Qualys is great for identifying vulnerabilities and creating lists of them, as well as subdividing them into different groups using tags, sub-dashboards, etc..
But how well does it do for reporting on the fixing of these vulnerabilities?
Many of us are great at creating different views/dashboards/reports on the plethora of threats and vulnerabilities out to get us, but how many of us are good at reporting what we HAVE fixed in the past?
This is not a specific question, but an open request for ideas for me and others on how to Measure in Qualys how our guys who patch are doing . For instance, I don't patch systems, but I handle Qualys, and other systems.
So I have a number of questions (some are very open ended for you so that others can get something out of this thread)
- How do you get something out Qualys that is geared towards something akin to a KPI? Recording data from the scans on how the patching is going?
- Anyone have any good dashboards they are willing to share with this community on the other side of vulnerability reporting, the fixing (or fixed) part of it?
Again, this is an open ended one that I think would benefit the group greatly. I have benefited significantly from thread like this over the single year I have been here and this is one particular arena that I have not seen brought up very well so far. So here we go.
Hey John,
Good topic. In our environment I struggle as well. The objectives of the patch team are NOT the same as mine. They want the patch out timely and to not cause issues. Now if the patch is supposed to resolve a vulnerability that group does nothing to confirm this.
This has come up on other threads looking for a Configuration type flag. What we are working on to some degree is correlating the CVE Number from Qualys and the CVEs to be addressed by a patch. That coupled with the DATE of deployment. If we see a vulnerability that should have been resolved by a patch via the CVE correlation but it shows last detected after deployment we know we have an issue.
Not perfect or all encompassing but it is some step forward. We have not completed this and run into challenges but I think it is something worth doing.
David