Monday, August 17, 2020

Review process for Cisco security alerts

We're in the process of trying to improve how we review security alerts released by our vendors, primarily Cisco.

Currently, we receive monthly emails from Cisco for each platform we have. The problem is that they often are full of vulnerabilities or bugs for versions of code we don't run, so we end up having to sort through the emails for alerts that actually affect us. While the "find" feature works OK, the next challenge is that we also need to document what came in, and how we responded, for PCI. Currently we do this by creating a monthly ticket, attaching the emails, and then updating the ticket with our response.

Overall, this is just clunky and prone to error; I'm sure there has to be a better way or tools we can use to manage this better. I'm aware we can start by filtering which versions we receive emails on from Cisco, but it still leaves us with a poor process for documentation for PCI. Ideally we would have something that auto-ingests the alerts, filters for what is relevant based on platform and version of code (which we would maintain either manually or by referencing NetBox or some other source of truth), and then tracks that we responded and allows us to document what the response was for the purpose of PCI compliance.

I looked at the RSS feed from Cisco, but it does not contain the versions affected, just links. I was really hoping we could ingest the RSS into Splunk or something and filter off that as a starting point. https://tools.cisco.com/security/center/rss.x?i=44

Looking for suggestions or tools we might look into for a more automated/streamlined approach to the ingestion and documentation portion.
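As an added illustration of the filter-and-document step the post describes (not code from the original post or from any vendor tool), the script below matches normalized advisory records against a device inventory and produces a tracking record per relevant advisory. It assumes advisories have already been normalized into affected version ranges per platform (which, as noted, the RSS feed does not give you), and all advisory IDs, devices and versions are constructed sample data.

```python
import re
from datetime import date

# Constructed sample advisories; IDs and versions are placeholders, not real Cisco advisories.
# Each affected range is half-open: first affected release up to (not including) the first fixed release.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "title": "Example IOS XE web UI issue",
     "affected": {"IOS-XE": [("16.9.1", "16.9.5"), ("17.3.1", "17.3.3")]}},
    {"id": "EXAMPLE-ADV-002", "title": "Example NX-OS issue",
     "affected": {"NX-OS": [("7.0(3)I7(1)", "7.0(3)I7(9)")]}},
    {"id": "EXAMPLE-ADV-003", "title": "Example ASA issue",
     "affected": {"ASA": [("9.8.1", "9.8.4")]}},
]

# Constructed inventory, in the shape one might pull from NetBox or keep by hand.
INVENTORY = [
    {"name": "core-sw-1", "platform": "IOS-XE", "version": "16.9.4"},
    {"name": "core-sw-2", "platform": "IOS-XE", "version": "16.9.5"},
    {"name": "dc-n9k-1", "platform": "NX-OS", "version": "7.0(3)I7(8)"},
    {"name": "edge-fw-1", "platform": "ASA", "version": "9.12.2"},
]

def version_key(v):
    """Turn strings like '7.0(3)I7(8)' into tuples that compare numerically per token,
    so 16.9.10 sorts after 16.9.9; letter tokens sort after numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", v))

def is_affected(device, advisory):
    """True if the device's platform and running version fall inside an affected range."""
    for first, fixed in advisory["affected"].get(device["platform"], []):
        if version_key(first) <= version_key(device["version"]) < version_key(fixed):
            return True
    return False

def triage(advisories, inventory):
    """Keep only advisories that touch something we actually run, listing the devices hit."""
    hits = []
    for adv in advisories:
        devices = [d["name"] for d in inventory if is_affected(d, adv)]
        if devices:
            hits.append({"advisory": adv["id"], "title": adv["title"],
                         "affected_devices": devices, "status": "open", "response": None})
    return hits

def record_response(item, response, who, when=None):
    """Close out a triaged item with the documented response; this record is the PCI evidence."""
    item.update(status="closed", response=response, responded_by=who,
                responded_on=(when or date.today()).isoformat())
    return item
```

The output of `triage` is what would go into the monthly ticket; devices running a fixed release (core-sw-2 here) and platforms outside the affected range (the ASA) are dropped before anyone has to read them.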

