Hi, my name is Eden Martinez, and I'm a Federal Sales Engineer with Rapid7.
Larger environments often list scalability as one of their top problems; specifically, too much data. With current tools, it's not hard to generate large data sets. Most tools aim to be comprehensive, on the theory that the largest list of results wins. While you can turn all the knobs on Nexpose up to 11, I've found many enterprise environments prefer to focus on prioritization of vulnerabilities and trending of the results. Management in particular needs to see, at a glance, how the vulnerability program is doing over time. Criteria vary per environment, but a high, medium, low classification of severity is common, with the lows potentially being weeded out (ICMP Timestamp, for example). While Nexpose has some great trending reports out of the box today, one of the views it can't currently give is slicing time up into segments (30 days, quarters, etc.).
Nexpose's risk scoring is very rich, and I highly recommend using it to prioritize remediation. One problem with a numerical risk score is that it loses context outside of the tool, or away from the rest of the data/assets, which is not good for management that isn't hands-on with Nexpose. Exactly how bad is a score of 919? A high is always going to be just that, higher than medium or low. Additionally, for compliance and standardization, many of the Federal environments are standardizing on CVSS. So I use that as my basis for the severity levels.
I've put something together to help fill that gap with a little Excel Visual Basic. Hope it helps. Let me know if you have any questions in the comments section.
Report 1: I'd like to see a breakdown of vulnerability severity by 30 day increments.
WHO: Primarily management, security or IT, who need to see some better trending and breakdowns. As such, I didn't include the vulnerabilities themselves to keep the report high level, but they could easily be added.
WHAT: Breakdown of High, Medium, and Low by CVSS Score of 10-8, 7-5, 4-1 respectively. Trying to prove less is more, I only pull two data fields out of Nexpose: Severity Level and Vulnerability Age. I left everything on one worksheet, which is messier but shows more clearly how the data is manipulated by Excel. Nexpose includes the word Days in the vulnerability age, and it's easy enough to copy that data into a new column for additional calculations. The Setup Command macro runs through all the data to generate what the pivot chart needs; the chart is already created and uses only the Vulnerability Severity Level and Trending Age columns.
WHY: When management can see a good chart that shows no red flags, they leave everyone alone!
HOW: You'll need to use my Excel worksheet, with macros enabled (sorry). No virus in there, promise, but you can throw it into a dev environment. If you want to put your own data in here, just copy over Columns A and B. The macro is smart enough to calculate the number of rows automatically without you needing to define it anywhere. Click on the Setup button to recalculate at any time. Want to weed out results less than 30 days, or the lows? You can click on the Vulnerability Severity Level or Trending Age buttons on the pivot chart and uncheck those boxes.
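For readers who want to check the worksheet's numbers outside Excel, here is the same two-column transformation in Python. This is an added example, not the macro from the worksheet; the CSV column names, the sample rows and the bucket boundaries (0-29, 30-59, ...) are assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows; column names are assumed, not Nexpose's export headers.
SAMPLE_CSV = """severity_level,vulnerability_age
10,12 Days
8,45 Days
7,31 Days
5,95 Days
4,3 Days
1,61 Days
9,1 Day
6,
"""

def severity_band(level):
    """Map a 1-10 severity level to the post's High/Medium/Low bands."""
    level = int(level)
    if 8 <= level <= 10:
        return "High"
    if 5 <= level <= 7:
        return "Medium"
    if 1 <= level <= 4:
        return "Low"
    raise ValueError(f"severity level out of range: {level}")

def age_bucket(age_text, width=30):
    """Strip the 'Days' suffix and return a 30-day bucket label (boundaries assumed)."""
    match = re.match(r"\s*(\d+)", age_text or "")
    if match is None:
        return None  # blank or unparseable age; the caller counts it as skipped
    start = (int(match.group(1)) // width) * width
    return f"{start}-{start + width - 1} days"

def trend_table(csv_text, drop_low=False):
    """Count findings per (age bucket, severity band), the pivot chart's source data."""
    counts = Counter()
    skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        band = severity_band(row["severity_level"])
        bucket = age_bucket(row["vulnerability_age"])
        if bucket is None:
            skipped += 1
        elif not (drop_low and band == "Low"):
            counts[(bucket, band)] += 1
    return counts, skipped
```

Calling `trend_table(SAMPLE_CSV, drop_low=True)` mirrors unchecking Low on the pivot chart, and the skipped count shows how many rows had no usable age.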