Parag Baxi - Qualys presentation

Report
VM Evolution via API
Parag Baxi, Technical Account Manager
September 2, 2013
Vulnerability Management – Before
• Constant battle for IP Asset classification
• QualysGuard scan reports emailed
• Global metrics unavailable on security
posture
• No administrator credentials
2
Vulnerability Management – After
• IT Assets in sync
• Reduced VM lifecycle
• Visibility in near real-time
• Biweekly authenticated scanning against all sites
• Users: Tuesday to Thursday, 10 AM - 4 PM
• Non-users: Friday, 10 PM - Sunday 10 PM
• Metrics for senior management and IT staff
3
Impact
• Increased effectiveness of QualysGuard
VM
• Increased awareness of security needs
QGIR (QualysGuard
Integration with
Reporting) began at
Customer in the
second half of 2010.
4
Challenge: Asset Management
• No visibility on IT assets
• No visibility on ownership of assets
• Resulted in creating CMDB in shared
Google input
Spreadsheet
• Manual
• Hierarchy model
Problem:
• API integration with Configuration
How
to synchronize
QualysGuard’s
Management
Database
(CMDB) asset
groups with the CMDB Google
Spreadsheet?
5
QualysGuard-CMDB Integration
•Issues:
Calculate staticasset
Create/Update
IP ranges
groups
and
update
QualysGuard
Google
via API.
Spreadsheet.
schedules
forinDHCP
&the
static
ranges.
• No
Have
Update
static
necessary
host
IP ranges
tracking
information
provided
information
to
in create
CMDB
viaAM
QualysGuard
Asset
Google
Groups
Spreadsheet..
API.
in QualysGuard.
DHCP:
Biweekly
midweek
from
10
to 4 PM.
• QualysGuard
Asset
Groups not in sync with Google Spreadsheet.
Static: Biweekly
on weekends.
6
Remediation Workflow Automated
• Email Scan Reports
• Custom Report Templates
• Patch Report
• Remediation Policies
• Remediation Tickets API
7
Remediation Workflow Automated
• QGIR (QualysGuard Integration with Reporting)
8
Sample Reporting Issue
9
QGIR Workflow – Issue Vulnerabilities
QualysGuard vulnerabilities
ofWith
the patching
same
QID
for the
Further
rounds
supersede
tool’s
ability to
same
areAll
assembled
existing
tickets.
patchoffice
multiple
hosts
for the
into
a CSV
containing
unresolved
Reporting
same
vulnerability,
it makes
pertinent
tickets
from
the previous
sense
toinformation.
group
by QID.
Store
the
vulnerabilities
and
round are marked
associated
tickets in a
incomplete
and Reporting
the
separate
database towill
allow for
remaining
vulnerabilities
proper verification.
be included
in the new
round.
10
Create the tickets into
QGIR tracks metrics against all
Reporting, a JIRA
offices fairly.
ITIL-aligned
All participating
offices are given
implementation.
the
same timetickets
frame are
and
QualysGuard
opportunity
remediate
grouped by to
QID
in
vulnerabilities.
Reporting. This enables
easy patching.
To further ease the
administrative burden we
utilize the patch report to
consolidate vulnerabilities.
QGIR Verify Workflow
QGIR
verification
willthat
reopen
QGIR
will verify
all all
QGIR
Reporting
hosts
in eachissues
ticket that
that still
havewas
vulnerable
markedhosts.
resolved
has, in fact,
For example,
letsremoved
say Site A had
the vulnerability.
2 QGIR
tickets in Reporting, and
each of those QGIR tickets had
10 vulnerable hosts. If one host
in both QGIR tickets was not
fixed for either vulnerability then
both tickets will be reopened.
11
QGIR Verify Workflow – Attachments
12
QGIR Verify – Decommissioned Hosts
Noteverification
the searchwill
byreopen
NetBIOS
QGIR
all
name
is not anissues
exact that
search.
QGIR
Reporting
still It
willvulnerable
return remediation
have
hosts. tickets
containing the NetBIOS name.
Therefore, all QualysGuard
For example,
a NetBIOS
search
remediation
tickets
associated
ofdecommissioned
“USNYSMITHGE1”
willmust
also
with
hosts
tickets associated with
be return
removed.
hostname, “USNYSMITHGE11”.
QualysGuard
not false
reportpositives
a very real,
Removewill
these
by but previously
discovered
vulnerability
on XML
a replacement
host with the
parsing
the resulting
file.
decomissioned IP/hostname. The ticket must be deleted.
13
Parag Baxi, CISA, CISM, CISSP, CRISC, PMP
•
Employee, Qualys
•
Senior Security Engineer, Ogilvy & Mather
•
Architected ITIL-aligned worldwide VM QualysGuard
implementation with heavy emphasis on automation,
ROI and security best practices.
• Over 10 years
of enterprise experience at UMDNJ,
Thank
you!
EDS, HP Enterprise Services (consultancy for The
Federal Reserve Bank of New York), and Google.
14
•
Advocate and active contributor of the Qualys
community.
•
Published open-source QualysGuard integration code.
•
B.S. degree in Computer Science from Rutgers
University.

similar documents