Vulnerability management: How do you do it?

This is a broad question, I'm interested to hear from those with experience in doing serious vulnerability management.

How do you do it?

Best practices?

Tools you use?

How do you think it should be done?

Find more posts tagged with

Comments

TheFORCE

I'd be interested to know also. I'm in the processes of setting up a policy, you have to start from there. Also, how often is patching done in other companies, every week, bi-weekly, or monthly? I hear some companies do patches quarterly but that might be too long. We use SCCM but haven't gotten it to work right way yet.

Verities

Scans with Nessus on a bi-weekly basis. It receives auto-updates from Tenebal, so its current on any recent CVEs. If there are vulns, I have to mitigate them manually. However, I have seen quite a few false positives from Nessus and those are a fight with the security team (bunch of paper pushers with little to no technical experience) to get an exception so the "vulnerability" will clear.

Patches are automatically introduced into the environment via our Satellite server (checks in with RHN every 2 hours). Our servers check in with Satellite every 4 hours for updates. Only mission critical services aren't automatically (LDAP, DNS, DHCP) and are installed manually and monitored, which is fine because they're not updated more than maybe once a month.

STIGs for RHEL are used to provide the initial server hardening baseline. From there if we have any web applications on the servers they Apache put on the front end with increased security settings (+TLSv1.1, reverse proxy, etc) and restricting the firewalls so that all incoming packets are dropped, unless they meet specific rule sets. I've been told OWASP is good for web applications, but never have used it.

SELinux is set to enforcing on all of our servers, least privilege access is used for anyone who thinks they need access to my systems, and I routinely audit my access and sudoers logs. Logwatch is a bit of a PiTA to navigate through when you have anything more than 50 systems but its a very handy tool and I've caught a few people doing things they shouldn't have been doing using it.

I think our process is pretty forward thinking as most people are afraid to automatically push updates to their environment, but Red Hat is really good at keeping their patches stable. I'd like to see an increase in adherence to STIGs, since there are too many damn exceptions in my experience, an increase in use of configuration management tools (prevent people from making changes that create vulnerabilities), a removal of Java from everything, and would like OWASP to be the standard for web related vulnerability management.

winona_ryder

Verities wrote: »

SELinux is set to enforcing on all of our servers, least privilege access is used for anyone who thinks they need access to my systems, and I routinely audit my access and sudoers logs. Logwatch is a bit of a PiTA to navigate through when you have anything more than 50 systems but its a very handy tool and I've caught a few people doing things they shouldn't have been doing using it.

I think our process is pretty forward thinking as most people are afraid to automatically push updates to their environment, but Red Hat is really good at keeping their patches stable. I'd like to see an increase in adherence to STIGs, since there are too many damn exceptions in my experience, an increase in use of configuration management tools (prevent people from making changes that create vulnerabilities), a removal of Java from everything, and would like OWASP to be the standard for web related vulnerability management.

Dude. Nice. SELinux and automated patching. that's great!