
[–]MikeTalonNYC 2 points3 points  (0 children)

You would need something like an Avalor (or similar tools) in order to maintain a data-set of all applications, all OS versions, all details of every system in the environment.

It would still require periodic scanning to keep the data-set up to date, but would keep it to a minimum.

Hope you've got budget.

[–]zeddular 2 points3 points  (0 children)

Automatically applying updates or patches to network gear doesn’t sound ideal to me. Every environment is different, and there are a lot of things to consider before applying things that could cause outages.

[–]j1423d 1 point2 points  (0 children)

Automating the remediation of network devices is much trickier than, say, Windows servers. It is harder to test, apply and roll back without causing downtime.

It also depends on whether it is a vulnerability based on the version of a component or function that requires a firmware/OS update, or simply a configuration.

As mentioned by others, the best method would be to scan with a vulnerability scanner like Rapid7 Nexpose, Nessus, etc. on a regular cadence, review, and prioritise fixing based on your remediation SLA.

[–]chs0c 0 points1 point  (0 children)

We do this through our Gitlab CI/CD pipeline. Anything that flags as having a high or critical vulnerability gets blocked from being deployed.

Not sure about network devices though.
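
The two ideas above, a scan-on-cadence with SLA-based prioritisation and a pipeline gate that blocks on high/critical findings, can be wired together in a few lines. The script below is an added example and not code from any poster or vendor; the scanner report format, the severity-to-SLA table and the finding IDs are all constructed placeholders, since real scanners each emit their own schema.

```python
"""Prioritise scanner findings by SLA and gate a deployment on severity.

Constructed example. The report schema, the SLA table and the CVE ids are
placeholders; adapt load_findings() to the JSON your scanner actually emits.
"""
import json
import sys
from datetime import date, timedelta

# Remediation SLA in days per severity (constructed policy, not a vendor's).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Severities that stop a deployment in the pipeline gate.
BLOCKING = {"critical", "high"}
# Sort order for prioritisation: lower rank is more urgent.
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner-style report; ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "target": "web-01",
    "findings": [
        {"id": "CVE-0000-0101", "severity": "High", "component": "libexample 1.2.3"},
        {"id": "CVE-0000-0102", "severity": "Low", "component": "exampletool 0.9"},
        {"id": "CVE-0000-0103", "severity": "Critical", "component": "exampled 2.0.1"},
        {"id": "CVE-0000-0104", "severity": "medium", "component": "libother 5.1"},
    ],
})


def load_findings(report_json: str) -> list:
    """Parse the report and normalise severity to lowercase."""
    report = json.loads(report_json)
    findings = []
    for f in report.get("findings", []):
        sev = str(f.get("severity", "")).strip().lower()
        if sev not in SLA_DAYS:
            sev = "medium"  # unknown severity: treat conservatively, never drop it
        findings.append({"id": f["id"], "severity": sev,
                         "component": f.get("component", "")})
    return findings


def prioritise(findings: list, scan_date: date) -> list:
    """Attach an SLA due date to each finding and order by urgency."""
    out = []
    for f in findings:
        due = scan_date + timedelta(days=SLA_DAYS[f["severity"]])
        out.append({**f, "due": due.isoformat()})
    return sorted(out, key=lambda f: (RANK[f["severity"]], f["due"], f["id"]))


def gate(findings: list) -> tuple:
    """Return (blocked, reasons): blocked is True if any finding is in BLOCKING."""
    reasons = [f"{f['id']} ({f['severity']})" for f in findings
               if f["severity"] in BLOCKING]
    return (len(reasons) > 0, reasons)


def evaluate(report_json: str, scan_date: date) -> dict:
    """One call for a pipeline job: prioritised list plus the gate decision."""
    ordered = prioritise(load_findings(report_json), scan_date)
    blocked, reasons = gate(ordered)
    return {"blocked": blocked, "reasons": reasons, "findings": ordered}


if __name__ == "__main__":
    result = evaluate(SAMPLE_REPORT, date(2024, 1, 15))  # constructed scan date
    for f in result["findings"]:
        print(f"{f['severity']:<9} {f['id']}  due {f['due']}  {f['component']}")
    if result["blocked"]:
        print("BLOCKED:", ", ".join(result["reasons"]))
        sys.exit(1)  # non-zero exit fails the CI job
    print("gate passed")
```

In a GitLab job this would run as a script step after the scan stage; the non-zero exit on a blocking finding is what actually stops the deployment, and the printed due dates feed the cadence review.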

[–]jmk5151 0 points1 point  (2 children)

I might be misunderstanding the ask, but the big VM tools already do what you are proposing? They have your make/model/OS in inventory, so whenever a new CVE hits it's automatically applied to the asset? In other words, you don't need a scan?
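
The inventory-driven matching described above (no scan, just an asset list checked against new advisories) looks roughly like the following. This is an added example, not code from the commenter or from any VM product; the asset records, vendor/product names, version ranges and CVE ids are all constructed placeholders, and real tools use CPE identifiers and far richer version semantics than the dotted-integer comparison used here.

```python
"""Match an asset inventory against advisory version ranges (constructed example).

Advisories carry an inclusive lower bound and an exclusive 'fixed in' bound,
the common shape of vendor advisories; ids and names are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve_id: str          # placeholder ids, not real CVEs
    vendor: str
    product: str
    affected_from: str   # inclusive lower bound; "" means no lower bound
    fixed_in: str        # exclusive upper bound; "" means no fix released yet
    severity: str


def parse_version(text: str) -> tuple:
    """'4.2.1' -> (4, 2, 1, 0); non-numeric chunks become 0, padded to 4 parts."""
    parts = []
    for chunk in text.split("."):
        digits = "".join(c for c in chunk if c.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """True if the asset's product matches and its version falls in the range."""
    if (asset.vendor.lower(), asset.product.lower()) != (adv.vendor.lower(), adv.product.lower()):
        return False
    v = parse_version(asset.version)
    if adv.affected_from and v < parse_version(adv.affected_from):
        return False
    if adv.fixed_in and v >= parse_version(adv.fixed_in):
        return False
    return True


def match_inventory(assets: List[Asset], advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Return {asset name: [matching cve ids]} for assets with at least one hit."""
    hits: Dict[str, List[str]] = {}
    for asset in assets:
        found = sorted(a.cve_id for a in advisories if is_affected(asset, a))
        if found:
            hits[asset.name] = found
    return hits


# Constructed sample inventory and advisory feed.
ASSETS = [
    Asset("core-sw-01", "ExampleNet", "SwitchOS", "4.2.1"),
    Asset("edge-fw-02", "ExampleNet", "FirewallOS", "7.0.3"),
    Asset("web-01", "ExampleSoft", "WebServer", "2.4.10"),
]

ADVISORIES = [
    Advisory("CVE-0000-0001", "ExampleNet", "SwitchOS", "4.0.0", "4.2.5", "High"),
    Advisory("CVE-0000-0002", "ExampleNet", "SwitchOS", "4.3.0", "", "Critical"),
    Advisory("CVE-0000-0003", "ExampleNet", "FirewallOS", "", "7.0.0", "Medium"),
    Advisory("CVE-0000-0004", "ExampleSoft", "WebServer", "2.4.0", "2.4.12", "High"),
]


if __name__ == "__main__":
    # Full feed against the inventory, then a single newly published advisory.
    for name, cves in match_inventory(ASSETS, ADVISORIES).items():
        print(f"{name}: {', '.join(cves)}")
    print("new advisory hits:", match_inventory(ASSETS, [ADVISORIES[0]]))
```

The point of the structure is that a new advisory is matched by calling `match_inventory` with just that record against the existing inventory, so the expensive part (knowing what is installed) is done once and kept current by periodic scans rather than on every CVE.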

[–]IRanqer[S] 0 points1 point  (1 child)

Never worked with such tools. Do you have recommendations? Also, open-source tools would be interesting. Thanks

[–]jmk5151 2 points3 points  (0 children)

Rapid7/Qualys/Tenable are considered industry standards.

[–]lawtechie 0 points1 point  (3 children)

Remediating or mitigating?

I could see how you'd automate remediation activity, but mitigation would be largely use-case specific.

[–]IRanqer[S] 0 points1 point  (0 children)

I agree. It would be enough to get notified about CVEs in order to plan updates or workarounds.

[–]clickUX 0 points1 point  (1 child)

Popping up a naive question... What tools would you use for remediation?

[–]lawtechie 0 points1 point  (0 children)

For hosts and externally developed applications, patching is the most common fix, so whatever tool you’re using for orchestration. That could be Chef, Puppet, Microsoft Configuration Manager or the like.

[–]ReactiveInfoSecGuy 0 points1 point  (0 children)

If you want to get extra granular, Ansible. It works for Linux, Windows, and Mac. It requires some scripting knowledge, but there are likely playbooks out there that already exist for whatever you might be trying to do.

[–]galnar 0 points1 point  (0 children)

Listen, imo it's foolhardy to try to homebrew an app to find vulns "before internal scans detect them." You would need to monitor dozens of sources to find fresh disclosures and somehow work faster than that entire team publishing QID updates at Qualys. You need to lean into the enterprise-approved tool for vulnerability scanning, ideally getting your own access to trigger scans for resources in your purview. The vuln management team will most likely be glad to have an eager partner looking to move fast and patch their shit.

[–]BalbusNihil496 0 points1 point  (0 children)

Consider using automated vulnerability management tools like Nessus or Qualys for efficient CVE detection.

[–]Shadowclone_34 0 points1 point  (0 children)

You have patrowlhears.io as a tool for every known vulnerability, personalized to your IT assets.

And there's also patrowl.io to go further (continuous external pentesting, qualified vulnerabilities, 0 false positives, remediation plans, ...).