Incorporating Automated Actions Into Your Vulnerability Management Process


In today’s security climate, we all want our vulnerability data to be as current as possible. Customers often increase their scanning frequency to weekly or even daily to keep up with a constantly changing environment. However, this consumes a lot of scan-engine resources, generates a large volume of data, and still makes it hard to pick out only what has actually changed.

This is exactly why we developed automated actions within InsightVM, Rapid7’s vulnerability management solution. When we talk about new risk, we are generally looking at one of two things: the introduction of new, unassessed assets, or the release of new vulnerability content. With automated actions, we can detect each of these changes and assess it individually, without the resource overhead of a full network assessment.

First, we need to identify new assets. You probably already have sites set up for your active network ranges to do discovery and assessment. You may even have some discovery connections configured to automatically discover assets from a source. It’s easy to set up an automated action for new assets from a discovery connection (you may have tried this already!), but did you know you can also discover new assets by scanning?

If your sites are currently built out by network segment, this workflow can be extended to support a more continuous model. In each existing site, create a new schedule that runs once daily (or more often, if you have the scan-engine capacity to support faster discovery) using the default site engine with a discovery scan template.

After each site has its daily discovery schedule, set up an automated action with a “new Assets” trigger for each site. Note that although the trigger configuration lets you select multiple sites, each action runs against a single site, so align your actions one per site. A filter is not necessary unless you only want to assess certain types of assets as they join the environment. Select “Scan in Site” as the action and choose the same site again as the action’s target.

Now, with automated actions set up for each of your network-range-based and discovery-connection-based sites, you are assessing assets as they appear in your environment, without performing a full assessment of every asset in it. The other source of new risk is new content, so we’ll add a second set of actions for the “New vulnerability coverage available” trigger. Here again we can apply a filter to include only a subset of new content, such as a minimum CVSS score, if we only want to act on the new content that carries the highest risk. When this action fires, it assesses every known asset that meets the applicability criteria for the new content, but only for that new content, which requires far fewer resources than a full assessment.
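The two triggers described above boil down to a small amount of logic: a set difference over discovered assets (keyed on something more stable than an IP address) and a filter over newly released checks against the fingerprints of known assets. The following is an added illustration of that logic in plain Python; it is not Rapid7 code and does not use the InsightVM API. The asset identifiers, site names, operating-system strings and check IDs are constructed for the example, and the choice to key assets on MAC address with an IP fallback is an assumption made here so that a DHCP-moved host is not mistaken for a new one.

```python
"""Added example (not InsightVM code): the 'new Assets' and 'New vulnerability
coverage available' triggers as plain logic over constructed scan data."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    ip: str
    mac: str | None
    os: str      # OS fingerprint from the discovery scan
    site: str    # the site whose discovery schedule found it

    @property
    def key(self) -> str:
        # Assumption for this example: prefer a hardware identifier so that a
        # host that merely got a new DHCP lease does not count as "new".
        return self.mac.lower() if self.mac else self.ip


@dataclass(frozen=True)
class Check:
    id: str
    cvss: float
    applies_to: frozenset[str]   # OS fingerprints the check is relevant to


@dataclass
class ScanJob:
    site: str
    hosts: list[str]
    checks: list[str] | None = None   # None means a full assessment template


def inventory_from(assets: list[Asset]) -> dict[str, Asset]:
    return {a.key: a for a in assets}


def new_asset_actions(previous: dict[str, Asset],
                      discovered: list[Asset]) -> list[ScanJob]:
    """'new Assets' trigger -> 'Scan in Site': one job per site, containing
    only the hosts not present in the previous inventory."""
    by_site: dict[str, list[str]] = {}
    for a in discovered:
        if a.key in previous:
            continue                     # already known; leave it to the full assessment
        by_site.setdefault(a.site, []).append(a.ip)
    return [ScanJob(site=s, hosts=sorted(h)) for s, h in sorted(by_site.items())]


def new_content_actions(inventory: dict[str, Asset], release: list[Check],
                        min_cvss: float) -> list[ScanJob]:
    """'New vulnerability coverage available' trigger with a CVSS filter:
    scan only the assets whose fingerprint matches a new check, and only for
    the checks that matched, again grouped one job per site."""
    high = [c for c in release if c.cvss >= min_cvss]
    jobs: dict[str, tuple[set[str], set[str]]] = {}
    for a in inventory.values():
        relevant = {c.id for c in high if a.os in c.applies_to}
        if not relevant:
            continue
        hosts, checks = jobs.setdefault(a.site, (set(), set()))
        hosts.add(a.ip)
        checks |= relevant
    return [ScanJob(site=s, hosts=sorted(h), checks=sorted(c))
            for s, (h, c) in sorted(jobs.items())]


# Constructed sample data: yesterday's inventory, today's discovery results,
# and a batch of new checks. None of these identifiers are real.
PREVIOUS = inventory_from([
    Asset("10.0.1.10", "aa:bb:cc:00:00:01", "Windows Server 2019", "corp-dc"),
    Asset("10.0.1.11", "aa:bb:cc:00:00:02", "Ubuntu 20.04", "corp-dc"),
    Asset("10.0.2.5", None, "Cisco IOS", "branch"),
])
DISCOVERED = [
    Asset("10.0.1.10", "aa:bb:cc:00:00:01", "Windows Server 2019", "corp-dc"),
    Asset("10.0.1.12", "AA:BB:CC:00:00:02", "Ubuntu 20.04", "corp-dc"),  # same host, new lease
    Asset("10.0.1.50", "aa:bb:cc:00:00:09", "Windows 10", "corp-dc"),    # genuinely new
    Asset("10.0.2.5", None, "Cisco IOS", "branch"),
    Asset("10.0.2.77", None, "Printer", "branch"),                       # genuinely new
]
RELEASE = [
    Check("ubuntu-openssl-2024", 9.8, frozenset({"Ubuntu 20.04"})),
    Check("windows-print-spooler", 7.5, frozenset({"Windows Server 2019", "Windows 10"})),
    Check("ios-snmp-info", 4.3, frozenset({"Cisco IOS"})),
]

if __name__ == "__main__":
    for job in new_asset_actions(PREVIOUS, DISCOVERED):
        print("scan new assets", job)
    for job in new_content_actions(PREVIOUS, RELEASE, min_cvss=7.0):
        print("scan new content", job)
```

Running it yields one targeted job per site for the two genuinely new hosts, and a single content job for the corp-dc site covering the two CVSS 7.0+ checks; the Cisco device is left alone because its only new check falls below the filter, and the Ubuntu host that changed IP is correctly treated as already known.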

With these simple automated actions configured, you now have a day-to-day view of the new risk in your environment without the overhead of frequent full network assessments. You can reduce your regularly scheduled full assessments to a cadence that matches your trend reporting, such as monthly, to see which vulnerabilities have been remediated and which remain, without fear of missing newly introduced risk in the interim. Combine this with agents on your known assets and you get a fully automated day-to-day view of your risk.

Are you ready to save time on your vulnerability management processes? Try the automated actions capabilities within InsightVM today. Not a customer? Download a free 30-day trial of InsightVM today.

About Rapid7
Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.