icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

Executive Vulnerability Metrics

by Stephanie Dunn
April 28, 2016

Vulnerability scanning and patch management can often be an overwhelming task for organizations to manage effectively. Organizations often utilize automated patch management solutions in order to patch systems in a timely manner, however many of these systems are not rescanned to confirm that vulnerabilities have been remediated. This dashboard can assist organizations in detecting and remediating recurring vulnerabilities, and can be useful in strengthening current patch management policies.

Security teams often assume that once a vulnerability has been patched, then the vulnerability has been mitigated. Although, most systems are patched properly, some systems may leave an organization with vulnerabilities that reappear at a later date. Recurring vulnerabilities can appear for several reasons including systems not being restarted after a patch was applied, virtual systems reverting to previous snapshots, and services that were disabled or failed to restart. Using SecurityCenter ContinuousView (CV) and the Passive Vulnerability Scanner (PVS), organizations can detect and track the life cycle of any vulnerability, and identify when a vulnerability was first seen, date last seen, and if the vulnerability has been mitigated. When a vulnerability moves from the mitigated section to the active section, the mitigation status is set to "Previously Mitigated.” Security teams should focus efforts on remediating both current and previously mitigated vulnerabilities, as this will help to reduce overall risk to the organization.

This dashboard provides a centralized view of both current and previously mitigated vulnerabilities across the enterprise. Organizations will be able to detect both current and previously mitigated vulnerabilities, which will provide a clear picture into how often systems are being scanned, patched, and rescanned. Statistics on vulnerability, mitigation, and vulnerability publication ages will alert analysts to when vulnerabilities were published, and how long a patch has been available for a vulnerability. In addition, analysts will also be able to quickly identify the top hosts with current and previously mitigated vulnerabilities. By leveraging credentialed Nessus scanning, organizations will obtain an accurate snapshot of existing and previously mitigated vulnerabilities.

This dashboard is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Executive. The dashboard requirements are:

  • SecurityCenter 5.3.1
  • Nessus 6.5.6
  • PVS 5.0.0
  • localChecks

SecurityCenter Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. SecurityCenter is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. PVS provides deep packet inspection to continuously discover vulnerabilities traveling the wire. By integrating with Nessus, and PVS, SecurityCenter CV’s continuous network monitoring is able to detect events and vulnerabilities across the enterprise.

The following components are included in this dashboard:

  • Executive Vulnerability Metrics – Vulnerability Trend: This component presents a trend chart of both current and previously mitigated vulnerabilities over the last seven days. Information presented within this component can provide organizations with a comprehensive view into how often systems are being scanned, patched, and rescanned. Current vulnerabilities are identified and set to the “Never Mitigated” filter. When a vulnerability moves from the mitigated section to the active section, the mitigation status is set to "Previously Mitigated.” Previously Mitigated or recurring vulnerabilities can be the result of systems not being restarted after a patch was applied, virtual systems reverting to previous snapshots, and services that were disabled or failed to restart. Organizations can use this component to focus efforts on remediating both current and previously mitigated vulnerabilities.
  • Executive Vulnerability Metrics – 25 Day Trend Windows Vulnerabilities: This component provides a 25-day trend of Microsoft vulnerabilities.  The graph provides separate colors to denote the severity.  The vulnerability trending is calculated with 24-hour data points.
  • Executive Vulnerability Metrics - 25 Day Trend Linux Vulnerabilities: This component provides a 25-day trend of Linux vulnerabilities.  The graph provides separate colors to denote the severities.  The vulnerability trending is calculated with 24-hour data points.
  • Executive Summary – Vulnerability Age: This component displays counts of vulnerabilities across different time spans. The matrix is a cross reference of the different vulnerability severity levels of low, medium, high and critical against various date ranges. The date ranges for the matrix include the last 7, 30 and 90 days, as well as greater than 90 days. New hosts that have been recently detected also have a column of when vulnerabilities have been recently discovered in the same time frames.
  • Executive Vulnerability Metrics - Vulnerability Publication Age: This component provides a summary of vulnerabilities and their release dates.  The dates are summarized with 7, 30, 90, and more than 90 days.  The matrix provides columns for each severity ranging from low to critical.  The low severities are displayed with a green background and white text, and the medium severities are white on yellow.  The high and critical severities are orange and red with white text.
  • Vulnerability Top Ten – Top 10 Most Vulnerable Hosts: This component shows the top ten hosts with exploitable vulnerabilities of high or critical severity. Editing the filters in the component and changing the tool from IP Summary to Class C Summary or Port Summary can give information on exploitable vulnerabilities per subnet or per port, respectively.
  • Executive Vulnerability Metrics – Patch Publication Age: This component provides a summary of vulnerabilities and patch release dates.  The dates are summarized with 7, 30, 90 and more than 90 days.  The matrix provides columns for each severity, ranging from low to critical.  The low severities are displayed with a green background and white text, and the medium severities are white on yellow.  The high and critical severities are orange and red with white text.
  • Executive Vulnerability Metrics – Vulnerability Mitigation: This component contains a matrix displaying mitigated vulnerability ages. The columns identify new hosts (within the past 24 hours), and vulnerabilities from low to critical severities. The rows are labeled by the number of days the vulnerabilities have existed within the environment from the first discovery date, sorted by less than 7, 30, 90 days, and greater than 90 days.
  • Executive Vulnerability Metrics – Top 10 Previously Mitigated Hosts: This component presents a table of the top 10 hosts with previously mitigated vulnerabilities of high or critical severity. When a vulnerability moves from the mitigated section to the active section, the mitigation status is set to “Previously Mitigated.” Recurring vulnerabilities can appear for several reasons including systems not being restarted after a patch was applied, virtual systems reverting to previous snapshots, and services that were disabled or failed to restart. Filters can be modified to include additional severities, exploitable vulnerabilities, and more. Organizations may find this component useful in identifying blind spots, prioritizing remediation efforts, and strengthening current patch management policies.