BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

Vulnerability Management in a Data Warehouse

Posted November 16, 2010    Morey Haber

Have you ever been asked, “How long has that vulnerability been in our systems?”

Have you ever wondered if your patch management process is keeping up with the number of new vulnerabilities being identified? Keep reading…

Let’s start by considering the following chart to answer these questions:

The green line represents the number of new vulnerabilities being discovered in the test environment. The blue line represents vulnerabilities fixed and removed compared to previous scans. The purple line represents the total number of vulnerabilities present. As we can easily ascertain, even though I am mitigating the risks (blue), my pace is not fast enough to keep up with the total number of new vulnerabilities (green) being identified and my environment is progressively getting worse (purple).

This type of data, albeit rather fundamental, eludes many organizations due to the lack of a data warehouse for vulnerability management data and the ability of a vulnerability scanner to properly identify when a vulnerability is truly fixed verses just no longer present.

To further our discussion, please consider this table:

The data warehouse used to produce this table clearly shows that the time to fix the vulnerabilities from first identification to patching exceeds 30 days for the month of August. For regulatory compliance initiatives such as PCI, this exceeds the guidelines of PCI DSS 1.2 (30 days) and would technically make your environment non-compliant. Now, if we remap the same data into the proper specification for severity and age as the PCI DSS mandates, we can clearly see that we are not in compliance:

A total of 145 severity 5 vulnerabilities are older than 30 days in my sample for the same month. Now imagine being able to produce reports, tables, charts, and other data using the same information for months and years at a time. In addition, consider that all the values support multiple layers of drill down capabilities (values that are underlined) to isolate the root cause of deviation that created these metrics. This supplements any remediation report that they already have. That is the primary strength of storing vulnerability management information in a data warehouse.

When working with vulnerabilities, I have heard many clients state that old vulnerability data is stale and does not reflect the current state of my systems; so why keep it? While that may have some truth, the time, date, and severity of the identified information is crucial for a data warehouse. When stored for long periods of time, these types of charts are easy to generate. In addition, they can reveal key functions to the business as to whether the process put in place for vulnerability management and regulatory compliance are actually working as implemented. From the example of PCI above, they clearly are not.

So the next time you work with your vulnerability management solution, ask yourself if you can get more than just a vulnerability report from the product? Is the data available for more than 90 days? Can I match that data to regulations such as PCI, HIPAA, SOX, or GLB and frameworks like COBiT or ITIIL?

Vulnerability management is more than just trying to keep your systems secure. The data can be used to make intelligent business decisions, guide you through regulations, and indicate which processes are working, and which are not, over long periods of time.

If you are looking for this type of information from your vulnerability management system, look no further than Retina.

(All charts and tables in this blog where generated using real data from Retina Insight.)

Tags:
, , , , , , ,

Leave a Reply

Additional articles

PBPS-screenshot-blog aug2014

Failing the Security Basics: Backoff Point-of-Sale Malware

Posted August 22, 2014    Marc Maiffret

At the beginning of this month, US-CERT issued a security alert relating to a string of breaches that had been targeting Point of Sale (POS) systems. The alert details that attackers were leveraging brute forcing tools to target common remote desktop applications such as Microsoft’s Remote Desktop, Apple Remote Desktop, Splashtop and LogMeIn among others….

Tags:
, , , , , ,

Troubleshooting Windows Privilege Management Rules with Policy Monitor

Posted August 21, 2014    Jason Silva

When defining and testing PowerBroker for Windows rules for production or pilots, customers sometimes tell us, “I don’t think this policy / program is working.” This is usually a case of the policy not properly triggering because of the way the rule was created. A unique feature of PowerBroker for Windows compared to other solutions is a client-side…

Tags:
, , ,
darren-mar-elia

BeyondTrust Webcast: Darren Mar-Elia’s 4 Active Directory Change Scenarios to Track

Posted August 20, 2014    Chris Burd

In our latest webcast, we joined Darren Mar-Elia, CTO at SDM Software, to discuss best practices for Active Directory (AD) change management. Here are some key takeaways from the presentation, followed by a link to a full-length video of the presentation. Mar-Elia kicks things off with a critical insight: that the best AD change management…

Tags:
, , , , , , ,