Effective patch management based on vulnerability scanner reports, or how not to drown in endless tables

frame from the movie “A Beautiful Mind” (2001)

It is difficult to build effective protection for IT infrastructure while ignoring vulnerability management (VM). The process includes discovering and inventorying all information assets, assessing the security level of the network infrastructure and web applications, developing recommendations for fixing the vulnerabilities found, and verifying that those recommendations have been implemented. On the one hand, this process is automated: the scanner looks for weaknesses. On the other hand, it is manual work, because security specialists use the scan results to prioritize the many vulnerabilities found and eliminate the most critical ones in a short time. That is why it is extremely important that the data the scanner produces is convenient for experts to read and process. How to achieve this is discussed below.

What kind of reports are available?

Weaknesses can be found in almost every corner of the infrastructure. The scanner generates a report from its results, and that report can be of several types:

  • concise for business, which contains basic information about the vulnerabilities found (for example, their number, the weakest elements of the infrastructure, etc.). Such a report will give the company’s management a general idea of how things are on the IT perimeter;

  • technical, which is essentially a raw export from the scanner with all the details (CVE, detailed description of vulnerabilities and recommendations for closing them, etc.). Such a report is required by the IT specialists who will correct the deficiencies found;

  • analytical, which contains more detailed data on the scan results (information on vulnerabilities, publication year, criticality level, etc. can be presented here). This report complements the technical report and is also intended for IT professionals.

The most common format for reports on discovered vulnerabilities is PDF. It is supported by the vast majority of scanners and many IT and information security specialists are used to it. Is this option the most convenient? Probably not. Of course, a PDF file can be made visually beautiful by presenting information in eye-pleasing formats such as charts and graphs. For a brief report to put on the manager’s desk and make a quick presentation about the state of the infrastructure, this option is quite suitable.

But the key task of scanning is not a pretty report. One of the main VM processes is the elimination of vulnerabilities (patch management), which is not possible without prioritization, that is, determining the order in which vulnerabilities are eliminated. Most often, IT and information security specialists want a clear answer to one question: how bad is the situation, and are there critical vulnerabilities right now that need to be addressed and fixed urgently?

For the results of checking a few IP addresses, a PDF looks quite presentable. But when scanning a large infrastructure with a large number of vulnerabilities, the output is a huge document of thousands of pages and hundreds of megabytes, containing information that is difficult (and sometimes impossible) to work with and analyze. This format offers no way to search and filter within the document, which makes it problematic to build a process for eliminating vulnerabilities.

For technical specialists, an important scanner feature is the ability to export reports in tabular or raw form, for example in XML or CSV format. Such exports usually contain the entire list of vulnerabilities and the additional host information obtained while scanning the IP addresses, as well as a detailed description of the vulnerabilities themselves and the full range of data associated with them (detailed information from the scanner’s knowledge base): for example, vulnerability category, year of publication, criticality according to various scoring systems, metrics, etc.

But to work with such an export, it is often necessary to pre-process it and import it into another program, for example Excel. Then the file has to be organized so that it is convenient to work with. This is where the most interesting and most difficult part begins.

Useful report – what is it?

A huge table with a horizontal list of IP addresses and a vertical list of vulnerabilities with a brief description and no identifiers is no better than a multi-page PDF. A correct and convenient presentation of the data can solve the problem and make the report an effective assistant. This includes tables with the filtering needed for day-to-day work, so that you can quickly work with a vulnerability’s criticality, category or identifier.

The problem of filtering for particular vulnerabilities can be partly solved by exporting a report from the scanner, but the result is not always convenient to work with. If the report is in an easy-to-use format (Excel), for example, its data can be enriched with your own evaluation and prioritization criteria, such as whether the vulnerability is in a business-critical segment, whether it has been mentioned in the media, or whether it is actively used by attackers in the wild (if such feeds are available). True, most scanners do not have such functionality, which means this information cannot appear in the exported report by default and must be added manually.

For decision-making and analytics, specialists may also find it useful to sort vulnerabilities by year of publication.

How bad everything is and where to start fixing errors is effectively demonstrated by statistics on the number of vulnerabilities per node, the ratio between the OS families in use and the vulnerabilities on them, and the criticality of the most common vulnerabilities. You can introduce your own integral score for nodes, based on how critical each node is to the infrastructure.

An ideal VM report should also include a prioritization of vulnerability remediation, which is always the analytical work of IT and information security specialists. Sometimes a unique methodology created for a particular infrastructure can be used. The ideal option is when all this can be implemented in the body of the report.
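The enrichment, per-node statistics and prioritization described above can also be scripted directly against a scanner's CSV export. The following is an added example, not from the original article, and it uses Python rather than Excel; the column names, the score weights, the hosts and the placeholder CVE ids are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export (CSV). Hosts are documentation addresses and
# the CVE ids are placeholders, not real identifiers.
SCAN_CSV = """host,os_family,cve,cvss,published_year
192.0.2.10,Linux,CVE-0000-0001,9.8,2021
192.0.2.10,Linux,CVE-0000-0002,5.3,2017
192.0.2.20,Windows,CVE-0000-0003,7.5,2019
198.51.100.5,Windows,CVE-0000-0001,9.8,2021
198.51.100.5,Windows,CVE-0000-0004,4.0,2023
"""

# Assumed local knowledge the scanner does not have: hosts in the
# business-critical segment and a hand-maintained CVE watchlist.
CRITICAL_HOSTS = {"192.0.2.10"}
WATCHLIST = {"CVE-0000-0003": "exploited in the wild (constructed entry)"}

def prioritize(csv_text, critical_hosts, watchlist):
    """Enrich each finding and return the list sorted by priority."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cvss = float(row["cvss"])
        in_segment = row["host"] in critical_hosts
        watched = row["cve"] in watchlist
        # Illustrative weighting (assumption): CVSS plus fixed bonuses.
        score = cvss + (3.0 if watched else 0.0) + (2.0 if in_segment else 0.0)
        findings.append({**row, "cvss": cvss, "critical_segment": in_segment,
                         "watchlisted": watched, "priority": round(score, 1)})
    return sorted(findings, key=lambda f: (-f["priority"], f["host"], f["cve"]))

def host_summary(findings):
    """Per-host rollup: finding count, worst priority, oldest publication year."""
    summary = defaultdict(
        lambda: {"count": 0, "max_priority": 0.0, "oldest_year": 9999})
    for f in findings:
        s = summary[f["host"]]
        s["count"] += 1
        s["max_priority"] = max(s["max_priority"], f["priority"])
        s["oldest_year"] = min(s["oldest_year"], int(f["published_year"]))
    return dict(summary)

if __name__ == "__main__":
    ranked = prioritize(SCAN_CSV, CRITICAL_HOSTS, WATCHLIST)
    for f in ranked:
        print(f["priority"], f["host"], f["cve"], f["published_year"])
    print(host_summary(ranked))
```

With these constructed weights, the watchlisted CVSS 7.5 finding ranks above the CVSS 9.8 finding on the host outside the critical segment, which is the kind of reordering a raw export sorted by CVSS alone would not show.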

The company’s IT or information security service can do all of the above on its own, or it can contact a service provider. In the first case, full-time specialists must configure and run the scanner themselves, and then process the technical reports by hand, prepare analytics, define criteria, and perform prioritization. In the service model, the service provider takes care of scanning and reporting, and the customer receives data suitable for further work, along with prioritization and recommendations for eliminating vulnerabilities. The main advantage here is the expertise of the service provider’s specialists: they have their own knowledge base and methodology for processing scan results and prioritizing, which is constantly being improved thanks to experience working with companies from different industries. And full-time information security specialists


So, when working with scanners, you should move away from PDF if you need to compile a full-fledged technical report suitable for further effective work on eliminating vulnerabilities.

Give preference to tabular formats. One template in Excel will make it much easier to import data for new scans. Excel and Power Query have a rich set of simple and effective tools to automate this process – you don’t even need macros.

Maintain and use lists and knowledge bases of the vulnerabilities most relevant to a particular infrastructure (company). Are you reading the news about a new critical vulnerability? Write down the CVE in a list, with a short description and a link to the source. If you can immediately assess how relevant and how high a priority this vulnerability is for your infrastructure (keep this in mind), that is a big plus.

If such analytics is beyond the capacity of full-time information security specialists, hire a service provider who will scan and prepare a report with recommendations for you.
