BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

Vulnerability Management in a Data Warehouse

Post by Morey Haber November 16, 2010

Have you ever been asked, “How long has that vulnerability been in our systems?”

Have you ever wondered if your patch management process is keeping up with the number of new vulnerabilities being identified? Keep reading…

Let’s start by considering the following chart to answer these questions:

The green line represents the number of new vulnerabilities being discovered in the test environment. The blue line represents vulnerabilities fixed and removed compared to previous scans. The purple line represents the total number of vulnerabilities present. As we can easily ascertain, even though I am mitigating the risks (blue), my pace is not fast enough to keep up with the total number of new vulnerabilities (green) being identified and my environment is progressively getting worse (purple).

This type of data, albeit rather fundamental, eludes many organizations due to the lack of a data warehouse for vulnerability management data and the ability of a vulnerability scanner to properly identify when a vulnerability is truly fixed verses just no longer present.

To further our discussion, please consider this table:

The data warehouse used to produce this table clearly shows that the time to fix the vulnerabilities from first identification to patching exceeds 30 days for the month of August. For regulatory compliance initiatives such as PCI, this exceeds the guidelines of PCI DSS 1.2 (30 days) and would technically make your environment non-compliant. Now, if we remap the same data into the proper specification for severity and age as the PCI DSS mandates, we can clearly see that we are not in compliance:

A total of 145 severity 5 vulnerabilities are older than 30 days in my sample for the same month. Now imagine being able to produce reports, tables, charts, and other data using the same information for months and years at a time. In addition, consider that all the values support multiple layers of drill down capabilities (values that are underlined) to isolate the root cause of deviation that created these metrics. This supplements any remediation report that they already have. That is the primary strength of storing vulnerability management information in a data warehouse.

When working with vulnerabilities, I have heard many clients state that old vulnerability data is stale and does not reflect the current state of my systems; so why keep it? While that may have some truth, the time, date, and severity of the identified information is crucial for a data warehouse. When stored for long periods of time, these types of charts are easy to generate. In addition, they can reveal key functions to the business as to whether the process put in place for vulnerability management and regulatory compliance are actually working as implemented. From the example of PCI above, they clearly are not.

So the next time you work with your vulnerability management solution, ask yourself if you can get more than just a vulnerability report from the product? Is the data available for more than 90 days? Can I match that data to regulations such as PCI, HIPAA, SOX, or GLB and frameworks like COBiT or ITIIL?

Vulnerability management is more than just trying to keep your systems secure. The data can be used to make intelligent business decisions, guide you through regulations, and indicate which processes are working, and which are not, over long periods of time.

If you are looking for this type of information from your vulnerability management system, look no further than Retina.

(All charts and tables in this blog where generated using real data from Retina Insight.)

Tags:
, , , , , , ,

Leave a Reply

Additional articles

insider-threat-fed

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
Tags:
, , , , ,

Are you a Target? Investigating Security Breaches with Kevin Johnson

Last week, over 1,000 IT security professionals watched as Kevin Johnson, CEO of Secure Ideas, presented his expert opinion on lessons learned from recent, high-profile retail breaches. Here’s a summary of key takeaways from the webcast plus an on-demand recording of the full, 60-minute presentation. Understanding the “why” behind attacks According to Kevin, the primary…

Post by Chris Burd April 17, 2014
Tags:
, , , , ,

Vulnerability Expert Forum Highlights: April 2014

We had a great turnout for last week’s April 2014 Vulnerability Expert Forum (VEF) webcast. BeyondTrust Research experts, Carter and DJ, provided in-depth knowledge about the latest vulnerabilities and their potential impacts on network environments. Below are highlights from the Forum, plus an on-demand video of the presentation. Latest critical vulnerabilities, vendor patches, and zero-day…

Post by Chris Burd April 16, 2014
Tags:
, , , , ,