Implementation Best Practices
by David French – Technical Account Manager, Qualys Inc.
Deploying Vulnerability Management and Policy Compliance on a Global Scale
ON TIME – ON BUDGET – ON DEMAND
December 2007
Implementation Timeline (based on a 120 day deployment)
• Phase 1 (1st Month)
  • Deploy Scanner Appliances
  • Configure Domains / Add IP Tracked Hosts to the subscription
  • Perform Host Discovery Mappings
  • Begin entering Asset Groups, Business Units, and Users
  • Plan for use of delegation. Start with less delegation and add more rights over time.
  • Start baseline scans
  • Analyze baseline numbers to determine remediation strategy
• Phase 2 (2nd Month)
  • Perform a second scan of all hosts
  • Continue entering Asset Groups, Business Units, and Users
  • Train QualysGuard users (Readers and Scanners)
  • Start building remediation policies (rules)
  • Deploy ticketing to a test group
  • Start testing report templates for executive reporting
• Phase 3 (3rd Month)
  • Perform a complete scan of the environment
  • Implement use of the ticketing system
  • Change the tracking method for hosts utilizing DHCP
  • Start developing Executive Reports
  • Start developing remediation metrics/reporting
  • Examine automation capabilities with the APIs
• Phase 4 (4th Month)
  • Implement Executive Reporting
  • Implement Remediation Reporting
  • Automate processes via the API where possible/applicable
QualysGuard Implementation Steps
• Depending on the size of the environment, perform either a baseline map, a baseline scan, or both. (This may already have been performed as part of the evaluation.)
• Prior to running a baseline map, the domains to be used, as well as the methodology (geographical vs. the use of the “none” domain), must be decided on.
• Prior to running a baseline scan, the IPs must be added via the Assets tab and Asset Groups for scanning must be created. You may also want to add “test” remediation policies at this time so you can see what a system administrator’s ticket queue would look like (from a workload perspective).
• As you enter IP addresses into the account via the Assets tab, smaller ranges and IPs will collapse into larger ranges that are entered. You will want to think about how you want your Assets tab to look to facilitate administration. Do you want to enter Class C ranges for server segments and Class B ranges for workstations? You can still drill down in the Assets tab to manage your addresses. This is not a major issue, but it is one that should be considered before entering all IP information into your account.
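As an added illustration (not part of the original slides), the script below previews how a planned list of Assets tab entries will collapse: every range or single IP that sits inside a larger entered range disappears into it, so the administrator can see the resulting top-level structure before typing anything in. The entries are constructed sample values, and the collapse rule (containment only, no merging of adjacent ranges) is an assumption based on the slide's description.

```python
import ipaddress
from typing import Dict, List

# Constructed sample entries (not from the original slides): Class B ranges
# for workstation sites and Class C ranges for server segments, plus one
# individual host, in the order an administrator might enter them.
PLANNED_ENTRIES = [
    "10.20.5.0/24",       # server segment at site A
    "10.20.0.0/16",       # workstation range at site A (contains the above)
    "10.20.6.0/24",       # second server segment at site A
    "192.168.100.0/24",   # DMZ segment, standalone
    "192.168.100.25",     # a single DMZ host, collapses into the /24
    "10.30.0.0/16",       # workstation range at site B, nothing inside it
]


def preview_assets_tab(entries: List[str]) -> Dict[str, List[str]]:
    """Show what the Assets tab will look like after smaller entries
    collapse into any larger range that contains them.

    Returns a mapping of each surviving top-level range to the entries that
    disappear into it.  Assumption: only containment collapses an entry;
    adjacent ranges that merely touch stay as separate top-level entries.
    """
    nets = [ipaddress.ip_network(e, strict=True) for e in entries]
    # Largest ranges first so a container is always seen before its members.
    nets.sort(key=lambda n: (n.prefixlen, int(n.network_address)))
    top_level: Dict[ipaddress.IPv4Network, List[str]] = {}
    for net in nets:
        container = next((t for t in top_level if net.subnet_of(t)), None)
        if container is None:
            top_level[net] = []
        else:
            top_level[container].append(str(net))
    return {str(t): members for t, members in top_level.items()}


def main() -> None:
    for top, absorbed in preview_assets_tab(PLANNED_ENTRIES).items():
        suffix = f"  <- absorbs {', '.join(absorbed)}" if absorbed else ""
        print(f"{top}{suffix}")


if __name__ == "__main__":
    main()
```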
QualysGuard Implementation Steps
• Determine scanner placement based on knowledge of network segmentation and available bandwidth.
• Gather data needed for scanner configuration at all locations.
• If scanner appliances will be shipped overseas, it may be better to have Qualys ship them.
QualysGuard Implementation Steps
• Based on whether you are deploying QualysGuard using a centralized or de-centralized model, determine the following:
  • Asset Group structure for granting access to QualysGuard. (Asset Groups for scanning [if needed] should be in place at this time.)
  • Business Unit structure.
  • Rights to be delegated for Reader and Scanner accounts.
  • Remediation system use: policies and procedures.
  • Define Options Profiles to be used.
  • Define any needed Global Report Templates.
  • Procedures for support, typically centralized through the team that is implementing QualysGuard.
QualysGuard Implementation Steps
• Automation:
  • Determine schedules for all scans and maps. Typically, change controls are used for the first test/baseline scans. Once initial scans and maps have been run, “rolling” change controls are typically issued and a schedule is posted on an Intranet site.
  • Enable remediation policies (rules) as you schedule segments/systems for scans.
  • Change the tracking method for workstations to NetBIOS.
QualysGuard Implementation Steps
• Training:
  • Create company-specific training for Readers and Scanners.
  • For QualysGuard administrators, you may want to send them to the certification course (1 day).
  • Web-based training is available as well via the main Qualys web site.
QualysGuard Implementation Steps
• Executive Reporting:
  • Executive Reporting is generally not put into effect until several scans have been made of the entire environment. This is because vulnerability counts will increase as segments/hosts are added to the scanning schedule.
Where does QualysGuard fit into your Security Operations Center (SOC)?
• The next three slides show sample Daily, Weekly, and Monthly SOC Analyst duties and where QualysGuard fits in.
Sample SOC Procedure (1)
• Daily Duties: (Note events in the SOC Analyst Log.)
  • Check IPS console
  • Check AV console
  • Check SIM
  • Check VPN access logs
  • Run EventCombMT / LogParser scripts
  • Check QualysGuard for rogue hosts on DMZs and/or critical server segments (Qualys)
  • Check security portals
    • http://www.securitywizardry.com/radar.htm
  • Check mailing lists (Secunia, etc.)
Sample SOC Procedure (2)
• Weekly Duties:
  • Run AV outbreak report
  • Run Remote Access/VPN report
  • Run tickets per user report (Qualys)
Sample SOC Procedure (3)
• Monthly Duties:
  • Run vulnerabilities by severity report (Qualys)
    • Internal systems
    • Externally facing systems
    • Business Unit comparison reports (scorecards)
  • Run virus outbreak reports
  • Run system compliance reports (Qualys)
    • Is Anti-Virus installed?
    • Is SMS and/or other required services installed?
    • Are systems running unauthorized services?
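As an added example (not from the original slides), the script below automates the daily rogue-host check from the first SOC procedure slide: it compares map results for a DMZ against the approved inventory and sorts the findings into the buckets an analyst would act on. The CSV layout, the DMZ range and the approved host list are constructed assumptions for this example, not real QualysGuard output.

```python
import csv
import io
import ipaddress
from typing import Dict, List

# Constructed map results (not real QualysGuard output): one row per host the
# map discovered, with the methods that found it.  The column layout is an
# assumption made for this example.
MAP_RESULTS_CSV = """ip,dns_name,netbios,discovered_via
203.0.113.10,www.example.com,,ICMP;TCP
203.0.113.11,mail.example.com,,ICMP;TCP
203.0.113.40,,,TCP
203.0.113.55,old-test.example.com,,DNS
198.51.100.7,,,ICMP
"""

# Authorized DMZ inventory (constructed): the asset group range and the
# hosts known to belong there.
DMZ_RANGE = ipaddress.ip_network("203.0.113.0/24")
APPROVED_HOSTS = {"203.0.113.10", "203.0.113.11"}


def classify_map_results(csv_text: str) -> Dict[str, List[str]]:
    """Sort mapped hosts into the buckets a SOC analyst would act on.

    rogue        : live in the DMZ range but not in the approved inventory
    unconfirmed  : inside the range but seen only via DNS; stale records are
                   common, so these need a follow-up scan before a ticket
    out_of_scope : responded but outside the DMZ range, so scanner
                   placement or the entered range should be checked
    """
    buckets: Dict[str, List[str]] = {"rogue": [], "unconfirmed": [], "out_of_scope": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = ipaddress.ip_address(row["ip"])
        methods = {m for m in row["discovered_via"].split(";") if m}
        if ip not in DMZ_RANGE:
            buckets["out_of_scope"].append(str(ip))
        elif str(ip) in APPROVED_HOSTS:
            continue  # known host, nothing to log
        elif methods == {"DNS"}:
            buckets["unconfirmed"].append(str(ip))
        else:
            buckets["rogue"].append(str(ip))
    return buckets


if __name__ == "__main__":
    for bucket, hosts in classify_map_results(MAP_RESULTS_CSV).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```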
Engaging Support
• Support is available via phone or e-mail 7x24x365. You can access the phone numbers or submit a ticket through the support link in the upper right-hand corner of the QualysGuard application.
• Instead of submitting tickets through the QualysGuard GUI, you may want to use your regular e-mail client to submit trouble tickets and feature requests. If you type a meaningful subject line, the auto-response mechanism will create a ticket with the subject line as the title of the ticket.
• When working with support, they will often request scan data. They are looking for raw data (obtained from the Scan section) in PDF format. If the file is large or has sensitive information, you can request a secure upload link when you enter the ticket. (Be sure to modify your default report profile, Scan Results (“username”), to include the appendix.)
• If you feel you need an issue escalated, do not hesitate to contact your Technical Account Manager. Also, feel free to copy your Technical Account Manager on critical tickets as you submit them.
Gathering Data for Support
• Support will need raw data from the Scan section of QualysGuard for their first analysis. (Be sure to modify your default report profile, Scan Results (“username”), to include the appendix.)
• Sometimes you will need to take a trace while running another scan to re-create the issue. If you can’t have the network team implement a sniffer in a timely fashion, you can use ngSniff to capture data on Windows hosts. ngSniff does NOT require packet drivers (WinPcap). (http://www.ngsec.com/ngresearch/ngtools/)
• Some customers place network taps in front of Scanner Appliances that reside in datacenters to facilitate the gathering of trace files.
QualysGuard Settings to Be Aware Of
• Scanner polling intervals
  • Scanner polling intervals should be set to 30 seconds. Update traffic is light, and this setting makes map and scan jobs get picked up more quickly. (If your scanner appliances are intermittently disappearing within QualysGuard, increase your polling interval to 60 seconds. This rarely happens and is due to the egress environment the scanner appliances reside in.)
• Map settings
  • The default settings on the Map tab for Options Profiles are set to “All Hosts” and NOT to ignore hosts discovered via DNS. This is because mapping was developed first for Internet-facing systems. For internal maps you should change the “Perform basic information gathering” setting to “Netblock Hosts Only” and enable the option to ignore hosts discovered only via DNS.
• Brute forcing
  • The default Options Profile has Brute Forcing set to Limited. Again, this is because QualysGuard started out as an Internet-based scanning technology. For internal scans against systems/environments with account lockout policies in place, Brute Forcing should be set to “Minimal” or “None”.
  • Using Brute Force settings higher than “Minimal” internally should only be done when you intend to verify blank/weak passwords on systems, with the understanding that account lockouts may occur as a result.
• Scanning for only a few QIDs
  • To run scans for specific QIDs, there are five “base” QIDs that must also be selected. These are listed in the Scanning FAQ. (In the help file, search for “Scanning FAQ”.) Always be sure to add QID 45038 – Host Scan Time to any custom Options Profile you create.