Your KPI's At Work: Assurance Report Cards in SecurityCenter
One of the requests I get most often when discussing Vulnerability Management with our customers is how to properly track KPIs, SLAs and other business metrics. Most of us have to adhere to some kind of governance or tracking to ensure we meet our targets for discovery or remediation when it comes to vulnerabilities.
For years, SecurityCenter has given you powerful dashboards to be able to track the core scanning and actions that arise from this scans. When SecurityCenter version 5 was released, a new feature was included called Assurance Report Cards (ARCs). Despite SecurityCenter 5 having been released for two years now, ARCs are a tool that many are not using effectively.
An ARC can be used to track anything that SecurityCenter (and SecurityCenter Continuous View) can present to you in other forms; the classic being vulnerability information, and with SecurityCenter Continuous View also event information as well. Out of the box, every SecurityCenter user has 5 default ARCs:
- CCC* 1: Maintain an Inventory of Software and Hardware
- CCC 2: Remove vulnerabilities and misconfigurations
- CCC 3: Deploy a secure network
- CCC 4: Authorize Users
- CCC 5: Search for malware and intruders
* CCC: Critical Cyber Controls
Each ARC has a list of policy statements defined in them to detect how well you are performing in relation to a pre-defined SLA. In regards to CCC1, this has examples such as:
- Less than 20% of systems are unclassified assets
- Greater than 70% of systems are registered in DNS
- Greater than 70% of systems with software inventoried in the last 7 days
The common factor with all policy statements are defining what you need to track and a failure point. Taking the above three examples, the tracked elements are “unclassified assets”, “systems registered in DNS” & “software inventoried in the last 7 days”. These all then have a trigger value and operator for “failure”; more than 20% & less than 70%.
These are simple checks that SecurityCenter with Nessus can achieve, when scanning a host an automatic check will be performed to query local DNS for the host in question and provided DNS is correctly configured at the host level and domain level, this should pass – it’s a quick way to check for elements of Shadow IT and other problems in your network.
Having Assets correctly configured will also ensure you are scanning items on your network and have greater knowledge about them: an object not included in an asset could potentially be a new host that has no permission to be there.
Taking the above information and applying your own KPIs and metrics, you can quickly see how easy it is to simply track important information and report in simple terms. E.G. if you are required to perform credential patch audits on a monthly basis – which is quite common – you can set up a policy statement to track just this:
(I have created an asset that includes everything on my environment that needs to be scanned, which is a combination asset of all the OU’s in my Active Directory that I “care” about).
Once added and assessed by SecurityCenter this one will tell me if I am indeed performing this action on the schedule that I require:
A green tick on both the policy statement and the ARC as a whole means I have passed the whole metric, I can enhance this with further policy statements to add more granularity, user responsibility, scanning activity, remediation work and so on to see more detail and information on my metrics.
Consider other common requirements that businesses have and how they can be tracked simply:
- Scanning for compliance drivers (e.g. PCI) on a quarterly basis
- Ensuring critical and high vulnerabilities are remediated within 30 days
- No systems have been detected with active traces of malware
- Less than 5% of systems are running unsupported software
- Less than 10% of systems have medium vulnerabilities over 30 days old
Those examples above are simple, but very powerful and can help improve your workflow with just a few statements to assist in discovery and tracking of your vulnerabilities.
To discover how ARCs can help with your reporting process, please contact us today to see a demo from one of our technical experts!