Presentation on theme: "September 2, 2013 VM Evolution via API Parag Baxi, Technical Account Manager."— Presentation transcript:
September 2, 2013 VM Evolution via API Parag Baxi, Technical Account Manager
2 Vulnerability Management – Before Constant battle for IP Asset classification QualysGuard scan reports emailed Global metrics unavailable on security posture No administrator credentials
3 Vulnerability Management – After IT Assets in sync Reduced VM lifecycle Visibility in near real-time Biweekly authenticated scanning against all sites Users: Tuesday to Thursday, 10 AM - 4 PM Non-users: Friday, 10 PM - Sunday 10 PM Metrics for senior management and IT staff
4 Impact Increased awareness of security needs QGIR (QualysGuard Integration with Reporting) began at Customer in the second half of 2010. Increased effectiveness of QualysGuard VM
5 API integration with Configuration Management Database (CMDB) Hierarchy model Challenge: Asset Management Manual input No visibility on IT assets No visibility on ownership of assets Resulted in creating CMDB in shared Google Spreadsheet Problem: How to synchronize QualysGuard’s asset groups with the CMDB Google Spreadsheet?
6 Calculate static IP ranges and update the Google Spreadsheet. Have necessary information to create Asset Groups in QualysGuard. Create/Update asset groups in QualysGuard via API. Update host tracking information via QualysGuard API. Create/Update schedules for DHCP & static ranges. DHCP: Biweekly midweek from 10 AM to 4 PM. Static: Biweekly on weekends. Issues: No static IP ranges provided in CMDB Google Spreadsheet.. QualysGuard Asset Groups not in sync with Google Spreadsheet. QualysGuard-CMDB Integration
10 QualysGuard tickets are grouped by QID in Reporting. This enables easy patching. To further ease the administrative burden we utilize the patch report to consolidate vulnerabilities. QGIR tracks metrics against all offices fairly. All participating offices are given the same time frame and opportunity to remediate vulnerabilities. Further rounds supersede existing tickets. All unresolved Reporting tickets from the previous round are marked incomplete and the remaining vulnerabilities will be included in the new round. Create the tickets into Reporting, a JIRA ITIL-aligned implementation. With patching tool’s ability to patch multiple hosts for the same vulnerability, it makes sense to group by QID. Store the vulnerabilities and associated Reporting tickets in a separate database to allow for proper verification. QualysGuard vulnerabilities of the same QID for the same office are assembled into a CSV containing pertinent information. QGIR Workflow – Issue Vulnerabilities
11 QGIR Verify Workflow QGIR verification will reopen all QGIR Reporting issues that still have vulnerable hosts. For example, lets say Site A had 2 QGIR tickets in Reporting, and each of those QGIR tickets had 10 vulnerable hosts. If one host in both QGIR tickets was not fixed for either vulnerability then both tickets will be reopened. QGIR will verify that all hosts in each ticket that was marked resolved has, in fact, removed the vulnerability.
13 QGIR Verify – Decommissioned Hosts QGIR verification will reopen all QGIR Reporting issues that still have vulnerable hosts. Therefore, all QualysGuard remediation tickets associated with decommissioned hosts must be removed. Note the search by NetBIOS name is not an exact search. It will return remediation tickets containing the NetBIOS name. For example, a NetBIOS search of “USNYSMITHGE1” will also return tickets associated with hostname, “USNYSMITHGE11”. Remove these false positives by parsing the resulting XML file. QualysGuard will not report a very real, but previously discovered vulnerability on a replacement host with the decomissioned IP/hostname. The ticket must be deleted.
14 Parag Baxi, CISA, CISM, CISSP, CRISC, PMP Employee, Qualys Senior Security Engineer, Ogilvy & Mather Architected ITIL-aligned worldwide VM QualysGuard implementation with heavy emphasis on automation, ROI and security best practices. Over 10 years of enterprise experience at UMDNJ, EDS, HP Enterprise Services (consultancy for The Federal Reserve Bank of New York), and Google. Advocate and active contributor of the Qualys community. Published open-source QualysGuard integration code. B.S. degree in Computer Science from Rutgers University. Thank you!