Merge.io

Merge.io – January 2014 Release Notes

0 , ,

vulnerability-managerAdded support for McAfee Vulnerability Manager / Foundstone

Merge.io now supports the direct import of the Foundstone/MVM Risk_Data.xml file. The Foundstone data is supplemented with additional vulnerability data from the National Vulnerability Database for use in the Merge.io platform.

Added National Vulnerability Database

nvd

The addition of 2million records of vulnerability data will help us to greatly enhance the vulnerability information that we have to correlate with customer’s data. See our blog post on the addition of the NVD to Merge.io.

Better charting and graphing support

We have changed our charting and graphics libraries to support better reporting and dashboard functionality.

Performance improvements

Added better caching in the import process to improve performance.

Reporting

Screen Shot 2014-02-06 at 9.09.32 AMWe have added project based reporting. The project reporting outlines the risk of the vulnerabilities of the project, the current status of remediation and validation and the specific filtering rules that were applied to vulnerabilities to determine which vulnerabilities were remediated and which were not. The report is a PDF report that includes the following sections:

  • Project Summary
  • Vulnerability Summary
  • Vulnerability Validation
  • Risk Profile Filters

Merge.io extends vulnerability data with the NVD

1 ,

nvdIn order to enrich the amount of data for vulnerabilities that are managed through the Merge.io platform, we have integrated a local copy of the National Vulnerability Database. The combined data set contains more than 2 million records with the resource and affected software categories and is updated on a daily basis from the NIST feeds.

With this data we have the ability to correlate imported vulnerabilities with the NVD to supplement and extend the vulnerability information that is managed by the product. This allows us to continue to build wider support for vulnerability scanning tools as well as provides additional, up-to-date information for the resolution of vulnerabilities.

 

Customized Risk Profiles with Merge.io

0 , , ,

Converting mounds of vulnerability scan data into operational action is a challenge that many organizations have. One major part of that challenge is how to go about systematically boiling down the volumes of vulnerability data to get to the vulnerabilities that you need to fix.

This is especially crucial when dealing with internal scans of larger networks. Internal vulnerability scanning tends to be a tricky process due to the fact that in most cases there is very little access control that is implemented between the scan engine and the target systems. With little access control in place, the vulnerability scanners produce a lot of vulnerability data to analyze. The question still remains – how do you make the most sense of the volumes of data that is generated?

We begin with a policy and a process. Does you have established remediation thresholds for ranked vulnerabilities and has management signed off on it? If not, start your journey here. Build an organizational policy that establishes a base set of conditions that determine which vulnerabilities must be remediated vs. vulnerabilities that are acceptable in a given environment. As an example policy/process may state that you remediate (per the defined remediation thresholds) any vulnerability that meet the following criteria for internal scans:

  • CVSS score of 5.5 or greater
  • SQL injection
  • Cross site scripting

Since these are internal scans, there will be certain vulnerabilities that we will choose not to remediate. This could be due to environmental variables, compensating controls, etc.  Examples of these may include:

  • Self signed certificates
  • Denial of service vulnerabilities

These are obviously just examples, but each organization generally has vulnerabilities they want to remediate and vulnerabilities that they don’t due to acceptable levels of risk. So how do you apply this logic in an automated fashion to our vulnerability data? The reality is that most companies that I deal with are still using Excel (the duct tape and bailing wire of the business world) to accomplish this. And even with the use of spreadsheets, the process is highly manual.

This is where Merge.io can help out. With Merge.io you can create custom risk profiles that can determine which vulnerabilities from the imported data sets to remediate and which to exclude for acceptance. Just create the profile using the risk profile builder and apply it to a scan import. All of the vulnerabilities that match your include criteria will be added to the Merge.io workflow system. And the vulnerabilities that match the exclude filter will be excluded from workflow tracking.

Risk profile filters can be built that examine vulnerability CVSS score, Risk rating, title description, port, service, operating system and more.

 Screen-Shot-2013-09-18-at-3.49.34-PM-1024x346

These filters are available for use with any scan imported into Merge.io. They can be built to match your internal remediation standards and they can be added to over time as the organization changes. This provides an automated, repeatable approach to managing the volume of data that vulnerability scans can create.

Merge.io has a built-in filter for PCI that matches the requirements laid out by the PCI ASV Program Guide Version 2.0. Additional compliance filters are coming soon!

Be sure to check out Automated Scan Validations with Merge.io.

Sign up for a free 60 trial account on Merge.io!

 

Automatic Scan Validations with Merge.io

1 , , ,

validated_shotPCI requirement 11.2 requires merchants and service providers to conduct internal and external vulnerability scanning on their infrastructures. The requirements further state that the scanning activities should be repeated until clean scans are achieved.

The devil is indeed in the details when it comes to operationalizing what seems to be a simple concept. Companies struggle with how to effectively achieve clean-scans when they are scanning many different assets running on multiple platforms that have different patching cycles.

Many companies create manual file comparisons using spreadsheets to compare scan files quarter over quarter. This manual comparison process can be come exceedingly complex and time consuming.

In order to stop the vulnerability management “whack-a-mole” we have incorporated an automatic validations feature into the Merge.io platform. This validation process allows you automatically compare scan data against closed vulnerabilities to prove that the vulnerabilities have been remediated on the target systems.

ProjDashStatus1-201x300Once a project is created and baseline scan data has been imported, the Merge.io platform provides a mechanism to allow continuous validation scan data to be imported into that project. For each validation scan file that is imported, Merge.io analyzes the data in the scan file, specifically looking for vulnerabilities that are in the “Closed-Approved” state on the Merge.io platform. If the vulnerability is not present in the validation scan file, then Merge.io marks the vulnerability as “Validated” noting the uploaded scan file that it compared. If the vulnerability still persists in the validation scan file, then Merge.io re-opens the vulnerability and assigns it back to the engineer who closed the vulnerability.

This closed-loop approach to vulnerability lifecycle management allows organizations to not only track the vulnerability state all the way through the vulnerability management process. But have assurance that each vulnerability has been proven not to persist.

Merge.io will be ready soon – feel free to contact us at info@merge.io for more information. Or sign up to be notified when it is released.