability management reports for daily security. Should your daily security involve combing through a hundred-page report for the information you need, or would a summary email, or even an alert, be better when something has changed that warrants your attention (what’s new)? I vote for the latter.

So how can you get your top vulnerability management reports for daily security? Every vendor in the vulnerability management space can create a vulnerability report, and most can create some form of executive report. The executive report is good for a daily view of the overall assets you may want to track, but for a security professional it lacks the depth and technical findings that might merit further investigation. So how do you get the best of both worlds for your daily view? How about a Score Card that provides the executive look and allows drill-down into the technical components when more detail is needed? Let’s start with an example of a regular Executive Report:

While this provides incredibly valuable information about the most vulnerable assets in the group and the vulnerabilities identified across the enterprise in the last 30 days, it is not enough for a security professional to decide whether immediate action is needed. This is true of executive reports regardless of the vulnerability management solution: it is top-level information with little guidance for immediate corrective action or day-to-day process change.

Now let’s look at the concept of a Score Card Daily Report. Instead of just showing assets and vulnerabilities, having the report focus on how the data matters to my business helps me understand the relevance of each vulnerability. Consider a business tied to the healthcare vertical market. Wouldn’t it be more useful to have each of these vulnerabilities mapped to compliance requirements and presented in a way that shows unaccepted risk? Below is a sample from Retina Insight of this type of mapping:

On a daily or even weekly basis, a Score Card report can be produced automatically, showing the vulnerabilities in your environment mapped to the technical requirements of HIPAA (or whatever regulations apply to your business). At a single glance it shows the age of each vulnerability, that is, how long it has been present, and color codes the entries that have been open longer than the acceptable threshold. From a security professional’s point of view, the longer a vulnerability is present and unpatched, the more likely it is to be exploited. Vulnerabilities over 30 days old are generally not acceptable unless you accept the risk and document the exclusion. So from a Score Card perspective, understanding the age of vulnerabilities and how they relate to my business is one of the top reports for daily security. These reports exist in Retina Insight for PCI, SOX, HIPAA, GLB, NERC/FERC, and many others.
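To make the age-based Score Card concrete, here is an added example (not Retina Insight code) that maps constructed findings to hypothetical compliance clauses, applies the 30-day threshold, and only downgrades an overdue finding from red to amber when a documented risk acceptance exists; the clause labels, hosts, dates and vulnerability ids are all constructed.

```python
from datetime import date

AGE_THRESHOLD_DAYS = 30  # the page's "generally not acceptable" cut-off
TODAY = date(2011, 2, 15)  # constructed report date

# Constructed crosswalk from vulnerability id to the requirement it affects.
# Clause labels are hypothetical placeholders, not a real HIPAA mapping.
COMPLIANCE_MAP = {
    "VULN-A": "HIPAA-ACCESS-CONTROL",
    "VULN-B": "HIPAA-TRANSMISSION-SECURITY",
    "VULN-C": "HIPAA-ACCESS-CONTROL",
}

# Constructed findings: (host, vulnerability id, date first seen by the scanner).
FINDINGS = [
    ("db01", "VULN-A", date(2011, 1, 2)),
    ("web01", "VULN-B", date(2011, 2, 10)),
    ("web02", "VULN-C", date(2010, 12, 20)),
]

# Documented exclusions: accepted risk keyed by (host, vulnerability id).
ACCEPTED_RISK = {("web02", "VULN-C"): "change ticket (constructed)"}


def classify(age_days, accepted):
    """Color band for one finding: green within threshold, amber when over the
    threshold but documented as accepted risk, red when over and undocumented."""
    if age_days <= AGE_THRESHOLD_DAYS:
        return "green"
    return "amber" if accepted else "red"


def score_card(findings, today, comp_map, accepted):
    """Group findings by compliance requirement, count each band and track the
    oldest open finding so the daily reader sees unaccepted risk immediately."""
    card = {}
    for host, vuln, first_seen in findings:
        age = (today - first_seen).days
        band = classify(age, (host, vuln) in accepted)
        req = comp_map.get(vuln, "UNMAPPED")
        row = card.setdefault(req, {"green": 0, "amber": 0, "red": 0, "oldest_days": 0})
        row[band] += 1
        row["oldest_days"] = max(row["oldest_days"], age)
    return card


def run_report():
    """Produce today's score card from the constructed data above."""
    return score_card(FINDINGS, TODAY, COMPLIANCE_MAP, ACCEPTED_RISK)
```

A red count greater than zero in any row is the signal the page describes: a vulnerability past the threshold with no documented exclusion.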

Another report that security professionals like on a daily basis is based on alerts. This is the “what’s new” in my environment that I should be aware of. Within Retina CS, a user can create Smart Groups and Smart Rules based on almost any discovered trait of a host. This includes building a rule based on newly discovered (or rogue) devices and sending an email and report when new devices are identified or changes occur. Below is a sample of this type of rule:

From a daily perspective, a security professional may want continuous monitoring of a sensitive network, such as one used for credit card payment transactions. All changes to that environment should be planned and documented, and no new device should come online without following the proper process. This type of alert notifies me when a new device is added, automatically builds a logic group for any and all devices in that segment, and a scheduled report gives me the details from the scan that identified the new devices. If the environment stays status quo, no alerts are generated and I receive my daily scan report via email. If changes occur, either new vulnerabilities or new devices (depending on how I set up the rule), I am alerted and can investigate deeper in my automatically delivered report. This meets the need for a high-level summary with the ability to drill down, just like the Score Card.
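The rule described above, as an added example that is not Retina CS code: it builds the logic group for a constructed payment segment from each discovery scan, compares the current scan with the previous one, and raises an alert only when a device or vulnerability appears that was not there before; the segment, addresses, hostnames and vulnerability ids are constructed.

```python
import ipaddress

SEGMENT = ipaddress.ip_network("10.20.30.0/24")  # constructed card-payment segment

# Constructed discovery results: ip -> (hostname, vulnerability ids found on it)
PREVIOUS_SCAN = {
    "10.20.30.10": ("pos-gw01", frozenset({"VULN-A"})),
    "10.20.30.11": ("pos-db01", frozenset()),
    "10.9.9.5": ("corp-print01", frozenset({"VULN-Z"})),
}
CURRENT_SCAN = {
    "10.20.30.10": ("pos-gw01", frozenset({"VULN-A"})),
    "10.20.30.11": ("pos-db01", frozenset({"VULN-B"})),
    "10.20.30.77": ("unknown", frozenset()),
    "10.9.9.5": ("corp-print01", frozenset({"VULN-Z"})),
}


def smart_group(scan, segment):
    """Logic group: every discovered device whose address lies in the segment."""
    return {ip: info for ip, info in scan.items()
            if ipaddress.ip_address(ip) in segment}


def evaluate_rule(previous, current, segment):
    """Return (alert, findings). A device not seen in the previous scan, or a
    vulnerability not present before, is a finding; no findings means no alert
    and only the routine daily report goes out."""
    before = smart_group(previous, segment)
    now = smart_group(current, segment)
    findings = []
    for ip, (host, vulns) in sorted(now.items()):
        if ip not in before:
            findings.append(("new_device", ip, host))
        else:
            new_vulns = vulns - before[ip][1]
            if new_vulns:
                findings.append(("new_vulnerabilities", ip, host, sorted(new_vulns)))
    return bool(findings), findings


def run_rule():
    """Evaluate the rule against the two constructed scans."""
    return evaluate_rule(PREVIOUS_SCAN, CURRENT_SCAN, SEGMENT)
```

Devices outside the segment (the printer here) never enter the group, so changes there do not trigger the payment-segment alert.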

The top vulnerability management reports for daily security will vary per business and by requirements. The common theme is to make them relevant to your business and identify when unwarranted exceptions occur. eEye’s Retina solutions can do both and ease the burden of reporting on vulnerabilities for daily security management.
