Vulnerability Response remediation target rules
Summary of Vulnerability Response Remediation Target Rules
Remediation target rules in Vulnerability Response define the expected time frames for addressing vulnerable items (VIs), similar to service level agreements (SLAs). For instance, vulnerabilities related to PCI data must be remediated within 30 days as per PCI DSS requirements. These rules enable vulnerability managers to set remediation targets, reminder targets, and designate notification recipients for overdue vulnerabilities.
Key Features
- Visibility: Remediation target dates are displayed in the vulnerability item form and list views for items not in Deferred, Resolved, or Closed states.
- Color-Coding: The status of vulnerable items is visually indicated: green for items not yet due, orange for items nearing the target date, and red for overdue items.
- Notifications: Summary emails are sent when VIs approach or exceed their remediation target dates.
- Rule Management: Remediation target rules can be deactivated or deleted, and the associated VIs are updated accordingly. When a VI satisfies more than one active rule, the most restrictive rule (the one producing the earliest remediation target date) is applied.
- Scheduled Jobs: The Evaluate remediation targets job runs daily at 4:00 AM to update remediation target dates based on active rules.
- Efficient Updates: Changes to remediation target rules can be reapplied to open VIs using the Apply Changes button, streamlining the process for vulnerability admins and analysts.
Key Outcomes
By implementing remediation target rules, organizations can ensure timely remediation of vulnerabilities, maintain compliance with regulatory standards, and enhance overall security posture. The system provides clear visual indicators and automated notifications, allowing teams to prioritize and manage vulnerabilities effectively. Vulnerability managers can efficiently track and apply changes using the Vulnerability Manager Workspace for better operational efficiency.
Remediation target rules define the expected time frame for remediating vulnerable items (VIs), much like an SLA defines a time frame for resolving a task. For example, if an asset holds PCI data (credit card data), the vulnerability on that item must be fixed within 30 days according to PCI DSS. For each rule, vulnerability managers set:
- The remediation target: the number of days from the VI's Target from date by which the VI must be remediated.
- The reminder target: the earlier date, before the remediation target date, at which reminders start for VIs that have not yet been remediated.
- The reminder and notification recipients: who should be notified when VIs are past the reminder or remediation target date and haven't been remediated.
Vulnerability analysts and managers can see the remediation target date in the vulnerability item form and list views, as long as the vulnerable items aren’t in Deferred, Resolved, or Closed state. Remediation target rules are run on import and rerun if a VI is reopened.
- Vulnerable items that haven’t reached their notification date are shown in green.
- Vulnerable items approaching the remediation target date are shown in orange.
- Vulnerable items past the remediation target date are shown in red.
A summary email, per remediation target rule, is sent when one or more VIs are either approaching their remediation target date or the remediation target date has passed.
Remediation target rules can be deactivated or deleted
When a rule is deactivated, the current remediation target dates for the VIs it was applied to are cleared. If a VI satisfies any other active rule, that rule is applied; otherwise the VI has no rule and no target date, and its status is No Target.
When rules are deleted, the Remediation target date and related fields on closed, deferred, or resolved VIs are preserved. The Remediation target date and related fields on non-closed VIs are cleared and any dependent rules are reapplied.
Remediation target rule scenario
Starting with v17.1, remediation targets are calculated from the VI's Target from date. The default value of Target from remains Last opened date.
For example, suppose a vulnerable item meets the condition for two remediation target rules:
- Remediation target rule 1: Last opened on 03/07/2018; remediation target is 15 days since it was last opened; calculated remediation target date is 03/16/2018 10:00:00.
- Remediation target rule 2: Last opened on 03/10/2018; remediation target is 10 days since it was last opened; calculated remediation target date is 03/11/2018 10:00:00.
Because the most restrictive rule wins, the VI receives the earlier of the two dates, rule 2's 03/11/2018 10:00:00.
About the Evaluate remediation targets scheduled job
Evaluate remediation targets runs once daily, at 04:00:00. It evaluates vulnerable items that:
- Aren't in a Closed, Deferred, or Resolved state.
- Have no remediation target date.
- Have a remediation target date that is later than the date produced by the remediation target rule.
For each such VI, Evaluate remediation targets adds a remediation target date if one does not exist, or, if a rule results in an earlier date than the one on the record, updates the existing target date. Finally, it updates the Remediation target and Remediation status fields in the vulnerable item form.
After Evaluate remediation targets runs, any applicable notifications are sent.
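The following is an added illustration, in plain JavaScript, of the evaluation logic this page describes: the most-restrictive-rule selection from the scenario above, the daily job's add-or-tighten behaviour, what deactivating a rule does to the VIs it was applied to, and the green/orange/red status shown in the VI form. It is not ServiceNow's own code (no GlideRecord, no business rules); the rule names, condition functions, vulnerable items and dates are all constructed for the example.

```javascript
// Added example modelling remediation target rule evaluation. Not ServiceNow
// code: rules, VIs and dates below are constructed for this illustration.

const EXEMPT_STATES = new Set(["Closed", "Deferred", "Resolved"]);
const DAY_MS = 24 * 60 * 60 * 1000;

function addDays(date, days) {
  return new Date(date.getTime() + days * DAY_MS);
}

// Constructed rules. `matches` stands in for the rule's condition; reminderDays
// is the reminder target and remediationDays the remediation target, both
// counted from the VI's "Target from" date.
const RULES = [
  { name: "PCI data",  active: true, matches: vi => vi.pciData === true,        reminderDays: 23, remediationDays: 30 },
  { name: "Critical",  active: true, matches: vi => vi.severity === "Critical", reminderDays: 10, remediationDays: 15 },
  { name: "Catch-all", active: true, matches: () => true,                        reminderDays: 75, remediationDays: 90 },
];

// Of all active rules the VI satisfies, the most restrictive (earliest
// remediation target date) wins. Returns null for exempt states or no match.
function evaluateRules(vi, rules) {
  if (EXEMPT_STATES.has(vi.state)) return null;
  let best = null;
  for (const rule of rules) {
    if (!rule.active || !rule.matches(vi)) continue;
    const targetDate = addDays(vi.targetFrom, rule.remediationDays);
    if (best === null || targetDate < best.targetDate) {
      best = { rule: rule.name, targetDate, reminderDate: addDays(vi.targetFrom, rule.reminderDays) };
    }
  }
  return best;
}

// What the daily job does to one VI: skip exempt states, set a date when none
// exists, and replace an existing date only when a rule yields an earlier one.
// Returns a new object; the input VI is not mutated.
function evaluateJob(vi, rules) {
  if (EXEMPT_STATES.has(vi.state)) return { ...vi };
  const result = evaluateRules(vi, rules);
  if (result === null) return { ...vi };
  if (vi.remediationTargetDate && vi.remediationTargetDate <= result.targetDate) {
    return { ...vi }; // existing date is already as strict or stricter
  }
  return { ...vi, remediationRule: result.rule, remediationTargetDate: result.targetDate, reminderDate: result.reminderDate };
}

// Deactivating a rule clears the dates on the VIs it was applied to, then any
// remaining active rule is applied; a VI with no matching rule ends with No Target.
function deactivateRule(rules, name, vis) {
  const updated = rules.map(r => (r.name === name ? { ...r, active: false } : r));
  const cleared = { remediationRule: null, remediationTargetDate: null, reminderDate: null };
  const reapplied = vis.map(vi => (vi.remediationRule === name ? evaluateJob({ ...vi, ...cleared }, updated) : vi));
  return { rules: updated, vis: reapplied };
}

// Status shown in the VI form: green before the reminder (notification) date,
// orange from then until the target date, red once the target date has passed.
function remediationStatus(vi, now) {
  if (EXEMPT_STATES.has(vi.state) || !vi.remediationTargetDate) return "No Target";
  if (now > vi.remediationTargetDate) return "red";
  if (now >= vi.reminderDate) return "orange";
  return "green";
}

// Constructed vulnerable items, all with Target from = 2024-03-01 10:00 UTC.
const TARGET_FROM = new Date(Date.UTC(2024, 2, 1, 10, 0, 0));
const SAMPLE_VIS = [
  { id: "VI-1", state: "Open",   pciData: true, severity: "Critical", targetFrom: TARGET_FROM, remediationRule: null,        remediationTargetDate: null, reminderDate: null },
  { id: "VI-2", state: "Open",   pciData: true, severity: "High",     targetFrom: TARGET_FROM, remediationRule: "Catch-all", remediationTargetDate: new Date(Date.UTC(2024, 3, 15, 10)), reminderDate: null },
  { id: "VI-3", state: "Closed", pciData: true, severity: "Critical", targetFrom: TARGET_FROM, remediationRule: null,        remediationTargetDate: null, reminderDate: null },
];

function isoDay(d) {
  return d ? d.toISOString().slice(0, 10) : null;
}

// Runs the job over the sample VIs, then deactivates the "Critical" rule.
// VI-1 matches all three rules; Critical (15 days) is most restrictive -> 2024-03-16.
// VI-2's existing 2024-04-15 date is later than PCI's 2024-03-31, so it is tightened.
// VI-3 is Closed and left untouched. After deactivation VI-1 falls back to PCI's 2024-03-31.
function demo() {
  const evaluated = SAMPLE_VIS.map(vi => evaluateJob(vi, RULES));
  const afterDeactivate = deactivateRule(RULES, "Critical", evaluated).vis;
  return { evaluated, afterDeactivate };
}

const out = demo();
for (const vi of out.evaluated) {
  console.log(vi.id, vi.remediationRule, isoDay(vi.remediationTargetDate), remediationStatus(vi, new Date(Date.UTC(2024, 2, 12))));
}
```

The comparison `targetDate < best.targetDate` is what makes the rule selection "most restrictive": the rule with the lower day count from the same Target from date always produces the earlier date. The job's guard `vi.remediationTargetDate <= result.targetDate` is the second bullet in the list above, and it means a target can only ever be tightened by the daily run, never relaxed; relaxing happens only through deactivation or deletion, which clear the date first.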
Evaluate remediation targets clears the remediation fields on the VI and stops sending notifications.
Starting with Vulnerability Response v19.0, when the sn_sec_cmn.evaluate_targetmissed_records property is enabled, the Remediation Target Rules scheduled job does not evaluate VIs that have already missed their remediation target. This property is enabled by default.
Reapplying remediation target rules
If the scheduled job Evaluate remediation targets is running, you can't initiate a reapply process. However, if a reapply process is already running when the scheduled job is triggered, the two run in parallel.
The reapply processes in Vulnerability Response and Application Vulnerability Response are independent and can run in parallel.