Hi Chris McDevitt

You touched upon a very realistic scenario. Thanks for bringing the focus on this practically frequently observed scenario in most of the implementations.

Building on the scenario you aptly mentioned -  "Organization has discovered its application" now leverages metadata coming from scanner to script the assignment rule. To understand further will you be able to share a few examples of metadata you have seen which could be leveraged?

Thanks

Yes, I can.
First off, organizations must adopt an attitude of continuous process improvement. Second, do not expect perfection but strive towards perfection. Thrid, adapt a crawl, walk, run attitude as you mature your Vulnerability Response tool.

The first thing you need to understand is my vulnerable item formula: a VIT = a Vulnerability + a Configuration Item. This super object contains all your vulnerability scanner's knowledge (via Vulnerability) and your organization's knowledge about that asset (CMDB).

The first tool in our arsenal is the "Vulnerability Classification Rules." These rules allow us to "pre-process" the vulnerability library (Third-party) and determine a "classification" for this Vulnerability based on our organization's point of view. For example, is this Vulnerability an "OS" or an "Application" vulnerability? Not only have we expanded our information in VIT object, but we can also use that information in our Assignment Rules.

The second tool in our arsenal is the "Third-party vulnerability entries," again, this is the vulnerability part of our VIT object. Examine your Vulnerability closely. Look at all of the fields that can give you hints on which team would be best to remediate this issue. (These fields will be used in the Assignment Rules)

The third tool is the Assignment Rules themselves. Not only is the Condition Builder a powerful tool, once you add a scripted assignment to the mix, it becomes a super powerful tool. A long story short, I am working around insufficient data to produce the best assignment possible:

The following tool you can use is the Discovered Items module itself. I have written a white paper on it. The Discovered Items module is a great place to enhance your data. They use this data to either make assignments or drive the improvement process. I have different customers setting the Department, Business Unit, Data Center, subnets, and other things.

Now, this is getting out there, but it has proven successful; Enhancing your Configuration Items (The Configuration Item part of the formula). Sometimes we must make assumptions about the data and set CI attributes according. For example, I have applied a regular expression based on RFC 1819 to determine if the CI was internet-facing. (The customer is using that in risk score and an assignment). In another example, based on many factors, we guessed which Department an Incomplete IP Devices or Unclassified Hardware devices belonged to and set those attributes. Lacking other data, we used this as part of the assignment rule.

Here is the process improvement part; If the departments were unhappy with the assignments, they were instructed to work with the Discovery / CMDB team to get the host Discovered and identified correctly.

Finally, see this button:

Understand how to use it. Build the rules, get feedback, scratch your heads, make an improvement and push that button... Rinse and repeat.

I have a customer that I had to interview for an internal success story, and they told me that they had experienced a 90%+ reduction in the time it takes to assign vulnerabilities. This is a global customer with many many many "unique" business units. Due to many factors, the customer's CMDB is far from perfect.  Now here is the even better news... this is not an uncommon story 😉 

The bottom line is: Find a trusted coach/advisor then start a continuous process improvement journey backed up by OCM and an executive champion. 

There is more, but that is best left to some beverages in the evening at the Knowledge conference.