What are the best tools and methods for vulnerability scanning and reporting according to sans 20?

Sans 20 controls is a great resource for you to utilize as a base for you to do a security assessment within your environment. When talking about Vulnerability Management, there are a couple of SANS top 20 (now CIS Controls V8) that are directly related to this, so make sure you have a tool that is able to perform those tests. Control 7 - Continuous Vulnerability Management - has 7 sub-controls to support you to stablish processes (vulnerability management and remediation), automated patching and scans, and perform remediation.

Vulnerability management tools for SANS Institute's Top 20 critical security controls: >Automated Scan Tools: Nessus, OpenVAS, QualysGuard, and Nexpose. >Manual testing and verification: penetration testing, network protocol analysis. >Continuous Monitoring: Astra Pentest, New Relic. >Reporting and Documentation: Include features for automated reporting with the provision for creating custom reports. >Interoperability: API maintains consistency in integration within the other security tools.

Some tools: Nessus Rapid 7 OpenVAS (Greenbone) Qualsys nmap nmap will show open ports and services. Rapid7, OpenVAS, nessus will show items such as missing updates, invalid certificates, accounts misconfigured, etc. nmap and openvas are free. If you do not have a budget, try these first. For help setting up openvas, use google.

One of the tools that I used extensively throughout my carreer was Qualys. You are able to perform system scans (OS level, services, network devices, etc.), application scans (OWASP). Within this solution, it has some templates you could use that indicates compliancy among PCI or CIS controls for example. Ps. What the article provides is an old version, it's called now CIS Controls V8: 1 - Enterprise Assets 2 - Software Assets 3 - Data Protection 4 - Secure Configuration 5 - Account mgmt 6 - Access Controls 7- Continuous Vuln. Mgmt 8 - Audit Logs 9 - Email/web Protections 10 - Malware 11 - Data Recovery 12 - Network Infra 13 - Monitoring and Defense 14 - Awareness 15 - 3rd party Mgmt 16 - App Security 17 - Incident Response 18 - PenTest

Don’t just report vulnerabilities , track them through to remediation. No tool patches to 100% effectiveness so how are you managing the 2% miss rate? What doesn’t get patched becomes control decay. Prioritize on CVSS if you must but prioritizing on Known Exploited Vulnerabilities is most efficient.

One simple advise is to not just share automated reports with system owners, indicate the ones that are most risky (like sensitive to business or storing/processing sensitive information and exposed to threats, like web applications/DMZ servers) compared with criticality of the vulnerability and exploit availability. As you start seeing progress, share the good news and keep your team motivated. A few metrics that helps to visualize progress: - Aging vulnerabilities (below 30 days, between 31 an 60 days, etc.) - New, recurrent and mitigated comparison - Number of critical and high severity Analysis on vulnerabilities is essential to have a good and effective vulnerability management program.

1) Try to fix all the high vulnerabilities first. This may not always be possible. If something cannot be fixed, can a "compensating control" be put in place. An example would be: This machine cannot be updated, but we have isolated it on the network, so only 2 people can access it. 2) While you are waiting on some of the high vulnerabilities to be fixed, see if some of the other ones can be fixed, especially the easy ones. Can something be fixed in under an hour, like changing the passwords on the printer console? Then fix it. Dont leave attackers footholds on your network. This breaks the mantra of "we only fix high" that is very prevalent in the industry, but can be fixed while you wait for the high ones

Implement a risk-based approach that looks for vulnerabilities based on exposure to threats and likelihood. In other words, identify assets that are sensitive to business (to maintain business continuity for example), and information that it stores/processes and review exposure to threats, like web applications/DMZ servers that are internet facing, or end-users that has high volume of incidents due to human error, VIP users and sysAdmins, and compare with how critical the vulnerability is and exploit availability. This way, you will notice a good progress on volumes and more engaged team

Review the latest version of the SANS, which is now called CIS Controls (currently on version 8). Control 20 talks about stablishing a process of continuously perform vulnerability scans. The best approach is use the following lifecycle: Identify, Prioritize, Remediate, Report Identify - Perform automated scans (both asset discovery and system vuln. scan) Prioritize - Just don't send a full set of scan results to your internal teams. Help them to identify what's a priority based on the exposure and likelihood of compromise Remediate - Apply patches and changes to fix the issue. Run validation scans to confirm it's resolved Report- Use a good set of metrics and indicators to help you to show either to execs and technical teams

Remediation is a key piece of this work, so partner with your internal teams and not against them. Understand applying patches and make configuration changes is not an easy task, every change performed in your environment may affect the business operations as services may be incompatible with newer OS versions for example. Use a risk-based approach perspective, where you may correlate the asset context with the vulnerability severity. For example, a high vulnerability against a critical service that is exposed to the internet may be prioritized compared with an internal server with a Critical vulnerability.