topic Re: Vulnerability Management in Welcome

Vulnerability Management

Samclarke80 — Tue, 24 Apr 2018 11:50:03 GMT

Hi There, I'm a Security Analyst and have just taken on a new role a few months ago. I work for a small organisation (220 staff, 15 IT staff) and we have a variety of apps that report on vulnerabilities. To begin with I am trying to discover all our vulnerability sources, what vulnerabilities they currently have and their severity. So I have exports of detections to date from a vulnerability scanner, endpoint protection tool, Pen tests results, Web Application Security Scanner and a manually created list of vulnerabilities in the admin tools that we use and including users as a vulnerability too. My question is what is best practice in taking all these data sources and managing them in one place that is not a spreadsheet? Are there any free/low cost tools that can accept data from all these sources, display them and then allow me to track the remediation. Qualys is a good tool for tracking remediation and reporting but I cannot import other data into it. What do other people do?

Re: Vulnerability Management

Thalpius — Tue, 24 Apr 2018 12:07:59 GMT

Qualys is a lot more than that. What about your ITSM software?

Re: Vulnerability Management

Markus_Miedaner — Tue, 24 Apr 2018 12:12:20 GMT

I suggest taking a look at threadfix by denim group.

Re: Vulnerability Management

Samclarke80 — Tue, 24 Apr 2018 14:00:50 GMT

Hi Thalpius, whilst that (Manage Engine Desktop Central) does provide reports of inventory and OS and third party software patching status, I cannot integrate Qualys reports into it or other manual vulnerability information.

Re: Vulnerability Management

Samclarke80 — Tue, 24 Apr 2018 14:01:34 GMT

Thanks looks just like what I need, is it expensive though?

Re: Vulnerability Management

Beads — Tue, 24 Apr 2018 14:12:29 GMT

Start with a software inventory of what you have and think about how often that software is used or exposed to risk. You cannot defend anything until you know what and where your responsibilities start and stop. Now look at your reports for high and medium risk items found in that first inventory. Common Vulnerabilities and Exploits (CVEs) range from 0-10 with 10 being the easiest or most destructive exploit. If at all possible patch and remediate those items first, no matter how painful they may seem at the time.

Go down through your list from highest to lowest, red - yellow - green, however your reports are presented and continue to work through reducing your overall risk. Ideally you will be able to look at the current state of patching and vulnerabilities in whole numbers today and compare them to next month, quarterly and annually to check your progress. We call this a baseline but for now allow yourself the luxury of learning the patching priority from both a technical and political standpoint. It's not uncommon for business (stakeholders) to put patching for for business reasons because "it's not broke" or convenience if not indifference. Concentrate on those things you can affect and warn against putting patching off for later.

These thing only look impossible when starting but once you get started will continue to build on itself. Doing much the same with a newer position myself.

Just takes time to get your arms around it all.

Good luck!

Re: Vulnerability Management

CISOScott — Tue, 24 Apr 2018 14:29:29 GMT

Also look at the CIS critical security controls and see if you are currently doing the top 6 well. If you are not even doing that well, no amount of pen tests, vulnerability management scans, etc. is going to do any long term good as you will be vulnerable because you do not have a good basic security posture. Then you can work on the foundational steps and then move on to the organizational portion of it. You may find that you need improvement in all areas, as most agencies do, but start with the basics.

Re: Vulnerability Management

Samclarke80 — Tue, 24 Apr 2018 15:40:02 GMT

Thanks, Beads. Yes it does look impossible good point on the responsibilities. I now have a list of all our infrastructure, endpoint, web applications and software assets as well as a list of vulnerability detections on each one. Next step to prioritise them!

Good luck to you too.

Sam

Re: Vulnerability Management

Samclarke80 — Tue, 24 Apr 2018 15:46:19 GMT

Thanks for the direction, Scott. We have the inventory down, just moving onto the vulnerability management now as that is a basic requirement.

Re: Vulnerability Management

canLG0501 — Tue, 24 Apr 2018 15:51:45 GMT

I agree that it does take time to wrap your arms around it all. What may be helpful is to utilize the API access from most of the tools you currently possess then customize them to fit your environment to get a better view (identification) and (response) alerting. Later, develop a project with in-house talent to create a customized dashboard where you can import data. Often the only way to stay within a budget is to leverage your current toolbox to your fullest capabilities. I hope this helps!

Re: Vulnerability Management

Samclarke80 — Wed, 25 Apr 2018 11:14:49 GMT

Thanks, yes perhaps an in house solution might be possible although our developers are flat out. Exporting spreadsheets is the way forward for now until I can get agreement on extra resources or extra finances!

Re: Vulnerability Management

JeffOdegard — Thu, 26 Apr 2018 15:11:36 GMT

There is a free, open source tool that isn't very widely known yet, which solves some of your problems. The best part is that it's extensible, so we can add parsers for any number of sources.

https://sourceforge.net/projects/sagacity/

Please let me know if I can help in any way.

- Jeff

Jeff A. Odegard, CISSP, CPT, C|EH

jeff.odegard@CyberPerspectives.com

Re: Vulnerability Management

Samclarke80 — Thu, 26 Apr 2018 15:44:26 GMT

Hi Jeff, great thanks I will take a look. Sam

Re: Vulnerability Management

Samclarke80 — Fri, 27 Apr 2018 11:37:44 GMT

Hi Jeff,

Looks great! Before getting this installed am I going to be able to add data from Manage Engine Desktop Central, Qualys Web Application Scanner and Qualys VM scanner data and add manual info from a Pen test report? Even if I can only add info from Qualys and manually enter vulnerabilities that is going to be a great help.

Thanks

Sam

Re: Vulnerability Management

JeffOdegard — Fri, 27 Apr 2018 15:35:12 GMT

We don't have parsers for those products yet, but if you email me, we can discuss getting some sample data and building some parsers for you. It doesn't take long. - Jeff jeff.odegard@cyberperspectives.com

Re: Vulnerability Management

Samclarke80 — Wed, 02 May 2018 10:47:45 GMT

Hi Jeff,

Fantastic. Ok I will go ahead and ask the IT guys to install and configure as per your video next week. Will email you now.

Thanks

Sam