This free guide covers the key aspects of the vulnerability management lifecycle and shows you what reports today's best-in-class organizations are using to reduce risks on their network infrastructure.
Most of us don't think twice as we sweep the perimeter of our homes before retiring at night or leaving for work in the morning. Why would we want anything less for the security of our networks and systems?
An open door, unlocked window, or our keys lying on top of the front door mat - these all represent openings for criminals (or even neighbors we know) to unravel the security fabric in our lives.
In our IT infrastructure, open ports, available wireless access points and unpatched servers may result in the theft or compromise of critical customer data, along with the disruption of business operations.
While we often can manage the vulnerabilities around our homes by spending a few minutes checking locks, etc., the task is much more difficult in a distributed organization with tens or hundreds of thousands of networked devices.
Vulnerabilities in the IT infrastructure environment consist of the software flaws and configuration errors that are present in servers, desktops, notebooks, routers, wireless access points, networked printers and any other device with an IP address.
The key benefits and advantages in implementing a lifecycle approach to vulnerability management are the increased protection across your environment before attacks occur and the documented assurance that your networks (internal and external) are safe.
The increased levels of security assure the continuity of business across employees, customers and partners.
Effective vulnerability management also serves to communicate the levels of IT risk to line-of-business owners and executives. IT administrators and operational staff are able to resolve problems more quickly and accurately.
The reality today is that new vulnerabilities appear constantly and the ability to handle new flaws and misconfigurations requires an automated workflow and reporting structure.
Pouring over extensive lists of raw vulnerability data is of limited worth when trying to measure security levels.
Instead, concise reports containing the severity and business criticality of vulnerabilities and IT assets are required. Further, these allow access to proven remediation approaches and solutions.
Security information needs to be collected, customized and presented to company management, auditors and regulators, in addition to security professionals and system administrators.
The audience for this paper includes security professionals and managers, systems and network administrators, IT operations staff and others who must document, review and resolve vulnerable networks.
Out of literally hundreds of different vulnerability management reports available, this paper introduces 10 of the most important reports and uses reports generated by Qualys' vulnerability management solution, QualysGuard, for reference purposes.
The reports are organized across the four key steps in the vulnerability management lifecycle shown below:
Asset Discovery and Inventory - Build and maintain an up-to-date repository of IT asset information, including business impact and asset groupings.
Vulnerability Assessment - Test and document the effectiveness of both security policies and controls.
Analysis and Correlation - Add business intelligence through graphing, trending and understanding the relationships between vulnerabilities and asset types.
Remediation and Verification - Prioritize and resolve the vulnerability issues that are found and retest the assets for proof of correctness.