Wednesday, September 18, 2019

How do your organizations do vulnerability management or security scanning?

Our security department is a relatively new addition to the company (as its own entity) and with it comes a new director and a few new employees. I'm generally on-board with their goals and priorities, but the actual working relationship has been frustrating for everyone in my networking corner of the IT world. Specifically, we're dealing with a PCI audit and the patching / vulnerability mitigation that comes with it.

Currently, they use Tenable's Nessus, and we get a CSV dump of vulnerabilities by IP. We just finished an internal update project, so every single one of our devices has been upgraded to a Cisco starred release within the last 6 weeks. Still, we have a few hundred items that we have to manually review and (hopefully) prove are not applicable, or are mitigated via other means.

I don't really have any specific questions as the whole process is new and seems quite badly designed. I'm more interested in how you handle it and if you've discovered any helpful hints or tools that can make the process easier, both immediately, or over time. The few specific complaints I do have are that Nessus only reports via IP, so we get a lot of duplicate reports, one for most interfaces on each device. Additionally, we've been told that blacklisting only works for 90 days, and we've had to review many items repeatedly as they re-appear in our scan results.

I'm especially interested if any of you have automated tools for dealing with vulnerability verification or patching priority.

Thanks for whatever input you can give.
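One way to take the edge off the two specific complaints above (one row per interface, and reviewed items re-appearing after the scanner's suppression expires) is to post-process the CSV dump yourself before anyone reviews it. The script below is an added example and is not code from the original post, from Tenable, or from any Nessus integration. It assumes the classic Nessus CSV export header (`Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,...`; check the header row of your own export, newer versions name the CVSS columns differently), and every sample row, address, plugin ID, device name and accepted-risk entry in it is a constructed placeholder, not a real finding. It maps each scanned IP to a device name so a finding reported on three interfaces of one switch becomes one item, drops informational rows, keeps an accepted-risk ledger outside the scanner so a reviewed item does not come back for re-review after 90 days, and sorts what is left by CVSS and number of affected interfaces.

```python
import csv
import io

# Constructed sample in the classic Nessus CSV export layout. The header names
# are an assumption; verify them against the first line of your own export.
# Plugin IDs, names and addresses are placeholders, not real Nessus plugins.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name
1,,7.5,High,10.0.0.1,tcp,22,Constructed finding A
1,,7.5,High,10.0.0.2,tcp,22,Constructed finding A
1,,7.5,High,10.0.1.1,tcp,22,Constructed finding A
2,,5.0,Medium,10.0.0.1,tcp,443,Constructed finding B
3,,0.0,None,10.0.0.2,tcp,0,Constructed informational item
2,,5.0,Medium,10.0.1.1,tcp,443,Constructed finding B
"""

# Constructed interface-to-device map. In practice, build this from your IPAM,
# NMS or the device configs; both 10.0.0.x addresses here belong to one switch.
IFACE_TO_DEVICE = {
    "10.0.0.1": "core-sw1",
    "10.0.0.2": "core-sw1",
    "10.0.1.1": "edge-rtr1",
}

# Constructed accepted-risk ledger keyed by (device, plugin id). Keeping this
# outside the scanner means the review decision does not expire with the
# scanner's own suppression window.
ACCEPTED = {
    ("edge-rtr1", "2"): "2019-09-01 mitigated by ACL on uplink (constructed note)",
}


def load_findings(csv_text):
    """Parse a Nessus-style CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def dedupe_by_device(rows, iface_map, min_cvss=0.1):
    """Collapse per-IP rows into one finding per (device, plugin id).

    IPs missing from iface_map fall back to the IP itself as the device
    name, so unmapped hosts are still visible. Rows below min_cvss
    (Nessus informational items carry CVSS 0.0) are dropped.
    """
    merged = {}
    for row in rows:
        cvss = float(row["CVSS"] or 0)
        if cvss < min_cvss:
            continue
        device = iface_map.get(row["Host"], row["Host"])
        key = (device, row["Plugin ID"])
        entry = merged.setdefault(key, {
            "device": device, "plugin": row["Plugin ID"], "name": row["Name"],
            "risk": row["Risk"], "cvss": cvss, "interfaces": set(),
        })
        entry["interfaces"].add(row["Host"])
    return merged


def prioritize(merged, accepted):
    """Split merged findings into a review worklist and already-accepted items.

    The worklist is ordered by CVSS (highest first), then by how many
    interfaces the finding touches, then by device name for stable output.
    """
    todo, done = [], []
    for key, entry in merged.items():
        if key in accepted:
            done.append((entry, accepted[key]))
        else:
            todo.append(entry)
    todo.sort(key=lambda e: (-e["cvss"], -len(e["interfaces"]), e["device"]))
    return todo, done


def triage(csv_text, iface_map=IFACE_TO_DEVICE, accepted=ACCEPTED):
    """Full pipeline: parse, collapse by device, apply the ledger, rank."""
    merged = dedupe_by_device(load_findings(csv_text), iface_map)
    return prioritize(merged, accepted)


if __name__ == "__main__":
    todo, done = triage(SAMPLE_CSV)
    print(f"{len(todo)} findings to review, {len(done)} previously accepted")
    for e in todo:
        print(f"{e['cvss']:>4} {e['device']:<10} plugin {e['plugin']} "
              f"({len(e['interfaces'])} interfaces): {e['name']}")
    for e, note in done:
        print(f"skip {e['device']:<10} plugin {e['plugin']}: {note}")
```

With the constructed sample, the six scanner rows become three items to review and one that is skipped with its review note, instead of five separate per-IP rows. The ledger key is (device, plugin id) rather than IP, so adding an interface to a device does not reopen a finding that was already reviewed; when a device is actually upgraded, delete its ledger entries so the next scan is judged fresh.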
