Vulnerability response - reassign vulnerable items and vulnerability groups in response to CMDB changes
02-15-2022 09:57 AM
Hi members,
We have recently implemented the Vulnerability Response module using the Rapid7 integration.
We have defined assignment rules based on server support group, service offering support groups etc., and Vulnerability Groups are based on Rapid7 solution and Assignment Group, and they seem to work pretty well normally.
However, we see some challenges when CMDB data changes, like:
- When the support group of the servers, service offerings etc. change in CMDB, the existing Vulnerable Items and Groups remain with the old support group
- Application gets retired, server gets decommissioned etc. - existing VITs remain the same
- Support groups get transitioned, like a support group gets disabled and a new team takes over - existing VITs remain the same
With all the above, the new VITs that get created after CMDB changes reflect fine as per the latest CMDB data, but I am wondering how everyone is dealing with the existing VITs/Groups in these situations. Do we need to build a custom process for these cases? We are doing application service mapping and these changes seem to occur pretty often now.
I do see that I'm able to reapply assignment on specific targeted Vulnerable Items by calling the below script include, new sn_vul.AssignmentUtils().getAssignmentGroup(), but I am looking for best practices around these.
Thanks in advance
Lann
02-15-2022 11:17 AM
- When the support group of the servers, service offerings etc. change in CMDB, the existing Vulnerable Items and Groups remain with the old support group
Correct, assignment is based on the data at a point in time. You should configure the integration to use the assignment data from the source (CMDB, not the integration) that is always up to date.
If you trust the integration to provide the data, then the integration has to be kept up to date.
- Application gets retired, server gets decommissioned etc. - existing VITs remain the same
Many times people say that, but the CI remains on the network and hence is still vulnerable to the finding.
You can write a BR that cascades status from CI down to open tasks such as VIT, INC etc.
Question for you: Can you retire something that is still used in workflows? Your answer should be No!
- Support groups get transitioned, like a support group gets disabled and a new team takes over - existing VITs remain the same
How can you transition something with open tasks? Maybe in your transition plan you should have a check for this.
Most of these are process issues IMHO
02-15-2022 02:27 PM
- When the support group of the servers, service offerings etc. change in CMDB, the existing Vulnerable Items and Groups remain with the old support group
This is an issue that we are facing as well since assignment rules and remediation task rules run only once. You would have to write something custom for this.
- Application gets retired, server gets decommissioned etc. - existing VITs remain the same
Have you checked the auto-close configuration in V15? Enable the "Auto-close VIs linked to retired CIs" and it will do it for you going forward. Again, for the older ones you might have to do a fix script.
- Support groups get transitioned, like a support group gets disabled and a new team takes over - existing VITs remain the same
Same as #1, you would have to write something custom, like a scheduled job to fix existing VITs.
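
Added example, not part of any post in this thread and not ServiceNow's own code: a dry-run planner for the kind of custom scheduled job the replies describe, covering the three CMDB-change cases raised in the question. It is plain JavaScript over constructed records so it runs outside an instance; the field names, sample rows and the `successors` map are assumptions, and in a real job the rows would come from GlideRecord queries.

```javascript
// Constructed sample data; plain objects stand in for CMDB and VIT rows.
// Field names here are assumptions, not the module's actual schema.
const cis = {
  srv01: { support_group: 'linux-ops', retired: false },
  srv02: { support_group: 'win-ops', retired: false },
  srv03: { support_group: 'linux-ops', retired: true },
  srv04: { support_group: 'legacy-unix', retired: false },
};
const groups = {
  'linux-ops': { active: true },
  'win-ops': { active: true },
  'legacy-unix': { active: false },
};
// Hypothetical hand-maintained map: disabled group -> team that took over.
const successors = { 'legacy-unix': 'linux-ops' };
const vits = [
  { id: 'VIT001', ci: 'srv01', assignment_group: 'linux-ops', open: true },
  { id: 'VIT002', ci: 'srv02', assignment_group: 'linux-ops', open: true }, // CI moved to win-ops
  { id: 'VIT003', ci: 'srv03', assignment_group: 'linux-ops', open: true }, // CI retired
  { id: 'VIT004', ci: 'srv04', assignment_group: 'legacy-unix', open: true }, // group disabled
  { id: 'VIT005', ci: 'srv02', assignment_group: 'linux-ops', open: false }, // closed, leave alone
  { id: 'VIT006', ci: 'srv99', assignment_group: 'linux-ops', open: true }, // CI missing
];

// Follow the successor chain to an active group; the Set guards against loops.
function resolveGroup(name) {
  const seen = new Set();
  while (name && groups[name] && !groups[name].active && !seen.has(name)) {
    seen.add(name);
    name = successors[name];
  }
  return name && groups[name] && groups[name].active ? name : null;
}

// Dry run: returns the proposed action per open VIT and changes nothing.
function planReconciliation(vitRows) {
  const plan = [];
  for (const vit of vitRows.filter((v) => v.open)) {
    const ci = cis[vit.ci];
    if (!ci) { plan.push({ id: vit.id, action: 'review', reason: 'CI not found' }); continue; }
    // Retired CIs go to review rather than auto-close: the asset may still be on the network.
    if (ci.retired) { plan.push({ id: vit.id, action: 'review', reason: 'CI retired' }); continue; }
    const target = resolveGroup(ci.support_group);
    if (!target) plan.push({ id: vit.id, action: 'review', reason: 'no active group' });
    else if (target !== vit.assignment_group) plan.push({ id: vit.id, action: 'reassign', to: target });
  }
  return plan;
}
```

Reviewing the output of `planReconciliation(vits)` before applying it keeps findings on retired or orphaned CIs visible instead of silently reassigned or closed.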