VM Evolution via API Parag Baxi, Technical Account Manager September 2, 2013 Vulnerability Management – Before • Constant battle for IP Asset classification • QualysGuard scan reports emailed • Global metrics unavailable on security posture • No administrator credentials 2 Vulnerability Management – After • IT Assets in sync • Reduced VM lifecycle • Visibility in near real-time • Biweekly authenticated scanning against all sites • Users: Tuesday to Thursday, 10 AM - 4 PM • Non-users: Friday, 10 PM - Sunday 10 PM • Metrics for senior management and IT staff 3 Impact • Increased effectiveness of QualysGuard VM • Increased awareness of security needs QGIR (QualysGuard Integration with Reporting) began at Customer in the second half of 2010. 4 Challenge: Asset Management • No visibility on IT assets • No visibility on ownership of assets • Resulted in creating CMDB in shared Google input Spreadsheet • Manual • Hierarchy model Problem: • API integration with Configuration How to synchronize QualysGuard’s Management Database (CMDB) asset groups with the CMDB Google Spreadsheet? 5 QualysGuard-CMDB Integration •Issues: Calculate staticasset Create/Update IP ranges groups and update QualysGuard Google via API. Spreadsheet. schedules forinDHCP &the static ranges. • No Have Update static necessary host IP ranges tracking information provided information to in create CMDB viaAM QualysGuard Asset Google Groups Spreadsheet.. API. in QualysGuard. DHCP: Biweekly midweek from 10 to 4 PM. • QualysGuard Asset Groups not in sync with Google Spreadsheet. Static: Biweekly on weekends. 6 Remediation Workflow Automated • Email Scan Reports • Custom Report Templates • Patch Report • Remediation Policies • Remediation Tickets API 7 Remediation Workflow Automated • QGIR (QualysGuard Integration with Reporting) 8 Sample Reporting Issue 9 QGIR Workflow – Issue Vulnerabilities QualysGuard vulnerabilities ofWith the patching same QID for the Further rounds supersede tool’s ability to same areAll assembled existing tickets. patchoffice multiple hosts for the into a CSV containing unresolved Reporting same vulnerability, it makes pertinent tickets from the previous sense toinformation. group by QID. Store the vulnerabilities and round are marked associated tickets in a incomplete and Reporting the separate database towill allow for remaining vulnerabilities proper verification. be included in the new round. 10 Create the tickets into QGIR tracks metrics against all Reporting, a JIRA offices fairly. ITIL-aligned All participating offices are given implementation. the same timetickets frame are and QualysGuard opportunity remediate grouped by to QID in vulnerabilities. Reporting. This enables easy patching. To further ease the administrative burden we utilize the patch report to consolidate vulnerabilities. QGIR Verify Workflow QGIR verification willthat reopen QGIR will verify all all QGIR Reporting hosts in eachissues ticket that that still havewas vulnerable markedhosts. resolved has, in fact, For example, letsremoved say Site A had the vulnerability. 2 QGIR tickets in Reporting, and each of those QGIR tickets had 10 vulnerable hosts. If one host in both QGIR tickets was not fixed for either vulnerability then both tickets will be reopened. 11 QGIR Verify Workflow – Attachments 12 QGIR Verify – Decommissioned Hosts Noteverification the searchwill byreopen NetBIOS QGIR all name is not anissues exact that search. QGIR Reporting still It willvulnerable return remediation have hosts. tickets containing the NetBIOS name. Therefore, all QualysGuard For example, a NetBIOS search remediation tickets associated ofdecommissioned “USNYSMITHGE1” willmust also with hosts tickets associated with be return removed. hostname, “USNYSMITHGE11”. QualysGuard not false reportpositives a very real, Removewill these by but previously discovered vulnerability on XML a replacement host with the parsing the resulting file. decomissioned IP/hostname. The ticket must be deleted. 13 Parag Baxi, CISA, CISM, CISSP, CRISC, PMP • Employee, Qualys • Senior Security Engineer, Ogilvy & Mather • Architected ITIL-aligned worldwide VM QualysGuard implementation with heavy emphasis on automation, ROI and security best practices. • Over 10 years of enterprise experience at UMDNJ, Thank you! EDS, HP Enterprise Services (consultancy for The Federal Reserve Bank of New York), and Google. 14 • Advocate and active contributor of the Qualys community. • Published open-source QualysGuard integration code. • B.S. degree in Computer Science from Rutgers University.