GUIDE: The Top 10 Reports for Managing Vulnerabilities

Upload: azfayel

Posted 18-Nov-2014

Category: Technology

TRANSCRIPT

Page 1: 2 20613 qualys_top_10_reports_vm

Top 10 Reports

#1 Network Perimeter Map Report (page 4)
#2 Unknown Internal Devices Report (page 5)
#3 SANS Top 20 Vulnerabilities Report (page 7)
#4 25 Most Vulnerable Hosts Report (page 8)
#5 High Severity Technical Report (page 9)
#6 Web Application Scan Report (page 10)
#7 Vulnerability Trend Report (page 12)
#8 Risk Analysis Report (page 13)
#9 Open Tickets Report (page 15)
#10 Executive Review - Remediation Report (page 16)

Guide: The Top 10 Reports for Managing Vulnerabilities

Page 2

Introduction

Most of us don't think twice as we sweep the perimeter of our homes before retiring at night or leaving for work in the morning. Why would we want anything less for the security of our networks and systems?

An open door, an unlocked window, or our keys lying on top of the front door mat all represent openings for criminals (or even neighbors we know) to unravel the security fabric of our lives. In our IT infrastructure, open ports, exposed wireless access points and unpatched servers can lead to the theft or compromise of critical customer data, along with the disruption of business operations. While we can often manage the vulnerabilities around our homes by spending a few minutes checking locks, the task is much more difficult in a distributed organization with tens or hundreds of thousands of networked devices.

Vulnerabilities in the IT infrastructure consist of the software flaws and configuration errors present in servers, desktops, notebooks, routers, wireless access points, networked printers and any other device with an IP address. The key benefits of a lifecycle approach to vulnerability management are increased protection across your environment before attacks occur, and documented evidence of the security state of your internal and external networks. That higher level of security supports the continuity of business across employees, customers and partners.

Effective vulnerability management also communicates the level of IT risk to line-of-business owners and executives, and lets IT administrators and operational staff resolve problems more quickly and accurately. New vulnerabilities appear constantly, and keeping up with new flaws and misconfigurations requires an automated workflow and reporting structure. Poring over extensive lists of raw vulnerability data is of limited worth when trying to measure security levels. What is needed instead are concise reports that convey the severity and business criticality of vulnerabilities and IT assets, and that lead to proven remediation approaches and solutions. Security information needs to be collected, customized and presented to company management, auditors and regulators, in addition to security professionals and system administrators.

The audience for this paper includes security professionals and managers, systems and network administrators, IT operations staff and others who must document, review and resolve vulnerable networks. Out of literally hundreds of vulnerability management reports available, this paper introduces 10 of the most important ones, using reports generated by Qualys' vulnerability management solution, QualysGuard, for reference. The reports are organized across the four key steps in the vulnerability management lifecycle shown below.

Asset Discovery and Inventory – Build and maintain an up-to-date repository of IT asset information, including business impact and asset groupings.

Vulnerability Assessment – Test and document the effectiveness of both security policies and controls.

Analysis and Correlation – Add business intelligence through graphing, trending and understanding the relationships between vulnerabilities and asset types.

Remediation and Verification – Prioritize and resolve the vulnerability issues that are found and retest the assets for proof of correctness.

Page 3

Asset Discovery and Inventory Reports

The first step in managing vulnerabilities is to find where they exist. But even before that, an up-to-date repository of assets must be built and maintained. This repository includes all hosts or devices with an IP address. The information populated in the repository covers hardware, software, applications, services and configurations. QualysGuard gathers this information in a two step process. The first step is network mapping, which identifies which hosts are live. The result is an accurate baseline of all connected devices, be they servers, desktops, notebooks, routers, wireless access points, etc. After mapping, the second phase is initiated: scans that gather additional information to round out the asset inventory.

It is also important to determine the business impact of each asset. Business impact simply means the value a particular device has in relation to all others. Not all assets are created equal; a test machine with individual access in a back room carries less risk of business interruption than a server holding financial projections or personally identifiable information.

Having current and accurate asset inventory information allows greater accuracy when identifying which assets are affected by a particular vulnerability. It reduces the time spent performing vulnerability scans, because each vulnerability check is applied only to the devices on which the flaw could exist. The number of false positives (reporting a vulnerability where one does not exist) is reduced by eliminating the unrealistic case of a Windows server reporting a vulnerability found only on Linux operating systems. Remediation benefits as well: effort is spent more efficiently when patches and fixes are applied only to the corresponding assets.

While smaller organizations with Class C sized networks (a single /24, at most 254 usable host addresses) may find they can account for all devices attached to their network manually, the same approach quickly spirals out of control when the network totals 10,000, 50,000 or 100,000+ devices across multiple subnets. The most time consuming task, however, lies in the appropriate classification of the assets once they have been identified. Since this is so arduous, companies without automation must decide which segment or subset of their assets to classify, often leaving out critical devices. Systems and networks are dynamic; they change and must be revisited. Rogue devices may be added to the network without permission and must be dealt with appropriately.

Page 4

#1 – Network Perimeter Map

The Network Perimeter Map provides a view into the topology of your network for reference and documentation, by developing a baseline of each connected device. With each asset properly identified, users of QualysGuard may group them in any way they desire: by business unit, geography, platform, etc. These classifications are called asset groups. An asset may exist in multiple asset groups. Once discovered, a new device may be added to an existing asset group, or a new asset group may be created.

QualysGuard maps can be viewed in either graphical or text format. They show any device with an IP address that has been discovered, externally or internally using a scanner appliance. From within this report, users can drill down on a particular asset and view its detailed attributes, including the discovery method used (DNS, ICMP, TCP, UDP or others), the domain name, the operating system and whether the asset may be scanned for vulnerabilities. Administrators can also initiate either on demand or scheduled scans for security assessments against specific asset groups.

Figure 1: QualysGuard Network Perimeter Map

Page 5

#2 – Unknown Internal Devices

This report lists all discovered devices that have not been approved by a company administrator. QualysGuard can detect rogue devices, including virtual hosts, that may have been placed on your network. This information matters when security administrators review the network to clean up and eliminate devices placed there for malicious purposes, or simply those that pose additional risk because of missing patches, unwanted services, etc. This report should be run on a daily basis to ensure maximum protection levels are upheld. Once unknown devices are discovered, scans are needed to investigate their origin. Lastly, the proper precautions must be taken to prevent further exposure.

Let's look at the two screenshots involved in generating an Unknown Device Report. Figure 2 shows the map report template used to generate the actual report. Note the filter options, which include multiple Host Types; only the "Rogue" host type is selected for this particular report.

Note that column "A" is empty in Figure 3. "A" stands for "Approved"; in this case, none of the devices in this report has yet been approved by a systems administrator.


Figure 2: Unknown Devices Report Map Template

Figure 3: Unknown Devices Report Results
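The asset repository described on page 3 (map first, scan second, group into asset groups, an asset may belong to several groups) and the Unknown Internal Devices report above are simple to express as a data structure. The following is an added example written for this page, not QualysGuard code: the map records are constructed sample data, and the record fields, the group names and the `approved` flag are assumptions modelled on the "A" column in Figure 3.

```python
"""Asset repository with asset groups and an Unknown Internal Devices
report.  Added illustration for this page, not QualysGuard code: the map
records are constructed, and the record fields, group names and the
'approved' flag are assumptions modelled on the "A" column in Figure 3."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    discovery_method: str            # DNS, ICMP, TCP, UDP ... (how the map found it)
    os: str = ""
    dns_name: str = ""
    scannable: bool = True
    approved: bool = False           # the "A" column; empty until an administrator approves
    groups: set = field(default_factory=set)   # an asset may sit in several groups


class AssetRepository:
    def __init__(self):
        self.assets = {}             # ip -> Asset

    def ingest_map(self, map_results):
        """Step one: merge the live hosts a map run found.  Hosts already
        known keep their approval state and groups; new hosts start unapproved."""
        for rec in map_results:
            ip = str(ipaddress.ip_address(rec["ip"]))   # normalise, reject garbage
            asset = self.assets.get(ip)
            if asset is None:
                self.assets[ip] = Asset(ip, rec["method"], rec.get("os", ""),
                                        rec.get("dns", ""), rec.get("scannable", True))
            else:
                asset.discovery_method = rec["method"]
                asset.os = rec.get("os") or asset.os
                asset.dns_name = rec.get("dns") or asset.dns_name

    def enrich_from_scan(self, ip, os_name):
        """Step two: a scan fills in details the map could not see."""
        self.assets[ip].os = os_name

    def approve(self, ip):
        self.assets[ip].approved = True

    def add_to_group(self, group, ips):
        for ip in ips:
            self.assets[ip].groups.add(group)

    def members(self, group):
        return sorted((a for a in self.assets.values() if group in a.groups),
                      key=lambda a: ipaddress.ip_address(a.ip))

    def unknown_devices(self):
        """The report: every discovered host not yet approved (host type
        'Rogue' in the template), in address order."""
        return sorted((a for a in self.assets.values() if not a.approved),
                      key=lambda a: ipaddress.ip_address(a.ip))


def build_sample_repository():
    """Constructed walk-through: two map runs, two approvals, some grouping."""
    repo = AssetRepository()
    repo.ingest_map([
        {"ip": "10.0.1.5", "method": "DNS", "os": "Windows Server 2003", "dns": "fin-db01.corp.example"},
        {"ip": "10.0.1.9", "method": "ICMP", "os": "Red Hat Enterprise Linux 5", "dns": "web01.corp.example"},
        {"ip": "10.0.1.40", "method": "TCP"},                  # OS unknown until scanned
    ])
    repo.approve("10.0.1.5")
    repo.approve("10.0.1.9")
    repo.add_to_group("finance", ["10.0.1.5"])
    repo.add_to_group("windows", ["10.0.1.5"])
    repo.add_to_group("linux", ["10.0.1.9"])
    # A later map run: one known host seen again, plus a host nobody registered.
    repo.ingest_map([
        {"ip": "10.0.1.9", "method": "TCP"},
        {"ip": "10.0.1.23", "method": "UDP"},
    ])
    repo.enrich_from_scan("10.0.1.40", "VMware ESX")          # a virtual host, as the page warns
    return repo


if __name__ == "__main__":
    for a in build_sample_repository().unknown_devices():
        print(a.ip, a.discovery_method, a.os or "(unknown OS)")
```

Run daily, as the page recommends, the `unknown_devices()` output is the list to investigate; approving a host removes it from the report without touching its group memberships.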

Page 6

Vulnerability Assessment Reports

Vulnerability assessment is the process of testing and documenting the effectiveness of both security policies and controls, by examining the network infrastructure for "known bads". The assessments are performed across network devices and host systems, as well as the services and applications that run on top of them. Scan reports show what vulnerabilities are present and where they are located, in order to direct administrators towards what needs fixing and in what priority order.

This is the cornerstone of effective vulnerability management, because this process identifies and communicates the software flaws, missing patches and misconfigurations that exist and pose security risks. When scanning live hosts, the mapping generated in the asset discovery step is used. Asset discovery is the prelude to asset classifications, or groupings, which are further defined by business impact ratings. The severity assigned to each vulnerability is also used to single out the flaws that present the highest danger of exposure. Included in the scan results is information describing the properties of the vulnerability, such as the impact, the type of device affected, cross references to external vulnerability identifiers and scoring systems (e.g. Bugtraq IDs, CVE identifiers and CVSS scores) and links to other information sources. Solution recommendations for fixing the exposure are also included.

Page 7

#3 – SANS Top 20 Vulnerabilities

The third report in our Top 10 list is the SANS Top 20. In June 2000, the SANS Institute, along with the FBI's National Infrastructure Protection Center, began publishing a list of the most critical internet security vulnerabilities. The SANS Institute is a trusted source for information security training, certification and research. This list was quickly adopted by organizations worldwide as a standard guide for understanding and assessing the most dangerous areas of exposure. The list is a consensus of the flaws that require immediate attention, developed by leading security experts from multiple countries across the globe. Nearly every year since its beginning, SANS has updated the list to reflect changes in threat vectors, most recently noting the rise in client side, anti-virus and web application vulnerabilities.

The QualysGuard SANS Top 20 Report shows the results of vulnerability scans derived from the SANS list. Figure 4 shows the total vulnerabilities found in this assessment, along with the average security risk score. Note also that Qualys offers a SANS Top 20 Scan at no charge to organizations that register at http://sans20.qualys.com.

More detail on the specific SANS vulnerabilities identified through the scan is presented in Figure 5. This detail includes descriptions, impact and recommended solution.


Figure 4: SANS Top 20 Report with Summary Vulnerability information

Figure 5: SANS Top 20 Report with Detailed Vulnerability information

Page 8

#4 – 25 Most Vulnerable Hosts

Across any organization, there are systems in worse shape than others. Having a current list of the hosts with the most critical flaws helps direct the effort to resolve those issues and lowers the risk to the organization. QualysGuard delivers a ranking, beginning with the most vulnerable asset, based upon the security risk of the assets. QualysGuard determines the security risk from the number and severity of vulnerabilities found during the last scan of each host. Vulnerabilities are weighted on a scale of 1 to 5, with 5 being the most severe. The business risk not only considers the security risk, but also factors in the business impact value placed on the asset. These business impact values are Critical, High, Medium, Minor or Low. The 25 Most Vulnerable Hosts Report, as shown in Figure 6, lists the assets with the highest number of Severity 4 and 5 vulnerabilities, in order beginning with the most vulnerable. For each host the report gives the number of Severity 4 and 5 vulnerabilities, the business risk and security risk ratings, and all the asset groups associated with that host.

Figure 6: 25 Most Vulnerable Hosts Report

Page 9

#5 – High Severity Technical Report

Whenever full vulnerability reports are generated, a lot of information is produced for each asset. While valuable, all this information takes time to digest. In some instances time is of the essence, and it is critical to quickly identify and resolve the most dangerous areas of exposure. In these cases only the highest priority issues can garner scarce remediation resources, so only the most severe vulnerabilities are included here.

This report presents information about the vulnerabilities with high severity levels only (4 and 5). As seen in Figure 7, only Level 4 and 5 vulnerabilities are listed. The report template filters out all vulnerabilities with severity rankings below Level 4, as well as all potential vulnerabilities (those that cannot be fully verified) and vulnerabilities categorized as "information only".

Each high severity vulnerability may be viewed in depth for more specific information. This includes the name, the dates first and last detected, the port on which it was discovered, the vulnerability identifier, category and last update, plus other details. It also lists the status (new, active, ignore, etc.). Figure 8 is an example of this detailed information for a Level 5 Microsoft IIS vulnerability with a status of "New".


Figure 7: High Severity Report Summary

Figure 8: High Severity Vulnerability Details
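The two reports above, #4 (rank hosts by their Severity 4 and 5 findings from the last scan, with security risk and business risk per host) and #5 (keep only confirmed Level 4 and 5 findings, dropping potential and information-only entries), share one filtering step, so a single worked example covers both. It is an added example written for this page, not QualysGuard code: the findings, business impact values and asset groups are constructed, and the security risk formula, the numeric impact weights and the tie-break order are assumptions, because the page names the inputs but not Qualys' actual formulas.

```python
"""High Severity filter and 25 Most Vulnerable Hosts ranking computed from
scan findings.  Added illustration for this page, not QualysGuard code.
The findings, business impact values and asset groups are constructed, and
the security risk formula, the impact weights and the tie-break order are
assumptions: the page names the inputs but not Qualys' actual formulas."""
from collections import defaultdict

# Assumed numeric weights for the five business impact values the page lists.
IMPACT_WEIGHT = {"Critical": 5, "High": 4, "Medium": 3, "Minor": 2, "Low": 1}

# Constructed findings: (host, scan date, vuln id, severity 1-5, kind, status).
# 'kind' is confirmed, potential (cannot be fully verified) or info
# (information only), the three classes the High Severity template separates.
FINDINGS = [
    ("web01",  "2009-08-01", "V-101", 5, "confirmed", "Active"),   # older scan, superseded
    ("web01",  "2009-08-01", "V-102", 5, "confirmed", "Active"),
    ("web01",  "2009-09-01", "V-101", 5, "confirmed", "Active"),
    ("web01",  "2009-09-01", "V-103", 5, "confirmed", "New"),
    ("web01",  "2009-09-01", "V-104", 4, "confirmed", "Active"),
    ("web01",  "2009-09-01", "V-105", 3, "confirmed", "Active"),
    ("web01",  "2009-09-01", "V-106", 5, "potential", "New"),
    ("web01",  "2009-09-01", "V-107", 1, "info",      "Active"),
    ("db01",   "2009-09-02", "V-201", 5, "confirmed", "New"),
    ("db01",   "2009-09-02", "V-202", 4, "confirmed", "Active"),
    ("db01",   "2009-09-02", "V-203", 4, "confirmed", "Active"),
    ("db01",   "2009-09-02", "V-204", 4, "confirmed", "Active"),
    ("db01",   "2009-09-02", "V-205", 2, "confirmed", "Active"),
    ("test07", "2009-09-01", "V-301", 5, "confirmed", "Active"),
    ("test07", "2009-09-01", "V-302", 5, "confirmed", "Active"),
    ("test07", "2009-09-01", "V-303", 5, "confirmed", "Active"),
    ("fs02",   "2009-09-01", "V-401", 3, "confirmed", "Active"),
    ("fs02",   "2009-09-01", "V-402", 2, "confirmed", "Active"),
]
BUSINESS_IMPACT = {"web01": "Critical", "db01": "High", "test07": "Low", "fs02": "Medium"}
ASSET_GROUPS = {"web01": ["dmz", "windows"], "db01": ["finance", "linux"], "test07": ["lab"]}


def last_scan_findings(findings):
    """Keep only each host's most recent scan; ISO dates compare as strings."""
    latest = {}
    for f in findings:
        if f[1] > latest.get(f[0], ""):
            latest[f[0]] = f[1]
    return [f for f in findings if f[1] == latest[f[0]]]


def high_severity(findings):
    """The High Severity Technical Report filter: Level 4 and 5 only, and
    confirmed only, so potential and information-only entries drop out."""
    return [f for f in last_scan_findings(findings) if f[3] >= 4 and f[4] == "confirmed"]


def security_risk(host_findings):
    """Assumed security risk: sum of the severities of confirmed findings."""
    return sum(f[3] for f in host_findings if f[4] == "confirmed")


def most_vulnerable_hosts(findings, impact, groups=ASSET_GROUPS, n=25):
    """Rank hosts by their count of Level 4/5 findings from the last scan,
    breaking ties on business risk (assumed), so a Critical production
    server outranks a Low-impact lab box with the same count."""
    by_host = defaultdict(list)
    for f in last_scan_findings(findings):
        by_host[f[0]].append(f)
    rows = []
    for host, hf in by_host.items():
        sev5 = sum(1 for f in hf if f[3] == 5 and f[4] == "confirmed")
        sev4 = sum(1 for f in hf if f[3] == 4 and f[4] == "confirmed")
        if sev5 + sev4 == 0:
            continue                      # nothing high severity: not on this report
        sr = security_risk(hf)
        br = sr * IMPACT_WEIGHT[impact.get(host, "Medium")]
        rows.append({"host": host, "sev5": sev5, "sev4": sev4, "security_risk": sr,
                     "business_risk": br, "groups": sorted(groups.get(host, []))})
    rows.sort(key=lambda r: (-(r["sev5"] + r["sev4"]), -r["business_risk"], r["host"]))
    return rows[:n]


if __name__ == "__main__":
    for row in most_vulnerable_hosts(FINDINGS, BUSINESS_IMPACT):
        print(row)
```

Two details worth copying into any real implementation: restrict the count to each host's last scan (otherwise a stale August scan inflates web01), and keep potential and information-only findings out of the severity counts, since those are exactly what the High Severity template excludes.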

Page 10

#6 – Web Application Scan

According to the SANS website at http://www.sans.org/top20, vulnerabilities discovered in open source and custom web applications have grown to account for almost 50% of all vulnerabilities now discovered. The danger manifests itself when trusted sites are turned into hosts for phishing pages and other scams. Among the web application vulnerabilities important to identify and remediate are cross site scripting, SQL injection and remote code execution. Regularly scanning your web applications is therefore a critical component of IT security.

Because web application vulnerabilities are code related, frequent testing should occur during the development of applications as well as after their deployment. Figure 9 shows how web application security threats can be proactively identified to prevent compromise.

Figure 9: Web Application Scan Results

Page 11

Analysis and Correlation Reports

After asset information has been gathered and vulnerabilities have been identified, further analysis is often necessary to provide more insight into the security information. This is made feasible by automated solutions that collect, store, compute and present the information through multiple views and in graphical formats. The vulnerability and asset information is kept in a repository where analytical engines can process it further. Examples of this advanced processing include presenting trends in vulnerabilities over time, and correlating the known properties of a vulnerability (operating system, ports, services) with those of devices to see which are at highest risk for the presence of a specific vulnerability.

As IT operations, systems administration and security move closer together in pursuit of improved operational performance, it is critical for these groups to share information and workflows. For example, IT operations (support staff, help desk personnel) can assist with remediation tasks such as system patching if they have the necessary information about which systems are affected and what software to deploy. This information, along with an assigned individual responsible for action and a date for completion, is summarized in trouble tickets created by QualysGuard. This trouble ticketing helps ensure timely and proper follow-up on vulnerability and configuration issues, while coordinating the smooth integration of efforts across IT groups.

The QualysGuard analysis capability extends into areas such as reviewing the length of time trouble tickets remain open, the number of open trouble tickets in total and by severity, the vulnerabilities by status and severity, and changes in the business risk of asset groups over time. Correlating the severity of a vulnerability with the business value of an asset is important when determining which systems need immediate remediation. This approach makes better use of resources than one where the most severe vulnerabilities are all resolved concurrently, regardless of whether a machine is used in a test bed or in a live production environment.

In addition to the Analysis and Correlation Reports shown here, executive dashboards are a way to view business intelligence and trend results. As long as the dashboards are current and adaptable to changing requirements, they provide "at-a-glance" insight into a company's vulnerability and risk posture. Dashboards can easily track how long it takes to patch vulnerable systems, for example, or which servers consistently underperform relative to security policy. This aids managers in their understanding of how IT risk is being managed by security and administration teams.

Page 12

#7 – Vulnerability Trend Report

The Vulnerability Trend Report is based upon a time period established by the user, and displays the trends, increasing or decreasing, of vulnerabilities by severity and across categories (types of assets). As with all QualysGuard reports, permission to create and view the Vulnerability Trend Report is controlled by the user account settings. In Figure 10 below, the trend report was configured for a four month analysis.

Another section of the Vulnerability Trend Report (shown in Figure 11) graphs the changes in business risk by asset group over time. QualysGuard allows you to create as many groups as you like and to group assets into specific business units in any way desired (by geography, by function, by platform, etc.).

Figure 12 shows two more trending graphs for vulnerabilities found by QualysGuard scans. Users have the flexibility to customize graph formats (pie charts, bar charts, etc.). In the "Vulnerabilities by Severity over Time" graph, the total number of vulnerabilities decreased from June to September. This was led by a drop in the Severity 1, 4 and 5 vulnerabilities, which more than offset a rise in the Severity 2 and 3 vulnerabilities during this time.


Figure 10: Vulnerability Trend Summary

Figure 11: Vulnerability Trend Business Risk Graph

Figure 12: Vulnerability Trending by Severity and Status

Page 13

#8 – Risk Analysis Report

This report may be run before an actual vulnerability scan. The user directs a vulnerability to be correlated with the attributes of a specified host or asset group, and analysis is performed to determine the exposure level of that asset. The more matches the vulnerability has with the asset, across attributes such as operating system, ports and services, the higher the risk level.

The Risk Analysis Report identifies the hosts that are likely exposed to the specified vulnerability. By comparing the vulnerability's known properties and exploit data with information from past scans, QualysGuard can determine whether hosts are likely to be at risk from a new vulnerability, even before a scan is launched. For example, if you receive new information on Microsoft's Patch Tuesday but cannot scan before the weekend to assess your environment, this report delivers probabilities for which hosts are most likely affected in the interim. This information can then be used to develop an emergency action plan to protect you until full scanning and patching occurs.

Figure 13: Risk Analysis Report
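The correlation the Risk Analysis Report performs, matching a new vulnerability's operating system, ports and services against what earlier scans recorded for each host, is the same inventory-aware matching that page 3 credits with removing the "Windows server reporting a Linux-only flaw" false positive. The following is an added example written for this page, not QualysGuard code: the hosts, the advisory and the scoring weights are constructed and assumed, and the advisory is not a real bulletin.

```python
"""Risk Analysis correlation: rank hosts by how well a new vulnerability's
known properties (operating system, ports, services) match what earlier
scans recorded about each host, before any scan is run.  Added
illustration for this page, not QualysGuard code: the hosts, the
advisory and the scoring weights are constructed and assumed."""

# Assumed numeric weights for the business impact values the page lists.
IMPACT_WEIGHT = {"Critical": 5, "High": 4, "Medium": 3, "Minor": 2, "Low": 1}

# Constructed host attributes, as a previous scan would have recorded them.
HOSTS = {
    "dc01":  {"os": "Windows Server 2003", "ports": {135, 139, 445, 3389},
              "services": {"msrpc", "netbios-ssn", "microsoft-ds", "ms-wbt-server"},
              "impact": "Critical"},
    "web01": {"os": "Windows Server 2008", "ports": {80, 443, 445},
              "services": {"http", "https", "microsoft-ds"}, "impact": "High"},
    "nix01": {"os": "Red Hat Enterprise Linux 5", "ports": {22, 139, 445},       # Samba
              "services": {"ssh", "netbios-ssn", "microsoft-ds"}, "impact": "Medium"},
    "lab07": {"os": "Windows XP", "ports": {139, 445},
              "services": {"netbios-ssn", "microsoft-ds"}, "impact": "Low"},
}

# A constructed advisory (not a real bulletin), keyed in the way an analyst
# would describe a Patch Tuesday flaw in a Windows file-sharing service.
ADVISORY = {
    "name": "Hypothetical SMB server remote code execution",
    "os_family": "windows",
    "ports": {139, 445},
    "services": {"netbios-ssn", "microsoft-ds"},
}

# Assumed weights: OS match is worth half, ports and services a quarter each.
WEIGHTS = {"os": 0.5, "ports": 0.25, "services": 0.25}


def exposure(host, advisory):
    """Likelihood in [0, 1] that host is exposed to advisory.  The OS is a
    gate, not a weight: a Windows-only flaw scores zero on a Linux host even
    when the same ports and services are present, which is the false positive
    the page warns about when inventory data is missing."""
    if advisory["os_family"] not in host["os"].lower():
        return 0.0
    port_hit = len(host["ports"] & advisory["ports"]) / len(advisory["ports"])
    svc_hit = len(host["services"] & advisory["services"]) / len(advisory["services"])
    return WEIGHTS["os"] + WEIGHTS["ports"] * port_hit + WEIGHTS["services"] * svc_hit


def risk_analysis(hosts, advisory):
    """The report: hosts likely exposed, most exposed first; equal scores
    are ordered by business impact so the emergency plan starts at the top."""
    rows = [(name, exposure(h, advisory), h["impact"]) for name, h in hosts.items()]
    rows = [r for r in rows if r[1] > 0.0]
    rows.sort(key=lambda r: (-r[1], -IMPACT_WEIGHT[r[2]], r[0]))
    return rows


if __name__ == "__main__":
    for name, score, impact in risk_analysis(HOSTS, ADVISORY):
        print(f"{name:6} exposure={score:.2f} impact={impact}")
```

The output is a probability, not a finding: nix01 runs Samba on the same ports and is correctly left off the list, while dc01 and lab07 both score fully and are separated only by business impact. The scan that follows on Monday is still what turns "likely exposed" into a confirmed vulnerability.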

Page 14

Remediation and Validation Reports

Of course, it is not enough simply to identify the vulnerabilities or track their growth. The bottom line of the vulnerability management lifecycle is results oriented: resolving the causes of those software flaws or configuration errors. This is where remediation comes into primary focus. Even when new patches are available, there may be a delay in applying them due to the time required for implementation, or to fears about the potential impact on the availability and performance of IT assets. An example of this behavior is found in the Conficker worm, which exploits the MS08-067 vulnerability in the Microsoft Windows Server service. Even though Microsoft released the patch for MS08-067 in October 2008, the number of PCs infected since then is estimated to be in the range of 5 to 10 million, primarily corporate and government computers.

Coordination of remediation efforts, often through an automated trouble ticketing system, helps organizations proactively manage what needs to be fixed, and by whom. Automated notifications and reports provide the workflow required to keep remediation tasks on target and prevent gaps in protection. Prioritization by business impact ensures the most valuable systems are addressed first. Less critical assets may then be handled on regularly scheduled dates, such as a monthly patch or configuration change cycle.

After patching or implementing other configuration changes, rescanning the affected IP addresses is necessary to ensure the fix is complete and no other issues have been created as a result of the change.

Accurate and timely reporting is important at this stage because remediation tasks are often performed by a different team than the security group that identified the exposure. IT security will most likely perform the scan; systems administrators or IT operations staff (helpdesk, support) will then implement the fix. Remediation and validation reports help in understanding how quickly and thoroughly your organization responds to and resolves security issues. When results are less than desired, improvements in the incident management process can be made.

Page 15

#9 – Open Tickets Report

The QualysGuard native ticketing and remediation functions ensure outstanding issues are scheduled for completion and vulnerabilities are resolved before further damage is done. Each vulnerability is individually tracked until it is fixed. This automated remediation and trouble ticketing workflow generates tickets based on policy rules. These rules define specific criteria that trigger response actions when met. For example, a rule can be created such that a trouble ticket is opened whenever a Level 4 or 5 vulnerability is identified. The rule establishes the assigned individual, let's say the administrator who ran the scan, and the time period (perhaps two days) for remediation.

The ninth report in our Top 10 list is the Open Tickets Report. As seen below in Figure 14, it lists the tickets and may be sorted by ticket number, status, due date or other fields. Each ticket is assigned a unique number and carries general information, vulnerability details, remediation history and required actions. Each ticket owner is also listed. Viewers of this report have the option of drilling down into the report to gain additional information associated with the ticket, such as its history.

QualysGuard further aids the remediation process by delivering automated ticket notification emails. These notifications are sent to each user who has open trouble tickets assigned to them. The ticket statistics in the notification include the number of open tickets which are overdue (those past the scheduled resolution date) and the number which are not overdue, the tickets resolved and the tickets closed. A QualysGuard hyperlink is also included so recipients can easily check on the details of their assigned tickets.

Figure 14: Open Tickets Report

Page 16

#10 – Executive Review – Remediation Report

In addition to providing the detail, by user, of the status of open tickets, QualysGuard also makes available summary levels for reviewing trouble tickets. Users select which asset groups and which users to include in the report settings. Figure 15 below is an example of the trouble ticket statistics presented: you see not only the number of tickets resolved and still open (by severity level), but also the number overdue and the average time in days for ticket resolution. These statistics are very useful when assessing the performance of the groups involved in vulnerability resolution, and deliver metrics to gauge improvements made over time.

Figure 16 shows more ticket trending information in graphical format. These statistics are often required for weekly status meetings, presentations to management and to demonstrate achievement of Service Level Agreements (SLAs). You can see here the drastic increase in the number of open (and closed) tickets during the last week of this report, alerting executives "at-a-glance" to the increased activity.


Figure 15: Remediation Report – Tickets by Severity and Open Tickets

Figure 16: Remediation Report – Aggregate Ticket Changes
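The policy rule described under #9 (open a ticket for every Level 4 or 5 finding, assign it to the user who ran the scan, give it a two day deadline), the per-owner notification figures (overdue, not overdue, resolved, closed) and the executive summary under #10 (tickets open and resolved by severity, number overdue, average days to resolution) all operate on the same ticket records, so one worked example serves both reports. It is an added example written for this page, not QualysGuard code: the rule shape, the ticket fields, the state names Open, Resolved and Closed, the reopen-on-redetection behaviour and the constructed scans are all assumptions.

```python
"""Ticket policy rule, owner notification statistics and executive
remediation summary.  Added illustration for this page, not QualysGuard
code: the rule shape, the ticket fields, the state names (Open, Resolved,
Closed), the reopen-on-redetection behaviour and the constructed scans
below are all assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2009, 9, 5)          # constructed "now" for the sample


@dataclass
class Ticket:
    number: int
    host: str
    vuln_id: str
    severity: int
    owner: str
    opened: date
    due: date
    status: str = "Open"           # Open -> Resolved (owner fixed it) -> Closed (rescan verified)
    resolved_on: Optional[date] = None


class PolicyRule:
    """Open a ticket for every finding of at least min_severity, assigned to
    the user who ran the scan and due sla_days after the scan."""

    def __init__(self, min_severity=4, sla_days=2):
        self.min_severity = min_severity
        self.sla_days = sla_days

    def apply(self, findings, scan_owner, scan_date, tickets):
        """Apply the rule to one scan's (host, vuln_id, severity) findings,
        appending to `tickets`.  A flaw already tracked gets no second
        ticket; if its ticket was Resolved, re-detection means the fix did
        not hold and the ticket is reopened, keeping its original due date."""
        by_key = {(t.host, t.vuln_id): t for t in tickets}
        for host, vuln_id, severity in findings:
            if severity < self.min_severity:
                continue
            existing = by_key.get((host, vuln_id))
            if existing is None:
                t = Ticket(len(tickets) + 1, host, vuln_id, severity, scan_owner,
                           scan_date, scan_date + timedelta(days=self.sla_days))
                tickets.append(t)
                by_key[(host, vuln_id)] = t
            elif existing.status == "Resolved":
                existing.status, existing.resolved_on = "Open", None
        return tickets


def resolve(ticket, on):
    """The owner reports the fix applied."""
    ticket.status, ticket.resolved_on = "Resolved", on


def close(ticket, on):
    """Verification: a rescan no longer finds the flaw."""
    ticket.status = "Closed"
    ticket.resolved_on = ticket.resolved_on or on


def notification_stats(tickets, owner, today):
    """Figures for the automated e-mail sent to one ticket owner."""
    mine = [t for t in tickets if t.owner == owner]
    return {
        "overdue": sum(1 for t in mine if t.status == "Open" and t.due < today),
        "not_overdue": sum(1 for t in mine if t.status == "Open" and t.due >= today),
        "resolved": sum(1 for t in mine if t.status == "Resolved"),
        "closed": sum(1 for t in mine if t.status == "Closed"),
    }


def remediation_summary(tickets, today):
    """Executive view: open and resolved tickets by severity, overdue count
    and average days from ticket opened to resolution."""
    done = [t for t in tickets if t.status in ("Resolved", "Closed")]
    return {
        "open_by_severity": dict(Counter(t.severity for t in tickets if t.status == "Open")),
        "resolved_by_severity": dict(Counter(t.severity for t in done)),
        "overdue": sum(1 for t in tickets if t.status == "Open" and t.due < today),
        "avg_days_to_resolve": (sum((t.resolved_on - t.opened).days for t in done) / len(done)) if done else 0.0,
    }


def build_sample():
    """Constructed walk-through: two scans run by alice, one fix that held
    and was verified, one that did not hold, one awaiting rescan."""
    rule = PolicyRule(min_severity=4, sla_days=2)
    tickets = []
    rule.apply([("web01", "V-101", 5), ("web01", "V-104", 4), ("web01", "V-105", 3),
                ("db01", "V-201", 5), ("db01", "V-202", 4)], "alice", date(2009, 9, 1), tickets)
    resolve(tickets[0], date(2009, 9, 2))     # web01 V-101: owner reports fixed
    resolve(tickets[1], date(2009, 9, 2))     # web01 V-104: fixed ...
    close(tickets[1], date(2009, 9, 3))       # ... and verified by rescan
    rule.apply([("web01", "V-101", 5), ("fs02", "V-501", 4)], "alice", date(2009, 9, 3), tickets)
    resolve(tickets[2], date(2009, 9, 4))     # db01 V-201 fixed, awaiting rescan
    return tickets


if __name__ == "__main__":
    print(notification_stats(build_sample(), "alice", TODAY))
    print(remediation_summary(build_sample(), TODAY))
```

The Level 3 finding on web01 never becomes a ticket, the second scan does not duplicate the ticket for V-101 but does reopen it because the reported fix did not survive a rescan, and that reopened ticket is what makes "resolved" and "closed" two different columns in the notification: only the rescan moves a ticket to Closed.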

Page 17

Summary

So there you have it: the Top 10 Reports for Managing Vulnerabilities. By looking across the complete lifecycle of vulnerability management, starting with asset discovery and ending with remediation and verification, the breadth and depth of the information to be gathered, analyzed, stored and communicated is seen in full force. This is what makes true vulnerability management different from mere vulnerability scanning. And this lifecycle approach, along with well defined and customizable reporting, is what sets Qualys apart.

By providing easy to understand reports, such as the Network Perimeter Map, the SANS Top 20 Report, the High Severity Technical Report and the Remediation Report, QualysGuard delivers thorough overviews to executives along with the detailed breakdown and analysis for IT security, systems administration and IT operations. By combining hosts into asset groups, assigning business impact weightings and calculating Security Risk and Business Risk metrics, QualysGuard provides a solution that is quick to deploy and easy to use, resulting in an improved security posture and compliance with regulatory and standards requirements.

© Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 09/09

www.qualys.com

USA – Qualys, Inc. • 1600 Bridge Parkway, Redwood Shores, CA 94065 • T: 1 (650) 801 6100 • [email protected]
UK – Qualys, Ltd. • Beechwood House, 2nd Floor, 10 Windsor Road, Slough, Berkshire, SL1 2EJ • T: +44 (0) 1753 872101
Germany – Qualys GmbH • München Airport, Terminalstrasse Mitte 18, 85356 München • T: +49 (0) 89 97007 146
France – Qualys Technologies • Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie • T: +33 (0) 1 41 97 35 70
Japan – Qualys Japan K.K. • Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo • T: +81 3 6860 8296
United Arab Emirates – Qualys FZE • P.O Box 10559, Ras Al Khaimah, United Arab Emirates • T: +971 7 204 1225
China – Qualys Hong Kong Ltd. • Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing • T: +86 10 84417495