kartronix

Vulnerability Management

Hello All,

So far what we have done is forwarded the nessus log to the ESM.

1. What should be the next step taken? Is there any way to automate the tagging of vulnerabilities to the asset?

2. What is the benefit of vulnerability management using ESM in the case of an MSSP environment? Is it of any use, as we are not authorized to run automated Nessus scans on the client environment?

3. What correlation rules can be made using logs received from Nessus?

Thanks in advance

pbrettle

Re: Vulnerability Management

Some answers for you:

1. What should be the next step taken? Is there any way to automate the tagging of vulnerabilities to the asset?

If you have integrated the SmartConnector correctly, the assets will be created automatically with the vulnerability data attached. So this is simple and straightforward, and you can find the assets in the relevant location in the asset model / network model. If you haven't set up the network zones correctly, though, you will find the assets dumped into their relevant RFC network ranges - so browse for them and see if you can find them from there.

2. What is the benefit of vulnerability management using ESM in the case of an MSSP environment? Is it of any use, as we are not authorized to run automated Nessus scans on the client environment?

The advantage of using vulnerabilities is that you can solve a few very specific use cases. Firstly, you will get information on a change of an asset. So if you do an initial scan and then get a subsequent one later that has NEW vulnerabilities on an asset, you can trigger rules and so on. This is an excellent way to track these things if you don't have an automated process around your vulnerability management software.

Secondly, you have the ability to do the reverse mapping of vulnerability to asset to IDS / IPS event / attack. What I mean is that we do the reverse mapping on the leading IDS / IPS vendors and understand which event maps to which vulnerability. This means that an alert will be automatically increased (or decreased) in priority depending on whether the asset is vulnerable or not, or whether it is relevant or not (such as OS etc.). This means that you can start to prioritize things extremely well and understand the true threats involved.

3. What correlation rules can be made using logs received from Nessus?

I really recommend that you read the ESM 101 document, as it will walk you through a number of scenarios and situations in which this can be used. Basically though, you can use the 'has vulnerability' operator in a rule and actually do an active lookup against the asset and check if it has a relevant vulnerability. This is an extremely powerful and flexible way to address things - as you do the lookup rather than having to know each and every rule / vulnerability match.

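The two mechanisms the reply above describes (spotting vulnerabilities that are NEW on an asset between two scans, and adjusting an IDS alert's priority by whether the target asset actually has the vulnerability the signature hits), as an added Python illustration that is neither ArcSight/ESM code nor the poster's. The finding layout, the signature-to-CVE table, the placeholder CVE ids and the priority scale are all constructed assumptions, not Nessus or ESM formats.

```python
"""Added illustration: scan-to-scan vulnerability diff and vulnerability-aware
alert prioritisation. Record layouts and values are constructed for this example."""
from collections import defaultdict

# Constructed findings: (asset_ip, plugin_id, cve). Two scans of the same network.
SCAN_1 = [
    ("10.0.0.5", "11111", "CVE-0000-0001"),
    ("10.0.0.5", "22222", "CVE-0000-0002"),
    ("10.0.0.9", "33333", "CVE-0000-0003"),
]
SCAN_2 = [
    ("10.0.0.5", "11111", "CVE-0000-0001"),   # still present
    ("10.0.0.5", "44444", "CVE-0000-0004"),   # new on an existing asset
    ("10.0.0.9", "33333", "CVE-0000-0003"),
    ("10.0.0.7", "11111", "CVE-0000-0001"),   # asset first seen in scan 2
]

def vulns_by_asset(findings):
    """Asset-model view: asset ip -> set of CVEs attached to it."""
    model = defaultdict(set)
    for ip, _plugin, cve in findings:
        model[ip].add(cve)
    return model

def new_vulns(previous, current):
    """Per asset, CVEs in the current scan that were absent from the previous one.
    This is the 'NEW vulnerabilities on an asset' condition a rule can fire on;
    findings that disappeared (fixed) are deliberately ignored."""
    before, after = vulns_by_asset(previous), vulns_by_asset(current)
    delta = {}
    for ip, cves in after.items():
        added = cves - before.get(ip, set())
        if added:
            delta[ip] = added
    return delta

# Constructed reverse mapping (assumption): IDS signature id -> CVEs it targets.
SIGNATURE_TO_CVE = {"SIG-100": {"CVE-0000-0001"}, "SIG-200": {"CVE-0000-0009"}}

def alert_priority(alert, model, base=5):
    """Mimic a 'has vulnerability' lookup: +3 when the destination asset carries a
    CVE the signature targets, -2 when it is a known asset without it, and the
    base priority unchanged when the asset is not in the model at all."""
    ip = alert["dst"]
    if ip not in model:
        return base
    targeted = SIGNATURE_TO_CVE.get(alert["sig"], set())
    return base + 3 if model[ip] & targeted else base - 2
```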
kartronix

Re: Vulnerability Management

Thanks for the reply
