Hi There, I'm a Security Analyst and have just taken on a new role a few months ago. I work for a small organisation (220 staff, 15 IT staff) and we have a variety of apps that report on vulnerabilities. To begin with I am trying to discover all our vulnerability sources, what vulnerabilities they currently have and their severity. So I have exports of detections to date from a vulnerability scanner, endpoint protection tool, Pen tests results, Web Application Security Scanner and a manually created list of vulnerabilities in the admin tools that we use and including users as a vulnerability too. My question is what is best practice in taking all these data sources and managing them in one place that is not a spreadsheet? Are there any free/low cost tools that can accept data from all these sources, display them and then allow me to track the remediation. Qualys is a good tool for tracking remediation and reporting but I cannot import other data into it. What do other people do?
Hi Thalpius, whilst that (Manage Engine Desktop Central) does provide reports of inventory and OS and third party software patching status, I cannot integrate Qualys reports into it or other manual vulnerability information.
Start with a software inventory of what you have and think about how often that software is used or exposed to risk. You cannot defend anything until you know what and where your responsibilities start and stop. Now look at your reports for high and medium risk items found in that first inventory. Common Vulnerabilities and Exploits (CVEs) range from 0-10 with 10 being the easiest or most destructive exploit. If at all possible patch and remediate those items first, no matter how painful they may seem at the time.
Go down through your list from highest to lowest, red - yellow - green, however your reports are presented and continue to work through reducing your overall risk. Ideally you will be able to look at the current state of patching and vulnerabilities in whole numbers today and compare them to next month, quarterly and annually to check your progress. We call this a baseline but for now allow yourself the luxury of learning the patching priority from both a technical and political standpoint. It's not uncommon for business (stakeholders) to put patching for for business reasons because "it's not broke" or convenience if not indifference. Concentrate on those things you can affect and warn against putting patching off for later.
These thing only look impossible when starting but once you get started will continue to build on itself. Doing much the same with a newer position myself.
Just takes time to get your arms around it all.
Also look at the CIS critical security controls and see if you are currently doing the top 6 well. If you are not even doing that well, no amount of pen tests, vulnerability management scans, etc. is going to do any long term good as you will be vulnerable because you do not have a good basic security posture. Then you can work on the foundational steps and then move on to the organizational portion of it. You may find that you need improvement in all areas, as most agencies do, but start with the basics.
Thanks, Beads. Yes it does look impossible good point on the responsibilities. I now have a list of all our infrastructure, endpoint, web applications and software assets as well as a list of vulnerability detections on each one. Next step to prioritise them!
Good luck to you too.
I agree that it does take time to wrap your arms around it all. What may be helpful is to utilize the API access from most of the tools you currently possess then customize them to fit your environment to get a better view (identification) and (response) alerting. Later, develop a project with in-house talent to create a customized dashboard where you can import data. Often the only way to stay within a budget is to leverage your current toolbox to your fullest capabilities. I hope this helps!