1 / 14

Parag Baxi, Technical Account Manager

Parag Baxi, Technical Account Manager. VM Evolution via API. September 2, 2013. Vulnerability Management – Before. Constant battle for IP Asset classification QualysGuard scan reports emailed Global metrics unavailable on security posture No administrator credentials.

feivel
Download Presentation

Parag Baxi, Technical Account Manager

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Parag Baxi, Technical Account Manager VM Evolution via API September 2, 2013

  2. Vulnerability Management – Before • Constant battle for IP Asset classification • QualysGuard scan reports emailed • Global metrics unavailable on security posture • No administrator credentials

  3. Vulnerability Management – After • IT Assets in sync • Reduced VM lifecycle • Visibility in near real-time • Biweekly authenticated scanning against all sites • Users: Tuesday to Thursday, 10 AM - 4 PM • Non-users: Friday, 10 PM - Sunday 10 PM • Metrics for senior management and IT staff

  4. Impact • Increased effectiveness of QualysGuard VM • Increased awareness of security needs QGIR (QualysGuard Integration with Reporting) began at Customer inthe second half of 2010.

  5. Challenge: Asset Management • Manual input • No visibility on IT assets • No visibility on ownership of assets • Resulted in creating CMDB in shared Google Spreadsheet • Hierarchy model Problem: How to synchronize QualysGuard’s asset groups with the CMDB Google Spreadsheet? • API integration with Configuration Management Database (CMDB)

  6. QualysGuard-CMDB Integration • Calculate static IP ranges and update the Google Spreadsheet. • Have necessary information to create Asset Groups in QualysGuard. • Create/Update asset groups in QualysGuard via API. • Update host tracking information via QualysGuard API. Issues: • No static IP ranges provided in CMDB Google Spreadsheet.. • QualysGuard Asset Groups not in sync with Google Spreadsheet. • Create/Update schedules for DHCP & static ranges. • DHCP: Biweekly midweek from 10 AM to 4 PM. • Static: Biweekly on weekends.

  7. Remediation Workflow Automated • Email Scan Reports • Custom Report Templates • Patch Report • Remediation Policies • Remediation Tickets API

  8. Remediation Workflow Automated • QGIR (QualysGuard Integration with Reporting)

  9. Sample Reporting Issue

  10. QGIR Workflow – Issue Vulnerabilities Create the tickets into Reporting, a JIRA ITIL-aligned implementation. QGIR tracks metrics against all offices fairly. All participating offices are given the same time frame and opportunity to remediate vulnerabilities. QualysGuard tickets are grouped by QID in Reporting. This enables easy patching. To further ease the administrative burden we utilize the patch report to consolidate vulnerabilities. QualysGuard vulnerabilities of the same QID for the same office are assembled into a CSV containing pertinent information. Further rounds supersede existing tickets. All unresolved Reporting tickets from the previous round are marked incomplete and the remaining vulnerabilities will be included in the new round. With patching tool’s ability to patch multiple hosts for the same vulnerability, it makes sense to group by QID. Store the vulnerabilities and associated Reporting tickets in a separate database to allow for proper verification.

  11. QGIR Verify Workflow QGIR verification will reopen all QGIR Reporting issues that still have vulnerable hosts. For example, lets say Site A had 2 QGIR tickets in Reporting, and each of those QGIR tickets had 10 vulnerable hosts. If one host in both QGIR tickets was not fixed for either vulnerability then both tickets will be reopened. QGIR will verify that all hosts in each ticket that was marked resolved has, in fact, removed the vulnerability.

  12. QGIR Verify Workflow – Attachments

  13. QGIR Verify – Decommissioned Hosts Note the search by NetBIOS name is not an exact search. It will return remediation tickets containing the NetBIOS name. For example, a NetBIOS search of “USNYSMITHGE1” will also return tickets associated with hostname, “USNYSMITHGE11”. Remove these false positives by parsing the resulting XML file. QGIR verification will reopen all QGIR Reporting issues that still have vulnerable hosts. Therefore, all QualysGuard remediation tickets associated with decommissioned hosts must be removed. QualysGuard will not report a very real, but previously discovered vulnerability on a replacement host with the decomissioned IP/hostname. The ticket must be deleted.

  14. Parag Baxi, CISA, CISM, CISSP, CRISC, PMP • Employee, Qualys • Senior Security Engineer, Ogilvy & Mather • Architected ITIL-aligned worldwide VM QualysGuard implementation with heavy emphasis on automation, ROI and security best practices. • Over 10 years of enterprise experience at UMDNJ, EDS, HP Enterprise Services (consultancy for The Federal Reserve Bank of New York), and Google. • Advocate and active contributor of the Qualys community. • Published open-source QualysGuard integration code. • B.S. degree in Computer Science from Rutgers University. Thank you!

More Related