Abraham,
I appreciate the response, however it is not quite what I am looking for.
Let me clarify. We have a similar process that you suggested in place. The
problem is that the amount of input to the process has gotten so enormously
huge that the manual tracking of each issue has become nearly impossible.
Once an issue is discovered and communicated there is no central place for
us to verify the risk was mitigated. With vulnerability discoveries coming
from a multitude of places (vulnerability scanners, security assessments,
software vulns, etc.) we need I system that is flexible enough to accept
input from multiple sources (that does not mean it has to be automated).
The system should be able to take this input and manage it such that every
issue is assigned a criticality level, person or group responsible, and a
deadline for remediation. The system needs to be able to track the issue
from the day it is input to the day it is fixed or alert the appropriate
people that the issue has gone unchecked. I know that there is issue
tracking software available that meets this criteria however I just wanted
to see if there was any software specifically designed for this purpose or
if anyone had any luck with a specific solution.
Thanks,
BT
-----Original Message-----
From: Abraham Lincoln [mailto:sunninja@gmail.com]
Sent: Thursday, November 04, 2004 9:18 PM
To: infosecgod@gmail.com
Cc: security-management@securityfocus.com
Subject: Re: Vulnerability Mitigation Management
Hello,
You can apply the following Process
1] DisCovery
- Identify vulnerabilities in your network
- identify threats
2] Prioritize and Determine Risk - based on vulnerability data and
threat that was gathered during discovery process
3] Mitigate Risk
- Implement Access-controls
- Patch updating
- eliminate problems
4] Monitoring
- monitoring network
- patch management
hope those process will work. If your concern is Cost tools like SNORT
and NESSUS will help you ALOT =) in doing network discovery, vuln
discovery, passive scanning etc...
Abraham
On 4 Nov 2004 15:57:57 -0000, infosecgod@gmail.com <infosecgod@gmail.com>
wrote:
In-Reply-To: <BAY1-F22qYYrX0cIUP30000750a@hotmail.com>
>I recently began working for a large corporation and have been given the
task to >develop a vulnerability mitigation management
system/program/process.
A daunting task to say the least
>some feedback from anyone who has experience in this area and/or has used
any >technology for this purpose. I welcome any discussion or thoughts.
Tenable Network Security has a commercial tool that front-ends Nessus as
well as using passive VA scanning and data from snort and other IDS ? it
has a system for tracking vulnerabilities, assigning remediation and
tracking the work and it is not too expensive. I am sure that other
commercial tools provide simlar function but I have not used them in this
capacity.
J
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
