Incorporating Automated Actions Into Your Vulnerability Management Process

Last updated at Tue, 23 Jan 2018 17:44:27 GMT

In today’s security climate, we all want to know that our data is as current as possible. Often, customers will increase their vulnerability scanning frequency to weekly or even daily to meet the needs of an ever-changing environment. However, this requires a lot of resources and generates tons of data while making it difficult to identify only what has changed.

This is exactly why we developed automated actions within InsightVM, Rapid7’s vulnerability management solution! When we talk about new threats, we’re generally looking at the introduction of new unassessed assets or the release of new vulnerability content. With automated actions, we can find these changes and assess them individually without requiring the resource overhead of a full network assessment.

First, we need to identify new assets. You probably already have sites set up for your active network ranges to do discovery and assessment. You may even have some discovery connections configured to automatically discover assets from a source. It’s easy to set up an automated action for new assets from a discovery connection (you may have tried this already!), but did you know you can also discover new assets by scanning?

If your sites are currently built out by network segment, your workflow can be extended to support this more continuous model. In each existing site, create a new schedule to run once daily (or even more frequently, if you have the scan engine resources to support a faster discovery) using the default site engine with a discovery scan template.

After each site is set up with this daily discovery schedule, set an automated action trigger for new Assets in each site. Note that while it is possible to select multiple sites in the trigger configuration, each action will use a single Site, so it is best to align your actions one per site. Filter is not necessary unless you only wish to perform an assessment on certain types of assets joining the environment. Select “Scan in Site” as your action and select the same site again for the action.

Now, with automated actions set up for each of your network range-based and discovery connection-based sites, you’re assessing assets as they appear in your environment, without having to perform a full assessment on every asset in the environment. The other possibility for new risk is through new content, so we’ll add another set of actions for “New vulnerability coverage available”. Here, we can again select a filter to include only a subset of new content, such as by CVSS score if we only wish to be informed about the new content that bears the highest risk. When this action fires, it will assess all known assets that meet the criteria for the new content, but only for that new content, which requires far fewer resources than a full assessment.

With these simple automated actions configured, you now have a day-to-day view of the new risks in your environment without the overhead of frequent full network assessments. You can decrease your regularly scheduled full assessments to a schedule that’s more in line with your trend reporting, such as monthly, to see which vulnerabilities have been remediated and which ones still remain, without fear of missing newly introduced risks in the interim. Combine this with the use of agents on your known assets and you get a fully automated day to day view of your risk!

Are you ready to save time on your vulnerability management processes? Try the automated actions capabilities within InsightVM today. Not a customer? Download a free 30-day trial of InsightVM today.