Automating vulnerability scanning

I spoke to a recruiter recently regarding a security analyst position, she stated the primary duty for the person filling the position will be to automate the vuln scanning process to the point they "automate themselves out of a job" then "graduate" onto more difficult tasks. They expect this part to take 6 months.

This was a recruiter, not a technical person so I couldn't press for details or ask what they had in mind but isn't this something Nessus Security Center or even Seccubus could do in less than a week ?

If you were asked to automate the vulnerability assessment process what is there to automate?

1. Cron jobs to start scans
2. Bash/Powershell to parse $finding or $plugin from nessus output
3. Creating a differential between scans to monitor new/old/resolved findings

This does not sounds like a project that would take 6 months to accomplish...what am I not considering? Remediation is not a part of this task.

Find more posts tagged with

Comments

TechGuru80

I would ask for more information...you can schedule scans and a whole host of functions built into professional scanners...if I were to schedule a scan it would take maybe 5 minutes (if that) and a set of credentials to scan with. Just using Nessus not even Security Center lets you do this.

jibtech

I would guess part of the task is setting up effective reporting, to turn the data into information. So, automating the scans through Security Center, dumping the results to Archer or the like, to make the results actionable.

By the time you:
*figure out the scope of the scans,
*get everything configured,
*optimize the repositories,
*configure the reporting system,
*train the people touching,

...and then rethink everything...

6 months will have passed.

TheFORCE

The thing that takes longer during a vulnerability assessments isn't the automation of the vulnerability scanning activities, it's the actual analysis of the vulnerabilities that are found after the scan.

Prioritizing the findings is an important issues that shouldn't be left to the 1 person, but should be dictated by a policy.
Scheduling is another part, we don't scan during business hours, only ad-hoc individual hosts we can do during business hours. Everything else is done off hours.
Another thing to consider is having a good relationship with the people doing the actual remediation and understanding the criticality of a vulnerability.

First thing I'd do is create the policy, once that is set and you have everyone agreed then the rest should be relatively easy. Make sure you produce reports with trends for various categories and schedule weekly or mknthly meetings with everyone involved to discuss the progress or set backs.
Basically it's an on going activity, just because you automate a task doesnt mean you shouldn't be keeping an eye on it. For example, if the account running the scans got locked out or failed to do an authenticated scan then all your results will not be correct.

Danielm7

For some people that's their entire job. They tie it to a ticketing system, deal with false positives, work on remediation plans, assign them to the right people, work on reports for executive levels, etc. Wash, rinse, repeat month after month. You'll find just handing someone a 500 page report of issues doesn't mean anything is going to get done with them, if anything the larger the report the less chance someone is going to handle it.

NHStudent

Danielm7 wrote: »

For some people that's their entire job. They tie it to a ticketing system, deal with false positives, work on remediation plans, assign them to the right people, work on reports for executive levels, etc. Wash, rinse, repeat month after month. You'll find just handing someone a 500 page report of issues doesn't mean anything is going to get done with them, if anything the larger the report the less chance someone is going to handle it.

I did this for years for clients then wised up. Some security co would run a scan with a tool against their site then give the customer this ambiguous report that they likely did not pay the little extra for them to explain. I would get the requests to "fix" the issues and the raw report. Yet nobody knew what was real or what wasn't. After so many of them, I eventually started charging for false-positives. Either they reproduced and refined the vulnerability in detail or I would. If I did and could not find a real issue, it was $195 per hour. While this did yield some business along with some real issues, I think it was also a reality check for customers to realize they were buying information that they did not understand and trying to process it haphazardly.

Regarding scanning if we are talking about automating it, you would really need to hone in on what those tests are and have a reliable baseline to use. I had my team build this out for all automated tests including a security suite and we needed to be quite explicit with the security tests. As others mentioned, reading them and determining the real vulnerabilities was the real work and sensitive to false positives. Without eyes on those tests I rarely trusted them for anything more than noise and awareness.

