"Reducing Your Patch Cycle to Less Than 5 Days" Webcast: Recording and Q&A

by Paul Asadoorian
September 3, 2013

Jack Daniel and I recently presented the "Reducing Your Patch Cycle to Less Than 5 Days" webcast. This was part 1 in the “Vulnerabilities Exposed” webcast series, which will consist of four sessions delivered before the end of the year.

If you missed the webcast or would like to re-watch it, view the recording.

View Recording

Q&A

Here is a summary of the outstanding questions asked during the webcast.

General

Will the slides be available for download?

When will SecurityCenter 4.7 be released?

  • SecurityCenter 4.7 was released on August 29, 2013. Read more about this release.

In my environment, I'm looking at Windows 7, OSX, and Linux (multiple flavors). How can I be sure I'm finding everything on everything?

  • In the presentation, we covered using active scanning, credentialed scanning, configuration auditing, passive scanning, and analyzing logs for vulnerabilities. The combination of these techniques provides outstanding coverage for vulnerability discovery, covering all of the platforms you've listed (and more).

Can you change the vulnerability severity level based on security policies?

  • Yes, in both Nessus and SecurityCenter you can set the severity for each vulnerability.

Any suggestions on how testing patches in networking devices could be performed? Switches and routers are unique for a certain infrastructure, and creating a testing environment that mimics the production one is expensive.

  • Some networking products (such as Juniper's JunOS) allow you to create virtual machine instances of the routers. Similar techniques exist for Cisco IOS as well.

What schedules do you typically see for scanning? Monthly? Weekly? What about during patch release week? In other words, I'm asking you to define "frequently." What factors go into the decision about how often to scan?

  • Scanning frequency is something you must work out between the security staff, systems administrators, network engineers, and management. Organizations will typically scan, on average, once per quarter. The exact frequency is up to you, but Jack and I always recommend "more frequent." Frequency should take into account your patch cycle, resources, and communications plan. If you have a mechanism for distributing actionable results and a team in place that works together, you can set a much higher frequency. For example, scan your desktops each week and report on the anti-virus software (Is it the latest version, and are definitions up-to-date?). Then send that information to the folks responsible for managing the AV software and integrate it into their processes for keeping AV software up-to-date.

Competitive Comparisons

We're using a competing vulnerability scanner and are having big issues with the amount of workload to actually manage vulnerabilities once found. There is a massive amount of manual effort each scan to compare the new scan with old vulnerabilities/tickets and figure out what is new, what is old, what is verified, etc. Is there a good vulnerability management program to work with other teams and track vulnerabilities across thousands of hosts?

  • SecurityCenter is Tenable's enterprise vulnerability management platform, and it simplifies the tasks you outlined above including ticket tracking, comparison of scan data, and remediation tracking. Read about SecurityCenter.

Do you think using a vulnerability scanner is better than using exploitation frameworks, or is using a vulnerability scanner a pre-cursor to using exploitation frameworks?

  • The goals and results between vulnerability scanners and exploitation frameworks are different. In short, your vulnerability management program must effectively reduce your attack surface on a continual basis. Exploiting vulnerabilities will help define the risk for a subset of vulnerabilities in your environment.

GRC

When is Nessus implementing the DoD IAVA database and reporting on it? We're currently transitioning to Nessus, but our customers only understand their results broken out as IAVA-As/Bs.

  • You can search report results using the IAVA index, however, no other IAVA features are currently included or planned.

When will xTool be updated to support Windows 8/Server 2012 XCCDF conversion?

  • The xTool works with Windows 8/Server 2012 XCCDF content. SecurityCenter 4.7 supports SCAP as well.

Does SecurityCenter allow you to conduct a STIG compliance scan of a group of network devices, servers, and workstations, and then summarize results in an executive dashboard?

Patch Management Integration

Do Nessus reports have similar information or formats compared to something like WSUS or SCCM reports? I am hoping to start looking at scanning desktops and wondering how Nessus reports would be comparable to anything Microsoft has.

Do you integrate with the BigFix patching solution? Can you provide a list of patch management solutions that Nessus integrates with?

My question refers to PVS - can I change the alert level of different findings? For example, if Chrome shows up missing a patch, I may like that to be higher than the default.

  • SecurityCenter has the ability to adjust severity level for vulnerabilities coming from either Nessus or PVS.

Is it possible for Nessus to report incorrect patch levels when integrated with a patch management system like SCCM?

  • It is possible, however, we have worked extremely hard to ensure that this situation does not occur. If you do find that Nessus has reported something incorrectly, please contact Tenable Support and we will get it fixed right away.

Tenable reports vs. Microsoft reports – sometimes they don't match. Tenable finds more missing patches most of the time. Who should I believe ?

  • This situation requires troubleshooting and a collaborative effort between the security team and the Windows systems administrators. However, Nessus is able to check both the patch level of the system and what is being reported by the patch management system, making Nessus more of an authoritative source.

Credentialed Scanning

Do any of the Tenable solutions actually DO the patching of third-party products such as Java/Flash/Reader?

  • No, Tenable products report the conditions in your environment with respect to vulnerabilities and other information (such as application usage).

Any recommendations on what access rights should be granted for the purpose of credentialed scans?

  • Credentialed scans require system-level privileges (on UNIX/Linux it is root; on Windows it is Administrator, or if a domain is used Domain Administrator). The Nessus documentation details the implementation and covers how the credentials are secured.

Do you have any documentation about a strategy that can help us do an internal scan with Nessus and how to manage it?

An uncredentialed vulnerability scan can extract all vulnerabilities that can be seen by attackers. Why should we do credentialed scans for all systems?

  • Attackers are not limited to network-based vulnerabilities. In fact, the most common type of attack is to go after the client software (such as the web browser, Java, Flash, etc.), making credentialed scanning an extremely important part of you vulnerability management program.

Does Nessus store its administrative credential in plain text on disk?

  • Nessus stores credentials securely, and the Nessus server data can be encrypted (refer to the Nessus User Guide for more information). The next version of PVS will offer full encryption of all credentials.

"Vulnerabilities Exposed" Webcast Part 2 – Virtualization

The next webcast will be held on September 24th at 2 pm EDT, and we'll discuss how to address the security challenges of virtualization. Register today!