Enterprise Vulnerability Management

The Gorilla CISO has a blog post about vulnerability management that is worth reading. It sounds really familiar, though I’m dealing with it on a much much smaller scale.
"The way we manage patch and vulnerability information is something out of the mid-80's."
Tell me about it. Today I read RSS feeds (US CERT, SANS ISC, vendors, white hats, bloggers, etc.) and emails from vulnerability alert services (Deepsight, Microsoft Technical Account Manager, random people who read about a patch/virus in the Wall Street Journal). That gets entered into a spreadsheet with the CVE, Bugtraq, and vendor reference ID. Once Qualys releases a detection, the Qualys ID gets added as well, along with the detection count.
This is a tediously manual process that no one seems to actually give a damn about. The auditors didn’t like the way we were (are?) managing vulnerabilities (it may still be a POAM item). And the reports seemed to mean nothing to management. It worked better when I didn’t bother creating the spreadsheet, and just told them what patches we deployed this month, and the detection count for a few key vulnerabilities that I felt required management attention, (Adobe Reader, MS08-067, etc).
At the Gartner Information Security Summit in National Harbor, MD (near DC) I attended a track titled "Qualys, Inc.: Using SaaS to Build Full Life Cycle Program for Security and Compliance." I was hoping this might have a suggestion for how to do this. Unfortunately it seemed like the solution was creating a home grown database and correlating the results of multiple scanners. I'm sure that works great, but without instructions on building such a database, it's a lot of work to build from scratch.
iDefense is now integrating your Qualys vulnerability scan results into their vulnerability intelligence. If you could afford such a thing (apparently we can't), you'd still have a problem. Vulnerability scans run at set times and systems may not be online when the scan is run. While it's great for scanning servers, Qualys alone does not give an accurate reflection of all vulnerabilities for your end user equipment. While talking with Forescout, I found that they had a plugin for Retina. Forescout is a NAC product. When a computer comes online, the plugin would check with Retina and find out when the device was last scanned. If it's longer than your configurable setting (hasn't been scanned in X days), then it fires up Retina to initiate a scan. Qualys provides the appropriate APIs to do this as well, so I asked Forescout to look into improving their Qualys plugin.
The combination of iDefense, Qualys and Forescout (if Forescout updates the plugin) would be quite formidable in vulnerability lifecycle management. What's left is desired configuration monitoring. Are my systems continuing to conform to my security policy? I am not currently scanning that regularly. Once I get a tool for that, then it's one more thing to integrate.
There is no simple solution. I may have to polish up the SQL skills and take a run at building something myself.
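As an added example (not the author's spreadsheet, nor anything from Qualys, Retina or Forescout), here is the skeleton of the home grown database described above, in Python with SQLite: one table of advisories keyed by CVE with the Bugtraq, vendor and scanner IDs alongside, a table of per-scan detection counts so the "latest count per vulnerability" report can be queried instead of hand-maintained, and a hosts table with a last-scanned timestamp so the NAC-style "hasn't been scanned in X days, so scan it now" decision can be made. All sample data (the Bugtraq id, the QID-EXAMPLE scanner id, the CVE-EXAMPLE entry, hostnames and dates) is constructed for the example; only MS08-067 and its CVE, CVE-2008-4250, come from the post.

```python
"""Minimal home-grown vulnerability tracking store (added example, not the post's tooling).

Tables:
  vulns      - one row per advisory: CVE, Bugtraq id, vendor reference, scanner (e.g. Qualys) id
  detections - detection count per vulnerability per scan date
  hosts      - last time each host was scanned, used to decide whether a fresh scan is due
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE vulns (
    cve        TEXT PRIMARY KEY,
    bugtraq_id TEXT,
    vendor_ref TEXT,
    scanner_id TEXT             -- NULL until the scanner ships a detection for this CVE
);
CREATE TABLE detections (
    cve        TEXT NOT NULL REFERENCES vulns(cve),
    scanned_on TEXT NOT NULL,   -- ISO date of the scan
    count      INTEGER NOT NULL
);
CREATE TABLE hosts (
    hostname     TEXT PRIMARY KEY,
    last_scanned TEXT           -- ISO timestamp, NULL if never scanned
);
"""


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_advisory(conn, cve, bugtraq_id=None, vendor_ref=None):
    # Step 1 of the workflow: an advisory arrives from RSS/e-mail before any scanner detects it.
    conn.execute("INSERT OR IGNORE INTO vulns(cve, bugtraq_id, vendor_ref) VALUES (?, ?, ?)",
                 (cve, bugtraq_id, vendor_ref))


def attach_scanner_id(conn, cve, scanner_id):
    # Step 2: the scanner releases a detection; correlate its id to the tracked CVE.
    conn.execute("UPDATE vulns SET scanner_id = ? WHERE cve = ?", (scanner_id, cve))


def record_detection(conn, cve, scanned_on, count):
    # Step 3: each scan run contributes a detection count; history is kept, not overwritten.
    conn.execute("INSERT INTO detections VALUES (?, ?, ?)", (cve, scanned_on, count))


def latest_counts(conn):
    """Management view: (cve, scanner_id, latest detection count), highest count first."""
    return conn.execute("""
        SELECT v.cve, v.scanner_id, COALESCE(d.count, 0)
        FROM vulns v
        LEFT JOIN detections d
          ON d.cve = v.cve
         AND d.scanned_on = (SELECT MAX(scanned_on) FROM detections WHERE cve = v.cve)
        ORDER BY 3 DESC, v.cve
    """).fetchall()


def needs_scan(conn, hostname, now_iso, max_age_days):
    """NAC-style check: True if the host was never scanned or its last scan is older than max_age_days."""
    row = conn.execute("SELECT last_scanned FROM hosts WHERE hostname = ?", (hostname,)).fetchone()
    if row is None or row[0] is None:
        return True
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return datetime.fromisoformat(row[0]) < cutoff


def stale_hosts(conn, now_iso, max_age_days):
    """Hosts that should be handed to the scanner when they next connect, sorted by name."""
    names = [r[0] for r in conn.execute("SELECT hostname FROM hosts")]
    return sorted(h for h in names if needs_scan(conn, h, now_iso, max_age_days))


def build_demo_store():
    """Load constructed sample data mirroring the post's workflow (not real scan results)."""
    conn = open_store()
    # MS08-067 / CVE-2008-4250 are from the post; the Bugtraq id and QID are constructed samples.
    record_advisory(conn, "CVE-2008-4250", bugtraq_id="31874", vendor_ref="MS08-067")
    record_advisory(conn, "CVE-EXAMPLE-0001", vendor_ref="APSB-EXAMPLE")  # constructed Adobe Reader entry
    attach_scanner_id(conn, "CVE-2008-4250", "QID-EXAMPLE-1")
    record_detection(conn, "CVE-2008-4250", "2009-06-01", 12)
    record_detection(conn, "CVE-2008-4250", "2009-07-01", 3)
    conn.execute("INSERT INTO hosts VALUES (?, ?)", ("srv01", "2009-07-01T02:00:00"))
    conn.execute("INSERT INTO hosts VALUES (?, ?)", ("laptop42", "2009-05-10T09:30:00"))
    conn.execute("INSERT INTO hosts VALUES (?, ?)", ("laptop77", None))
    return conn


if __name__ == "__main__":
    store = build_demo_store()
    for cve, qid, count in latest_counts(store):
        print(f"{cve:18} scanner_id={qid!s:14} latest_count={count}")
    print("scan on next connect:", stale_hosts(store, "2009-07-15T00:00:00", 30))
```

The advisory with no scanner id shows up in the report with a count of zero rather than disappearing, which is the case a spreadsheet tends to lose: a vulnerability you know about but cannot yet measure. The staleness check treats "never scanned" the same as "scanned too long ago", so a laptop that was off during every scheduled scan still gets picked up.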