September 2, 2013

VM Evolution via API

Parag Baxi, Technical Account Manager

2

Vulnerability Management – Before

• Constant battle for IP Asset classification• QualysGuard scan reports emailed• Global metrics unavailable on security

posture• No administrator credentials

3

Vulnerability Management – After

• IT Assets in sync• Reduced VM lifecycle• Visibility in near real-time

• Biweekly authenticated scanning against all sites

• Users: Tuesday to Thursday, 10 AM - 4 PM

• Non-users: Friday, 10 PM - Sunday 10 PM

• Metrics for senior management and IT staff

4

Impact

• Increased awareness of security needs

QGIR (QualysGuard Integration with Reporting) began at Customer in the second half of 2010.

• Increased effectiveness of QualysGuard VM

5

• API integration with Configuration Management Database (CMDB)

• Hierarchy model

Challenge: Asset Management

• Manual input

• No visibility on IT assets• No visibility on ownership of assets• Resulted in creating CMDB in shared

Google Spreadsheet

Problem:How to synchronize QualysGuard’s asset groups with the CMDB Google Spreadsheet?

6

• Calculate static IP ranges and update the Google Spreadsheet. • Have necessary information to create Asset Groups in QualysGuard.

• Create/Update asset groups in QualysGuard via API.• Update host tracking information via QualysGuard API.

• Create/Update schedules for DHCP & static ranges.• DHCP: Biweekly midweek from 10 AM to 4 PM.• Static: Biweekly on weekends.

Issues:• No static IP ranges provided in CMDB Google Spreadsheet..• QualysGuard Asset Groups not in sync with Google Spreadsheet.

QualysGuard-CMDB Integration

7

Remediation Workflow Automated

• Email Scan Reports

• Patch Report• Remediation Policies• Remediation Tickets API

• Custom Report Templates

8

Remediation Workflow Automated

• QGIR (QualysGuard Integration with Reporting)

9

Sample Reporting Issue

10

QualysGuard tickets are grouped by QID in Reporting. This enables easy patching.To further ease the administrative burden we utilize the patch report to consolidate vulnerabilities.

QGIR tracks metrics against all offices fairly.All participating offices are given the same time frame and opportunity to remediate vulnerabilities.

Further rounds supersede existing tickets. All unresolved Reporting tickets from the previous round are marked incomplete and the remaining vulnerabilities will be included in the new round.

Create the tickets into Reporting, a JIRA ITIL-aligned implementation.

With patching tool’s ability to patch multiple hosts for the same vulnerability, it makes sense to group by QID.Store the vulnerabilities and

associated Reporting tickets in a separate database to allow for proper verification.

QualysGuard vulnerabilities of the same QID for the same office are assembled into a CSV containing pertinent information.

QGIR Workflow – Issue Vulnerabilities

11

QGIR Verify Workflow

QGIR verification will reopen all QGIR Reporting issues that still have vulnerable hosts.For example, lets say Site A had 2 QGIR tickets in Reporting, and each of those QGIR tickets had 10 vulnerable hosts. If one host in both QGIR tickets was not fixed for either vulnerability then both tickets will be reopened.

QGIR will verify that all hosts in each ticket that was marked resolved has, in fact, removed the vulnerability.

12

QGIR Verify Workflow – Attachments

13

QGIR Verify – Decommissioned Hosts

QGIR verification will reopen all QGIR Reporting issues that still have vulnerable hosts.Therefore, all QualysGuard remediation tickets associated with decommissioned hosts must be removed.

Note the search by NetBIOS name is not an exact search. It will return remediation tickets containing the NetBIOS name.For example, a NetBIOS search of “USNYSMITHGE1” will also return tickets associated with hostname, “USNYSMITHGE11”.Remove these false positives by parsing the resulting XML file.

QualysGuard will not report a very real, but previously discovered vulnerability on a replacement host with the decomissioned IP/hostname. The ticket must be deleted.

14

Parag Baxi, CISA, CISM, CISSP, CRISC, PMP

• Employee, Qualys• Senior Security Engineer, Ogilvy & Mather• Architected ITIL-aligned worldwide VM QualysGuard

implementation with heavy emphasis on automation, ROI and security best practices.

• Over 10 years of enterprise experience at UMDNJ, EDS, HP Enterprise Services (consultancy for The Federal Reserve Bank of New York), and Google.

• Advocate and active contributor of the Qualys community.

• Published open-source QualysGuard integration code.• B.S. degree in Computer Science from Rutgers

University.

Thank you!