Top 10 Reports
#1 Network Perimeter Map Report
#2 Unknown Internal Devices Report
#3 SANS Top 20 Vulnerabilities Report
#4 25 Most Vulnerable Hosts Report
#5 High Severity Technical Report
#6 Web Application Scan Report
#7 Vulnerability Trend Report
#8 Risk Analysis Report
#9 Open Tickets Report
#10 Executive Review - Remediation Report
The Top 10 Reports for Managing Vulnerabilities

Introduction

Most of us don’t think twice as we sweep the perimeter of our homes before retiring at night or leaving for work in the morning. Why would we want anything less for the security of our networks and systems?

An open door, unlocked window, or our keys lying on top of the front door mat – these all represent openings for criminals (or even neighbors we know) to unravel the security fabric in our lives. In our IT infrastructure, open ports, available wireless access points and unpatched servers may result in the theft or compromise of critical customer data, along with the disruption of business operations. While we often can manage the vulnerabilities around our homes by spending a few minutes checking locks, etc., the task is much more difficult in a distributed organization with tens or hundreds of thousands of networked devices.

Vulnerabilities in the IT infrastructure environment consist of the software flaws and configuration errors that are present in servers, desktops, notebooks, routers, wireless access points, networked printers and any other device with an IP address. The key benefits and advantages of implementing a lifecycle approach to vulnerability management are the increased protection across your environment before attacks occur and the documented assurance that your networks (internal and external) are safe. The increased levels of security assure the continuity of business across employees, customers and partners.

Effective vulnerability management also serves to communicate the levels of IT risk to line-of-business owners and executives. IT administrators and operational staff are able to resolve problems more quickly and accurately. The reality today is that new vulnerabilities appear constantly, and the ability to handle new flaws and misconfigurations requires an automated workflow and reporting structure. Poring over extensive lists of raw vulnerability data is of limited worth when trying to measure security levels. Instead, concise reports containing the severity and business criticality of vulnerabilities and IT assets are required. Further, these allow access to proven remediation approaches and solutions. Security information needs to be collected, customized and presented to company management, auditors and regulators, in addition to security professionals and system administrators.

The audience for this paper includes security professionals and managers, systems and network administrators, IT operations staff and others who must document, review and resolve vulnerable networks. Out of literally hundreds of different vulnerability management reports available, this paper introduces 10 of the most important reports and uses reports generated by Qualys’ vulnerability management solution, QualysGuard, for reference purposes. The reports are organized across the four key steps in the vulnerability management lifecycle shown below.
Asset Discovery and Inventory – Build and maintain an up-to-date repository of IT asset information, including business impact and asset groupings.
Vulnerability Assessment – Test and document the effectiveness of both security policies and controls.
Analysis and Correlation – Add business intelligence through graphing, trending and understanding the relationships between vulnerabilities and asset types.
Remediation and Verification – Prioritize and resolve the vulnerability issues that are found and retest the assets for proof of correctness.
Asset Discovery and Inventory Reports
The first step in the quest for managing vulnerabilities is to find where they exist. But even before that is achieved, an up-to-date repository of assets must be built and maintained. This repository will include all hosts or devices with an IP address. The type of information populated in the repository includes hardware, software, applications, services and configurations. QualysGuard gathers all this information in a two-step process. The first step is network mapping, which identifies which hosts are live. The result is an accurate baseline of all connected devices, be they servers, desktops, notebooks, routers, wireless access points, etc. After mapping, the second phase is initiated. This consists of powerful scans which gather additional information to round out the asset inventory.
It’s also important to determine the business impact for each asset. Business
impact simply means the value a particular device has in relation to all others. All
assets are not created equal; a test machine with individual access in a back room
carries less risk of business interruption than a server with financial projections or
personally identifiable information.
Having current and accurate asset inventory information allows for greater accuracy
when identifying which assets are impacted by a particular vulnerability. It reduces
the time spent performing vulnerability scans as the vulnerability checks themselves
are applied only on those devices where they may exist. The number of false
positives (defined as reporting a vulnerability where one does not exist) is reduced
by eliminating the unrealistic case of a Windows server reporting a vulnerability only
found on Linux operating systems. Another benefit is in the remediation process.
Efforts there will be more efficient when patches and fixes are applied to
corresponding assets.
While smaller organizations with Class C sized networks (up to 256 devices) may find they can complete the task of accounting for all devices attached to their network manually, this same approach will quickly spiral out of control when the networks total 10,000, 50,000 or 100,000+ devices across multiple subnets. The most time-consuming task, however, lies in the appropriate classification of the assets once they have been identified. Since this is so arduous, companies without automation must decide which segment or subset of their assets to classify, often leaving out critical devices. Systems and networks are dynamic; they change and must be revisited. Rogue devices may be added to the network without permission and must be dealt with appropriately.
#1 – Network Perimeter Map

The Network Perimeter Map provides a view into the topology of your network for reference and documentation, by developing a baseline of each connected device. With each asset properly identified, users of QualysGuard may group them in any way they desire: by business unit, geography, platform, etc. These classifications are called asset groups. An asset may exist in multiple asset groups. Once discovered, a new device may be added to an existing asset group or a new asset group may be created.

QualysGuard maps can be viewed in either graphical or text format. They show any device with an IP address that has been discovered, externally or internally using an appliance. From within this report, users can drill down on a particular asset and view its detailed attributes, including what discovery method was used (DNS, ICMP, TCP, UDP or others), the domain name, the operating system and whether the asset may be scanned for vulnerabilities. Administrators can also initiate either on-demand or scheduled scans for security assessments against specific asset groups.
Figure 1: QualysGuard Network Perimeter Map
#2 – Unknown Internal Devices

This report lists all discovered devices which have not been approved by a company administrator. QualysGuard can detect rogue devices, including virtual hosts that could have possibly been placed on your network. This is important information to have when security administrators are reviewing the network to clean up and eliminate devices placed on the network for malicious purposes, or simply those that pose additional risk because of missing patches, unwanted services, etc. This report should be run on a daily basis to ensure maximum protection levels are upheld. Once discovered, scans are necessary to investigate the origin of these unknown devices. Lastly, the proper precautions must be taken to prevent further exposure from occurring.
Let’s have a look at two screenshots involved in generating an
Unknown Device Report. Figure 2 shows the map report
template used to generate the actual report. Note the filter
options which include multiple Host Types to include. Only
“Rogue” host type is selected for this particular report.
It should be noted that the column “A” is empty in Figure 3. “A”
stands for “Approved”. In this case, all of the devices in this
report have yet to be approved by a systems administrator.
Figure 2: Unknown Devices Report Map Template
Figure 3: Unknown Devices Report Results
Vulnerability Assessment Reports
Vulnerability assessment is the process of testing and documenting the effectiveness
of both security policies and controls, by examining the network infrastructure for
“known bads”. The assessments are performed across network devices and host
systems, as well as the services and applications that run on top of them. Scan
reports will show what vulnerabilities are present and where they are located, in
order to direct administrators towards what needs fixing and in what priority order.
This is the cornerstone for effective vulnerability management because this process
identifies and communicates the software flaws, missing patches and misconfigurations
that exist and pose security risks. In scanning live hosts, the mapping
generated from the asset discovery step will be used. Asset discovery is the prelude
to asset classifications, or groupings, which are further defined by business impact
ratings. The severity assigned to each vulnerability will also be used to differentiate
the flaws which present the highest danger of exposure. Included in the scan results
is information describing the properties of the vulnerability, such as the impact, the
type of device made vulnerable, cross references to external vulnerability classification
systems (e.g. Bugtraq, CVSS, CVE) and links to other information sources. Also,
solution recommendations are included to fix the exposure.
#3 – SANS Top 20 Vulnerabilities

The third report in our Top 10 list is the SANS Top 20. In June 2000, the SANS Institute, along with the FBI’s National Infrastructure Protection Center, began publishing a list of the most critical internet security vulnerabilities. The SANS Institute is a trusted source for information security training, certification and research. This list was quickly adopted by organizations worldwide as a standard guide for understanding and assessing the most dangerous areas of exposure. The list is a consensus of the flaws that require immediate attention, and is developed by leading security experts from multiple countries across the globe. Nearly every year since its beginning, SANS has updated the list to reflect the changes in threat vectors, noting the recent rise in client-side, anti-virus and web application vulnerabilities.
The QualysGuard SANS Top 20 Report shows the results of
vulnerability scans derived from the SANS list. Figure 4 shows
the total vulnerabilities found in this assessment, along with the
average security risk score. Also note that Qualys offers a
SANS Top 20 Scan at no charge to organizations who wish to
register: http://sans20.qualys.com.
More detail into the specific SANS vulnerabilities that have been
identified through the scan is present in Figure 5. This detail
includes descriptions, impact and recommended solution.
Figure 4: SANS Top 20 Report with Summary Vulnerability information
Figure 5: SANS Top 20 Report with Detailed Vulnerability information
#4 – 25 Most Vulnerable Hosts

Across any organization, there are those systems that are in worse shape than others. Having a current listing of the hosts with the most critical flaws helps direct the efforts to resolve these issues and lowers the risk to the organization. QualysGuard delivers a ranking – beginning with the most vulnerable asset – based upon the security risk of the assets. QualysGuard determines the security risk from the number and severity of vulnerabilities found during the last scan of each host. Vulnerabilities are weighted on a scale of 1 to 5, with 5 being the most severe. The business risk not only considers the security risk, but also factors in the business impact value placed on the asset. These business asset values are either Critical, High, Medium, Minor or Low. The 25 Most Vulnerable Hosts Report, as shown in Figure 6, lists those assets with the highest number of Severity 4 and 5 vulnerabilities. The hosts are listed in order beginning with the most vulnerable. The report details the number of Severity 4 and 5 vulnerabilities, the business risk and security risk ratings, and also all the asset groups associated with that host.
Figure 6: 25 Most Vulnerable Hosts Report
#5 – High Severity Technical Report

Whenever full vulnerability reports are generated, there is a lot of information produced for each asset. While valuable, all this information takes time to digest. In some instances, time is of the essence and it is critical to quickly identify and resolve the most dangerous areas of exposure. In these cases, only the highest priority issues are able to garner scarce remediation resources, so only the most severe vulnerabilities are included here.
This report presents information about the vulnerabilities with
high severity levels only (4 and 5). As seen in Figure 7, only
Level 4 and 5 vulnerabilities are listed. The report template
filters out all vulnerabilities with severity rankings below Level 4,
as well as all potential vulnerabilities (defined as those that
cannot be fully verified) and those vulnerabilities categorized as
“information only”.
Each high severity vulnerability may be viewed in depth for more specific information. This information includes the name, the dates first detected and last detected, the port where it was discovered, the vulnerability identifier, category and last update, plus other details. It also lists the status (new, active, ignore, etc.). Figure 8 is an example of this detailed information for a Level 5 Microsoft IIS vulnerability with a status of “New”.
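The two reports above both start from the same scan data: report #5 keeps only confirmed Level 4 and 5 findings, and report #4 ranks hosts by how many of those they carry, breaking ties with business risk. The following is an added example (not code from the paper or from QualysGuard) that reproduces that logic over constructed findings; the hosts, QID values, the numeric weights for the business impact values and the risk formulas are assumptions for this illustration, not Qualys's own calculation.

```python
from dataclasses import dataclass

# Business impact values as named in the report (Critical ... Low). The
# numeric weights and the scoring formulas below are assumptions made for
# this example; they are not QualysGuard's own risk calculation.
IMPACT_WEIGHT = {"Critical": 5, "High": 4, "Medium": 3, "Minor": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    host: str       # scanned IP address
    qid: str        # vulnerability identifier (constructed values below)
    severity: int   # 1..5, with 5 the most severe
    kind: str       # "confirmed", "potential" (not fully verified) or "info"


def high_severity(findings):
    """Report #5 filter: keep Level 4 and 5 findings only, dropping
    potential vulnerabilities and information-only entries."""
    return [f for f in findings if f.severity >= 4 and f.kind == "confirmed"]


def security_risk(findings):
    """Assumed security risk for one host: the sum of the severities of its
    confirmed findings, so both the number and the severity raise it."""
    return sum(f.severity for f in findings if f.kind == "confirmed")


def rank_hosts(findings, impact, limit=25):
    """Report #4: hosts ordered by their count of Severity 4 and 5
    vulnerabilities; ties broken by the (assumed) business risk, which
    scales the security risk by the asset's business impact weight."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    rows = []
    for host, fs in by_host.items():
        high = high_severity(fs)
        sec = security_risk(fs)
        biz = sec * IMPACT_WEIGHT[impact.get(host, "Low")]
        rows.append({
            "host": host,
            "sev4": sum(1 for f in high if f.severity == 4),
            "sev5": sum(1 for f in high if f.severity == 5),
            "security_risk": sec,
            "business_risk": biz,
        })
    rows.sort(key=lambda r: (-(r["sev4"] + r["sev5"]), -r["business_risk"], r["host"]))
    return rows[:limit]


# Constructed sample scan results (not real hosts or vulnerability IDs).
FINDINGS = [
    Finding("10.0.0.5", "QID-1", 5, "confirmed"),
    Finding("10.0.0.5", "QID-2", 4, "confirmed"),
    Finding("10.0.0.5", "QID-3", 5, "potential"),   # filtered out of report #5
    Finding("10.0.0.5", "QID-4", 2, "confirmed"),
    Finding("10.0.0.9", "QID-5", 4, "confirmed"),
    Finding("10.0.0.9", "QID-6", 4, "confirmed"),
    Finding("10.0.0.9", "QID-7", 3, "confirmed"),
    Finding("10.0.0.12", "QID-8", 5, "confirmed"),
    Finding("10.0.0.12", "QID-9", 1, "info"),        # information only
    Finding("10.0.0.20", "QID-10", 3, "confirmed"),
]
# Business impact value per host; hosts not listed default to Low.
IMPACT = {"10.0.0.5": "Medium", "10.0.0.9": "Critical", "10.0.0.12": "High"}

if __name__ == "__main__":
    for row in rank_hosts(FINDINGS, IMPACT):
        print(row)
```

Note that 10.0.0.5 and 10.0.0.9 each carry two high-severity findings; the Critical business impact of 10.0.0.9 is what puts it first.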
Figure 7: High Severity Report Summary
Figure 8: High Severity Vulnerability Details
#6 – Web Application Scan

According to the SANS website at http://www.sans.org/top20, the number of vulnerabilities discovered in open source and custom web applications has grown to account for almost 50% of all vulnerabilities now discovered. The danger here manifests itself when trusted sites are transformed into masked areas used for phishing and other scams. Some of the web application vulnerabilities important to identify and remediate are cross-site scripting, SQL injection and remote code execution. As a result, regularly scanning your web applications is a critical IT security component.
As web application vulnerabilities are code related, frequent testing should occur during the development of applications as well
as their actual deployment. Figure 9 shows how Web Application security threats can be proactively identified to prevent
compromise.
Figure 9: Web Application Scan Results
Analysis and Correlation Reports
After asset information has been gathered and vulnerabilities have been identified,
further analysis is often necessary to provide more insight into the security information.
This is made feasible through the use of automated solutions to collect, store,
compute and present the information through multiple views and in graphical
formats. The vulnerability and asset information is kept in a repository where analytical
engines can process it further. Examples of this advanced processing include
presenting trends in vulnerabilities over time, and correlating known properties of a
vulnerability (operating system, ports, services) with those of devices to see which
are at highest risk for the presence of a specific vulnerability.
As IT operations, systems administration and security move closer together for the
goal of improved operational performance, it’s critical for these groups to share
information and workflows. For example, IT operations (support staff, help desk
personnel) can assist with remediation tasks such as system patching if they have
the necessary information about what systems are affected and what software to
deploy. This information, along with an assigned individual responsible for action
and a date for completion, is summarized in trouble tickets created by QualysGuard.
This trouble ticketing helps ensure the timely and proper follow-up to vulnerability
and configuration issues, while coordinating the smooth integration of efforts across
IT groups.
The QualysGuard analysis capability extends into areas such as reviewing the
length of time trouble tickets remain open, the number of open trouble tickets in
total and by severity, the vulnerabilities by status and severity, and changes in the
business risk of asset groups over time. Correlating the severity of a vulnerability
with the business value of an asset is important when determining which systems
need immediate remediation. This approach results in a better use of resources than
one where the most severe vulnerabilities are all resolved concurrently, regardless of
whether a machine is used in a test bed or in a live production environment.
In addition to the Analysis and Correlation Reports shown here, executive
dashboards are a way to view business intelligence and trend results. As long as
the dashboards are current and adaptable to changing requirements, they provide
“at-a-glance” insight into a company’s vulnerability and risk posture. Dashboards
can easily track how long it takes to patch vulnerable systems, for example, or
which servers consistently underperform relative to security policy. This aids
managers in their understanding of how IT risk is being managed by security and
administration teams.
#7 – Vulnerability Trend Report

The Vulnerability Trend Report is based upon a specific time period (established by the user) and displays the trends, increasing or decreasing, of vulnerabilities by severity and across categories (types of assets). As with all QualysGuard reports, permissions to create and view the Vulnerability Trend Report are controlled by the user account settings. In Figure 10 below, the trend report was configured for a four-month analysis.
Another section of the Vulnerability Trend Report (shown in
Figure 11), graphs the changes in business risk by asset group
over time. QualysGuard allows you to create as many groups as
you like and group assets into specific business units in any
way desired (by geography, by function, by platform, etc.).
Figure 12 shows two more trending graphs for vulnerabilities found by QualysGuard scans. Users have the flexibility to customize graph formats (pie charts, bar charts, etc.). In the “Vulnerabilities by Severity over Time” graph, the total number of vulnerabilities decreased from June to September. This was led by a drop in the Severity 1, 4 and 5 vulnerabilities, which offset a rise in the Severity 2 and 3 vulnerabilities during this time.
Figure 10: Vulnerability Trend Summary
Figure 11: Vulnerability Trend Business Risk Graph
Figure 12: Vulnerability Trending by Severity and Status
#8 – Risk Analysis Report

This report may be run prior to an actual vulnerability scan. The user directs a vulnerability to be correlated with the attributes of a specified host or asset group. Analysis is performed to determine the exposure level this asset contains. The more matches the vulnerability has with the asset, across attributes such as operating system, ports and services, the higher the risk level.

The Risk Analysis Report identifies the hosts that are likely exposed to the specified vulnerability. By comparing vulnerability exploit data to known information from past scans, QualysGuard is able to determine whether hosts are likely to be at risk from a new vulnerability – even before a scan is launched. For example, if you receive new information on Microsoft’s Patch Tuesday but cannot scan before the weekend to assess your environment, this report will deliver probabilities on which hosts will be most impacted in the interim. This information can then be used to develop an emergency action plan to protect you until full scanning and patching occurs.
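The correlation described above can be illustrated without a scan: match the operating systems, ports and services a vulnerability applies to against what earlier scans recorded for each host, and grade hosts by how many attributes match. The following is an added example (not code from the paper or from QualysGuard); the vulnerability profile, the host records, the QID placeholder and the mapping from match count to risk level are all constructed assumptions for this illustration.

```python
# Constructed vulnerability profile of the kind the Risk Analysis Report
# correlates: the platforms, ports and services a flaw applies to.
# QID-EXAMPLE is a placeholder, not a real vulnerability identifier.
VULN = {
    "qid": "QID-EXAMPLE",
    "os": {"Windows Server 2003", "Windows XP"},
    "ports": {139, 445},
    "services": {"netbios-ssn", "microsoft-ds"},
}

# Constructed host attributes as recorded by earlier scans (not real hosts).
HOSTS = [
    {"ip": "10.0.1.10", "os": "Windows Server 2003",
     "ports": {80, 139, 445}, "services": {"http", "netbios-ssn", "microsoft-ds"}},
    {"ip": "10.0.1.11", "os": "Windows XP",
     "ports": {445}, "services": {"microsoft-ds"}},
    {"ip": "10.0.1.12", "os": "Windows Server 2008",
     "ports": {3389}, "services": {"ms-wbt-server"}},
    {"ip": "10.0.1.13", "os": "Linux 2.6",
     "ports": {22, 445}, "services": {"ssh", "microsoft-ds"}},
]

ATTRIBUTES = ("os", "ports", "services")


def matched_attributes(vuln, host):
    """Names of the attributes on which the host matches the vulnerability."""
    matches = []
    if host["os"] in vuln["os"]:
        matches.append("os")
    if vuln["ports"] & host["ports"]:          # any listening port in common
        matches.append("ports")
    if vuln["services"] & host["services"]:    # any affected service present
        matches.append("services")
    return matches


def risk_level(matches):
    """Assumed mapping from match count to the report's risk level:
    all attributes matched is High, two Medium, one Low, none excluded."""
    n = len(matches)
    if n == len(ATTRIBUTES):
        return "High"
    if n == 2:
        return "Medium"
    if n == 1:
        return "Low"
    return "None"


def risk_analysis(vuln, hosts):
    """Hosts likely exposed to the vulnerability, most matches first; hosts
    with no matching attribute are left out of the report."""
    rows = []
    for h in hosts:
        m = matched_attributes(vuln, h)
        if m:
            rows.append({"ip": h["ip"], "matches": m, "level": risk_level(m)})
    rows.sort(key=lambda r: (-len(r["matches"]), r["ip"]))
    return rows


if __name__ == "__main__":
    for row in risk_analysis(VULN, HOSTS):
        print(row)
```

The Linux host still appears as Medium because it exposes a matching port and service, which is the kind of candidate a follow-up scan should confirm or rule out.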
Figure 13: Risk Analysis Report
Remediation and Validation Reports

Of course, it’s not enough to simply identify the vulnerabilities or track their growth. The bottom line in the vulnerability management lifecycle is more results oriented – to resolve the causes of those software flaws or configuration errors. This is the point at which remediation comes into primary focus. Even when new patches are available, there may be a delay in applying them due to the time required for implementation, or fears about the potential impact to the availability and performance of IT assets. An example of this behavior is found in the Conficker Worm. The Conficker Worm exploits the MS08-067 vulnerability in the Microsoft Windows Server Service. Even though Microsoft released the patch for MS08-067 in October 2008, the number of PCs infected since that time is estimated to be in the range of 5 to 10 million, primarily on corporate and government computers.

Coordination of remediation efforts, often by using an automated trouble ticketing system, helps organizations proactively manage what needs to be fixed, and by whom. Automated notifications and reports allow for the workflow required to keep remediation tasks on target and prevent gaps in protection. The prioritization by business impact ensures the most valuable systems are addressed first. Less critical assets then may be handled on regularly scheduled dates, such as a monthly patch or configuration change cycle.

After patching or implementing other configuration changes, rescanning IP addresses is necessary to ensure the fix is complete and no other issues have been created as a result of the change.

Accurate and timely reporting is important at this stage because remediation tasks are often performed by a different team than the security group which identified the exposure. IT security will most likely perform the scan. Then, systems administrators or IT operations staff (helpdesk, support) will implement the fix. Remediation and validation reports are useful to achieve a better understanding of how quickly and thoroughly your organization responds to and resolves security issues. When results are less than desired, improvements in the incident management process can be made.
#9 – Open Tickets Report

The QualysGuard native ticketing and remediation functions ensure outstanding issues are scheduled for completion and vulnerabilities are resolved before further damage is done. Each vulnerability is individually tracked until it is fixed. This automated remediation and trouble ticketing workflow generates tickets based on policy rules. These rules define specific criteria that trigger response actions when met. For example, a rule can be created such that a trouble ticket is opened whenever a Level 4 or 5 vulnerability is identified. The rule will establish the assigned individual, let’s say the administrator who ran the scan, and the time period (perhaps two days) for remediation.
The ninth report in our Top 10 list is the Open Tickets. As seen below in Figure 14, this lists the tickets and may be sorted by
ticket number, status, due date or others. Each ticket is assigned a unique number with general information, vulnerability
details, remediation history and required actions. Each ticket owner is also listed. Viewers of this report have the option of
drilling down into the report to gain additional information associated with the ticket, such as its history.
QualysGuard further aids in the remediation process by delivering automated ticket notification emails. These notifications are
sent to each user who has open trouble tickets assigned to them. The ticket statistics in the notification include the number of
open tickets which are overdue (those past the scheduled resolution date) and the number which are not overdue, the tickets
resolved and the tickets closed. A QualysGuard hyperlink is also included for recipients to easily click and check on the details
of their assigned tickets.
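The rule-driven ticket creation and the per-owner notification figures described in this section can be modelled end to end. The following is an added example (not code from the paper or from QualysGuard): a constructed policy rule opens a ticket for every Level 4 or 5 finding, assigns it to the scan owner with two days to fix, and the notification counts overdue, not-yet-due, resolved and closed tickets for that owner. The rule field names, ticket fields, scan results and dates are assumptions for this illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy rule of the kind the report describes: open a ticket for
# every Level 4 or 5 vulnerability, assign it to whoever ran the scan and
# allow two days for remediation. The rule field names are assumptions.
RULES = [
    {"min_severity": 4, "assignee": "scan-owner", "days_to_fix": 2},
]


@dataclass
class Ticket:
    number: int
    host: str
    qid: str
    severity: int
    owner: str
    due: date
    status: str = "open"                 # open, resolved or closed
    history: list = field(default_factory=list)


def open_tickets(findings, scan_owner, scan_date, rules, start_number=1):
    """Create one uniquely numbered ticket per finding that satisfies a rule
    (first matching rule wins); findings below every threshold get no ticket."""
    tickets = []
    number = start_number
    for host, qid, severity in findings:
        for rule in rules:
            if severity < rule["min_severity"]:
                continue
            owner = scan_owner if rule["assignee"] == "scan-owner" else rule["assignee"]
            due = scan_date + timedelta(days=rule["days_to_fix"])
            t = Ticket(number, host, qid, severity, owner, due)
            t.history.append(f"{scan_date}: opened by policy rule, due {due}")
            tickets.append(t)
            number += 1
            break
    return tickets


def notification_stats(tickets, owner, today):
    """Figures for the notification email sent to one ticket owner: open
    tickets past their due date, open tickets not yet due, resolved, closed."""
    mine = [t for t in tickets if t.owner == owner]
    return {
        "overdue": sum(1 for t in mine if t.status == "open" and t.due < today),
        "not_overdue": sum(1 for t in mine if t.status == "open" and t.due >= today),
        "resolved": sum(1 for t in mine if t.status == "resolved"),
        "closed": sum(1 for t in mine if t.status == "closed"),
    }


# Constructed scan results as (host, vulnerability id, severity); not real data.
SCAN = [
    ("10.0.0.5", "QID-1", 5),
    ("10.0.0.5", "QID-2", 4),
    ("10.0.0.9", "QID-3", 3),      # below the Level 4 threshold: no ticket
    ("10.0.0.12", "QID-4", 4),
]
SCAN_DATE = date(2009, 9, 1)


def example(today_iso):
    """Run the constructed scan through the rule, record two outcomes and
    return the notification figures for owner 'alice' as of the given day."""
    tickets = open_tickets(SCAN, "alice", SCAN_DATE, RULES)
    tickets[1].status = "resolved"   # QID-2 fixed and verified by rescan
    tickets[2].status = "closed"     # QID-4 closed by the administrator
    return notification_stats(tickets, "alice", date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(example("2009-09-02"))   # ticket #1 still within its two days
    print(example("2009-09-04"))   # ticket #1 now overdue
```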
Figure 14: Open Tickets Report
#10 – Executive Review – Remediation Report

In addition to providing the detail by user of the status of open tickets, QualysGuard also makes available summary levels for reviewing trouble tickets. Users select which asset groups and which users to include in the report settings. Figure 15 below is an example of the trouble ticket statistics presented; you see not only the number of tickets resolved and still open (by severity level), but also the number overdue and the average time in days for ticket resolution. These statistics are very useful when assessing the performance of the groups involved in vulnerability resolution, and deliver metrics to gauge improvements made over time.
Figure 16 shows more ticket trending information in graphical
format. These statistics are often required for weekly status
meetings, presentations to management and to demonstrate
achievement in Service Level Agreements (SLAs). You can see
here the drastic increase in the number of open (and closed)
tickets during the last week of this report, alerting executives
“at-a-glance” to the increased activity.
Figure 15: Remediation Report – Tickets by Severity and Open Tickets
Figure 16: Remediation Report – Aggregate Ticket Changes
Summary

So there you have it – the Top 10 Reports for Managing Vulnerabilities. By looking across the complete lifecycle of vulnerability management, starting with asset discovery and ending with remediation and verification, the breadth and depth of the information to be gathered, analyzed, stored and communicated is seen in full force. This is what makes true vulnerability management different than just vulnerability scanning. And this lifecycle approach, along with well-defined and customizable reporting, is what sets Qualys apart.

By providing easy-to-understand reports, such as the Network Perimeter Map, the SANS Top 20 Report, the High Severity Technical Report and the Remediation Report, QualysGuard delivers thorough overviews to executives along with the detailed breakdown and analysis for IT security, systems administration and IT operations. By combining hosts into asset groups, assigning business impact weightings and calculating Security Risk and Business Risk metrics, QualysGuard provides a solution that is quick to deploy and easy to use, resulting in increased security posture and compliance with regulatory and standards requirements.

© Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 09/09
www.qualys.com