Maintaining a Vulnerability Scan Remediation Report

By David Oxley posted 07-20-2021 14:20


Please enjoy this blog post, co-authored and posted on behalf of Marc Ohmann, President and CEO of Digital Solutions, Inc., and Jamison Masters, Co-Founder of Verus Corporation.

A vulnerability is a weakness in a covered device that can be exploited by attackers to gain unauthorized access to covered data. A vulnerability assessment and remediation program is critical to the effective prevention of exploits through detection and remediation in a timely manner. By proactively managing vulnerabilities on covered devices, an organization can effectively reduce or eliminate the potential for exploitation and ultimately save on resources.

As vulnerabilities are identified and remediation steps are taken, a remediation report is used to collect data relevant to the vulnerabilities and the remediation process. Through the remediation process, auditors expect that a remediation report be provided as evidence of remediation activities. In this post we’ll explore tips to make a remediation report more effective and accessible to auditors.

Pairing remediation activities with Change Management entries

Monitoring vulnerabilities and managing remediation includes reviewing trends and tracking assignment groups as you work towards managing risk. In order to substantiate the work performed in addressing a vulnerability, the remediation process must be able to invoke and track change management entries. High-risk issues, group assignments, workloads, deferrals, and new vulnerabilities should be prioritized to ensure your vulnerability response process remains efficient and productive. To pair remediation activities with change management entries, create a change management request and associate the vulnerability with the newly created change request. Vulnerabilities can be grouped into subsets or split across multiple change management entries as required. This process will expedite your investigation and remediation of vulnerabilities through efficient change management tracking. Remediation activities should have their status updated to Change Management Initiated (CMI) and, after the work has been performed and verified, to Change Management Completed (CMC).

Copies of individual change management entries can be included in the remediation report as evidence of remediation efforts. To help the audit process and avoid auditor concerns or requests for clarification, the remediation report should also directly pair each vulnerability with its change management activities.

Using Excel to parse through the vulnerability scan data and prioritize findings to help drive the response

With tools such as Nessus, you can gain full visibility into your network by conducting a vulnerability assessment; however, sometimes you need more flexibility in prioritizing and parsing the data. This is where tools like Python or even Excel come in. Your scan tool likely provides export functionality into various formats such as HTML, CSV, or proprietary formats such as Nessus DB. Exporting to HTML allows for sharing data on the web, but the CSV export allows for further processing with external tools. Extensive data manipulation and processing can be done with programming languages such as Python, but even Excel can offer further filtering with far less setup time.

Out of the box, Nessus will allow you to view scan results by hosts scanned, vulnerabilities, and remediations. But for those with large networks who may need to consolidate data across numerous scans into one report, a tool like Excel can help to merge the findings. After merging the multiple scan files in Excel, you can group findings across network segments by OS, Plugin Name, Protocol, Port, or even Service Name. This allows for far more flexibility in organizing results, especially across large networks.
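The two sections above describe a workflow rather than show one: merge the CSV exports from several scans, collapse findings repeated across scans, group them by plugin, protocol and port, rank by severity, and pair each finding with its change management entry and CMI/CMC status. The following Python script is an added example of that workflow and is not code from the original post or from either author's organization. The sample exports are constructed; their column set is modeled on a Nessus CSV export (an assumption, check your own export's headers), and the plugin IDs, plugin names, hosts and change request IDs are placeholders.

```python
"""Merge scan CSV exports, rank findings, and pair them with change management entries."""
import csv
import io
from collections import defaultdict

# Constructed sample exports from two network segments. Column names follow a
# Nessus CSV export (assumption); plugin IDs, names and hosts are placeholders.
SCAN_SEGMENT_A = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Solution
90001,,7.5,High,10.0.0.5,tcp,445,Placeholder file-share signing finding,Require signing
90002,,5.0,Medium,10.0.0.5,tcp,80,Placeholder web server header finding,Suppress header
90003,,0.0,None,10.0.0.5,tcp,22,Placeholder service banner finding,n/a
"""
SCAN_SEGMENT_B = """Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Solution
90001,,7.5,High,10.0.0.7,tcp,445,Placeholder file-share signing finding,Require signing
90002,,5.0,Medium,10.0.0.7,tcp,80,Placeholder web server header finding,Suppress header
90001,,7.5,High,10.0.0.5,tcp,445,Placeholder file-share signing finding,Require signing
"""

# Constructed change management register keyed by plugin ID (IDs are placeholders).
CHANGE_REGISTER = {
    "90001": {"change_id": "CHG-PLACEHOLDER-1", "status": "CMI", "verified": False},
    "90002": {"change_id": "CHG-PLACEHOLDER-2", "status": "Open", "verified": False},
}

# Severity order used to rank the report, most severe first.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "None": 4}

# Status codes from the post: CMI once a change request exists, CMC only after
# the work has been performed and verified.
VALID_STATUS = ("Open", "CMI", "CMC")


def load_findings(*csv_texts):
    """Parse one or more CSV exports into a single list of row dicts."""
    rows = []
    for text in csv_texts:
        rows.extend(csv.DictReader(io.StringIO(text)))
    return rows


def dedupe(findings):
    """Collapse the same host/plugin/protocol/port reported by more than one scan."""
    seen = {}
    for row in findings:
        key = (row["Host"], row["Plugin ID"], row["Protocol"], row["Port"])
        seen.setdefault(key, row)
    return list(seen.values())


def group_by(findings, *columns):
    """Group findings by any combination of columns, e.g. Name, Protocol, Port."""
    groups = defaultdict(list)
    for row in findings:
        groups[tuple(row[c] for c in columns)].append(row)
    return dict(groups)


def rank_by_severity(findings):
    """Most severe first, then by plugin name so the order is stable."""
    return sorted(findings, key=lambda r: (SEVERITY_RANK.get(r["Risk"], 99), r["Name"]))


def set_status(entry, status, verified=False):
    """Advance a change entry's status; CMC is refused until the work is verified."""
    if status not in VALID_STATUS:
        raise ValueError(f"unknown status {status!r}")
    if status == "CMC" and not verified:
        raise ValueError("CMC requires the work to be performed and verified")
    entry["status"] = status
    entry["verified"] = verified
    return entry


def build_report(findings, register):
    """One report line per plugin, paired with its change management entry."""
    report = []
    for (plugin_id,), rows in group_by(dedupe(findings), "Plugin ID").items():
        top = rank_by_severity(rows)[0]
        entry = register.get(plugin_id, {"change_id": "UNASSIGNED", "status": "Open"})
        report.append({
            "plugin_id": plugin_id,
            "name": top["Name"],
            "risk": top["Risk"],
            "hosts": sorted({r["Host"] for r in rows}),
            "change_id": entry["change_id"],
            "status": entry["status"],
        })
    # Auditors read the most severe items first, so rank the report that way.
    report.sort(key=lambda r: (SEVERITY_RANK.get(r["risk"], 99), r["name"]))
    return report


if __name__ == "__main__":
    findings = load_findings(SCAN_SEGMENT_A, SCAN_SEGMENT_B)
    set_status(CHANGE_REGISTER["90002"], "CMI")  # change request opened
    for line in build_report(findings, CHANGE_REGISTER):
        print(line)
```

The report groups by Plugin ID so that one host appearing in two scans does not inflate the count, lists every affected host beside the change request that covers it, and flags plugins with no change request as UNASSIGNED, which is the gap an auditor is most likely to ask about. The status guard in `set_status` enforces the post's rule that CMC is recorded only after verification.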

Suggested methods to address auditor concerns

When conducting an audit, the last thing an auditor wants to find is the same deficiencies showing up year after year and audit after audit. Unfortunately, discovered vulnerabilities can often slip through the cracks and be ignored if the proper tools are not provided to the audit process. After an auditor has reviewed the process and recommended changes, they should feel confident those changes will be implemented. Often a lack of resources and oversight leaves auditor concerns unaddressed. Audit findings should be tied clearly to security objectives. The value of audit findings must be communicated so the audit isn't seen as immaterial or irrelevant. All audit recipients must understand how the audit recommendations are going to help meet objectives; otherwise, resources may not be allocated to the audit findings.

In the remediation report, issues should be ranked by severity so auditors can work efficiently. Most auditors do not have a strong technical background. Their specialty is auditing, and from a technical perspective they are often limited to the information provided to them. It is helpful to the audit process if the remediation report summarizes the remediation efforts in plain terms. This language may seem overly simplistic to engineers but can greatly simplify the audit process and avoid requests for further information.

Auditors will often review the most severe red rankings and ask questions about them first, but they may surprise you by analyzing a less severe yellow ranking that shows up repeatedly. Your responses to the auditor should be enough to cover their concerns, but you generally don't have to get too far into the weeds to satisfy their questions. The auditor's goal is to validate the process by seeing proof of remediation and progress; keep your progress reports at a high level but measurable.

Vulnerability response remediation, change management, and the audit process are critical components of healthy security operations. Effectively managing the process will help transform inefficiencies across your extended enterprise into an integrated risk program. The outcomes will be better decision-making, strong compliance, and minimized risk.