Posts by Francisco Slavin

4 min Security Strategy

Checks and Balances - Asset + Vulnerability Management

Creating a Positive Feedback Loop Recently I've focused on some specific use cases for vulnerability analytics within a security operations program.  Today, we're taking a step back to discuss tying vulnerability management [] back in to asset management to create a positive feedback loop.  This progressive, strategic method can mitigate issues and oversights caused by purely tactical, find-fix vulnerability cycles.  And it can be done us

2 min Nexpose

Vulnerability Regression Monitoring With Nexpose

Recently I've been diving into some advanced [/2016/05/26/impact-driven-risk-analysis] and targeted [/2016/05/31/targeted-analysis-default-accounts] analysis features. Today I'd like to keep things simple while still addressing a significant use case - Vulnerability Regression. Often times the immediate response to high visibility vulnerabilities does not involve setting up future monitoring, leaving the door open for the same vulnerabilities to show back up time and again. [RELATED: Vulnerabi

5 min Nexpose

Focusing on Default Accounts - Targeted Analysis With Nexpose

In my last blog post I went in depth on Impact Driven Analysis and Response [/2016/05/26/impact-driven-risk-analysis], an often-overlooked but very handy analysis option in Nexpose. Today I'd like to talk about another great option for analysis - filtering assets based on their discovered vulnerabilities by Vulnerability Category. We will use Filtered Asset search to take a focused look at a specific category: Default Account findings. Default accounts are high significance findings with low e

4 min Nexpose

Impact Driven Risk Analysis and Response With Nexpose

Today I'd like to highlight an often overlooked but very handy analysis option in Nexpose - filtering assets based on their discovered vulnerability CVSS Impact Metrics (Confidentiality, Integrity, Availability). We will use RealContext tags and Filtered Asset Search to answer the following questions: * Are there any Availability Impact findings on High Availability systems? ( i.e. web servers, authentication servers) * Are there any Confidentiality Impact findings on systems with Highly