SecurityCenter – Speedier Remediating
A Verizon Data Breach Report release always brings with it a wealth of information about industry trends in the discovery of vulnerabilities and how fast organisations are able to act once they have been discovered, and this year is no different.
Despite the report itself being a few months old now, it is always a useful benchmark for comparing how your organisation is doing against the rest of the world, and there are more than a few ways that Tenable can help with SecurityCenter. Considering that the last few months have had more than their fair share of global publicity, with vulnerabilities hitting the front pages of mainstream media, now is as good a time as any to start looking at ways to decrease the amount of work needed to discover and remediate the problems we see every day.
Some of the trends seen in this year’s report for vulnerability discovery are actually encouraging: in some verticals (Healthcare, Retail, Manufacturing, Information) as many as 50% of new vulnerabilities are discovered in less than a week. In the very words of the Report (Appendix B: The Patch Process Leftovers):
“Only a single-digit percentage of breaches in this DBIR involved exploiting a vulnerability. That is comforting, but it doesn’t mean we are condoning a moratorium on vulnerability scanning or patching vulnerabilities. Having a good patch process is a fundamental security practice.”
They later go on to mention that in almost 60% of cases where a vulnerability has been discovered, a fix isn’t applied for at least 4 weeks; however, most organisations that allow this 4 week window to pass actually only fix 80% within 12 weeks – 3 months during which the vulnerability remains exposed in your environment.
SecurityCenter can help you track your own discovery and remediation metrics in near real time using its own built-in dashboards, but there are a number of ways you can increase the information available to you.
First and foremost for the majority of organisations, having a well-defined discovery cycle is fundamental to the start of this process. Using SecurityCenter this is thankfully very easy once you have defined what you want to discover and where you want this discovery process to occur; e.g. “All Windows-based vulnerabilities on all Servers” is a very broad scope, but is also critical to understanding the standing of your most critical infrastructure. This can be easily configured with the default Credentialed Patch Audit scan provided by SecurityCenter. This scan will show you vulnerabilities in the OS, in third-party software and in some cases in configuration (e.g. SSL certificates that are self-signed or due to expire). Having performed this type of scan you can now begin to prioritise what needs to be remediated.
To begin this process, there are a number of dashboards for this scenario available as part of your SecurityCenter feed. Remember that all dashboards can be focussed on specific assets, so once a scan has been completed an asset can be built and populated to focus on “Windows Servers”.
“Outstanding Remediations Tracking” is useful for showing the top 25 outstanding patches, together with a breakdown of hosts by how many patches each has outstanding:
Figure 1: 56 hosts have between 1 and 9 patches outstanding; 3 hosts have between 20 and 29 patches missing
Although the above dashboard is a good starting point for a high-level view of vulnerabilities, it can always be useful to look at more granular detail. The “Tracking Microsoft Security Bulletins” dashboard takes the same scan information and shows a different viewpoint into that data, highlighting vulnerabilities by age and severity rather than just “what’s missing”, so that you can focus on those metrics instead.
Figure 2: Each element above that is numbered is a clickable object, taking you directly to the vulnerabilities behind the object
In the above screenshot we can now see a breakdown of the same vulnerability information as in “Outstanding Remediations Tracking”, in a different and more actionable format. We can focus on everything over 30 days old, on patches from a specific year or severity, or on just the exploitable vulnerabilities.
Separate from dashboards, you can configure a number of alerts within SecurityCenter to notify you if a particular vulnerability, or family of vulnerabilities, passes a certain age on certain hosts. As with a lot of alerting and reporting tools, three elements are needed to enable alerting: a schedule on which to check, what “things” to check, and how to report. SecurityCenter is no different.
Figure 3: Name & Description for the alert; Schedule to check data (can be 15 minutes to 20 months); Does this alert fire the first time only, or every time
Figure 4: A series of checks to look for; MS Bulletins over 30 days old with High and Critical severity on my Windows Servers asset (operating system detection is performed as part of Credentialed Patch Audits)
Once we have chosen how often we need to look and what we need to look for, we choose our notification settings. We can choose any of the six options below in any combination:
Figure 5: Notification options; multiple can be chosen and combined
If we wanted to send an email to our external ticketing system, we would choose “Email” as an option, and we would be presented with the following screen:
Figure 6: Here we can choose the subject and body of the email. Any words surrounded by % are variables based on the settings from the previous section
Once we have decided on the contents of the email to be sent, we need to tell SecurityCenter where it should send the results of the alert:
Figure 7: Users can have an email address in their account, or the alert can be sent to a separate email address for your ticketing system
Once all three elements of Name, Triggers and Destination are configured, you can add other alerting actions such as sending a syslog message or performing more in-depth scans (this can in turn be used to trigger later alerts or reports if subsequent automatic scans detect that vulnerabilities have been mitigated). If you are happy with the notifications configured, save the alert by clicking the Submit button. Once you have submitted the alert, it will immediately evaluate the existing SecurityCenter vulnerability data and trigger if there is already data that matches the triggers set. After that, at every time boundary you have set within the alert, it will check the latest vulnerability data collected to see if any further alerts need to be sent.
So those are a few quick methods of using SecurityCenter to help you get towards your SLAs and speed up your remediation steps, but there are always more methods to suit an organisation of any size using Tenable as its Vulnerability Assessment platform.
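As an added illustration, not SecurityCenter’s own code or API, the following Python models the alert logic described above over constructed scan records: the Figure 4 trigger (asset, minimum severity, age threshold), the fire-first-time-vs-every-time setting from Figure 3, and the %variable% substitution used in the Figure 6 email. The host names, bulletin labels and variable names are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample records (not real scan output); the shape mirrors what a
# Credentialed Patch Audit leaves behind: host, asset membership, bulletin,
# severity and the date the finding was first seen.
SAMPLE_VULNS = [
    {"host": "win-srv-01", "asset": "Windows Servers", "bulletin": "bulletin-A",
     "severity": "Critical", "first_seen": "2017-05-14"},
    {"host": "win-srv-02", "asset": "Windows Servers", "bulletin": "bulletin-B",
     "severity": "High", "first_seen": "2017-06-20"},
    {"host": "win-srv-02", "asset": "Windows Servers", "bulletin": "bulletin-C",
     "severity": "Medium", "first_seen": "2017-03-01"},
    {"host": "win-srv-03", "asset": "Windows Servers", "bulletin": "bulletin-A",
     "severity": "High", "first_seen": "2017-04-02"},
    {"host": "web-lnx-01", "asset": "Linux Servers", "bulletin": "bulletin-D",
     "severity": "Critical", "first_seen": "2017-01-10"},
]
TODAY = date(2017, 7, 1)  # fixed evaluation date so the results are reproducible
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def evaluate_alert(vulns, asset, min_severity, max_age_days, today=TODAY):
    """Trigger check as in Figure 4: findings on `asset`, at or above
    `min_severity`, first seen more than `max_age_days` ago."""
    cutoff = today - timedelta(days=max_age_days)
    return [v for v in vulns
            if v["asset"] == asset
            and SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[min_severity]
            and date.fromisoformat(v["first_seen"]) < cutoff]

def should_notify(matches, fired_before, every_time):
    """'First time' alerts notify once; 'every time' alerts notify on every
    scheduled check that still has matching findings."""
    return bool(matches) and (every_time or not fired_before)

def render(template, variables):
    """Substitute %name% placeholders the way the alert email body does; the
    variable names used here are assumed, not SecurityCenter's own."""
    for name, value in variables.items():
        template = template.replace(f"%{name}%", str(value))
    return template

def build_email(matches, alert_name, asset, max_age_days):
    """Subject and body for the ticketing-system email (Figure 6)."""
    hosts = sorted({m["host"] for m in matches})
    variables = {"alertName": alert_name, "asset": asset, "age": max_age_days,
                 "count": len(matches), "hosts": ", ".join(hosts)}
    subject = render("[%alertName%] %count% findings over %age% days on %asset%", variables)
    body = render("Hosts: %hosts%\nAsset: %asset%\nThreshold: %age% days", variables)
    return subject, body
```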
If you would like to see any more information regarding Tenable SecurityCenter or would like to see a demo, please contact us today!