LAS VEGAS — At a reception late last week at Qualys Security Conference 2013, I talked to a Qualys customer who said Qualys does a great job at vulnerability scanning, in fact, too great of a job in the opinion of some of his IT staff. As QualysGuard identifies vulnerabilities, you must triage the problems to fix them.
|We all know that what you don’t know can definitely hurt you when it comes to computer security. With QualysGuard data in hand, it is important to determine: Which issues are the most important? What can be done to remediate them effectively and efficiently? The answers to these questions depend on the customer’s specific networks and operations, which only the customer can truly understand.
photo credit: James Lumb
QualysGuard is integrated with tools that can help customers prioritize their remediation steps. Corey Bodzin, solution manager for RSA, gave an overview of RSA’s Archer Risk Management solution, which helps organizations assess and resolve risks identified by Qualys. Marlene Veum, director of security for product development IT at Oracle, talked about how organizations can find the “actionable needle in the compliance haystack” by using Oracle Application Express.
With Archer, IT admins can pull the technical data into one place, set up a workflow and rules, prioritize issues and measure outcomes to make the best business decisions possible. Maybe a proof-of-concept that has been ignored should now be paid attention to because it’s being used in active watering hole attacks targeting the customer’s industry. “Something has changed that makes me want to respond differently,” Bodzin said in this scenario. “Archer sees that it’s flagged and that it’s part of the PCI data world… Now I’ve got to go in and ask people what are you going to do and address this change.” Archer can also help admins measure the results, find out what the average remediation time, for instance. “If an issue is 45 days old but it took 28 days to make a decision, then we need to fix it,” Bodzin said. The outcomes can be published in Archer dashboards and viewed by executives as a part of the company’s overall IT, operational and financial risk. “Qualys grabs the technical bits and Archer helps grab the human bits,… and make good business decisions in a timely fashion,” he said.
Meanwhile, Oracle’s system helps companies pull data from other sources within the company to put the Qualys data into context. Qualys “is so good at collecting information that that’s the challenge — how do you deal with it?” Veum said. By pulling in asset, system and network information, and establishing a baseline, an organization can get better understand its environment. It’s important to “have the ability to see we have a problem and to share the information with people who can act on it,” she said. Oracle Application Express, a free html-based tool that works with Oracle Database, has an executive dashboard for executives to see consolidated scans broken down by line of business and viewable by project status, scan summary and categories like vulnerability type.
Having data on vulnerabilities is just one part of managing risk; you need to know enough about your network to decide how to act on the information. These tools in the Qualys ecosystem can help organizations get the most out of their vulnerability data.