Improving Visibility into your Vulnerability Management Program

Transcription

1 Improving Visibility into your Vulnerability Management Program One of the most challenging aspects of managing your vulnerability management program is understanding where to focus your time and effort. It can be strenuous to balance resources and provide consistent progress, while providing updates to your stakeholders and working with your IT teams to prioritize and remediate issues based on the most accurate data available at that time. Communication is critical, yet how do you know what to target and how do you share this information with your organization? Sequris Quantifiable Vulnerability Scanning and Reporting (Q VSR) service is based on Rapid7 Nexpose technology and is the perfect tool to help you achieve your security goals and communicate your status to your team. Our focused SEQ OPS TM team of experts have been working with Rapid7 to provide improved visibility and reporting based on your feedback. We are delighted to introduce three reports that will dramatically improve your visibility and effectiveness with these new reports, the risk scorecard, the trend report and the Top 10/25 remediation s report. The Risk Scorecard Report With this report you can see where you are doing well, what areas need work, and where to invest more time and resources. Based on the popular Site Report Card, the Risk Scorecard report includes all of your favorite features plus some awesome new ones and a slick interface that will enhance the visual communication of your data. The Risk Scorecard report provides grades for each of the sites. Additional reporting can be performed by Asset Tags, or Asset Groups based on how you want to organize your environment. The grading system works on the A through F range and is based on a curved scale system of your environment. The grade works by calculating the average risk of assets within the grouping type (Site, Asset Group, or Tag). This average becomes the curve that each unit is graded against. Reporting on a larger number of components is recommended so you see more variety and accuracy in your graded results. Page 1 of 5

2 The grading framework works by calculating the average risk of the assets within a group for each asset in scope. The average of this average sets the curve. From there, the curve is defined in the following way: A - a group's average risk per asset is more than 15% lower than the average B - a group s average risk per asset is between 5% and 5% lower than the average C - a group s average risk per asset is within 5% of the average D - a group s average risk per asset is between 5% and 15% higher than the average F - a group s average risk per asset is more than 15% higher than the average Because these grades are based on a curve, they are relative to your environment and will help you to determine what areas need the most attention based on the specific security needs of your environment. You can use this data to compare sites in ways that make the most sense for you based on how you group your assets. You can compare based on Sites, Asset Groups, or Tags within the scope of this report. For example, lets say you tag your assets based on office locations: Los Angeles, Miami, and New York. You can use the Risk Scorecard report to compare those three locations to each other. Los Angeles receives an A grade in the report, but Miami and New York both get Ds. The Risk Scorecard report provides you with breakdowns of information such as asset counts, vulnerabilities by severity, and available exploits so you can do a quick, side- by- side comparison to see what is making the security of one office more successful than the others. As a result, this report helps you to have the conversations you need to have with your IT teams and use this report as your points of comparison. It enables you to share with them how they are performing and how to improve your overall risk posture. The Trend Report Have you ever wondered how to track the security posture of your organization and the success of your remediation efforts over time? Have you ever asked questions like: Are the number of vulnerabilities increasing or decreasing over time? Are the number of assets increasing or decreasing over time? Is my remediation process effective? How are critical, severe, or moderate vulnerabilities changing? Is the average age of vulnerabilities going up or down? Page 2 of 5

3 This report shows key vulnerability trends so that you can easily track your security posture and the success of your remediation efforts for the past three to twelve months. Trends include assets scanned, vulnerabilities discovered, vulnerability age, severity levels, and exploit and malware kit exposures. Similar to any other report provided with your Q VSR Subscription, you can restrict the data in the report to specific sites, asset groups, or vulnerability categories based on your specific needs. The report can also be generated based on 3, 6 or 12 months of trending. For example, if you have a dynamic asset group that is configured to only include Windows Assets, you can create a trend report that displays trend charts for the Windows assets in your environment. The vulnerability trend report contains several trending graphs, as show below in detail. The Assets Scanned and Vulnerabilities Discovered chart shown on the left, explains how the number of vulnerabilities and assets are changing over time: The Vulnerabilities with Malware and Exploit Over Time chart shown on left, explains how your exposure to exploits and malware kits are changing over time: The Severity Levels chart shown on the right, explains how critical, severe, and moderate vulnerabilities are changing over time: Page 3 of 5

4 The Vulnerability Age chart shown on the left informs us whether or not your remediation efforts are effective at fixing older vulnerabilities. m The Top Remediation s Report The Top Remediation s by Risk report orders the remediations according to their effect on your organization, rolling up solutions across assets and allowing you to take the most impactful steps available. What does this mean for you? Well instead of asking, what is wrong you can now ask what should I do. Similar to other reports in Q VSR you can restrict and filter the data in the report to specific sites, asset groups or vulnerability categories for further configuration, granularity and visibility. For example, if you have a Dynamic Asset Group that is configured to include only Windows Assets, you can create a remediation report that only prioritizes remediation efforts for the windows assets in your environment. This allows you to tailor actionable reports to different IT groups within your organization. Making patch management and remediation more effective and improving efficiencies for your IT Team. Summary Page 4 of 5

5 Each of the reports presented above are just one aspect of the value Sequris Group and our expert team of security advisors and analysts have to offer. If you are not taking full advantage of your vulnerability management program contact a Sequris Account Team member today. By visiting our website at or calling Page 5 of 5