Monitoring vulnerability remediation involves viewing trends, managing risk, and
monitoring assignment groups. You can review high risk issues, assignment group workloads,
deferrals, and reoccurring vulnerabilities. Vulnerability Response offers tools,
reports, and procedures to make that process more productive and efficient.
Vulnerability Response remediation process
Most remediation is done from the Vulnerability Group (VG). From
the groups in the Under Investigation state, you can perform several tasks.
Starting with Vulnerability Response v9.0, with Change management for Vulnerability
Response, you can perform the following tasks directly from vulnerability groups (VG)
for any groups in a state other than Closed:
- Create change requests (CHG).
- Associate a VG to an existing change request.
- Filter out a subset of vulnerable items, split a vulnerability group, and move the
vulnerable items to a new group.
With state synchronization, there is a synchronized relationship between the State fields
of vulnerability groups and the State fields of change requests. This relationship expedites
your investigation and remediation of vulnerabilities, because after the tasks on a CHG are
completed and it is moved to the Review state, the VG
automatically moves to Resolved. See State synchronization between change requests and vulnerability groups for more
information.
For Vulnerability Response prior to version 9.0, from the groups in the Under
Investigation state, you can perform several tasks.
- Create change requests.
- Add work notes and descriptions of vulnerabilities within the group.
- Defer the group and the vulnerable items in it until a later date.
- Close the group.
- Track new regulatory compliance obligations, which are usually time sensitive.
An overview of the process:
- Log in to your Vulnerability Response instance.
- Review your Vulnerability dashboards and reports to locate problem areas. For example,
view dashboards that show Vulnerability Group aging by states or
high risk vulnerable items (VIs) past their remediation target date.
Note: Vulnerability Response, the Qualys Vulnerability Integration, and, starting with
v12.1, the Tenable Vulnerability Integration ship with overviews and dashboards.
These overviews and dashboards include the Vulnerability Management dashboard, which
can help you monitor areas of concern. See Using the default Vulnerability Response dashboards for more information.
When the Performance Analytics for Vulnerability
Response plugin (com.snc.vulnerability.analytics) is
activated, users with certain roles can view data of interest to the Chief
Information Security Officer (CISO).
A large number of vulnerable items within your deployment can affect the
performance of your dashboards. Consider using filter conditions to limit the number
of vulnerable items reported.
Version 13.0: To limit the amount of data gathered for reports or related lists,
see Define service classifications for Vulnerability Response reporting and related lists.
- Review the state of Vulnerability Groups, in order of risk.
- Starting with v10.0, you can view certain vulnerability management reports in
real time. For more information, see Performance Analytics for Vulnerability Response.
- Revise the prioritization for the groups, as needed, by adjusting your risk score
calculators if the risk score is not being calculated correctly, or by deferring VIs or
VGs. See Vulnerability Response calculators and vulnerability calculator rules or
Defer a vulnerability group for more information on these options.
- Review Solution information for the vulnerable items in the groups and create change
requests.
- Review deferred vulnerable items that are about to reopen, for further action.
- Review feedback from IT Operations.
Starting with v10.3, see Automatically close stale vulnerable items.
Starting with Vulnerability Response v9.0, after the tasks on a CHG are completed and
it is moved to the Review state, the VG automatically moves to Resolved.
Once you are notified that a change request is resolved, move the vulnerability group
state to Resolved and wait for the next scan. Scans are triggered automatically by the
third-party import schedule configured in the Setup Assistant.
Starting with version 9.0, if you want to initiate and track change activities on your
assets and remediate your vulnerability groups and their corresponding vulnerable items,
see Change management for Vulnerability Response.
- After a scan, if the state is Fixed, vulnerable items are automatically closed during
import. The group closes when all vulnerable items in the group are fixed.
- After the scan, if the state is not Fixed, the VI is automatically moved back to Under
Investigation. Contact IT Operations to reopen the change request.
- Starting with v10.3, vulnerable items set to 'Resolved' in your instance but not
transitioned to 'Closed/Fixed' by the third-party integration runs are reopened if they
are detected during rescans.
For Qualys detections, if the scanner continues to find VIs that were set to 'Resolved'
but then not transitioned to 'Closed/Fixed' by subsequent scans, these VIs move back to
'Open' when the last found date is later than the Resolved date.
For Rapid7 detections, an option is now available on the Rapid7 configuration page in
your instance to reopen resolved VIs by age. If enabled, VIs set to 'Resolved' but then
not transitioned to 'Closed/Fixed' by subsequent scans transition back to 'Open' after
the number of days that you enter.
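The v10.3 reopen rules above, modelled as an added JavaScript example (not ServiceNow code) that lists which Resolved VIs in an exported record set a rescan would reopen. The record fields, the `rapid7ReopenDays` option name, and the choice to count the Rapid7 age from the Resolved date are assumptions made for illustration.

```javascript
// Added illustration: a plain JavaScript model of the v10.3 reopen rules.
// Record fields (id, source, state, resolvedAt, lastFound) are hypothetical
// names for exported VI data, not Vulnerability Response columns.
const DAY_MS = 24 * 60 * 60 * 1000;

// True when a VI in the Resolved state would transition back to Open.
function shouldReopen(vi, { now = new Date(), rapid7ReopenDays = null } = {}) {
  if (vi.state !== 'Resolved') return false; // the rules only cover Resolved VIs
  if (vi.source === 'qualys') {
    // Qualys: reopen when the last found date is later than the Resolved date.
    return vi.lastFound instanceof Date && vi.lastFound > vi.resolvedAt;
  }
  if (vi.source === 'rapid7') {
    // Rapid7: reopen by age, only when the option is enabled (days configured).
    // Assumption: the age is counted from the Resolved date.
    if (rapid7ReopenDays === null) return false;
    return (now - vi.resolvedAt) / DAY_MS >= rapid7ReopenDays;
  }
  return false; // the page gives source-specific rules only for these two
}

// Lists the ids of Resolved VIs that the rules above would reopen.
function reopenCandidates(vis, opts) {
  return vis.filter((vi) => shouldReopen(vi, opts)).map((vi) => vi.id);
}

// Constructed sample records (not real scan data).
const SAMPLE_VIS = [
  { id: 'vi-1', source: 'qualys', state: 'Resolved', // still found after resolve
    resolvedAt: new Date('2024-03-01T00:00:00Z'), lastFound: new Date('2024-03-05T00:00:00Z') },
  { id: 'vi-2', source: 'qualys', state: 'Resolved', // not found since resolve
    resolvedAt: new Date('2024-03-01T00:00:00Z'), lastFound: new Date('2024-02-20T00:00:00Z') },
  { id: 'vi-3', source: 'rapid7', state: 'Resolved', // resolved 38 days before "now"
    resolvedAt: new Date('2024-02-01T00:00:00Z'), lastFound: new Date('2024-01-30T00:00:00Z') },
  { id: 'vi-4', source: 'rapid7', state: 'Resolved', // resolved 2 days before "now"
    resolvedAt: new Date('2024-03-08T00:00:00Z'), lastFound: new Date('2024-03-07T00:00:00Z') },
  { id: 'vi-5', source: 'qualys', state: 'Closed',   // not Resolved: out of scope
    resolvedAt: new Date('2024-03-01T00:00:00Z'), lastFound: new Date('2024-03-05T00:00:00Z') },
];

const NOW = new Date('2024-03-10T00:00:00Z');
console.log(reopenCandidates(SAMPLE_VIS, { now: NOW, rapid7ReopenDays: 30 }));
```

Leaving `rapid7ReopenDays` unset models the Rapid7 option being disabled, in which case only the Qualys date comparison produces candidates.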
Vulnerability Solution Management Deployment Progress
Comprehensive deployment metrics for vulnerability groups and vulnerability entries are
included in Vulnerability Solution Management under Remediation Status in
vulnerabilities, vulnerable items. Easily identify which vulnerability group or
vulnerability is slowing remediation progress. Drill down into how the vulnerability is
identified, or what aspects of the affected assets may be causing the remediation issue.
Starting with v10.0, you can update the status of your metrics using the Update
status related link in the vulnerability, solutions, and vulnerability group
forms.