BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Vulnerability Management in a Data Warehouse

Posted November 16, 2010    Morey Haber

Have you ever been asked, “How long has that vulnerability been in our systems?”

Have you ever wondered if your patch management process is keeping up with the number of new vulnerabilities being identified? Keep reading…

Let’s start by considering the following chart to answer these questions:

The green line represents the number of new vulnerabilities being discovered in the test environment. The blue line represents vulnerabilities fixed and removed compared to previous scans. The purple line represents the total number of vulnerabilities present. As we can easily ascertain, even though I am mitigating the risks (blue), my pace is not fast enough to keep up with the total number of new vulnerabilities (green) being identified and my environment is progressively getting worse (purple).

This type of data, albeit rather fundamental, eludes many organizations due to the lack of a data warehouse for vulnerability management data and the ability of a vulnerability scanner to properly identify when a vulnerability is truly fixed verses just no longer present.

To further our discussion, please consider this table:

The data warehouse used to produce this table clearly shows that the time to fix the vulnerabilities from first identification to patching exceeds 30 days for the month of August. For regulatory compliance initiatives such as PCI, this exceeds the guidelines of PCI DSS 1.2 (30 days) and would technically make your environment non-compliant. Now, if we remap the same data into the proper specification for severity and age as the PCI DSS mandates, we can clearly see that we are not in compliance:

A total of 145 severity 5 vulnerabilities are older than 30 days in my sample for the same month. Now imagine being able to produce reports, tables, charts, and other data using the same information for months and years at a time. In addition, consider that all the values support multiple layers of drill down capabilities (values that are underlined) to isolate the root cause of deviation that created these metrics. This supplements any remediation report that they already have. That is the primary strength of storing vulnerability management information in a data warehouse.

When working with vulnerabilities, I have heard many clients state that old vulnerability data is stale and does not reflect the current state of my systems; so why keep it? While that may have some truth, the time, date, and severity of the identified information is crucial for a data warehouse. When stored for long periods of time, these types of charts are easy to generate. In addition, they can reveal key functions to the business as to whether the process put in place for vulnerability management and regulatory compliance are actually working as implemented. From the example of PCI above, they clearly are not.

So the next time you work with your vulnerability management solution, ask yourself if you can get more than just a vulnerability report from the product? Is the data available for more than 90 days? Can I match that data to regulations such as PCI, HIPAA, SOX, or GLB and frameworks like COBiT or ITIIL?

Vulnerability management is more than just trying to keep your systems secure. The data can be used to make intelligent business decisions, guide you through regulations, and indicate which processes are working, and which are not, over long periods of time.

If you are looking for this type of information from your vulnerability management system, look no further than Retina.

(All charts and tables in this blog where generated using real data from Retina Insight.)

Tags:
, , , , , , ,

Leave a Reply

Additional articles

pbps-blog2

8 Reasons Your Privileged Password Management Solution Will Fail

Posted September 18, 2014    Chris Burd

Leveraging complex, frequently updated passwords is a basic security best practice for protecting privileged accounts in your organization. But if passwords are such a no-brainer, why do two out of three data breaches tie back to poor password management? The fact is that not all privileged password management strategies are created equal, so it’s critical…

Tags:
, , , , , ,
pbps-customer-campaign-image

You Change Your Oil Regularly; Why Not Your Passwords?

Posted September 11, 2014    Chris Burd

There are many things in life that get changed regularly:  your car oil, toothbrush and hopefully, your bed sheets.  It’s rare that you give these things much thought – even when you forget to change them. But what if you’re forgetting something that can cost you millions of dollars if left unchanged for long periods…

Tags:
, , ,

On-Demand Webcast: The Little JPEG that Could (Hack Your Organization) with Marcus Murray

Posted September 10, 2014    Chris Burd

IT security has come a long way, but every once in a while you see something that makes you think otherwise. Every day, internal and external hackers breach and traverse “secure” environments, making you wonder just how easy it is for attackers to completely compromise your network. In a new on-demand BeyondTrust webcast, Marcus Murray,…

Tags:
, , , , ,