seniorj@bennett Absent Member.

Vulnerability assessment -- remediated assets?

I am using a vulnerability assessment scanner to get data into ArcSight. This process itself is working excellently, but I was wondering what everybody is doing for remediated vulnerabilities?

It seems a general theme is to just use strong asset aging to expire the assets out of the database as soon as possible, but this also puts the network at a bit of a risk if the vulnerability scanner doesn't import or doesn't run for some reason against a target host - we lose all metrics about that particular machine.

Is anybody doing a one-week asset aging interval?

Is it possible to allow the ArcSight model importer to expire everything about that -particular- asset during connector import, e.g., "Freshen" the statistics?

Thanks kindly!


Accepted Solutions
sdietz1 Established Member.

Re: Vulnerability assessment -- remediated assets?

I am not sure if this is the most ideal way, but you could set the assets to delete before your next scan, then only new vulnerabilities will show.

# Defines how many days can pass before a scanned asset is defined as old; after this time the asset will be disabled
# Default value: disabled (assets will not be aged)
asset.aging.daysbeforedisable = -1
# Defines what should be done when assets reach the age to be considered as old, either delete or disable. Possible values are disable and delete
# Default value: disable
asset.aging.task.operation = disable

8 Replies
balahasan.v1 Acclaimed Contributor.

Re: Vulnerability assessment -- remediated assets?

Hi,

Are you doing security advisory and patch updates on the devices identified with vulnerabilities (remediation)?

seniorj@bennett Absent Member.

Re: Vulnerability assessment -- remediated assets?

Yes, the vulnerabilities are remediated and do not show up again in the next Nexpose XML export, but they just don't go away from the ArcSight asset information.

seniorj@bennett Absent Member.

Re: Vulnerability assessment -- remediated assets?

This is actually a pretty good idea. Thanks, Steven.

sreekanthk881 Absent Member.

Re: Vulnerability assessment -- remediated assets?

Hi JP,

Did it work perfectly? I am trying to import the data from Nexpose. In our case we have to do it manually every week/month. Could you please suggest how we can automate it?

Regards,

Sreekanth Nair

rvoloch Respected Contributor.

Re: Vulnerability assessment -- remediated assets?

JP,

I believe the feature you are looking for is to age the vulnerability, not the asset.

Be sure to add your name to feature request NGS-9831.

"When a vulnerability is patched, the asset continues to have the vulnerability associated to it but our vulnerability scanner no longer is reporting the vulnerability. Asset vulnerability aging would be a great feature to assist vulnerability management programs. This will also reduce false positives for CVE matching with IDS events. Also see https://protect724.hp.com/message/45414#45414 In other words, this can be accomplished by having a TTL on each asset+vulnerability pair. For example, if after 30 days the vulnerability scanner no longer reports a vulnerability on an asset, the vulnerability is removed from the asset. This feature request would be a feature of ESM and be vulnerability scanner independent (rapid7, nessus, ncircle, etc…)"

Ryan
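
The TTL on each asset+vulnerability pair described in the quoted feature request, as an added Python example that is not part of the thread and is not ArcSight or scanner code. The class, the asset names and the scan data are constructed; the example also goes one step beyond the request by expiring a pair only when the asset has been scanned again since the finding was last reported, so a host the scanner missed keeps its findings.

```python
from datetime import datetime, timedelta

TTL = timedelta(days=30)  # 30 days, the figure used in the feature request


class VulnState:
    """Tracks when each asset and each asset+vulnerability pair was last reported."""

    def __init__(self, ttl=TTL):
        self.ttl = ttl
        self.asset_seen = {}  # asset -> time of the last scan that covered it
        self.pair_seen = {}   # (asset, vuln_id) -> time the vuln was last reported

    def import_scan(self, when, results):
        """results maps each scanned asset to the set of vuln ids found on it."""
        for asset, vulns in results.items():
            self.asset_seen[asset] = when
            for vuln in vulns:
                self.pair_seen[(asset, vuln)] = when

    def expire(self, now):
        """Drop pairs whose TTL has passed, but only if the asset was scanned
        after the vulnerability was last reported. A host the scanner has not
        reached keeps its findings instead of silently going clean."""
        removed = []
        for (asset, vuln), last in list(self.pair_seen.items()):
            rescanned = self.asset_seen[asset] > last
            if rescanned and now - last >= self.ttl:
                del self.pair_seen[(asset, vuln)]
                removed.append((asset, vuln))
        return sorted(removed)

    def open_vulns(self, asset):
        return sorted(v for (a, v) in self.pair_seen if a == asset)


def demo():
    # Constructed data: web01 is patched after scan 1; db01 is never scanned again.
    t0 = datetime(2024, 1, 1)
    state = VulnState()
    state.import_scan(t0, {"web01": {"VULN-A", "VULN-B"}, "db01": {"VULN-C"}})
    state.import_scan(t0 + timedelta(days=7), {"web01": {"VULN-B"}})
    state.import_scan(t0 + timedelta(days=35), {"web01": {"VULN-B"}})
    removed = state.expire(t0 + timedelta(days=35))
    return removed, state.open_vulns("web01"), state.open_vulns("db01")


if __name__ == "__main__":
    print(demo())
```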

vikram_rajpoot Trusted Contributor.

Re: Vulnerability assessment -- remediated assets?

Hi,

An asset will be updated (overwritten) with the latest information every time the scan is run. So if an asset is patched and then we run a scan, will it still list old vulnerabilities in the asset?

Regards

Vikram

rvoloch Respected Contributor.

Re: Vulnerability assessment -- remediated assets?

Yes!
