Aligning Corporate Security Policies and Standards with Selective Data Collection and Multi-Level, Multi-Focus Reporting
Policy and Standards
- Vulnerabilities identified through vulnerability assessment scanning will be ranked on an ascending severity scale from one (1) to five (5). The Common Vulnerability Scoring System (CVSS) version 2 will be applied to establish the severity parameters, as set forth below.
- External systems will leverage CVSSv2 Base scores.
- Internal and Endpoint systems will leverage CVSSv2 Temporal scores.
- Remediation Timelines are based on infrastructure segments, those being: External, Internal and Endpoints
Aligning Qualys with Corporate Policies and Standards
Question: How do I select specific types of vulnerabilities based on corporate severity rankings?
Answer: Qualys Search List
Assumptions: Qualys Administrator Skill Set
For the purpose of this document, we will assume the Qualys administrator has the appropriate skill set and manager rights to:
Log into Qualys UI
- Create Search Lists
- Create Asset tags
- Create Remediation Policy Rules
- Create Report Templates
- Export reporting results from Qualys in CSV format
Log into Qualys API
- Prepare API commands in cURL format
- Execute cURL commands to extract data from Qualys to CSV format
Leverage Excel to format reporting results; execute basic calculations, formulas using IF, VLOOKUP, MATCH commands; Visualize data by creating pivot tables, charts and graphs.
OPTIONAL: Leverage an ETL for API data collection and data transformation.
OPTIONAL: Leverage a Data Visualization tool.
Categorization of assets based on the infrastructure segment, for example:
- Corporate Client Endpoints
- Corporate On-Prem Network Addressable Assets
- Platform On-Prem Network Addressable Assets
- Platform Public Facing Network Addressable Assets
- Cloud HostedInternal Network Addressable Assets
- Cloud Hosted Public Facing Assets
Assessment Meta Data Needed:
- Assets scanned within 45 days (today-45)
- External: CVSSv2 Base 4+
- Internal and Endpoints: CVSSv2 Temporal 4+
- Status: New, Active, Re-Opened, Fixed
- Vulnerability Type = Confirmed (+Potential for External)
- Display Non-Running Kernels = Yes (Internal assets only)
curl -u “USERID:PASSWORD" -H "X-Requested-With: Curl” -X "POST" "https://[QUALYS_POD]/api/2.0/fo/asset/host/vm/detection/?
tag_set_exclude= ASSETTAG, ASSETTAG, ASSETTAG&
Challenges Will Be Identified – Example Inventory Management
- Disconnected Systems: Systems that are disconnected from the corporate network, which makes it almost impossible to perform an assessment or to apply a patch or update.
- Unmanaged Systems: Some peoples’ roles require them to be excluded from the direct control of the IT security staff—such as executives, engineers, and technical staff. Their systems connect to the network but may be excused from updates.
- Can’t Change the System: In some cases, these systems may be always on and always connected. For example, systems that perform critical business operations or highly specialized functions.
- Old Systems: You’d like to update these, but they may be running older versions of the operating system or business applications that can’t be changed due to licensing restrictions, support requirements, or as a result of known or potential compatibility issues with an update.
- “Exception” Systems: Some systems can’t be changed due to external regulation. For example, in order for Payment Card Systems to be PCI compliant, they cannot be changed if they are to retain their certification status.
- Systems Running on Systems: Virtualization technologies introduce on-demand system provisioning. With this, the number of new systems running within an organization could increases (or decrease) dramatically. And, chances are, a large number of these assets are often undiscovered, unmanaged, and un-patched.
Inventory Challenge? Recommended Solution
Benefits of Leveraging Qualys Cloud Agents
- Eliminates the need to manage credentials, and vaults, for authenticated vulnerability assessment scanning.
- The Qualys Cloud Agent improves and enhances vulnerability assessment data through authentication.
- With improved/enhanced vulnerability assessment data information technology teams will see a marked reduction in diagnostic time, thereby improving time to remediation.
- Deployed via a compact silent installer (< 2MB) with no reboot requirement.
- The agent is self-updating, self-healing, with no reboot requirement.
- Minimal impact on systems and networks, normally consuming less than 2% of CPU resources with peaks in the range of 5% during normal operation.