--chris--

An update for whomever cares:

I spoke to the hiring manager today, the "automating vuln assessment" portion of the job was overblown. He said that while this is the top priority for the person they hire it is not going to be a permanent task nor do they expect it to take a full 6 months. He said realistically he thinks 2-3 months to have all the wrinkles ironed out then weekly bumps for remediation/report delivery meetings and upkeep (like was mentioned above) is more than likely.

Ultimately they are looking for someone with experience to do that task, then move onto learning other things as they move security in house.

Of course I let them know I am the man for the job and will continue the interviewing process

shochan

Sounds like they need someone whom knows how to write scripts that actually work. Some of the tools we use, work "halfa$$" and feel like some of the scripts are poorly written & doesn't always patch the system. There is no real confirmation that it actually patched either. I actually work vulnerabilities at my job, but even though there are some easier vulnerabilities to remediate than others. You will always have devices you will have to remote into or physically touch to get it compliant. IMO, it is a boring job and feel like a "Professional Copy & Paste Spreadsheet Analyst" - not what I expected to sign up for...But it pays well and will continue exploring other, more challenging positions.

TheFORCE

shochan wrote: »

Sounds like they need someone whom knows how to write scripts that actually work. Some of the tools we use, work "halfa$$" and feel like some of the scripts are poorly written & doesn't always patch the system. There is no real confirmation that it actually patched either. I actually work vulnerabilities at my job, but even though there are some easier vulnerabilities to remediate than others. You will always have devices you will have to remote into or physically touch to get it compliant. IMO, it is a boring job and feel like a "Professional Copy & Paste Spreadsheet Analyst" - not what I expected to sign up for...But it pays well and will continue exploring other, more challenging positions.

Have your company pay $10k for Qualys and your boring task will become easier.

Ertaz

There are *special* 1-off scans that you can do with Nexpose through ruby scripting.... We used to do a lot more of it until they updated their UI scheduling several months ago.

BlackBeret

Good to hear they didn't really think this was a full-time 6 month project. I've seen a lot of organizations that have full scans configured to run on a regular basis, and nothing happens with the information afterwards. Some things that might take more time to set up include properly configuring the scan policies and plugins for each system you'll run in to. How in-depth do they want to go, ie. are you just doing the basic vulnerability scans with Nessus plugins, or are you configuring scans using other plugin sets, compliance scans from DISA or CIS? If you're going more in-depth with things, then you need to know what they want looked at, software packages they want scanned, what systems they reside on, etc. etc.

Depending on the size of the organization, you could end up configuring a few dozen+ different policies, each with hundreds of different plugins/checks enabled/disabled, etc. Or you could do like most people, enable everything and let Nessus figure out which plugins it's going to run.

Also, updates. Updating Nessus, license keys, plugins, verifying and reconfiguring policies after plugins have been updated, etc. Something like Nessus can be a powerful, highly configurable, and useful tool. It seems like most companies barely scratch the surface of its use by using a default network vulnerability scan policy on a scheduled basis and never doing anything else. Forget advanced features and usage, forget optimization, forget additional plugins, heck most people can't even configure the login features for different systems.

I'm not a fan of set it and forget it. It's not something that requires full-time attention, but it does require a good bit actual work to set-up properly, and a knowledgeable person to refine, optimize, and maintain. Once that process is down, someone really should be looking at the reports and remediating.

yoba222

Hopefully they have Security Center and not Nessus Professional. Tenable just yanked API support in Nessus Professional version 7, which came out 2-3 weeks ago, so all scans must be done from within the GUI. Over the past two or so years it seems that Tenable has been on a path to neuter Nessus Professional as much as possible to incentivize companies to cough up for a Security Center license. Personally I'm working on a vulnerability management database/Python front end to manage this and I couldn't pull it off in a matter of hours.

Will likely be demoing other vendor's scanners this year and kinda looking forward to that.