Symantec Risk Automation Suite


Symantec Risk Automation Suite SRAS Guide, September 2011. Part Number: XXXXXX-XX

COPYRIGHT This User Guide is protected by United States and International Copyright laws. Copyright 2011 Symantec Corporation. All Rights Reserved.

Contents
Preface
Symantec Risk Automation Suite - An Insight
  What is Symantec Risk Automation Suite (SRAS)?
  Technology components and architecture
  Production implementation
  Additional Considerations: Robust scheduling options; Bandwidth throttling; Blacklisting; Active directory integration; Encryption; Backups
Working with Symantec Risk Automation Suite Portal
  Accessing the SRAS portal
  Customizing the SRAS Portal: Creating the organizational structure; Adding asset classes and categories (optional); Applying organizational structure, classes and categories
  Portal Configuration: Alerts; Auto Assignment; Biz Apps; Environments; Metrics; Settings
  Portal Administration
    Credential Management: Add credential
    User Management: Add a new user; Manage users; Active directory settings; Manage roles
    Scanner Management: Scanner management tasks and alerts; View all scanners; View scanners (by type); Agent updates
    Content Management: OS signatures; OVAL Definitions; DeepSight DataFeeds; Application log
Symantec Risk Automation Suite - Module Management
  Types of Scanning: Discovery scans; Configuration scans; Vulnerability scans; WebApp
  Scanning: Scheduling scans; Credentialed scans; Security; Service oriented architecture (SOA); Common scanning challenges; Pre-scan guidance; Pre-scan checklist
  Discovery Scan: Scan scheduling; Scan Queue; Scan History
  Configuration Scans: Scan Scheduling; Scan Queue; Scan History; Data Import (Off-line Scanning)
  Vulnerability Scan: Scan scheduling; Scan Queue; Scan History; Results Filtering
Reporting
  Reporting Basics; Reporting pre-work
  Asset Inventory: Summary report; Network Reports; Host Reports; Applications Reports; External Asset Reports
  Rogue Technology: Summary Reports; Rogue Network Reports; Rogue Hosts Reports; Rogue Apps Reports
  Vulnerability: Summary Reports; Vulnerability Reports by Application, by Platform, by Network, by Host; Vulnerability Reports by Vulnerability; Security Patch Report; External Vulnerability Report; DeepSight Reports
  Configuration Reports: Software Configuration; Hardware Configuration; User Accounts Configuration Report; System Configuration/Data Protection/Patches Report; Scan Summary Configuration Report; All Categories Configuration
  Remediation Reports: Remediation Summary; Policy Violations; Rogue Technology; Vulnerabilities
Symantec Risk Automation Suite - Security Dashboard
  Policy management dashboard; Vulnerability management dashboard; Rogue technology dashboard; Remediation dashboard; Dashboard tasks; Historical reporting; Organizational map; Favorites; Tasks; Alerts
Symantec Risk Automation Suite (SRAS) Policies & Controls
  What is a control?; How are controls used in SRAS?; Adding controls to a policy statement; Section summary
  Control Management: Viewing and editing controls; Suspending or deleting controls
Secure Content Automation Protocol
  Overview; Scope; Pre-Requisites for SCAP scanning; Pre-requisites for scanning Windows Vista; Pre-requisites for scanning Windows XP & Vista; FDCC conflicts and supporting rationale; SCAP and SRAS; CVE; CCE; CPE; CVSS; XCCDF; OVAL; LASR
RAS/SMP Integration
  SMP/Altiris 6.0 setup; Vulnerability Policy

Preface
This User Guide provides information on how to set up and use the Symantec Risk Automation Suite.
Conventions and shortcuts
This User Guide uses the following conventions:
- The names of document titles and cross-references are formatted in italics.
- The names of buttons, menu commands, options, icons, and other user interface elements are formatted in bold.
- Programming code, file names, and folders are formatted in Courier New fixed width.
A Notes page is provided at the end of each chapter to enable the user to write any additional comments/notes.


Chapter 1 Symantec Risk Automation Suite - An Insight
Congratulations on your selection of Symantec Risk Automation Suite (SRAS) by Symantec Corporation to meet your risk management needs! SRAS is a highly sophisticated collection of integrated tools that provides a fast, robust and holistic view of the technology and risks present in large IT networks. The following sections of this chapter will enable you to understand the technology and architecture that makes SRAS an outstanding Risk Automation Tool.
What is Symantec Risk Automation Suite (SRAS)?
Symantec Risk Automation Suite (SRAS) is a highly scalable, integrated framework of compliance technologies, which enables organizations to quickly and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SRAS is entirely agent-less, is easy to install, and easily scales to any size of enterprise network. SRAS will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with requisite standards and provide a centralized portal for continuous, repeatable measurement and reporting. SRAS automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SRAS Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large organizations in virtually all industries rely on SRAS to continuously measure IT risk and compliance.
Technology components and architecture
SRAS is a multi-tier application consisting of six integrated components. These components can be installed on one server, or on multiple, distributed scanners. They are 100% agent-less and fully compatible with virtual server environments. Each of the integrated components is described below.

Figure 1-a: Technology components and architecture
- SRAS Portal - the central hub of SRAS that provides all data analysis, reporting, scheduling, workflow, and management capabilities. It consists of a Web-based user interface, web services integrated with all other components, and a back-end database.
- SRAS Asset Discovery - rapidly discovers and inventories all networks and network assets, including managed and unmanaged devices. This component consists of three scanning processes: network discovery, host discovery and OS discovery.
- SRAS Vulnerability Management - orchestrates vulnerability scanners to conduct ongoing vulnerability detection and reporting for operating systems, infrastructure, network applications and databases.
- SRAS Configuration Management - performs authenticated configuration scans and maintains an accurate inventory of system configurations, including installed software, user accounts and system changes.
- SRAS Policy Management - continuously evaluates system configuration and compliance with industry standards and corporate policies.
- SRAS Perimeter Scan - an integrated service of Symantec Corporation that performs continuous discovery and vulnerability scans of all Internet nodes and ports in your organization's publicly registered IP ranges.

Figure 1-b: Technology components and architecture (continued)
Production implementation
- Virtual Windows 2003/08 Server with IIS 6.0/7.0: SRAS Portal; SRAS Discovery (Network, Host, and OS Discovery); SRAS Configuration Management
- Linux Server: Vulnerability Scanner (Open Source or 3rd Party); SRAS Vulnerability Management
- Existing MS SQL 2005/2008 Database: SRAS Database
Additional Considerations
Robust scheduling options
All scans can be tightly controlled and scheduled to run based on numerous user-selected factors. These include time of day, day of week, type of device to be scanned (for example operating system), specific groups of devices (for example asset classes, asset categories), locations, or business unit. By combining these options, users have extensive command and control over exactly what gets scanned and when. The schedules are set separately for each scanning process. For example, discovery scans can be run at a more frequent interval than configuration scans, which could, in turn, be run more frequently than vulnerability scans.
Bandwidth throttling
Each scanner integrated into SRAS has options for controlling the bandwidth and speed of scans. Bandwidth limits can be set uniquely per network, so that scans can occur much faster on high capacity networks, while conserving bandwidth on slower or smaller network connections. Bandwidth limits can also be set uniquely for each scanning process and can be set differently based on time of day.
Blacklisting
SRAS incorporates robust blacklisting options giving users greater control over scanning processes. Blacklisting is a process by which individual devices or entire networks can be eliminated from any or all scans. This feature is useful if third party systems need to be avoided during scans, or if there is concern about specific network devices being impacted by scans.
Active directory integration
Application level authentication for SRAS can be handled with local application level accounts or tied to Active Directory. An AD user level account must be entered into the SRAS Portal to enable this option. Once entered, that user level account is used to query Active Directory and list the AD user accounts to be given access to the SRAS Portal. Once added, users sign into the SRAS portal, authentication is passed to AD, and if successful, the users are granted access. Object level authorization and role-based access are performed natively in the SRAS application.
Encryption
SRAS encrypts all passwords in storage and in transit. This includes application user passwords, AD credentials, and credentials used by the SRAS configuration scanner during authenticated scans. All communication between the SRAS scanners and the SRAS portal occurs over SSL encrypted web services with 128 bit encryption keys. In addition, all interaction between users and the SRAS Portal is forced to occur over an HTTPS session with 128 bit encryption.
Backups
Daily backups should be performed for the SRAS database since all data, schedules, and historical reports are stored there. Backup copies should be stored on physical storage that is separate from the original database. Backups for the SRAS Portal and SRAS scanners are recommended to ensure a rapid recovery; however, these applications can be reinstalled without any data loss. Therefore, backups for these applications could be bypassed altogether, or performed at a less frequent interval, such as weekly or monthly.
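The scheduling, bandwidth throttling and blacklisting options described above decide, for each scanning process, which hosts are touched at a given hour and how fast. The following Python example is added here to show that decision logic in a runnable form; it is not SRAS code and does not reflect how the product implements these options internally. It assumes one allowed time window per scan type, a business-hours and an off-hours bandwidth limit per network, and blacklist entries that exclude a single device or a whole network from some or all scan types. The network ranges, limits and blacklist entries are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

ALL = "ALL"

# Constructed example: allowed hour windows per scanning process as (start, end);
# end < start means the window wraps past midnight.
SCAN_WINDOWS = {
    "discovery": (0, 24),        # discovery may run at any hour
    "configuration": (18, 6),    # overnight only
    "vulnerability": (22, 4),    # late night only
}

BUSINESS_HOURS = (8, 18)


@dataclass(frozen=True)
class NetworkPolicy:
    cidr: str
    business_unit: str
    business_hours_kbps: int   # throttle applied while the office is busy
    off_hours_kbps: int        # throttle applied outside business hours


@dataclass(frozen=True)
class BlacklistEntry:
    target: str                # one address or a whole CIDR range
    scan_types: frozenset      # {"ALL"} or a set of scan type names

    def excludes(self, ip: str, scan_type: str) -> bool:
        """True if this entry removes `ip` from `scan_type` scans."""
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.target, strict=False):
            return False
        return ALL in self.scan_types or scan_type in self.scan_types


def in_window(hour: int, window: tuple) -> bool:
    """Check an hour (0-23) against a possibly midnight-wrapping window."""
    start, end = window
    if start < end:
        return start <= hour < end
    return hour >= start or hour < end


def plan_scan(scan_type: str, hour: int, networks, blacklist) -> dict:
    """Return {ip: kbps_limit} for every host that should be scanned now.

    Hosts are dropped when the scan type is outside its window, or when any
    blacklist entry excludes them (individually or via their network).
    """
    if not in_window(hour, SCAN_WINDOWS[scan_type]):
        return {}
    targets = {}
    for net in networks:
        limit = (net.business_hours_kbps
                 if in_window(hour, BUSINESS_HOURS) else net.off_hours_kbps)
        for host in ipaddress.ip_network(net.cidr, strict=False).hosts():
            ip = str(host)
            if any(entry.excludes(ip, scan_type) for entry in blacklist):
                continue
            targets[ip] = limit
    return targets


# Constructed sample inventory: a small office range and a fragile lab range.
NETWORKS = [
    NetworkPolicy("10.0.1.0/29", "Finance", business_hours_kbps=256, off_hours_kbps=4096),
    NetworkPolicy("192.168.5.0/30", "Lab", business_hours_kbps=128, off_hours_kbps=1024),
]
BLACKLIST = [
    BlacklistEntry("10.0.1.3", frozenset({ALL})),                    # one device kept out of every scan
    BlacklistEntry("192.168.5.0/30", frozenset({"vulnerability"})),  # whole lab kept out of vulnerability scans
]

if __name__ == "__main__":
    for scan, hour in (("discovery", 10), ("vulnerability", 23), ("vulnerability", 12)):
        plan = plan_scan(scan, hour, NETWORKS, BLACKLIST)
        print(f"{scan} at {hour:02d}:00 -> {len(plan)} hosts", plan)
```

Run as a script it prints the three plans: discovery at 10:00 covers both ranges minus the blacklisted device at the business-hours limits, vulnerability at 23:00 covers only the Finance range at the off-hours limit, and vulnerability at 12:00 produces no targets because it is outside its window. Whole-network blacklist entries are the mechanism for keeping third-party or fragile devices out of intrusive scan types while still letting discovery inventory them.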

Chapter 2 Working with Symantec Risk Automation Suite Portal
This chapter is designed to provide a novice SRAS user with basic guidance to get the solution set up and execute an initial set of scans.
NOTE This Chapter is not intended to replace formal training. It does not address all of the capabilities within SRAS and does not provide techniques for advanced use or long-term operations of the solution. This Chapter is most suitable for use during an initial series of scans, a one-time risk assessment or a proof of concept deployment.
Accessing the SRAS portal
1. Using your desktop Web browser, browse to the SRAS Portal URL. SRAS is typically installed with SSL enabled and required for all user and client connections, therefore prefixing the Risk Automation Suite URL with https:// is necessary.
2. Log on to the SRAS Portal with your SRAS User Name and Password, or with your Active Directory (AD) credentials if AD authentication has been enabled in your SRAS Portal. Click Sign-In.
Figure 2-a: Login page

3. In order to complete the tasks described in the remainder of this Chapter, you will need to have an Administrator role on the SRAS Portal. You can confirm that you have this role assigned to your account by verifying that the Module Management and Portal Administration nodes are visible in the Control Panel within the SRAS Portal. If these nodes are not visible, then you have not been designated as an SRAS administrator. Contact the system owner to request this role.
The Control Panel is on the left hand side of the portal screen. Using standard hierarchical menus, this area is used for all navigation throughout the Symantec Risk Automation Suite product. There are five key areas at the root:
- My Security
- Reporting
- Policies and Controls
- Module Management
- Portal Administration
Figure 2-b: Control Panel
This User Guide will expand on each of these areas with both a general overview and detailed usage scenarios for each item.
Customizing the SRAS Portal
Before you get started with the SRAS portal, you must create the structure of your organization (that is, define the business units) so that reporting can be organized around it.

Creating the organizational structure
Establishing the organizational structure is a critical step that enables you to assign networks and assets to organizational units. The purpose of the organizational units is to facilitate the assignment of networks to those business units. Applying these logical business containers makes reporting more meaningful and helps those using the software to understand the logical locations of the networks.
Click Portal Administration > Portal Configuration > Organization to display the Organization Setup screen and begin entering the organization structure for the environment (see Figure 2-c).
Figure 2-c: Organization Setup screen
Adding organization map
To add or modify an organization map, follow the instructions given below:
1. Click the Configure Organizational Map link at the bottom of the Organization Setup screen to upload and configure an organizational map (JPEG). The Dashboard Map and Layout screen displays.

Figure 2-d: Dashboard Map and Layout screen
2. Click Browse to upload the map.
3. Click Change Map to modify the organization map. Click the Add Region or Edit link on the map to add or edit a region that displays on the map.
4. The Edit Region Status window displays, as shown in Figure 2-e. Click the drop-down list, select an appropriate region and click Update. The button label changes to Close.
Figure 2-e: Edit Region Status window

5. Click Close Window to close the Edit Region Status window and return to the Dashboard Map and Layout Status screen.
6. Set the height and width of the map by entering appropriate values in the Height and Width fields and then click Change Size.
Adding/editing region
You can adjust the labels of units and sub-units to suit your organizational environment. You can make as many organizational entries as you wish; however, for simplicity, it is recommended that the top level structure be comprised of 6 to 8 units with as many sub-units as needed.
1. Click the Add New Region link at the bottom of the Organization Setup screen. The Add New Region window displays.
Figure 2-f: Add New Region window
2. Enter the Region Name and Region Abbreviation and click Add Region to add the region to the organization setup. The added region displays in the Organization Setup screen.
To edit a region: click the Edit Region link in the Organization Setup screen to modify the region details.
Deleting a region
To delete a region, follow the instructions given below:
1. Click the Delete link to delete a region. The Delete window displays.

Figure 2-g: Delete window
2. Click Delete the assets to delete the selected region and all assets associated with it. Or,
3. Click Reassign the assets to assign the assets to a different region.
4. After selecting an appropriate option above, click Delete Region. Or,
5. Click Close Without Deleting to close the window and return to the Organizational Setup screen.
Adding division
To add a division within a given region, follow the instructions given below:
1. Click the Add Division link under a region. The Add New Division window displays.

Figure 2-h: Add New Division window
2. Enter the Division Name and Division Abbreviation and click Add Division. The new division displays under the region name in the Organization Setup screen.
Adding asset classes and categories (optional)
After you have specified the organizational structure, the next step is to define the company-specific asset classes and asset categories under Portal Administration. This is an optional step. The classes and categories enable you to assign these values to certain assets so that you can report and measure risks on these specific groupings apart from other enterprise assets.
To add the names of any asset classes or categories appropriate to the IT environment, follow the instructions given below:
1. Click Portal Administration > Portal Configuration > Classes/Categories in the Control Panel. The Classification Settings screen displays.

Figure 2-i: Classification Settings screen
2. Click the Add Classification link to add an asset class level. The Add Classification Level window displays.
Figure 2-j: Add Classification Level window
3. Enter the asset class level name in the given field and click Add Classification.
NOTE An asset (a network or host discovered by Risk Automation Suite) can only have one asset class assigned to it, but it can have multiple asset categories assigned to it.
4. Click Add Category to add asset categories.

Figure 2-k: Add Category window
5. To modify the name of any asset class or category, click the Rename link. To delete an asset class or category, click the Delete link.
Applying organizational structure, classes and categories
After creating the organizational units, asset classes, and asset categories, you must then assign these to the assets discovered during network discovery and host discovery. While all of these options exist, most RAS users start with organizations and then gradually add categories and classes as it becomes necessary. However, any of these can be changed at any time.
NOTE Making these assignments is optional (but recommended), as they can be very helpful when scheduling scans and generating custom reports.
1. In the Control Panel, click Reporting > Asset Inventory > Networks. The Network Asset Summary screen displays.

Figure 2-l: Network Asset Summary screen
2. Click a network name in the Network Name column. The View Network screen displays, as shown in Figure 2-l.
Figure 2-m: View Network screen
3. Click the Edit Network link on the top right side of the View Network screen. The Edit Network window displays, which enables you to make assignments to the selected network.

Figure 2-n: Edit Network window
4. Enter an appropriate network name in the Network Name field (this is optional).
5. Click the Region/Division External drop-down list and select an appropriate organizational unit/region.
6. Click the Classification drop-down list and select an asset class (this is optional).
7. Click a network name to select it for the selected asset class in the Category list.
8. Click an appropriate option under When Applying Network Settings.
9. Click Update Network.
Alternatively, in the Control Panel click Module Management > Organize Assets. From here you can assign hosts, networks or biz apps, categorize hosts or networks, and classify hosts or networks (see Figure 2-e). For more information, see Chapter 4, Module Management.

NOTE These same assignments can be made to individual hosts as well as at the network level. This is typically more applicable to asset classes and categories, where you would have a specific machine assigned to a SOX category, for example. Organizational assignments, however, are usually made at the network level since most assets on a sub-network are typically at the same physical location. It is not recommended that individual hosts be assigned to organizational units.
Figure 2-o: Making organization, class and category assignments
Portal Configuration
This section of the SRAS Portal enables you to customize the portal functions and appearance as required. It consists of the following sub-sections:
- Alerts
- Auto Assignment
- Biz Apps
- Classes/Categories
- Environments
- Organization
- Metrics
- Settings
These topics are described in detail in the following sections of this chapter.

Alerts
The SRAS Portal can generate and send automated alert messages to notify users about SLA status as well as remediation task assignments. You can configure alerts so that tasks and/or executive dashboards are e-mailed at specific times and at specific intervals.
1. Click the Alerts link under the Portal Configuration branch of Portal Administration to pre-configure the alerts. The Administrative Security Alerts screen displays (as shown in figure 2-f).
Figure 2-p: Administrative Security Alerts screen
2. Activate or deactivate the following notification alerts by selecting the appropriate check box:
3. Dashboard and SLA Alerts:
a. Select the Notify all users of changes in service level status check box to send an alert message to all users about any change in service level status.
b. Select the Send all users a daily service level statistics summary check box to send a daily service level statistics summary message to all users.
4. Task Alerts:
a. Select the Send all users a daily summary of all assigned tasks check box to send a daily summary of all assigned tasks to all users.
b. Select the Exempt users with no tasks check box to exempt users with no tasks assigned from receiving task alerts.
5. System Alerts (Administrators Only): Select the Notify all administrators of system errors and alerts check box to send an alert message to all administrators of the SRAS Portal regarding any system errors and alerts.

6. Once the alerts have been defined, click Update Alert Preferences to save the changes.
Auto Assignment
The SRAS Portal enables you to define rule-sets for auto-assignment of remediation tasks to authorized people in the organization in order to avoid time lapses and remediation delays. Click Portal Administration > Portal Configuration > Auto Assignment. This displays the Task Auto Assignment screen.
Figure 2-q: Task Auto Assignment screen
The Task Auto Assignment screen comprises two panes:
- Assignment Rules - This pane gives a tabular representation of all the previously defined task auto assignment rule-sets.
- Add Rules - This pane enables you to define the rule-set for auto-assignment of the remediation tasks.
Assignment Rules
The column names in this pane are described below:
- Order - Indicates the priority in which individual rule-sets will be executed.
- Module - Indicates the module for which the rule-set has been defined.
- Org. - Indicates the Region/Division for which the rule-set has been defined.
- Net. - Indicates the Network for which the rule-set has been defined.
- Class. - Indicates the Asset Class for which the rule-set has been defined.
- Cat. - Indicates the Asset Category for which the rule-set has been defined.

- Asset - Indicates the Asset Type for which the rule-set has been defined.
- Host Cat. - Indicates the Host Category for which the rule-set has been defined.
- OS - Indicates the operating system for which the rule-set has been defined.
- Platform - Indicates the platform for which the rule-set has been defined.
- Assign To - Indicates the name of the authorized person to whom the rule-set has been assigned.
- Up/Down Arrow - Clicking the Up/Down Arrow increases/decreases the priority in which the rule-set will be executed.
- Delete - This link deletes the rule-set permanently from the Portal.
- Run Ruleset - Clicking this initiates the rule-sets and starts assignment of tasks to authorized people in order of priority.
- Clear All Task Assignments - Clicking this clears all previously assigned tasks for all people.
NOTE Rules indicated in the Assignment Rules table are executed from top to bottom and left to right.
Creating a new ruleset
1. Click Portal Administration > Portal Configuration > Auto Assignment in the Control Panel. The Task Auto Assignment screen displays.
2. Select the appropriate Rule Criteria - Module, Region/Division or Network, Classification, Category, Asset Type, Host Category, OS Type, and Platform - for the new rule set. The fields of the Add Rule pane are described in the steps below.
3. Click the Module drop-down list to set the module for which the task auto assignment rule-set has to be defined. The available options are: ALL, Asset Management, Configuration Management, External Asset Management, External Vulnerability Management, Vulnerability Management.
4. Under Apply Rule to Region/Division or Network, click the required drop-down list to define rule-sets based on region/division or network.
5. Click the Classification drop-down list to set the asset classification for which the task auto assignment rule-set has to be defined.
6. Click the Category drop-down list to set the asset category for which the task auto assignment rule-set has to be defined.
7. Click the Asset Type drop-down list to set the asset type for which the task auto assignment rule-set has to be defined. The available options are: ALL,

Network, Host, Application.
NOTE Selecting Host or Application in the Asset Type drop-down list enables you to further narrow down the rules based on Host Category, OS Type, and Platform.
8. Click the Assign To drop-down list and select the user to whom these tasks will be assigned.
9. Click Add Rule to add the new ruleset to the SRAS Portal.
Other tasks
- Run Ruleset - Runs the assignment rules against the current assets. This is useful if you have just finished creating a ruleset after RAS has already discovered assets.
- Clear All Task Assignments - Removes any task assignments identified on this page.
Biz Apps
By default, any asset can be classified under three primary asset class levels. Similarly, by default, an asset can be classified under ten asset categories. You can add additional asset categories as desired by using the Biz Apps link under the Portal Configuration branch of Portal Administration. Click Portal Administration > Portal Configuration > Biz Apps in the Control Panel to add additional asset categories. The Business Applications screen displays (as shown in figure 2-g).
Figure 2-r: Business Applications screen
The Business Applications screen displays the data under various columns, which are described below:

- Name - Indicates the name of the asset category given by the user.
- Hosts - Indicates the number of assets classified under this Biz App category.
- Owner - Indicates the name of the user who created this category.
- Comment - Indicates any comments provided by the owner at the time of creation of the Biz App category.
- Date Added - Indicates the date on which the Biz App category was added.
- Last Update - Indicates the date on which the Biz App category was last used/modified.
- Edit - Provides a link to a Web page that allows the user to edit the Biz App category.
- Delete - Provides a link to delete a category.
Click any column header to sort the data in ascending or descending order.
Searching for business application
To search for an application and perform other tasks on a business application, follow the instructions given below:
1. Enter the name of the business application(s) (the search criteria) that you want to search for in the Filter criteria field.
2. Select the Use regex check box to perform a regular expression search; the | (pipe) operator lets one search match any of several names. The search results display in a grid, as shown in the figure above.
3. Click the Export to Excel link to export the search results to an Excel file.
4. To refresh the data, click the Refresh Data link. This refreshes the Web page with the most up-to-date information.
5. Click the Results per page drop-down list to select the number of results to be displayed per page.
Adding business application
To add a business application category, follow the instructions given below:
1. Click the Add Biz App link on the top right side of the Business Applications screen. The Add Business Application window displays (as shown in figure 2-j).

Figure 2-s: Add Business Application window
2. Enter an appropriate name for the business application in the Name field.
3. Click the Owner drop-down list and select the name of the user who is creating the business application.
4. Enter any desired comments for future reference in the Comment field (optional).
5. Click Add Biz App to add the business application. A confirmation window displays indicating the successful addition of the business application.
6. Click Close Window to navigate back to the Business Applications screen.
Editing business application
To edit business application data, follow the instructions given below:
1. Click the Edit link next to the application name that you want to modify. The Edit Business Application window displays, as shown in Figure 2-h.

Figure 2-t: Edit Business Application window
2. Enter the modified name in the Name field.
3. Click the Owner drop-down list and select an owner for the business application.
4. Enter any additional information in the Comment field.
5. Click Update Biz App to save the changes, or click the Close Without Saving link to close the screen without saving any changes you have made.
Deleting business application
To delete a business application category, follow the instructions given below:
1. Click the Delete link next to the name of the application that you want to delete. The Delete confirmation screen displays, as shown in Figure 2-i.
Figure 2-u: Delete BizApp
2. Click Delete to delete the business application from the SRAS Portal. The Deletion Successful message displays.

3. Click the Close link to navigate back to the Business Applications screen.
Classes and categories
For more information, see the section Creating the organizational structure earlier in this chapter.
Environments
SRAS provides an option to customize the appearance of the portal according to the user's preferences. Click Portal Administration > Portal Configuration > Environments to display the Environment Configuration screen, as shown in figure 2-r. The Environment Configuration page is divided into four sections:
- Company Information
- Color Selections
- Company Logo
- Environment Name
Create New Environment
1. Click Portal Administration > Portal Configuration > Environments in the Control Panel. The Environment Configuration screen displays.
Figure 2-v: Environment Configuration screen

2. Click the Create Environment link in the top left corner of the Environment Configuration page. The Create Environment window displays, prompting you to enter a name for the new environment.

Figure 2-w: Create Environment window

3. Enter an appropriate name for the environment in the given field.
4. Click Create to save the environment.
5. In the Environment Configuration screen, click the Select an environment to update drop-down list and select the environment name you just saved. A blank Environment Configuration screen displays, which enables you to enter company information, color selections, logo, and other information.

NOTE
At any time, you can select any previously saved environment and apply or update it using the Select an environment to update drop-down list in the top right corner of the Environment Configuration page.

6. Enter valid company information in the Company Information pane (as shown in figure 2-m) and click Save Company Information.

Figure 2-x: Create Environment - Company Information pane

7. Select the desired color choices in the Color Selections pane (as shown in figure 2-n).

Figure 2-y: Create Environment - Color Selections pane

8. Click Save Color Selections to save the color choices.
9. Click Browse to locate and select the image that you wish to place on the Hero Banner (as shown in figure 2-o).

Figure 2-z: Create Environment - Company Logo

10. Click Change Logo to upload the selected logo to the SRAS Portal.
11. Enter an appropriate name for the environment in the Environment Name field.

Figure 2-aa: Create Environment - Environment Name

12. Click Update Name to save the environment on the SRAS Portal.

Clone environment

1. Click the Clone Environment link in the Environment Configuration screen to clone an existing environment and save it under a different name.
2. The Clone Environment window displays. Enter the name for the new environment in the given field.

Figure 2-ab: Clone Environment window

Delete environment

Click the Delete Environment link in the Environment Configuration screen to permanently delete an existing environment. The default environment that is installed with the portal cannot be deleted using this option.

Metrics

The SRAS dashboard gives an IT manager a bird's-eye view of risks and vulnerabilities across all the networks and assets in the organization. The data represented on the dashboard is fetched from the various scans performed by SRAS. Metrics let you view and edit the settings that determine how scan data appears on the dashboard. Clicking the Metrics link displays the Global Security Metrics screen. This page is divided into four panes:

Policy Management Metrics (Published Policies) - This pane shows SLA information and Compliance/Remediation Alert Threshold information for all the published policies on which Configuration Management in the SRAS Portal is based.
Business Applications - Vulnerability Metrics - This pane shows SLA information, Protection/Remediation Alert Threshold information, and Risk Level information for all the items created under the Biz App category by the user.
Vulnerability Management Metrics - This pane shows SLA information, Protection/Remediation Alert Threshold information, and Risk Level information for all the Asset Classes in the SRAS Portal.
Rogue Technology Metrics (Unauthorized Assets) - This pane shows SLA information and Authorized/Remediation Alert Threshold information for all the Asset Types in the SRAS Portal.

Edit SLA - Managing global security metrics

1. Click Portal Administration > Portal Configuration > Metrics in the Control Panel. The Global Security Metrics screen displays (as shown in figure 2-t).

Figure 2-ac: Global Security Metrics screen - Policy Management Metrics

2. Click Edit in the SLA column (for the section which you wish to edit). A window with the respective SLA values displays.

Figure 2-ad: Edit metric

3. Enter the required SLA threshold values (baseline and acceptable) in the respective fields.

NOTE
For example, consider figure 2-u. In terms of compliance, for any real-time scan, if the compliance score is between 90% and 99%, the indicator on the dashboard is yellow. If the score is below 90%, the indicator turns red, informing the user that immediate remediation is needed. In terms of remediation, if the value is between 7 days and 21 days, the indicator on the dashboard is yellow. If the number of days past the remediation threshold is greater than 21, the indicator turns red, informing the user that immediate remediation is needed.

4. Click Update to accept the edited SLA values. A confirmation message displays indicating that the SLA values were updated successfully.
5. Click Close Window to go back to the Global Security Metrics screen.
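The note above states the threshold rule in words. The following is an added example, not the SRAS Portal's own code, that models that rule so the two threshold fields can be reasoned about before they are saved: which color a single measured value maps to, what happens at the exact boundaries, and how several assets roll up into one pane color. The class and function names, the treatment of 100% and of fewer than 7 days as green, and the inclusive boundaries are assumptions; only the 90%/99% and 7/21 day figures come from the note.

```python
"""Dashboard indicator colors derived from SLA thresholds (added example).

Models the rule in the Metrics note: a compliance score from 90% to 99% shows
yellow and below 90% red; a remediation backlog of 7 to 21 days shows yellow
and more than 21 days red. Boundary handling is an assumption made here.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Sla:
    """Threshold pair for one metric (names assumed, not the portal's).

    Higher-is-better metric (compliance score): at or above green_bound is
    green, below red_bound is red.  Lower-is-better metric (days overdue):
    below green_bound is green, above red_bound is red.  Otherwise yellow.
    """
    name: str
    green_bound: float
    red_bound: float
    higher_is_better: bool

    def validate(self) -> None:
        # A green bound on the wrong side of the red bound would leave the
        # yellow band empty or inverted; reject it when the SLA is edited.
        if self.higher_is_better and not self.green_bound > self.red_bound:
            raise ValueError(f"{self.name}: green bound must exceed red bound")
        if not self.higher_is_better and not self.green_bound < self.red_bound:
            raise ValueError(f"{self.name}: green bound must be below red bound")


# Constructed SLAs using the figures quoted in the note.
COMPLIANCE_SLA = Sla("compliance_score_pct", green_bound=100.0, red_bound=90.0,
                     higher_is_better=True)
REMEDIATION_SLA = Sla("days_past_remediation", green_bound=7.0, red_bound=21.0,
                      higher_is_better=False)

SEVERITY = {"green": 0, "yellow": 1, "red": 2}


def indicator(sla: Sla, value: float) -> str:
    """Map one measured value to the dashboard color."""
    sla.validate()
    if sla.higher_is_better:
        if value >= sla.green_bound:
            return "green"
        return "yellow" if value >= sla.red_bound else "red"
    if value < sla.green_bound:
        return "green"
    return "yellow" if value <= sla.red_bound else "red"


def pane_indicator(sla: Sla, values: Iterable[float]) -> str:
    """Roll several assets up to one pane color: the worst single asset wins,
    so one red host turns the whole pane red.  An empty pane stays green."""
    worst = "green"
    for v in values:
        color = indicator(sla, v)
        if SEVERITY[color] > SEVERITY[worst]:
            worst = color
    return worst


if __name__ == "__main__":
    for score in (100, 95, 89.9):
        print(f"compliance {score}% -> {indicator(COMPLIANCE_SLA, score)}")
    for days in (0, 7, 21, 22):
        print(f"{days} days overdue -> {indicator(REMEDIATION_SLA, days)}")
    print("pane:", pane_indicator(COMPLIANCE_SLA, [100, 95, 50]))
```

The roll-up uses the worst asset rather than an average; an average would let a large population of compliant hosts hide a handful of red ones, which is the opposite of what an alert threshold is for.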

Settings

The SRAS Portal lets you set a few universal settings that apply to all users in order to maintain uniformity across the board for a given user role. These settings can be viewed and edited using the Settings link of the Portal Configuration branch under Portal Administration. The major settings options are:

Account & Password Settings
Aggregation Settings
Application Settings
Client Settings
Discovery Settings
Ticketing System Integration

Click the Edit link to modify an application setting.


Chapter 3 Portal Administration

This chapter describes how to set up the SRAS Portal's functionality by configuring access information, user creation and management, and scanner and content management.

Credential Management

Credentials are used to verify that the users requesting a service or access to a resource are who they say they are. The SRAS Portal scanners use credentials to gain access to the assets for scanning purposes. For assets to be configuration or vulnerability scanned, you must enter a credential into the SRAS Portal. The credential must have administrative or root level privileges and the right to log on interactively with the target system. Symantec recommends that a Domain Administrator credential be used to scan Windows systems. If an existing Domain Administrator account cannot be used, a temporary service account should be added to the domain and be given domain administrator rights.

NOTE
All credentials in SRAS are encrypted at rest and in transit.

Add credential

Click Portal Administration > Credential Management. The Scanning Credentials screen displays (as shown in figure 3-a).

Figure 3-a: Scanning Credentials screen

The data displays under the following column names:

Name - Indicates the name of the credential entry provided by the user.
Hosts - Indicates the number of assets associated with this credential.
Type - Indicates the type of the credential, Shared or Domain.

NOTE
Shared credentials relate to a common local administrator or root account, usually for Linux or Unix systems. Domain credentials relate to the domain level and are the preferred way to use credentials.

Username - Indicates the administrator ID used to validate the credential.
Updated - Indicates the date on which the credential was last updated.
Added - Indicates the date on which the credential was created.
Edit - This link allows the user to edit the credential.
Delete - This link allows the user to delete the credential.

To add a credential, follow the instructions given below:

1. Click the Add Credential link in the bottom right corner of the Scanning Credentials screen. The Add Credential screen displays.
2. Click the Select Type drop-down list and select Domain or Shared (Domain selected for descriptive purposes).

Figure 3-b: Add Credential - Shared type

Figure 3-c: Add Credential - Domain type

3. Select Domain or Shared from the Select Type drop-down list (Domain selected for descriptive purposes).
4. For Domain credential type:
Enter a unique descriptive name for the credential in the given field.
Click the Select Windows Domain Name drop-down list and select an appropriate domain. A list of all the discovered domains displays. Enter the name of the domain(s) you want to search for in the Filter criteria field, or select it from the list.
Enter the administrator username and password in the Username and Password fields.
Click Add Credential to save the credential information in the SRAS Portal.

NOTE
Shared: Requested information includes a descriptive name for the shared credential, OS Type, OS Version, and finally the username and password of the shared credential. Hosts are listed if a specific OS type or version is selected.
Domain: Requested information includes a descriptive name for the stored credential, which registered domain it pertains to, and the username and password to use for that domain controller. Only approved domains are available for selection. It is not necessary to prepend the domain name to the username. There is also an option to select a domain controller for enumeration of domain users. Unless a domain controller is selected, domain users will not be enumerated in the scan.

NOTE
All credentials are stored in encrypted format.

5. For Shared credential type:

Enter a unique descriptive name for the credential in the given field.
Click the OS Type drop-down list and select an appropriate operating system platform for the shared credential.
Click the Show Filter Options link to display the following pane. Use these filters to narrow down your host selection options. Only the hosts matching the filter criteria will be displayed.

Figure 3-d: Filter Options

NOTE
These filters let you narrow the search criteria down to a few desired options and spare you scrolling through huge lists to make a selection. To get the full benefit of this capability, review the Organizing Assets section.

Enter the name of the domain(s) that you want to search for in the Filter criteria field.
Click Add Credential to save the credential information in the SRAS Portal.
6. Click the Export to Excel link to export the search results to an Excel file.

User Management

The SRAS Portal is designed to monitor and report the total inventory of assets associated with an organization, including networks and hosts, their vulnerabilities and their configurations. The sensitivity of such data for any organization depends on who has access rights to it. SRAS provides role-based access for various user groups and supports the default roles Auditor, User, and Administrator. In addition, object-level security is implemented on the data, with the ability to restrict access based on business unit and/or location. Users can be created, managed and granted access levels based on their respective roles in the organization using the User Management link under Portal Administration. This page has a User Management navigation bar just below the hero banner that provides the options described below (shown in figure 3-c).

Figure 3-e: User Management - Navigation bar

Add New Users - This option in the navigation bar presents a web page that allows you to create a new user and assign a specific role to the user.

Manage Users - This option in the navigation bar presents a Web page that allows you to manage existing users of the SRAS Portal. This is the same page that is served by the User Management link under Portal Administration.
Active Directory Settings - This option in the navigation bar presents a web page that allows you to view and edit the active directory settings associated with a user account. In order to view and edit the active directory settings, you must first add the user to SRAS.
Manage Roles - This option in the navigation bar presents the User Roles Web page that allows you to manage existing user roles and create new roles for SRAS Portal user accounts.

Add a new user

1. Click Portal Administration > User Management in the Control Panel. The User Management screen displays.
2. Click Add a New User in the User Management navigation bar. The Add a New User screen displays.

Figure 3-f: Add a New User screen

3. Enter the mandatory details (in bold) to create the new user account. The mandatory fields are briefly described below:
User Name - Indicates the desired login name for the new user.
Title - Indicates the appropriate salutation for the new user.
First Name - Indicates the first name of the new user.
Last Name - Indicates the last name of the new user.
Time Zone - The local time zone for this user.

Business Email - Indicates a valid email address of the user for any further communication.
4. Select a role from the User Role drop-down list that matches the user's profile in the organization.

NOTE
Contractors, consultants, vendors or temporary employee accounts should have their estimated termination date entered as a comment in the Comments or specific requests field.

5. Click Create New User Account to save the information and create the new role-based user account.

Manage users

This option in the navigation bar displays a Web page that enables you to manage existing users of the SRAS Portal. This is the same page that is served by the User Management link under Portal Administration. The User Management screen is divided into three panes:

Pending User Management Tasks - This section provides a tabular representation of all the user management tasks that are pending on the SRAS Portal. Using the details from this table, a user with appropriate privileges can monitor and complete all the user-related tasks that need attention.
Active Users - This section of the User Management page provides a tabular representation of all the active users of the SRAS Portal. View Profile, Suspend, and Delete are the three major functions that a privileged user can perform on user accounts from this page.
Inactive Users - This section of the User Management page provides a tabular representation of all the inactive users of the SRAS Portal. An assessment can be made as to why these users are inactive, and the View Profile, Activate, and Delete functions can be performed on such user accounts from this page.

To complete a pending user management task, follow the instructions below:

1. Click Portal Administration > User Management in the Control Panel. The User Management page displays.
2. Click the Manage Users option on the User Management navigation bar. The User Management page with Pending User Management Tasks displays (as shown in figure 3-e).

Figure 3-g: Pending User Management Tasks

The data displays under the following column names:

Name - Indicates the name of the user for whom the task is pending.
User ID - Indicates the user ID of the user for whom the task is pending.
Location - Indicates the location of the user for whom the task is pending.
Pending Since - Indicates the date since which the task has been pending.
Status - Indicates the current status of the user account, that is Active/Suspended/Locked Out.

3. Click the View Profile link. The User Profile screen displays (as shown in figure 3-f).

Figure 3-h: User Profile screen

4. Click the Suspend User / Reset Password / Edit Profile / Delete User link in the top right corner of the User Profile screen to complete the respective action. These options are mostly used for users who are not active directory users but use active directory credentials.

NOTE
The Pending User Management Tasks section only displays users that have some user-related action pending; for example, users that need an account reset or users who have been locked out due to expired passwords or expired accounts.

To view details of active users and perform any user-related functions, follow the instructions given below:

1. Click Portal Administration > User Management in the Control Panel. The User Management page displays.
2. Click the Manage Users option in the User Management navigation bar. The User Management screen with Active Users displays (as shown in figure 3-g).

Figure 3-i: Active Users

Field names unique to the Active Users pane are described below:
Role (Unit) Modules - Indicates the role that was assigned to the active user at the time of user account creation.
Environment - Indicates the environment settings which the user has set for the customized appearance of the SRAS Portal.
Last Logon - Indicates the date on which the user last accessed the SRAS Portal.
Expires - Indicates the date, if any is set, on which the user account will become invalid/inactive.
Show Inactive Users - This link allows you to view the third and final section of the User Management page, that is the list of inactive users.

3. Click the View Profile link. The User Profile screen displays.

NOTE
Contact Information and Account Information related to the user is available on the User Profile screen.

4. Click the Edit Profile link in the top right corner of the User Profile page. The Edit User Profile screen displays (as shown in figure 3-h).

Figure 3-j: Edit User Profile screen

5. Modify the information in the fields provided.
6. Enter comments in the comments field provided.
7. Click Update User Profile to update the user information.

To view details of inactive users and perform any user-related functions, follow the instructions given below:

1. Click Portal Administration > User Management in the Control Panel. The User Management page displays.
2. Click the Manage Users option in the User Management navigation bar. The User Management screen with Active Users displays.
3. Click the Show Inactive Users link in the bottom left corner of the User Management page. The Inactive Users section displays (as shown in figure 3-i).

Figure 3-k: Inactive Users

Field names unique to the Inactive Users pane are described below:

Date Suspended - Indicates the date on which the user account was suspended or rendered inactive.
Reactivate - This link takes you to the User Profile page with an additional Reactivate User section.
Hide Inactive Users - This link allows you to hide the list of inactive users.

4. Click the View Profile link. The User Profile screen displays.
5. Click the Activate User / Reset Password / Edit Profile / Delete User link to perform the respective action (Activate User link selected for explanatory purposes). The Reactivate User screen displays (as shown in figure 3-j).

Figure 3-l: Reactivate User screen

6. Enter the account expiration date in the field provided or select an appropriate date from the embedded calendar.
7. Select the appropriate radio button to keep the existing password or to assign a new temporary password.
8. Enter the new temporary password if the Assign a new temporary password option is selected.
9. Enter any comments in the Administrator Comments/Notes field.
10. Select the Automatically send the temporary password by email check box to send the password to the user via email.
11. Click Reactivate User to reactivate the user account.

Active directory settings

This option in the navigation bar displays a Web page that enables you to view and edit the active directory settings associated with a user account.

Figure 3-m: Active Directory Settings screen

The AD settings of a user account can be edited by selecting or deselecting the relevant check boxes. Clicking the Edit Connection Settings link displays a pop-up that enables you to edit the active directory account information used to access the SRAS Portal.

Figure 3-n: Edit Active Directory Account

Manage roles

This option in the navigation bar presents the User Roles Web page that allows you to manage existing user roles and create new roles for SRAS Portal user accounts. Follow the instructions below to create a new user role.

1. Click Portal Administration > User Management on the Control Panel. The User Management page displays.
2. Click Manage Roles on the navigation bar. The User Roles page displays.

Figure 3-o: User Roles

The data displays under the following column names:
Name - Indicates the name of the role.
Comment - Indicates any comments entered by the administrator at the time the user account was created.
Organization - Indicates the division/region to which the user account will have access.
HostCategory - Indicates the host category to which the user role is allowed access.
OSType - Indicates the operating system type which the user role has the rights to manage and view.
OSVersion - Indicates the operating system version which the user role has the rights to view and manage. For example, a particular role can have access only to information related to OSType: Windows and OSVersion: Server.

3. Click the Add Role link in the top right corner of the User Roles page. The Add User Role screen displays (as shown in figure 3-n).

Figure 3-p: Add User Role screen

4. Enter an appropriate name for the new role in the Name of Role field.
5. Enter any comments, if necessary, in the Comment field.

6. Select the appropriate option for Set User Organization Type.
7. Click the Host Category drop-down list and select an appropriate host category.
8. Click the OS Type drop-down list and select an appropriate OS type.
9. Click the OS Version drop-down list and select an appropriate OS version.
10. Click Save to add the new user role to the SRAS Portal.
11. Click the appropriate User Role Rights section to expand or collapse the role right selection section.
12. Select or deselect the check boxes for the desired user role rights.
13. Click Save to add the selected user role rights to the new user role.

Scanner Management

The SRAS Portal provides the user with enterprise-wide reports on networks, hosts and assets. All of the reporting capabilities of the SRAS Portal depend upon the data collected by the various scanners, so setting up and managing these scanners is a task of utmost importance. Users can manage these scanners by clicking the Scanner Management branch under Portal Administration. This page has a navigation bar just below the hero banner that provides the following options: Scanner Management Tasks and Alerts, View All Scanners, Agent Updates, and the View Scanners (by type) drop-down list, as shown in figure 3-q.

Figure 3-q: Scanner Management - Navigation Bar

Scanner management tasks and alerts

This option in the navigation bar presents a Web page that allows you to view and edit pending scanner requests and warnings. The Scanner Management Tasks and Alerts screen comprises two panes:

New Registration Requests: This section provides a tabular representation of new scanner registration requests that are awaiting a response from the SRAS Portal. A user can view details such as Hostname, IP, Scan Type, Scanner Type, Version, Status, Added and Updated date here. A user can view, activate or delete new scanners pending registration from here.
Scanner Warnings: This section provides a tabular representation of scanners that have not successfully connected to the server within their defined alert interval. This section is helpful in monitoring individual scanners. A user can view, suspend or delete any dysfunctional scanner from here. The field names in this section are similar to the New Registration Requests section.
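Returning to the Manage roles section above: the Organization, HostCategory, OSType and OSVersion columns together with the User Role Rights check boxes define the object-level security that the User Management section describes. The following is an added example, not the SRAS Portal's own code, that shows how such a role scope combines with a set of rights: an asset is visible only when every restricted scope field matches, and an action is allowed only when the asset is in scope and the role holds the right, with denial as the default. The class and right names, the convention that an unset scope field means "unrestricted", and the sample inventory are assumptions.

```python
"""Role scope and rights check over an asset inventory (added example).

Models the object-level security described under User Management and the
scope columns listed under Manage roles.  Names, the None-as-wildcard
convention and the sample data are assumptions, not SRAS internals.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Asset:
    hostname: str
    organization: str    # division/region
    host_category: str
    os_type: str
    os_version: str


@dataclass(frozen=True)
class Role:
    name: str
    rights: FrozenSet[str]
    organization: Optional[str] = None   # None means "all divisions/regions"
    host_category: Optional[str] = None
    os_type: Optional[str] = None
    os_version: Optional[str] = None


def in_scope(role: Role, asset: Asset) -> bool:
    """True when every restricted scope field on the role matches the asset."""
    checks = (
        (role.organization, asset.organization),
        (role.host_category, asset.host_category),
        (role.os_type, asset.os_type),
        (role.os_version, asset.os_version),
    )
    return all(wanted is None or wanted == actual for wanted, actual in checks)


def visible_assets(role: Role, assets: List[Asset]) -> List[str]:
    """Hostnames the role may see, in inventory order."""
    return [a.hostname for a in assets if in_scope(role, a)]


def authorize(role: Role, right: str, asset: Asset) -> bool:
    """Deny by default: an action needs both the right and the asset in scope."""
    return right in role.rights and in_scope(role, asset)


# Constructed inventory.
INVENTORY = [
    Asset("dc01", "Finance", "Server", "Windows", "Server"),
    Asset("web01", "Finance", "Server", "Linux", "RHEL 5"),
    Asset("ws07", "Finance", "Workstation", "Windows", "XP"),
    Asset("app02", "Engineering", "Server", "Windows", "Server"),
]

# A role like the example in the column descriptions (OSType: Windows,
# OSVersion: Server), further limited to one division, with view-only rights.
FINANCE_WINDOWS_AUDITOR = Role(
    name="Finance Windows Server Auditor",
    rights=frozenset({"view_reports", "view_profile"}),
    organization="Finance",
    os_type="Windows",
    os_version="Server",
)

# An unrestricted role: every scope field left at None.
PORTAL_ADMIN = Role(name="Administrator",
                    rights=frozenset({"view_reports", "view_profile", "edit_credentials"}))

if __name__ == "__main__":
    print(visible_assets(FINANCE_WINDOWS_AUDITOR, INVENTORY))
    print(authorize(FINANCE_WINDOWS_AUDITOR, "edit_credentials", INVENTORY[0]))
```

Keeping the scope test and the rights test as two separate functions makes the audit question "why could this user see that host?" answerable from the role record alone, which is what the Organization and OS columns on the User Roles page are for.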

Follow the instructions below to approve a new scanner registration request:

1. Click Portal Administration > Scanner Management in the Control Panel. The Scanner Management Tasks and Alerts screen displays.

Figure 3-r: Scanner Management Tasks and Alerts - New Registration Requests

Field names unique to the New Registration Requests section are described below:
Hostname - Indicates the name of the scanner whose request is pending.
IP - Indicates the IP address of the scanner.
Scan Type - Indicates the type of scan the scanner is intended to perform. The types of scans are AM - Host Discovery Scans, DS - Network Discovery Scans, CM - Configuration Manager Scans, and VM - Vulnerability Scans.
Scanner Type - Indicates the name of the service related to that type of scan. For example: Host Discovery, Network Discovery, OS Discovery, or Introspect.
Version - Indicates the version number of the scanner.
Status - Indicates the current status of the scanner request.
Added - Indicates the date on which the scanner request was first detected by the SRAS Portal.
Updated - Indicates the date on which the scanner request was last updated.

2. Click the View link in the last column of the New Registration Requests pane to view the scanner details. The View Client Profile screen displays.

Figure 3-s: View Client Profile screen

3. Click the Approve/Reject link to approve or reject the registration request of the scanner.

NOTE
Clicking the Activate, Suspend, or Delete links opens a pop-up window prompting the user to confirm the respective action. For example, clicking Activate opens the Activate Scanner pop-up shown in figure 3-r.

Figure 3-t: Activate Scanner

View all scanners

This option in the navigation bar presents the Scanner Report page. From here the user can view and manage all the scanners that have already been added to the SRAS Portal. Details such as Hostname, IP, Scan Type, Scanner Type, Version, Check-In, Alert, Status, Added and Updated date can be found here. A user can view, suspend, or delete scanners from here.

To view and suspend a scanner, follow the instructions below:

1. Click Portal Administration > Scanner Management in the Control Panel. The Scanner Management Tasks and Alerts screen displays.
2. Click the View All Scanners link on the navigation bar. The Scanner Report screen displays (as shown in figure 3-s).

Figure 3-u: Scanner Report screen - All Scanners

The data displays under the following column names:
Hostname - Indicates the name of the scanner.
IP - Indicates the IP address of the scanner.
Scan Type - Indicates the type of scan the scanner is intended to perform.
Scanner Type - Indicates the type of the scanner, that is Host Discovery, Network Discovery, OS Discovery, or Introspect.
Agent OS Type - Specifies the operating system of the agent.
Version - Indicates the version number of the scanner.
Check-In - Indicates the time interval in seconds after which the scanner needs to check in with the server.
Alert - Indicates the time interval in minutes after which the scanner needs to send an alert message if it is unable to check in with the server.
Status - Status of the scanner (Active/Suspended).
Added - Indicates when the scanner was registered with the portal.
Updated - Indicates when the scanner last checked in.

3. Click the View link in the last column of the Scanner Report table. The View Scanner Profile screen displays (as shown in figure 3-t).

Figure 3-v: View Scanner Profile screen

4. Edit details such as Check In Interval and Alert Interval, or enter a comment in the Comment field, if required.
5. Click Save Configuration to update the scanner details.
6. Click the Suspend/Delete link to deactivate or delete the scanner.
7. To update the Check-In interval for multiple scanners at one time, use the check box to the left of the Hostname column to select one or more scanners. Then enter the Check-In interval (in seconds) for the selected scanner(s) or agent(s), and click Update to apply the new check-in interval to the selected scanners.

View scanners (by type)

This drop-down list in the navigation bar presents the Scanner Report screen with data filtered by scanner type. The types of scanners available are:

Configuration
External Vulnerability
Host Discovery
Net Discovery

OS Discovery
Vulnerability

Agent updates

This option in the navigation bar presents the Agent Updates Web page. From here the user can import the latest agent updates for the SRAS Portal. SRAS can capture data from assets with the help of agentless, dissolving agent, agent based and off-line methodologies. When an organization uses agents that require an update, the updates are managed with this option. When an agent checks in to get instructions, it updates itself using the file placed in this section. This page also provides a tabular representation of all previously loaded updates.

To upload a new agent update, follow the instructions below:

1. Click Portal Administration > Scanner Management in the Control Panel. The Scanner Management Tasks and Alerts screen displays.
2. Click the Agent Updates link on the navigation bar. The Agent Updates page displays (as shown in figure 3-u).

Figure 3-w: Agent Updates

3. Click Browse to locate the latest agent update XML file, as shown in figure 3-v.
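Returning to the Check-In and Alert intervals described under View all scanners: a scanner that stops connecting is a monitoring gap, since the assets it covers silently drop out of every report until someone notices it in the Scanner Warnings pane. The following is an added example, not the SRAS Portal's own code, that applies those two column semantics to a constructed set of scanner records: it lists active scanners whose last check-in (the Updated column) is older than their Alert interval, and it flags a profile whose Alert interval is shorter than its Check-In interval, a combination that would produce a warning on every cycle. The record fields, the sample data and the reference time are constructed.

```python
"""Scanner check-in monitoring (added example, not SRAS code).

Applies the Check-In (seconds) and Alert (minutes) semantics from the
Scanner Report columns to constructed scanner records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Scanner:
    hostname: str
    scanner_type: str
    check_in_seconds: int    # Check-In column
    alert_minutes: int       # Alert column
    last_check_in: datetime  # Updated column
    status: str = "Active"   # Active or Suspended


def config_problems(s: Scanner) -> List[str]:
    """Sanity-check the two intervals before a scanner profile is saved."""
    problems = []
    if s.check_in_seconds <= 0 or s.alert_minutes <= 0:
        problems.append("intervals must be positive")
    elif s.alert_minutes * 60 < s.check_in_seconds:
        # The scanner would be reported missing before it is even due to
        # check in again, so every cycle would raise a warning.
        problems.append("alert interval is shorter than the check-in interval")
    return problems


def overdue_scanners(scanners: List[Scanner], now: datetime) -> List[Tuple[str, float]]:
    """(hostname, minutes overdue) for active scanners silent for longer than
    their alert interval, worst first.  Suspended scanners are expected to be
    silent and are not reported."""
    result = []
    for s in scanners:
        if s.status != "Active":
            continue
        silence_min = (now - s.last_check_in).total_seconds() / 60.0
        overdue = silence_min - s.alert_minutes
        if overdue > 0:
            result.append((s.hostname, round(overdue, 1)))
    return sorted(result, key=lambda item: item[1], reverse=True)


# Constructed reference time and scanner records.
NOW = datetime(2011, 9, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_SCANNERS = [
    Scanner("scan-a", "Host Discovery", 300, 15, NOW - timedelta(minutes=2)),
    Scanner("scan-b", "Vulnerability", 300, 15, NOW - timedelta(minutes=30)),
    Scanner("scan-c", "OS Discovery", 300, 15, NOW - timedelta(days=3), status="Suspended"),
    Scanner("scan-d", "Configuration", 3600, 15, NOW - timedelta(minutes=10)),
    Scanner("scan-e", "Network Discovery", 600, 60, NOW - timedelta(hours=4)),
]

if __name__ == "__main__":
    print(overdue_scanners(SAMPLE_SCANNERS, NOW))
    for s in SAMPLE_SCANNERS:
        for p in config_problems(s):
            print(f"{s.hostname}: {p}")
```

Suspended scanners are excluded deliberately: a scanner you have suspended should not keep raising warnings, but a scanner that stops checking in on its own must never be silently moved out of the active list, which is why the status field is only ever set by an administrator action.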

Figure 3-x: Locate Agent Update XML

4. Click Import Update to import the desired agent update into the SRAS Portal.

NOTE
You may only activate one update at a time per OS Type and Architecture. The active update will be downloaded and installed by agents matching the OS Type and Architecture criteria.

Content Management

The SRAS Portal provides SCAP based vulnerability detection and reporting for operating systems, infrastructure, network applications and databases. It maintains an accurate inventory of system configurations, including installed software, user accounts and system changes, based upon SCAP compliant assessments. The SRAS Portal collects data about configuration changes and about configuration gaps between current settings and those made during initial implementation. It identifies technology or security gaps against an established set of baselines. Thus the content (policies, standards, and signatures) on which SRAS reporting is based must be accurate and up to date at all times. This is achieved using the Content Management branch of Portal Administration. The Content Management section allows the user to update OS signatures and import the latest policy definitions and other important data feeds. The Content Management page is divided into three sections.

OS signatures

An OS signature is created to identify the various hosts found in a customer environment. Symantec regularly updates signatures, and customers can request the creation of special signatures for assets in their environment. If an asset cannot be identified by the SRAS Host and OS Discovery Scanners, it is listed as an unknown asset. This section enables you to view, manage and update the various baseline OS signatures used in the SRAS Portal. Details such as total signatures, custom signatures, last check for updates date, last update applied date, and most recent signature date are present here. A screenshot of the OS Signatures section is given in figure 3-w.

Figure 3-y: Content Management - OS Signatures

Clicking Update Now allows the user to check for OS signature updates and send a request for updates. After setting the various options by selecting or deselecting check boxes, the user can save these settings by clicking Save Settings. The other options available are explained below:

Automatic Updates Settings - A user can enable automatic signature updates by selecting the start time and repetition interval.

Unknown Signature Uploads - A user can send a request to upload unknown signatures. An option is also available to enable automatic upload of unknown signatures during automatic updates.
Export Signatures To XML - A user can export all existing OS signatures from the SRAS Portal in XML format. There are options to export specific signatures based on known/unknown signature type and last update date.
Import Signatures XML - A user can import OS signatures into the SRAS Portal in XML format. The import can be based on the known/unknown signature type.
OVAL Definitions
OVAL (Open Vulnerability and Assessment Language) Definitions detect the presence of software vulnerabilities, configuration issues, programs and patches in terms of system characteristics and configuration information. By specifying logical conditions on the values of system characteristics and configuration attributes, OVAL Definitions characterize exactly which systems are susceptible to a given vulnerability, whether a system's configuration settings meet security policies, and whether particular patches are appropriate for a system. System characteristics include the operating system (OS) installed, settings in the OS, software applications installed and settings in applications, while configuration attributes include registry key settings, file system attributes and configuration files.
This section allows the user to view, manage and update the baseline OVAL definitions used in the SRAS Portal. Details such as total OVAL updates, the date of the last check for updates, and the most recent update date are shown here. A screenshot of the OVAL Definitions section is given in Figure 3-z.
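As an added illustration of the logic an OVAL definition expresses (example code written for this guide, not SRAS code or an OVAL interpreter), the following Python evaluates a small OVAL-style criteria tree against collected system characteristics. The definition, test names, patch name and host data are constructed placeholders, and object and state are folded into each test, which real OVAL keeps in separate sections of the document.

```python
"""Simplified OVAL-style criteria evaluation (added example, not SRAS code).

A real OVAL definition references tests, objects and states held in separate
sections; here object and state are folded into each <test> so the constructed
definition fits in one string.  All names are placeholders."""
import xml.etree.ElementTree as ET

# Constructed, OVAL-style definition (assumption: placeholder content, not a
# real OVAL definition).  It reads: vulnerable if the OS is "ExampleOS 1.0"
# AND patch "EXAMPLE-PATCH" is absent AND (telnet is enabled OR the example
# registry value is "1").
DEFINITION_XML = """
<definition id="oval:example:def:1" class="vulnerability">
  <criteria operator="AND">
    <criterion test_ref="t_os"/>
    <criterion test_ref="t_patch" negate="true"/>
    <criteria operator="OR">
      <criterion test_ref="t_telnet"/>
      <criterion test_ref="t_registry"/>
    </criteria>
  </criteria>
  <tests>
    <test id="t_os" item="os.name" op="equals" value="ExampleOS 1.0"/>
    <test id="t_patch" item="patches" op="contains" value="EXAMPLE-PATCH"/>
    <test id="t_telnet" item="service.telnet" op="equals" value="enabled"/>
    <test id="t_registry" item="registry.example_setting" op="equals" value="1"/>
  </tests>
</definition>
"""

OPS = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected in actual,
}


def load_definition(xml_text):
    root = ET.fromstring(xml_text.strip())
    tests = {t.get("id"): t.attrib for t in root.find("tests")}
    return root.find("criteria"), tests


def eval_test(test, characteristics):
    """A test is true when the collected item satisfies op/value.  An item that
    was not collected evaluates false here (assumption; real OVAL distinguishes
    'not evaluated' and 'error' results from 'false')."""
    actual = characteristics.get(test["item"])
    if actual is None:
        return False
    return OPS[test["op"]](actual, test["value"])


def eval_node(node, tests, characteristics):
    """Recursively evaluate a <criteria>/<criterion> tree with AND, OR and negate."""
    if node.tag == "criterion":
        result = eval_test(tests[node.get("test_ref")], characteristics)
    else:
        results = [eval_node(child, tests, characteristics) for child in node]
        result = all(results) if node.get("operator") == "AND" else any(results)
    return not result if node.get("negate") == "true" else result


def is_vulnerable(xml_text, characteristics):
    criteria, tests = load_definition(xml_text)
    return eval_node(criteria, tests, characteristics)


# Constructed system characteristics, as a configuration scan might collect.
EXPOSED = {"os.name": "ExampleOS 1.0", "patches": set(),
           "service.telnet": "disabled", "registry.example_setting": "1"}
PATCHED = {"os.name": "ExampleOS 1.0", "patches": {"EXAMPLE-PATCH"},
           "service.telnet": "enabled", "registry.example_setting": "1"}
OTHER_OS = {"os.name": "ExampleOS 2.0", "patches": set(),
            "service.telnet": "enabled", "registry.example_setting": "1"}
PARTIAL = {"os.name": "ExampleOS 1.0", "patches": set()}   # telnet/registry not collected

if __name__ == "__main__":
    for name, host in [("exposed", EXPOSED), ("patched", PATCHED),
                       ("other", OTHER_OS), ("partial", PARTIAL)]:
        print(name, is_vulnerable(DEFINITION_XML, host))
```

The PARTIAL host shows the practical caveat: when a configuration scan fails to collect an item (no credentials, service stopped), the definition evaluates false and the host looks clean, so treat incomplete collections as gaps rather than negative results.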

Figure 3-z: Content Management - OVAL Definitions
Clicking Update Now checks for OVAL updates and sends a request for updates. After setting the various options by selecting or clearing check boxes, the user can save these settings by clicking Save Settings. The other options available are explained below:
Supported OVAL Updates - A user can enable automatic download of OVAL definitions together with Windows updates.
Automatic Updates Settings - A user can enable automatic OVAL definition updates by selecting the start time and repetition interval.
Import OVAL Definitions - A user can manually import OVAL definitions and the CPE (Common Platform Enumeration) Dictionary.
DeepSight DataFeeds
DeepSight DataFeed is a single, customized source of vulnerability information, including mitigation guidance, impact analysis and links to security patches. DeepSight DataFeed also provides adware, spyware and malicious code alerts based on detailed analysis of active threats.

Symantec DeepSight DataFeeds via Web Services provides an automated process to retrieve vulnerability SCAP information and integrate it into the Risk Automation Suite interface. Symantec Risk Automation Suite provides customers with many views of their network assets. As part of the complete cycle from early-warning detection to remediation, RAS now provides a means to cross-reference these assets with the early warnings that Symantec DeepSight provides. This initial integration focuses on the SCAP criteria: the CPE identifiers within RAS are cross-referenced with the CPE identifiers in the SCAP data feeds.
This section enables you to view and manage the DeepSight feed files used in the SRAS Portal. Details such as Total Vulnerability SCAP Records, Total Feed Files Processed, Last Check for Updates date and Last Update Applied date are shown here.
NOTE Before you can enable the DeepSight DataFeeds integration with RAS, you must obtain valid DeepSight credentials.
1. Click Portal Administration > Content Management in the Control Panel. The Content Management screen displays.
2. In the DeepSight DataFeeds pane, click Update Now to check for the latest DeepSight DataFeeds and send a request for updates.
3. Under Automatic Updates Settings, select the Enable automatic DeepSight DataFeeds updates check box.
4. Select the start time and repetition interval.
5. Enter your DeepSight credentials in the Username and Password fields.
6. Click Save Settings.
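The cross-reference described above, as an added example written for this guide rather than the SRAS or DeepSight implementation: it matches inventory CPE identifiers against the CPE lists carried by feed records. It assumes both sides use CPE 2.2 URIs (cpe:/part:vendor:product:version:update:edition:language) and that a component left unspecified in a feed CPE matches any value on the asset side; the inventory, vendors, products and record ids are constructed placeholders.

```python
"""Cross-referencing inventory CPE identifiers with vulnerability feed CPEs.

Added example; not the SRAS or DeepSight implementation.  Assumes CPE 2.2 URIs
on both sides and that an unspecified feed component matches anything."""

COMPONENTS = 7


def parse_cpe(uri):
    """Split a CPE 2.2 URI into its 7 components, padding omitted trailing
    components with '' (unspecified).  Comparison is case-insensitive."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].lower().split(":")
    if not 1 <= len(parts) <= COMPONENTS:
        raise ValueError("bad component count in %r" % uri)
    return parts + [""] * (COMPONENTS - len(parts))


def cpe_matches(asset_cpe, feed_cpe):
    """True when every feed component is unspecified or equals the asset's.
    An asset CPE with an unknown version therefore does NOT match a feed CPE
    that names a specific version: the match is conservative, and such assets
    need their version collected before they can be cleared."""
    return all(f in ("", a) for a, f in zip(parse_cpe(asset_cpe), parse_cpe(feed_cpe)))


def cross_reference(assets, feed):
    """Map each host to the ids of feed records whose CPE list matches one of
    the host's CPEs, preserving feed order.  Hosts with no hits are omitted."""
    hits = {}
    for host, cpes in assets.items():
        for record in feed:
            if any(cpe_matches(a, f) for a in cpes for f in record["cpes"]):
                hits.setdefault(host, []).append(record["id"])
    return hits


# Constructed inventory and feed records with placeholder vendors and
# products; not real DeepSight data.
ASSETS = {
    "web01": ["cpe:/o:examplevendor:exampleos:1.0", "cpe:/a:exampleapp:httpd:2.2"],
    "db01": ["cpe:/o:examplevendor:exampleos:1.0", "cpe:/a:exampleapp:dbserver:5.1:sp2"],
    "lap07": ["cpe:/o:examplevendor:exampleos:2.0"],
    "sw01": ["cpe:/h:examplevendor:switch"],
}
FEED = [
    {"id": "record-1", "cpes": ["cpe:/a:exampleapp:httpd:2.2", "cpe:/a:exampleapp:httpd:2.1"]},
    {"id": "record-2", "cpes": ["cpe:/o:examplevendor:exampleos"]},      # any version
    {"id": "record-3", "cpes": ["cpe:/a:exampleapp:dbserver:5.1:sp1"]},  # sp1 only
]

if __name__ == "__main__":
    for host, records in cross_reference(ASSETS, FEED).items():
        print(host, records)
```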

Figure 3-aa: Content Management - DeepSight DataFeeds
NOTE DeepSight credentials are mandatory for automatic DeepSight DataFeeds updates. See the Reporting chapter for information about the DeepSight DataFeeds Vulnerability report.
Application log
The SRAS Portal automatically maintains a log of the events that occur whenever a user signs in to and uses the Portal. This event log is useful for monitoring the overall activity of all users on the Portal; in particular, failed sign-ins are recorded as Failure Audit events, so repeated failures against administrator accounts can be spotted here. View the event log by clicking Portal Administration > Portal Configuration > Application Log. This displays the Application Event Log screen.

Figure 3-ab: Application Event Log screen
The columns unique to the Application Event Log screen are described below:
Summary - A brief description of the event.
Detail - A detailed description of the event.
Category - The category under which the event falls. There are three event categories: Failure Audit, Information and Success Audit.
Added - The date and time at which the event occurred.
View Events by Category - Filters the list by the event category selected from the drop-down list.
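As an added example of the kind of check the Application Event Log supports (code written for this guide, not SRAS functionality), the following Python walks constructed log rows with the four columns above and flags a burst of Failure Audit sign-in events for one account, and a Success Audit that follows such a burst, which is the pattern of a password-guessing attack that eventually succeeded. The row values, the "user=... src=..." Detail format and the thresholds are assumptions.

```python
"""Sign-in abuse detection over Application Event Log rows (added example,
not SRAS code).  Rows are (Summary, Detail, Category, Added); the Detail
format 'key=value key=value' is an assumption of this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Application Event Log rows; not real SRAS output.
EVENTS = [
    ("User sign-in failed", "user=jdoe src=10.0.5.21", "Failure Audit", "2011-09-12 08:00:01"),
    ("User sign-in failed", "user=jdoe src=10.0.5.21", "Failure Audit", "2011-09-12 08:00:10"),
    ("User sign-in failed", "user=jdoe src=10.0.5.21", "Failure Audit", "2011-09-12 08:00:19"),
    ("User sign-in failed", "user=jdoe src=10.0.5.21", "Failure Audit", "2011-09-12 08:00:30"),
    ("User sign-in failed", "user=jdoe src=10.0.5.21", "Failure Audit", "2011-09-12 08:00:45"),
    ("User signed in", "user=jdoe src=10.0.5.21", "Success Audit", "2011-09-12 08:01:02"),
    ("User sign-in failed", "user=asmith src=10.0.7.3", "Failure Audit", "2011-09-12 08:05:00"),
    ("User signed in", "user=asmith src=10.0.7.3", "Success Audit", "2011-09-12 08:05:20"),
    ("Scan schedule created", "user=asmith schedule=weekly-netdisc", "Information", "2011-09-12 08:06:00"),
]


def parse_detail(detail):
    """'user=jdoe src=10.0.5.21' -> {'user': 'jdoe', 'src': '10.0.5.21'}"""
    return dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)


def find_signin_abuse(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in time order:
    ('burst', user, n) when the n-th Failure Audit for a user lands inside
    `window` (n == threshold, reported once per burst), and
    ('success_after_failures', user, n) when a Success Audit for the user
    follows at least `threshold` failures inside the window."""
    recent = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for _summary, detail, category, added in sorted(events, key=lambda e: e[3]):
        if category not in ("Failure Audit", "Success Audit"):
            continue                       # Information rows are not sign-in outcomes
        user = parse_detail(detail).get("user")
        if not user:
            continue
        ts = datetime.strptime(added, "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        while q and ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if category == "Failure Audit":
            q.append(ts)
            if len(q) == threshold:
                alerts.append(("burst", user, len(q)))
        elif len(q) >= threshold:
            alerts.append(("success_after_failures", user, len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_signin_abuse(EVENTS):
        print(alert)
```

The single asmith failure followed by a success is normal behaviour and produces nothing; tune threshold and window to the lockout policy of the directory the Portal authenticates against.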


Chapter 4 Symantec Risk Automation Suite - Module Management
This chapter provides clear and succinct instructions for performing the various scans supported by the Symantec Risk Automation Suite and for managing the discovered IT resources. The topics covered in this chapter correspond directly to the Module Management selections within the Control Panel:
Configuration
Discovery
Vulnerability
Organize Assets
Global Blacklist
Types of Scanning
Before describing the scan types in technical detail, it is worth defining the overall purpose and end goal of each. The topics are described in an order which, if followed, simplifies the tasks of an SRAS Portal user.
Discovery scans
Discovery scans are agentless scans that identify information assets within a defined network environment. Scanning reveals physical devices (active IPs) and allows the user to organize those assets logically. This gives information security, internal audit and IT Operations groups an automated way to inventory the active, online hosts on a network. This detective and preventive enterprise process helps minimize the gap between authorized and unauthorized assets within a given network. Periodic asset discovery scans allow reconciliation between inventoried assets and newly discovered assets introduced into the network at any point in time. This scan is also the first step in identifying and managing IT resources: the organizational structure of the company used in the SRAS Portal is built around the results of the Discovery Scans. Discovery Scans come in three flavors:

Chapter 4 - Symantec Risk Automation Suite - Module Management
Network Discovery scan: Detects all active network segments within the enterprise.
Host Discovery scan: Identifies all the active hosts on those networks.
OS scan: Starts automatically if the Host Discovery Scan is unable to identify the specific host type.
Only the Network and Host Discovery Scans are scheduled.
Best Practice: Network Discovery Scans should be scheduled to run automatically and periodically, that is weekly or monthly. Host Discovery Scans should be scheduled to run automatically every day, which maintains a current and accurate inventory of all assets.
Configuration scans
Configuration scans are authenticated scans that require credentials. They provide an automated solution for collecting configuration data and configuration changes, and for identifying configuration gaps. They provide an automated, repeatable process to identify technology and/or security gaps against an established set of baselines (in conjunction with the Policy Management module). Configuration scans collect information such as hardware configuration, installed software and system settings. They provide full OVAL support and are used for OVAL-based checks for both configuration and vulnerability needs. Configuration scans can use agentless, agent-based, dissolving-agent or offline methodologies.
Vulnerability scans
These scans provide a controlled test of your information assets in order to identify security vulnerabilities and missing patches. They provide a proactive solution for safeguarding information assets by detecting vulnerabilities that pose serious risks to information systems and applications. SRAS manages these scans through a unified, intuitive interface for vulnerability management.
Vulnerability scans within SRAS come in two forms. The first is the OVAL-based authenticated scan included in Configuration Scans. The second is for Risk Automation Suite to manage third-party vulnerability scanners and include the vulnerabilities they identify in the SRAS database. Vulnerability scans have the potential to be disruptive to certain hosts within a target network, so Symantec recommends planning vulnerability scans to avoid disruptions. SRAS provides a number of mechanisms to facilitate problem-free vulnerability scanning, such as throttling, blacklisting and targeted scanning.
Scanning
The SRAS Portal manages all agentless scans, which require little to no local administration of the scanned targets. Discovery Scans and unauthenticated vulnerability scans should be executed in time frames of lower network usage. It is very important to consider the type and objective of a scan. Servers are stationary, so the data center and servers can be scanned in the late evening. For best results in the non-server environment, scans should run during the day, when desktops and laptops are on and available to be scanned. Network Discovery scans can be scheduled at any time, but it is better to run Host Discovery scans during the day, when more desktops and laptops are available. Although the SRAS patent-pending scanning engine keeps its impact on network usage controlled and negligible, it still achieves a quick turnaround time for each scan type.
The SRAS Portal uses an IIS Web server with an MS SQL database instance for data storage. All data is stored and maintained within the database; each scanning engine submits its collected data through Web services and does not store any data itself. Typical administration takes place through the SRAS Web interface, where scanning is managed by the administrator(s). Most scanning navigation is done from Control Panel > Module Management, as shown in Figure 4-a.
Figure 4-a: Control Panel > Module Management
Scheduling scans
To schedule scans, navigate through the options in the Control Panel. From the Module Management parent node, an administrator can expand the three scan types and their child nodes: Configuration, Discovery and Vulnerability. The sub-nodes within each child node provide administration of the following primary functions:
Scan Scheduling
Scan Queue
Scan History
Data Import (unique to configuration scans)
Results Filtering (unique to vulnerability scans)

From within these sub-nodes, detailed scheduling information related to network, host, time and date can be obtained. Each section's child nodes provide additional sub-nodes with features unique to those scan types; each of these options is covered later in this User Guide. Recurring processes need to be scheduled only once through the Portal. The Portal incorporates blacklisting, bandwidth throttling and other features for ease of use; more details on these scanning features are provided in this chapter.
Credentialed scans
Some scanning requires the use of credentials. Credential information for these authorized scans is governed by the Portal Administration page. Credentials at the host or domain level are managed via Portal Administration > Credential Management, as shown in Figure 4-b.
Figure 4-b: Credential management options
The credentials used in scanning require Administrator-level privileges on the hosts to be scanned, because of the detailed configuration and security settings collected. Only the Configuration scanning module requires credentials; Discovery scans and Vulnerability scans do not. Because these are administrator credentials, use a dedicated scanning account rather than a personal or shared administrator account, restrict where it is allowed to log on, and review its use in the target hosts' logon audit records.
Security
All data to and from the Portal is encrypted with Secure Sockets Layer (SSL). Stored credentials are additionally encrypted with Triple DES (3DES) to protect their confidentiality. Role-based access is supported for the Auditor, User and Administrator roles. In addition, object-level security is implemented on the data, with the ability to restrict access by business unit and/or location.
Service oriented architecture (SOA)
The SRAS SOA architecture ensures flexibility and interoperability in the scanning of network devices, hosts and appliances. The fundamental design principle revolves around loosely defined services that can easily be coupled with other services to provide new processes.

Services employed for each of the SRAS scanning modules are independent services. As a result, a true enterprise scope is achieved through this architecture: changing or growing needs do not prevent future processes from being incorporated into the SRAS Portal or coupled into other new or custom enterprise processes.
Common scanning challenges
As briefly mentioned before, executing scans, regardless of technology and communication vector, requires a strategic approach to ensure a successful result each time and to minimize needless overhead. These issues occur frequently if scans are executed in an ad-hoc manner:
Overall scanning objective not completed.
Target systems/networks inadvertently missed.
Overburdening network channels with high utilization or low bandwidth.
Not running scans on a consistent and timely basis.
Failed authentication when scanning (for authorized scans).
Because of these issues, Symantec recommends planned, regular, scheduled scans of the enterprise environment with periodic review of objectives and coverage.
Pre-scan guidance
Symantec Corporation recognizes that administrators of the SRAS Portal do not serve as data or host custodians for all of the targeted hosts in a given network. As a result, some degree of dependency and preparation is needed to ensure that technical and non-technical dependencies in a given environment do not preclude a successful scan. Both technical and non-technical dependencies need to be checked off to ensure that periodic or one-time scans complete successfully. Setting up new scans should generally not be a regular occurrence, as most scans should repeat based on pre-configured settings. Unless your environment is constantly changing, this process should be infrequent, so that the user can focus on interpreting results and reviewing reports rather than managing process.
Pre-scan checklist
Below is a basic list of preliminary checks recommended before using the Configuration, Discovery or Vulnerability scanning modules within the Portal.
Non-technical
Define a list of the network administrators, system administrators, custodians, data owners and others who are stakeholders in the collection of data by the SRAS Portal.
Obtain permission from the appropriate resources within IT Operations and the relevant Business Units to conduct the scans.

Create an emergency support matrix of key individuals who can provide support if disruptions or events occur during the scanning windows.
Involve relevant third parties who need to be made aware that scans may occur. Address incident response procedures with those organizations in the event of a disruption.
Verify that conflicting scan schedules do not exist.
Technical
Verify credential information for the configuration scans to be conducted. Ensure that this information is current, pursuant to any password aging policies that govern it.
Ensure the accuracy of the target hosts/networks to be included for each module, particularly any subnet mask information previously stored within the Portal.
Ensure the accuracy of the blacklisted IPs previously defined within the Portal.
Ensure that any errors affecting the SRAS platform (OS, database, etc.) have been resolved before executing additional scans.
Define the scope of assets to be scanned (hosts, network subnets, etc.).
Be aware of any changes within the network management and Windows domain environment, such as new SNMP community strings, access lists, new or defunct Windows domains, host firewall settings, etc.
Be aware of changes to switches and routers within the defined target network environment. Changes to these traversal points could adversely affect performance (for example, port configuration, network interface speed, duplexing, etc.).
Discovery Scan
Many features and options within Discovery Scanning are comparable to those of the other scanning modules, so similar features and options will be present. One noticeable difference is that the main scheduling page presents network discovery separately from host discovery options.
The next few sections guide you through the features of the Discovery scanning module.
Scan scheduling
Scheduled scans are an important component of the SRAS Portal. The scan scheduling feature enables you to configure scans that run automatically at a specific date and time; scheduled scans can also run periodically. Various settings can be adjusted for scheduled scans to meet the needs of your environment. Scan scheduling is common to all scan types and is a very important function for automating risk and vulnerability assessment. For ease of understanding, we begin with the Network Discovery capabilities of the Discovery module and how to navigate the windows used to configure these scans.

The Discovery Scan module is accessed from Module Management > Discovery in the Control Panel. This displays the Discovery Scan Scheduling links. Discovery Scan Scheduling is divided into two types, Network Discovery and Host Discovery, as shown in Figure 4-c.
Network Discovery - This screen enables you to view and manage all Network Discovery scans in the SRAS Portal. You can perform the View/Edit Schedule, View Scan Queue and Suspend Network Discovery functions from this screen.
Host Discovery - This screen enables you to view and manage all Host Discovery scans in the SRAS Portal. You can perform the Add New Schedule, View/Edit Schedules, View Authorized Criteria, View Port List, View Scan Queue and Suspend Host Discovery functions from this screen.
Figure 4-c: Discovery Scan Scheduling links - Network and Host Discovery
Network discovery
Network discovery is the first step in starting a new asset inventory. It is designed to identify the subnets within your internal network: it combs large ranges of IP addresses to find the subnets in use. It typically scans the private (RFC 1918) IP ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, plus any public IP ranges that you use internally. Keep in mind that Network discovery only finds the subnets; it does not discover the individual hosts on those networks. Discovering hosts is the job of Host Discovery, discussed in the next section.
NOTE Network Discovery should be run once a month. This automated scan can identify all subnets in a Class A network range in a few hours and in a Class B in a few minutes.
To add a schedule and view the scan queue, follow the instructions below:
1. Click Module Management > Discovery > Network Scan Scheduling in the Control Panel. The Network Discovery Scan Scheduling screen displays, as shown in Figure 4-c.
2. Click the Add New Schedule link in the Network Discovery pane, as shown in Figure 4-c.
This displays the Network Discovery Scan Schedule screen shown in Figure 4-d. This is where you define the target network scan configuration, such as ranges, frequency and throttling of network scans.

Figure 4-d: Network Discovery Scan Schedule - View/Edit Schedule
3. Enter the desired network range.
NOTE For each range of potential network addresses, enter between one and sixteen class B networks. Figure 4-e and Figure 4-f show examples of IP address ranges for network discovery.
Figure 4-e: Network discovery of the x.x address range
Figure 4-f: Network discovery of the x.x x.x address range
NOTE To minimize bandwidth consumption, it is recommended that the bandwidth throttle not exceed 500 Kbps for network discovery. At this speed, a single class B address space is scanned in approximately 5 minutes. For an expedient network discovery, limit the scope of potential network ranges to those known to be used within the corporate network. For a thorough network discovery, enter all private and/or public IP address space used by the enterprise; a thorough scan of all private address space can take up to 24 hours to complete. After the network ranges are added they are placed in the discovery queue, and discovery of the first network range begins.

4. Click Next to continue to the Scan Frequency step. Click One Time Scan to run the scan once, or click Recurring Scan to repeat the scan at a given interval, as shown in Figure 4-g.
Figure 4-g: Schedule Scan Frequency
5. Click Next to display the next step, Scan Schedule, as pictured in Figure 4-h. Use this interface to create one or more timeslots in which a scan can begin. New scans will not begin outside a timeslot window. Scans that have already started continue to completion even if they exceed the timeslot end time.
Figure 4-h: Scan Schedule Timeslot
Click Edit to modify an existing timeslot row, and Update to save the changes. Click Add New Timeslot to add additional timeslots.
NOTE A single timeslot is not permitted to cross midnight. If a scan schedule is to continue through midnight, add a second timeslot for the additional time. For example, to schedule scans from 6:00 PM to 6:00 AM, create two timeslots: one from 6:00 PM to 11:59 PM and another from 12:00 AM to 6:00 AM.
6. Click Next to display the next step, Scan Options, as pictured in Figure 4-i.
Figure 4-i: Network Scan Options
7. Optionally select the appropriate scanner client group. To add or edit a group, click the (add/edit groups) link. A scanner group comprises one or more scanners that will monitor this scan schedule.
8. Optionally set the Scan Priority. Scan priority applies only to new scans; changing it does not change the priority of an already running scan. The available options are:

Normal
High
Critical
9. Set the appropriate Throttle Type and setting. For network discovery, the only throttle type is Bandwidth, with values ranging from 10 Kbps to 100 Mbps.
10. Click Next to display the next step, Schedule Identification.
Figure 4-j: Schedule Identification
11. Enter a unique title for this schedule and a schedule description in the fields provided.
12. Click Finish to create the network scan schedule.
13. Click Return To Scan Scheduling to return to the scan scheduling screen, where another schedule can be created. Optionally click Show Scan Queue to go to the scan queue page, where scans can be monitored.
14. Suspend Network Discovery/Activate Network Discovery provides a hot switch to enable or disable additional network discovery scans.
NOTE Currently running scans will complete, but no further scans will start until network discovery is re-activated.
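Two of the rules in the schedule above, the one-to-sixteen class B limit per network range (step 3) and the rule that a timeslot may not cross midnight (step 5), are easy to get wrong when schedules are prepared in bulk. The following Python is an added example written for this guide, not Portal code: it counts the class B networks a from/to range touches, splits an overnight window into the two timeslots the Portal requires, and computes when a queued scan may next start. It assumes range endpoints are IPv4 addresses and timeslots are minute-granular HH:MM times, which is how the Portal fields are described.

```python
"""Input checks for a network discovery schedule (added example, not SRAS
code): the 1-16 class B limit per range and the no-midnight-crossing rule."""
import ipaddress
from datetime import datetime, time, timedelta

MAX_CLASS_B = 16   # from the schedule note: one to sixteen class B networks per range


def class_b_count(first_ip, last_ip):
    """Number of /16 (class B) blocks a from/to range touches.
    Raises ValueError if the end address precedes the start."""
    lo, hi = ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip)
    if hi < lo:
        raise ValueError("range end %s precedes start %s" % (hi, lo))
    return (int(hi) >> 16) - (int(lo) >> 16) + 1


def range_is_valid(first_ip, last_ip):
    """True when the range is well-formed and within the class B limit."""
    try:
        return class_b_count(first_ip, last_ip) <= MAX_CLASS_B
    except (ValueError, ipaddress.AddressValueError):
        return False


def split_timeslot(start, end):
    """Turn a start/end window into Portal timeslots.  A window whose end is
    not after its start wraps past midnight and becomes two slots."""
    if end > start:
        return [(start, end)]
    return [(start, time(23, 59)), (time(0, 0), end)]


def in_timeslot(when, slots):
    """True if a new scan may start at `when` (timeslots are minute-granular)."""
    t = when.time().replace(second=0, microsecond=0)
    return any(s <= t <= e for s, e in slots)


def next_permitted_start(when, slots):
    """Earliest moment at or after `when` at which a queued scan may begin."""
    if in_timeslot(when, slots):
        return when
    starts = [datetime.combine(when.date(), s) for s, _ in slots]
    return min(s if s > when else s + timedelta(days=1) for s in starts)


if __name__ == "__main__":
    print(class_b_count("10.0.0.0", "10.15.255.255"), range_is_valid("10.0.0.0", "10.16.0.0"))
    overnight = split_timeslot(time(18, 0), time(6, 0))
    print(overnight)
    print(next_permitted_start(datetime(2011, 9, 12, 12, 0), overnight))
```

The 23:59 end of the first slot and the 00:00 start of the second leave no gap at minute granularity, which is why the Portal's example pairs those two times.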

15. Click the View Scan Queue link in the Network Discovery Scan Scheduling screen, as shown in Figure 4-c, to view the scan queue and check the status of scans. The Discovery Scan Queue screen displays, as shown in Figure 4-k.
Figure 4-k: Discovery Scan Queue
Queued scans are launched in order of priority first and then by next scan date. The Discovery Scan Queue screen is divided into two panes.
Current Discovery Scans - Enables you to view Discovery scans that are actively running against the targeted assets. This pane displays the following columns:
- Target: Network range or asset being scanned.
- Type: Name of the discovery module running the scan.
- Scan Schedule: Name of the schedule from which the scan originates.
- Scan Start: Time and date when the scan started.
- Completion: Percentage of scan progress.
- Status: General status of the scan.
- Actions: Action links to control the specific active scan.
Pause - Temporarily pauses an active scan.
Reset - Restarts the active scan.
Suspend - Aborts the active scan. The next scan is picked up accordingly.
Queued Discovery Scans - Enables you to view planned Discovery scans that are in the queue. This pane displays the following columns:
- Target: Network range or asset being scanned.
- Type: Name of the discovery module running the scan.
- Scan Schedule: Name of the schedule from which the scan originates.
- Next Scan: Time and date of the next time the scan will run.

- Priority: Denotes whether the scan is a priority scan. Priority scans ignore time restrictions and run at the next available time.
- Status: General status of the scan.
- Actions: Action links to control the specific queued scan.
Scan Now - Begins this scan now rather than waiting for the next scan time.
Skip - Does not run this scheduled scan; queues up the next scheduled scan time.
Suspend - Active scans continue, but no new scans begin while suspended.
Delete - Deletes this scan schedule.
Host discovery
Host discovery drives many of the other integrated processes within the SRAS suite. It inventories individual subnets to discover the hosts on those subnets, network application and service port information, operating systems, etc. Similar to Network Discovery, the host discovery process is designed to work anonymously, without any credential information for the hosts on those networks. However, SNMP community information provides additional valuable information, especially for rogue status determination and OS identification of network devices. In addition, by recording the approved domains (before or after scanning), any asset found on an unapproved domain is assigned a rogue status.
OS Discovery is a complementary component of host discovery. It scans individual hosts that remain unidentified by the host discovery scan. OS Discovery runs automatically based on the results of a host discovery scan and is not controlled or scheduled by the user/administrator.
Access the Host Discovery screen by clicking Module Management > Discovery > Discovery Scan Scheduling in the Control Panel. The Discovery Scan Scheduling screen displays, as shown in Figure 4-l.
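The preliminary rogue-status rule described above (a host is authorized when it belongs to an approved domain or workgroup, or is a device that answers an approved SNMP community string, and rogue otherwise), as an added example written for this guide rather than SRAS code. The criteria values, host records and their field names are constructed; a device's community string is known only because the scanner was configured with it and the device answered.

```python
"""Preliminary rogue-status determination from authorized criteria.

Added example, not SRAS code.  Host record fields (domain, workgroup,
snmp_community) and the criteria values are assumptions."""

# Constructed authorized criteria (placeholder names, not real values).
AUTHORIZED = {
    "domains": {"corp.example.com", "lab.example.com"},
    "workgroups": {"BUILDLAB"},
    "snmp_communities": {"inv-ro-7f3a"},
}

# Constructed host discovery results.
HOSTS = [
    {"ip": "10.1.2.10", "domain": "corp.example.com"},
    {"ip": "10.1.2.11", "domain": "CORP.EXAMPLE.COM"},      # case differs
    {"ip": "10.1.2.50", "workgroup": "WORKGROUP"},           # default workgroup
    {"ip": "10.1.3.1", "snmp_community": "inv-ro-7f3a"},     # managed switch
    {"ip": "10.1.3.2", "snmp_community": "public"},          # default community
    {"ip": "10.1.9.9"},                                      # nothing identified
]


def preliminary_status(host, authorized):
    """Return ('authorized' | 'rogue', reason).  Domain and workgroup names are
    compared case-insensitively; SNMP community strings are case-sensitive
    because devices treat them that way."""
    domain = host.get("domain", "").lower()
    if domain and domain in {d.lower() for d in authorized["domains"]}:
        return "authorized", "member of authorized domain %s" % domain
    workgroup = host.get("workgroup", "").upper()
    if workgroup and workgroup in {w.upper() for w in authorized["workgroups"]}:
        return "authorized", "member of authorized workgroup %s" % workgroup
    community = host.get("snmp_community")
    if community and community in authorized["snmp_communities"]:
        return "authorized", "answers authorized SNMP community"
    return "rogue", "no authorized criteria matched"


def classify(hosts, authorized):
    """Map ip -> preliminary status for a discovery result set."""
    return {h["ip"]: preliminary_status(h, authorized)[0] for h in hosts}


def weak_criteria(authorized, defaults=("public", "private")):
    """Authorized community strings that are vendor defaults.  Any device that
    answers them would be marked authorized, so they should not be listed."""
    return sorted(c for c in authorized["snmp_communities"] if c.lower() in defaults)


if __name__ == "__main__":
    for ip, status in classify(HOSTS, AUTHORIZED).items():
        print(ip, status)
    print("weak criteria:", weak_criteria(AUTHORIZED))
```

The two default-valued hosts (workgroup WORKGROUP, community public) come out rogue precisely because those defaults are not in the criteria; weak_criteria is the check to run before saving the authorized list.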
Figure 4-l: Host Discovery Scan Scheduling
The following information can be used as scan criteria for host discovery:
Network Related Info:
- Internal Networks
- Geographic Area/Location/Region/Division
- Category
- Classification
Port Related Info:
- TCP/UDP ports by port category
- Specific TCP/UDP ports to use during the scan
Frequency Related Info:
- One-time scan
- Flexibility for recurring scans
- Date and time of scan
- Client (scanning) bandwidth throttling levels
To add a new Host Discovery schedule, follow the instructions below:
1. Click the Add New Schedule link. The Add Host Discovery Scan screen displays, as shown in Figure 4-m.
2. Click Show Filter Options to select target host networks by options such as Network Type, Region/Division, Category and Classification.
Figure 4-m: Add New Schedule - Step 1 Select Scan Targets
3. Select the appropriate filter criteria and select the appropriate network targets.
4. Click Next to continue to the Scan Frequency step. Click One Time Scan to run the scan once, or click Recurring Scan to repeat the scan at a given interval, as shown in Figure 4-g.
5. Click Next to display the next step, Scan Schedule, as pictured in Figure 4-h. Use this interface to create one or more timeslots in which a scan can begin. New scans will not begin outside a timeslot window. Scans that have already started continue to completion even if they exceed the timeslot end time.

Click Edit to modify an existing timeslot row, and Update to save the changes. Click Add New Timeslot to add additional timeslots.
NOTE A single timeslot is not permitted to cross midnight. If a scan schedule is to continue through midnight, add a second timeslot for the additional time. For example, to schedule scans from 6:00 PM to 6:00 AM, create two timeslots: one from 6:00 PM to 11:59 PM and another from 12:00 AM to 6:00 AM.
6. Click Next to display the next step, Scan Options, as pictured in Figure 4-n.
Figure 4-n: Host Discovery Scan Options
7. Optionally select the appropriate scanner client group. To add or edit a group, click the (add/edit groups) link. A scanner group comprises one or more scanners that will monitor this scan schedule.
8. Optionally set the Scan Priority. Scan priority applies only to new scans; changing it does not change the priority of an already running scan. The available options are:
Normal
High
Critical
9. Set the appropriate Throttle Type and setting. For host discovery, the only throttle type is Bandwidth, with values ranging from 10 Kbps to 100 Mbps. The default bandwidth value is 256 Kbps.
NOTE A higher throttle rate consumes more network bandwidth but completes the scan more quickly.

10. The next pane, Select Ports to Scan, lets you identify the ports that will be targeted by this host discovery scan, as shown in Figure 4-n.
11. Select the appropriate ports to scan by category from the drop-down list.
NOTE Symantec recommends limiting the number of ports for particular scans. Usually the high-risk ports are scanned; SRAS identifies the top high-risk ports, and additional ports can be added to meet enterprise requirements.
12. Click the View Port List link to view all of the available ports along with their risk ranking. The Application Discovery Ports window displays, listing the TCP/UDP ports that host discovery scans can target in any given scan.
Figure 4-o: Application Discovery Ports window
13. In the Application Discovery Ports window, you can add, edit and delete port information.
a. Click the Add Port link to add new ports that can be included in the Host Discovery scan. The Add New Port window displays, as shown in Figure 4-p. Enter the appropriate values and click Add New Port.

Figure 4-p: Add New Port window

b. Click the Edit link to edit port information such as risk level, protocol type, and category. The Edit Port window displays (as shown in Figure 4-m).

Figure 4-q: Edit Port window

c. Click the Delete link to permanently delete a port from the port listing. This action cannot be reversed. If a port is inadvertently deleted, it must be added again using the Add Port link.

14. Click Next to display the next step, Schedule Identification, as shown in Figure 4-j. Enter a unique name for this schedule and a corresponding description in the fields provided.

15. Click Finish to create the schedule.

16. Click Return To Scan Scheduling to return to the scan scheduling screen, where another schedule can be created. Optionally, click Show Scan Queue to go to the scan queue page, where scans can be monitored.

17. Click Suspend Network Discovery/Activate Network Discovery to provide a hot switch that disables any additional network discovery scans.

NOTE: Currently running scans will complete, but any further scans will remain suspended until re-activated.

18. Click the View Scan Queue link in the Host Discovery Scan Scheduling screen, as shown in Figure 4-l, to view the scan queue and check the status of scans. The Discovery Scan Queue screen displays (as shown in Figure 4-k).

View authorized criteria

This option provides users the ability to edit the domains, workgroups, and SNMP community strings that are stored and used by the discovery scan engine for information collection and authorized status determination. Authorized criteria are used to determine the preliminary rogue status of a host. If a host belongs to an authorized domain, or is a device managed with an authorized SNMP community string, then the host's preliminary status is designated as authorized, as opposed to unauthorized or rogue. This option enables you to add, change, view, and delete authorization information. To perform any of the functions mentioned here, follow the instructions below:

1. Click the View Authorized Criteria link in the Host Discovery screen, or click the View Authorized Criteria link in Reporting > Rogue Hosts.

2. The Authorized Criteria for Host Discovery window displays (as shown in Figure 4-q).

Figure 4-r: Authorized Criteria for Host Discovery window

The data displays under the following column names:

Name - Indicates the name of the network.
Hosts - Indicates the number of hosts in this network.
Authorized - Indicates whether the network is authorized or not.

3. Click the Change link to change the authorization status of a network.
4. Enter a valid domain name in the Domain Name field.
5. Click Add Domain to add a new domain to the list of domains.
6. Enter an authorized SNMP community string in the Community Name field.
7. Click the Add Community link to add the SNMP information to the SRAS Portal.
8. Click the Close link to go back to the Discovery Scan Scheduling screen.

NOTE: Windows domain information is discovered automatically but must still be authorized; SNMP community strings must be entered manually.
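The authorized-criteria rule described above, written out as a small Python model. This is an added example, not SRAS code: the class names, field names, the authorized domain and the SNMP community value are all constructed for illustration. It also shows one detail worth keeping in any such tool: the reason string returned for a match never echoes the community string, so status output can be logged or reported without leaking the credential.

```python
"""Preliminary authorized/rogue status from authorized criteria.

Added example, not SRAS code. It models the rule described above: a host whose
domain/workgroup is authorized, or that is managed with an authorized SNMP
community string, is preliminarily 'authorized'; anything else is 'rogue'.
Class names, field names and sample hosts are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthorizedCriteria:
    domains: set = field(default_factory=set)      # authorized domains / workgroups
    communities: set = field(default_factory=set)  # authorized SNMP community strings

    def add_domain(self, name: str) -> None:
        name = name.strip().lower()                # domain names compare case-insensitively
        if not name:
            raise ValueError("domain name must not be empty")
        self.domains.add(name)

    def add_community(self, community: str) -> None:
        community = community.strip()              # community strings are case-sensitive
        if not community:
            raise ValueError("community string must not be empty")
        self.communities.add(community)

    def remove_domain(self, name: str) -> None:
        self.domains.discard(name.strip().lower())


@dataclass
class DiscoveredHost:
    ip: str
    domain: Optional[str] = None          # domain/workgroup reported during discovery
    snmp_community: Optional[str] = None  # community string the device answered to, if any


def preliminary_status(host: DiscoveredHost, criteria: AuthorizedCriteria):
    """Return ('authorized' | 'rogue', reason). The reason never echoes the
    community string itself, so it is safe to write to a report or log."""
    if host.domain and host.domain.lower() in criteria.domains:
        return "authorized", f"member of authorized domain {host.domain}"
    if host.snmp_community and host.snmp_community in criteria.communities:
        return "authorized", "managed with an authorized SNMP community string"
    return "rogue", "no authorized domain or SNMP community match"


def classify_all(hosts, criteria):
    """Map IP -> preliminary status for a list of discovered hosts."""
    return {h.ip: preliminary_status(h, criteria)[0] for h in hosts}


def sample_criteria() -> AuthorizedCriteria:
    """Constructed criteria: one authorized domain, one authorized community."""
    c = AuthorizedCriteria()
    c.add_domain("corp.example")
    c.add_community("example-ro-string")   # constructed value, not a real community string
    return c


def sample_hosts():
    """Constructed discovery results."""
    return [
        DiscoveredHost("10.0.0.5", domain="CORP.EXAMPLE"),
        DiscoveredHost("10.0.0.9", snmp_community="example-ro-string"),
        DiscoveredHost("10.0.0.22", domain="WORKGROUP"),
        DiscoveredHost("10.0.0.30", snmp_community="public"),
        DiscoveredHost("10.0.0.41"),
    ]


if __name__ == "__main__":
    for ip, status in classify_all(sample_hosts(), sample_criteria()).items():
        print(ip, status)
```

Removing a domain from the criteria (step 3's Change link, modeled by remove_domain) immediately turns its members back into preliminary rogues, which is the behaviour to expect after editing the list in the portal.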

View port list

Click the View Port List link to view the complete list of available ports, along with their relevant risk ranking. The Application Discovery Ports window displays, as shown in Figure 4-o. It provides a list of the TCP/UDP ports that host discovery scans can target in any given scan. The port list can be customized: the communication protocol used and the category a port pertains to (from a pre-defined list, for example Web, mail, application server) can be changed, and a risk level can be assigned to a port based on information about current or emerging threats that are port specific. Any port can be deleted from the port list.

Scan Queue

Click Module Management > Discovery > Scan Queue in the Control Panel to display the Discovery Scan Queue (All Discovery Modules) screen. This screen enables you to view all Discovery scans (current and queued) and check their status, irrespective of the discovery module running the scan. The column names of this screen are identical to those of the Discovery Scan Queue (Network/Host Discovery) screen.

View scan queue

Click the View Scan Queue link to view pending and currently active host discovery scans. You can view the Host Discovery Scan queue and check the status of the scans. The column names of this screen are identical to those of the Discovery Scan Queue screen (as shown in Figure 4-s). The only prominent difference is that this page displays target hosts instead of networks. To view the Host Discovery Scan queue, follow the instructions below:

1. Click the Scan Queue link in the Control Panel. The Discovery Scan Queue screen displays. This shows both network and host discovery.

Figure 4-s: Discovery Scan Queue

Queued scans are launched in order of priority first and then by next scan date. The Discovery Scan Queue screen is divided into two panes.

Current Discovery Scans - Enables you to view Discovery scans that are actively running on the targeted assets. This pane displays the following columns:

Target - Network range or asset being scanned. Click the target link to display more detail.
Type - Name of the discovery module running the scan.
Scan Schedule - Name of the scanner from which the scans are originating.
Scan Start - Time and date when the scan started.
Completion - Percentage of scan progress.
Status - General status of the scan.
Actions - Action links to control the specific active scan:
  Pause - Temporarily pauses an active scan.
  Reset - Restarts the active scan.
  Suspend - Aborts the active scan. The next scan will be picked up accordingly.

Queued Discovery Scans - Enables you to view planned Discovery scans that are in the queue. This pane displays the following columns:

Target - Network range or asset being scanned. Click the target link to display more detail.
Type - Name of the discovery module running the scan.
Scan Schedule - Name of the schedule from which the scans are originating.
Next Scan - Time and date of the next time the scan will run.

Priority - Denotes whether the scan is a priority scan or not. Priority scans ignore time restrictions and run at the next available time.
Status - General status of the scan.
Actions - Action links to control the specific queued scan:
  Scan Now - Begin this scan now rather than waiting for the next scan time.
  Skip - Do not run this scheduled scan; queue up the next scheduled scan time.
  Suspend - Active scans continue, but no new scans will begin while suspended.
  Delete - Deletes this scan schedule.

Scan History

Click Module Management > Discovery > Scan History in the Control Panel to display the Discovery Scan History (All Discovery Modules) screen. This screen enables you to see all previously conducted Discovery scans. It provides a quick point of reference for viewing Discovery scans that were successfully completed. This page provides clickable links that lead to details about the networks that have been successfully scanned and the scanners that completed these scans.

Figure 4-t: Discovery Scan History (All Discovery Modules)

The data displays under the following column names:

Network/IP Address - Clickable link that leads to details about the network that was scanned.
Scan Type - Indicates the type of discovery scan performed.
Start - Indicates the date and time when the scan was initiated.
End - Indicates the date and time when the scan finished.
Error - Indicates the general error type, or None if there was no error.
Detail - Information regarding the success or failure of the scan.

1. Click a link in the Network/IP Address column. The View Network screen displays. This screen comprises two panes:

Network Summary - Provides details about the network/host scanned.

Figure 4-u: View Network screen

Network Hosts - Provides a tabular representation of the network/host scanned.

NOTE: More details about these sections are provided in the Reporting chapter of this user manual.

Configuration Scans

Configuration scans provide details about system configuration, configuration changes, and configuration gaps between current settings and those made during initial implementation. The nodes in the Configuration module have primary functions similar to those of the Discovery module. The only difference is the Data Import node, which is unique to the Configuration module.

Scan Scheduling

Configuration scan scheduling provides an automated and repeatable process for identifying technology or security gaps against an established set of baselines (in conjunction with the Policy Management module). Click Module Management > Configuration > Scan Scheduling in the Control Panel. The Configuration Scan Scheduling screen displays.
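Before moving on to configuration scans, here are the discovery scheduling rules from the sections above (a timeslot never extends past midnight, a queued scan starts only inside a timeslot unless its Priority flag is set, and eligible scans launch by priority first and then by next scan date) modeled in Python. This is an added example, not SRAS code; the class and field names and the sample queue are constructed, and the assumption that the Scan Priority level (Critical, High, Normal) is what orders the queue while the Priority flag only bypasses timeslots is mine, drawn from the column descriptions.

```python
"""Discovery scan queue ordering, modeled from the rules in this chapter.

Added example, not SRAS code. Rules it models:
  * a timeslot must not extend past midnight; a window that would is split
    into two timeslots (18:00-23:59 and 00:00-06:00, as in the NOTE above);
  * a queued scan starts only inside one of its schedule's timeslots, unless
    its Priority flag is set, which ignores time restrictions;
  * eligible scans launch by Scan Priority (Critical, High, Normal) first,
    then by earliest next-scan time.
Class and field names, and the sample queue, are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, time

PRIORITY_RANK = {"Critical": 0, "High": 1, "Normal": 2}   # lower launches first


@dataclass(frozen=True)
class Timeslot:
    start: time
    end: time   # inclusive; never earlier than start, so a slot never wraps midnight


def make_timeslots(start: time, end: time):
    """One timeslot, or two when the requested window would cross midnight."""
    if end >= start:
        return [Timeslot(start, end)]
    return [Timeslot(start, time(23, 59)), Timeslot(time(0, 0), end)]


def timeslots_from_strings(start: str, end: str):
    """Convenience for 'HH:MM' values as typed into the timeslot form."""
    h1, m1 = map(int, start.split(":"))
    h2, m2 = map(int, end.split(":"))
    return make_timeslots(time(h1, m1), time(h2, m2))


@dataclass
class QueuedScan:
    target: str
    schedule: str
    next_scan: datetime
    scan_priority: str          # Normal / High / Critical (Scan Options step)
    is_priority: bool = False   # Priority column: bypasses timeslot restrictions
    timeslots: tuple = ()


def in_timeslot(scan: QueuedScan, now: datetime) -> bool:
    return any(ts.start <= now.time() <= ts.end for ts in scan.timeslots)


def eligible(scan: QueuedScan, now: datetime) -> bool:
    if scan.next_scan > now:
        return False                      # not due yet
    return scan.is_priority or in_timeslot(scan, now)


def launch_order(queue, now: datetime):
    """Scans that may launch at `now`, in the order the queue would start them."""
    ready = [s for s in queue if eligible(s, now)]
    return sorted(ready, key=lambda s: (PRIORITY_RANK[s.scan_priority], s.next_scan))


SAMPLE_NOW = datetime(2011, 9, 15, 19, 30)   # constructed clock value


def sample_queue():
    """Constructed queue covering the cases worth checking."""
    night = tuple(timeslots_from_strings("18:00", "06:00"))   # split at midnight
    office = tuple(timeslots_from_strings("09:00", "17:00"))
    return [
        QueuedScan("10.0.0.0/24", "dc-nightly", datetime(2011, 9, 15, 18, 0), "Normal", timeslots=night),
        QueuedScan("10.0.1.0/24", "dmz-hourly", datetime(2011, 9, 15, 19, 0), "Critical", timeslots=office),
        QueuedScan("10.0.2.0/24", "adhoc", datetime(2011, 9, 15, 19, 10), "High", is_priority=True, timeslots=office),
        QueuedScan("10.0.3.0/24", "lab-nightly", datetime(2011, 9, 15, 17, 0), "Normal", timeslots=night),
        QueuedScan("10.0.4.0/24", "tomorrow", datetime(2011, 9, 16, 18, 0), "Critical", timeslots=night),
    ]


if __name__ == "__main__":
    for s in launch_order(sample_queue(), SAMPLE_NOW):
        print(s.target, s.schedule, s.scan_priority)
```

At 19:30 the Critical dmz-hourly scan is held back because its office-hours timeslot has closed and it is not flagged Priority, while the High adhoc scan launches first because the Priority flag bypasses the timeslot; the two Normal nightly scans follow in next-scan order.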

Figure 4-v: Configuration Scan Scheduling screen

The data displays under the following column names:

View/Edit Schedules - Provides the ability to view existing scan schedules from within the same screen. Rows of scheduled scans appear for any scans that have been previously scheduled. Once clicked, the View/Edit Schedules link changes to the Hide Schedules link.
Suspend Scanning - Suspends all queued and active scans. Activities remain suspended until re-activated.

Add new schedule

To add a new configuration scan schedule, follow the instructions below:

1. In the Configuration Scan Scheduling screen, click the Add New Schedule link. The New Configuration Scan Schedule screen displays. This page presents Step 1, Configuration Scan Criteria, to the user.

Figure 4-w: New Configuration Scan Schedule screen - Step 1

2. Click the Scan Type drop-down list and select the type of scan. The available options are given below. (For explanatory purposes, Agent-less scan is selected.)

Agent-less scan - Scanning done across the network from a Windows service.
Agent-less scan, on error do dissolving agent scan
Dissolving agent scan - An agent is temporarily installed and removed immediately upon completion of the scan.
Dissolving agent scan, on error do agent-less scan

Agent - An agent is installed and persists on the target host.

NOTE: Configuration scans are always authenticated scans. In an Agent-less scan all instructions come across the network, and the host is kept connected until the scan is complete. Both the dissolving agent and the persistent agent place an agent on the host to perform the scan and report back its results. The Dissolving Agent is the most common scan type. The difference between a Dissolving Agent and a Persistent Agent is that one stays installed and the other dissolves after the scan. Agents are appropriate for laptops, which can stay off the network for extended periods: when the laptop is connected, the agent checks in to the portal and receives instructions to scan itself.

3. Click Next. The Step 2 screen displays.

Figure 4-x: New Configuration Scan Schedule screen - Step 2

4. Under Scan Frequency, click One time Scan to define a scan that occurs a single time, or click Recurring Scan to repeat the scan after a given interval of time. For Recurring Scans, optionally select Static Asset Scan to ensure RAS scans the targeted assets regardless of when they were last seen on the network. This is particularly useful for servers, which rarely switch IP addresses or go offline.

Figure 4-y: Recurring Configuration Scan

NOTE: If the Static Asset Scan option is not selected, RAS considers the last time the asset was seen by RAS before attempting the configuration scan. If the asset was last seen within the acceptable window (4 hours by default), RAS attempts the configuration scan. This window is enforced to prevent unnecessary or nuisance errors when assets are powered down or offline.

5. Click Next. The Step 3 schedule timeslot screen displays.

Figure 4-z: New Configuration Scan Schedule screen - Step 3

6. Click Add New Timeslot, then enter the required details in the fields provided. Click Save to add the timeslot. Optionally, click Edit in the timeslot row that requires a change, make the necessary changes, and then click Update to save the changes and return to the timeslot list.

7. Click Next. The Step 4 screen displays.

Figure 4-aa: New Configuration Scan Schedule screen - Step 4

8. Click the Select a scanner client drop-down list and select a scanner.
9. Click the Scan Priority drop-down list and select an appropriate value. The available options are: Normal, High, Critical.
10. Click the Throttle Type drop-down list and select an appropriate value. The available options are: Total Scans, Scans Per Scanner.
11. Select the throttle criteria from the drop-down list relevant to the throttle type (number of scans at a time or number of scans per scanner).
12. Select the appropriate check boxes to choose the categories to be scanned.

13. Click Next. The Step 5 screen displays.

Figure 4-ab: New Configuration Scan Schedule - Step 5

14. Enter a unique name for the schedule and a brief description in the fields provided.
15. Click Finish. The New Configuration Scan Schedule completion screen displays (as shown in Figure 4-ac).

Figure 4-ac: New Configuration Scan Schedule - Completion Screen

16. Click the Return To Scan Scheduling link to return to the Configuration Scan Scheduling screen.
17. Click the Show Scan Queue link to view the Configuration Scan Queue screen. The Configuration Scan Queue is discussed in the next section.

View scan queue

Click the View Scan Queue link in the Configuration Scan Scheduling screen to view the Configuration scan queue and check the status of the scheduled configuration scans. To view the Configuration scan queue, follow the instructions below:

1. Click the View Scan Queue link in the Configuration Scan Scheduling screen, as shown in Figure 4-u.
2. The Configuration Scan Queue screen displays. This screen comprises two panes.

Figure 4-ad: Configuration Scan Queue screen

Current Configuration Scans - Enables the user to view Configuration scans that are actively running (as shown in Figure 4-af).
Queued Configuration Scans - Enables the user to view planned Configuration scans that are in the queue (as shown in Figure 4-ag).

The data displays under the following column names:

Schedule Name - Indicates the name of the configuration scan schedule.
Type - Indicates the type of scan performed.
Platform - Indicates the OS type of the system being scanned.
Scanning - This column does not exist in the screen.
Idle -
Frequency - Indicates the frequency at which the scan will be performed.
Status - Indicates the current status of the scan schedule (active/suspended).

3. Click the Edit link next to the Status column. The Existing Configuration Scan Schedule screen (Step 1) displays.

Figure 4-ae: Existing Configuration Scan Schedule screen

4. Make the required changes in this screen.

NOTE: To plan a scan, consider the objective of the scan. It is important to consider the Platform, Category, or Class of Asset, if they exist, as they can narrow the scan. For example, use separate scans for Windows servers, desktops, and Linux servers to get different scan windows and to take advantage of the different credentials of each platform or domain.

5. Click the Select the credential to use drop-down list and change to the appropriate credentials for the scan. Click the View Credentials link to view all the credentials available for performing the scan; this displays the Scanning Credentials screen. Click the Add Credential link to add new scanning credentials for the scan; this displays the Add Credential screen. For more information on either screen, refer to the Credential Management section of the Portal Administration chapter.

6. Click Next. Make the required changes in the various Step screens that display. For more information on the Step screens, see the section Add new schedule above.
7. Click Finish in the Step 5 screen to complete editing the configuration scan schedule. The Existing Configuration Scan Schedule completion screen displays.
8. Click the Return To Scan Scheduling link to return to the Configuration Scan Scheduling screen.
9. The Suspend link is a toggle switch to enable or suspend a configuration scan.
10. Click the Delete link to delete a configuration scan.
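The two planning rules from the Add new schedule section and the NOTE above, the last-seen window that applies when Static Asset Scan is not selected and the advice to split schedules by platform so each can use its own credentials, as a Python model. This is an added example, not SRAS code; the Asset record, the platform labels and the sample inventory are constructed, and treating an asset seen exactly 4 hours ago as still inside the window is my choice.

```python
"""Configuration scan eligibility under the Static Asset Scan option.

Added example, not SRAS code. It models two rules from the Add new schedule
section above: unless Static Asset Scan is selected, an asset is attempted
only if it was last seen within the acceptable window (4 hours by default),
so powered-down or offline hosts do not produce nuisance errors; and, per the
NOTE, assets are split by platform so each group can run in its own schedule
with its own credentials. Asset records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEFAULT_WINDOW = timedelta(hours=4)   # the manual's default acceptable window


@dataclass
class Asset:
    ip: str
    platform: str                  # e.g. "Windows Server", "Windows Desktop", "Linux Server"
    last_seen: Optional[datetime]  # None: never seen by a discovery scan


def should_attempt(asset, now, static_asset_scan=False, window=DEFAULT_WINDOW):
    """Return (attempt?, reason) for one asset."""
    if static_asset_scan:
        return True, "Static Asset Scan: attempted regardless of last-seen time"
    if asset.last_seen is None:
        return False, "never seen on the network"
    age = now - asset.last_seen
    if age <= window:                      # boundary treated as inside the window
        return True, f"seen {age} ago, inside the {window} window"
    return False, f"last seen {age} ago, outside the {window} window"


def plan_scan(assets, now, static_asset_scan=False, window=DEFAULT_WINDOW):
    """Split assets into (to_scan, skipped), each a list of (ip, reason)."""
    to_scan, skipped = [], []
    for a in assets:
        ok, why = should_attempt(a, now, static_asset_scan, window)
        (to_scan if ok else skipped).append((a.ip, why))
    return to_scan, skipped


def split_by_platform(assets):
    """Group asset IPs by platform: one group per schedule and credential set."""
    groups = {}
    for a in assets:
        groups.setdefault(a.platform, []).append(a.ip)
    return groups


SAMPLE_NOW = datetime(2011, 9, 15, 12, 0)   # constructed clock value


def sample_assets():
    """Constructed inventory: fresh, stale, never seen, and exactly on the boundary."""
    return [
        Asset("10.0.0.10", "Windows Server", datetime(2011, 9, 15, 11, 30)),
        Asset("10.0.0.20", "Windows Desktop", datetime(2011, 9, 15, 5, 0)),
        Asset("10.0.0.30", "Linux Server", None),
        Asset("10.0.0.40", "Linux Server", datetime(2011, 9, 15, 8, 0)),
    ]


if __name__ == "__main__":
    to_scan, skipped = plan_scan(sample_assets(), SAMPLE_NOW)
    print("scan:", to_scan)
    print("skip:", skipped)
    print(split_by_platform(sample_assets()))
```

The skipped list carries a reason per asset, which is what you want in a scheduler log: a host skipped because it was last seen seven hours ago is a very different operational signal from a host that has never been seen at all.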

Scan Queue

Click Module Management > Configuration > Scan Queue to display the Configuration Scan Queue screen. For more information, refer to the previous section.

Scan History

Scan History enables you to see all previously conducted Configuration scans. This is a quick point of reference for viewing Configuration scans that were successfully completed. Click Module Management > Configuration > Scan History. The Configuration Scan History screen displays, which provides links that lead to details about hosts that have been successfully scanned. To view the history of successfully completed scans, follow the instructions below:

1. Click Module Management > Configuration > Scan History. The Configuration Scan History page displays.

Figure 4-af: Configuration Scan History screen

The data displays under the following column names:

IPAddress - Link that leads to details about hosts that have been scanned.
Hostname - Provides the DNS host name of the asset, identified through a reverse DNS lookup.
Platform - Indicates the operating system of the host that was scanned.
Start - Indicates the date and time on which the scan was initiated.
End - Indicates the date and time on which the scan was completed.
Error - Indicates errors that occurred during scanning, if any.
Detail - Indicates other details regarding the scan.

2. Click a link in the IPAddress column. The View Host screen displays. This page provides high-level detail regarding the host that has been scanned. For more details about the View Host screen, refer to the Reporting chapter.

Data Import (Off-line Scanning)

The Symantec Corporation Remote Compliance Connector (RCC) offers the ability to scan assets off-line. The application files can be copied to writable removable media such as USB drives, removable hard drives, etc. The SRAS Portal can export a customized scan request file that compiles all of the compliance information requirements into a single unified instruction set. The compliance information requirements are compiled from all of the policies that are being measured by SRAS in your environment. The application files and the scan request file can then be executed on any machine, whether or not it is connected to the SRAS Portal or to any network at all. The application is run by simply double-clicking the executable and typically completes within 1-5 minutes. After the scan is complete, the results file can be uploaded to the SRAS Portal, where the data is integrated with other asset and compliance data.

Step-by-Step Procedure

1. Click Module Management > Configuration > Data Import in the Control Panel. The Configuration Management Data Import screen displays.

Figure 4-ag: Configuration Management Data Import screen

2. Click the Data Format drop-down list.
3. Click the Generate Scan Request link. A download dialog box displays, prompting you to save the scan request file.

Figure 4-ah: Configuration Management Data Import - Save Scan Request

4. Save the rccscanrequest.xml file to the removable media that you will scan from.
5. Copy the remotecomplianceconnector.exe and cmlocalclientlibrary.dll files to the same media and path where you saved the rccscanrequest.xml file. These application files can be found in the Program Files\Symantec Corporation\SFIntrospect folder where your configuration scanner is installed.
6. Attach the removable media to the device that you wish to scan (Figure 4-al).

Figure 4-ai: Copied executable files

7. Double-click remotecomplianceconnector.exe; a command window displays.

Figure 4-aj: Command prompt

8. Once the command window closes (typically after 1-5 minutes), the scan is complete and an rccscanresults.xml file has been generated.

Figure 4-ak: Generated results XML file

9. The rccscanresults.xml file can then be moved to a computer with access to the SRAS Portal for uploading the results. Navigate from the Control Panel to Module Management > Configuration > Data Import and enter the required file name in the File to import field, or click Browse to select the rccscanresults.xml file (Figure 4-al).

NOTE: Offline scanners are an easy way to keep compliance on air-gapped hosts or networks!

Figure 4-al: Copy results XML file to SRAS Portal

10. Click Import Data to upload the results to SRAS.

Figure 4-am: Import results XML to SRAS Portal

11. Navigate to Module Management > Configuration > Scan History to confirm the imported data. The scan history shows the latest scans/uploads.

Figure 4-an: View imported results

12. You can click any IP address link to view the collected information about the host.
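The media-staging and results-collection part of the off-line procedure above (steps 4 to 6 and 8 to 9), as a Python script. This is an added example and not part of SRAS or the Remote Compliance Connector: the file names and the SFIntrospect install folder come from the steps above, the drive letter in the default path is a placeholder, running the connector itself (step 7) is left to the operator, and the SHA-256 fingerprint taken of rccscanresults.xml before it crosses the air gap is my addition, not an SRAS feature. demo_with_constructed_files() builds dummy stand-ins for the binaries in a temporary folder so the flow can be exercised anywhere.

```python
"""Staging and collecting an RCC off-line scan, scripted.

Added example, not part of SRAS or the Remote Compliance Connector. It covers
steps 4-6 and 8-9 above: copy rccscanrequest.xml together with
remotecomplianceconnector.exe and cmlocalclientlibrary.dll (from the
SFIntrospect folder named in step 5) onto the removable media, and, once the
connector has been run by hand (step 7), confirm rccscanresults.xml exists and
fingerprint it so the portal-side operator can check it was not altered while
crossing the air gap. The fingerprint is an addition, not an SRAS feature.
Directory paths are placeholders; demo_with_constructed_files() uses dummy
stand-ins for the binaries in a temporary folder.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

REQUEST_FILE = "rccscanrequest.xml"
RESULTS_FILE = "rccscanresults.xml"
CONNECTOR_FILES = ("remotecomplianceconnector.exe", "cmlocalclientlibrary.dll")
# Install folder from step 5; the drive letter is a placeholder for your scanner host.
DEFAULT_SCANNER_DIR = Path(r"C:\Program Files\Symantec Corporation\SFIntrospect")


def stage_media(request_path, media_dir, scanner_dir=DEFAULT_SCANNER_DIR):
    """Copy the scan request and the two connector files to the media.
    Returns the names copied, in order. Refuses to stage if anything is missing."""
    request_path, media_dir, scanner_dir = Path(request_path), Path(media_dir), Path(scanner_dir)
    if request_path.name != REQUEST_FILE or not request_path.is_file():
        raise FileNotFoundError(f"scan request {REQUEST_FILE} not found at {request_path}")
    missing = [n for n in CONNECTOR_FILES if not (scanner_dir / n).is_file()]
    if missing:
        raise FileNotFoundError(f"connector files missing from {scanner_dir}: {missing}")
    media_dir.mkdir(parents=True, exist_ok=True)
    copied = []
    for src in [request_path, *(scanner_dir / n for n in CONNECTOR_FILES)]:
        shutil.copy2(src, media_dir / src.name)   # same path as the request file (step 5)
        copied.append(src.name)
    return copied


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_results(media_dir):
    """After step 8: locate rccscanresults.xml and return (name, sha256 hex digest)."""
    results = Path(media_dir) / RESULTS_FILE
    if not results.is_file():
        raise FileNotFoundError(f"{RESULTS_FILE} not on the media; has the connector finished?")
    if results.stat().st_size == 0:
        raise ValueError(f"{RESULTS_FILE} is empty; the scan did not complete")
    return results.name, sha256_of(results)


def demo_with_constructed_files():
    """Run the whole flow against constructed placeholder files in a temp folder."""
    root = Path(tempfile.mkdtemp())
    scanner = root / "SFIntrospect"            # stands in for the real install folder
    scanner.mkdir()
    for name in CONNECTOR_FILES:
        (scanner / name).write_bytes(b"placeholder, not the real binary")
    request = root / REQUEST_FILE
    request.write_text("<scanrequest>constructed placeholder</scanrequest>")
    media = root / "usb"
    copied = stage_media(request, media, scanner)
    # Step 7 would run the connector here; a placeholder results file stands in for its output.
    (media / RESULTS_FILE).write_text("<scanresults>constructed placeholder</scanresults>")
    name, digest = collect_results(media)
    shutil.rmtree(root)
    return {"copied": copied, "results": name, "sha256": digest}


if __name__ == "__main__":
    print(demo_with_constructed_files())
```

Write the digest down with the media before walking it to the portal host and compare it again before step 10; a mismatch means the results file changed in transit and should not be imported.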

Figure 4-ao: View host

Vulnerability Scan

The objective of vulnerability scans is to detect network- or host-based vulnerabilities before an outside attacker does. In doing so, an organization knows which technical vulnerabilities could be exploited by targeted malicious intrusion attempts, Trojan horses, worms, viruses, or other malicious network traffic.

SRAS provides multiple options for vulnerability scanning. First, SRAS is a SCAP-validated vulnerability scanner: this capability is included in the configuration scan and takes advantage of OVAL-based vulnerability checks. The second option is the use of the Symantec VM module (CCSVM) to provide network, database, and web application vulnerability scanning. The third is to take advantage of other third-party scanners already present in the network. SRAS has the ability to take command and control of some third-party vulnerability scanners to automate and consolidate the findings in a single portal, so that the need to manage two systems is eliminated. The next few sections guide you through the Vulnerability scanning module options. To take advantage of the SCAP-based vulnerability scan using OVAL, refer to the Configuration Scanning section.

NOTE: OVAL is a standardized check language that includes CVE and CVSS data. OVAL is used because these enumeration and scoring systems have become the industry standard and are often necessary for audit compliance reporting.

Scan scheduling

Vulnerability scanning allows you to locate weaknesses in your IT resources that could become harmful to the organization. Hence, it is very important to stay up to date with vulnerability scans. Vulnerability scan scheduling enables the user to perform these scans repeatedly at preset intervals without manual intervention, reducing the chance that a vulnerability actually turns into a threat to the IT resources.

NOTE: This section assumes that either a Symantec VM scanner or a third-party scanner has been successfully implemented. Refer to the installation guide for more information on Vulnerability scanning and SecureRecon.

Add new schedule

To add a new vulnerability scan, follow the instructions below:

1. Click Module Management > Vulnerability > Scan Scheduling. The Vulnerability Scan Scheduling page displays (as shown in Figure 4-as).

Figure 4-ap: Vulnerability Scan Scheduling screen

The data displays under the following column names:

Schedule Name - Indicates the name of the vulnerability scan schedule.
Scans - Indicates the number of times that the schedule has been run.
Start - Indicates the date on which the scan schedule is activated.
End - Indicates the date until which the scan schedule will stay active.
Frequency - Indicates the frequency of the scan schedule in number of days.
Description - A brief description of the scan schedule.
Status - Indicates the current status of the scan schedule.

2. Click the Add New Schedule link. Step 1 of the New Vulnerability Scan Schedule screen displays.

Figure 4-aq: New Vulnerability Scan Schedule screen - Step 1

3. Click Network(s) to scan a network or group of networks, or Single Addresses to scan specific IP addresses.
4. Click the Show Filter Options link to further narrow the scan target criteria by selecting from the available options:

Network Type - Click the appropriate option to choose either an internal or an external network to scan.
Region/Division - Select the appropriate region/division of the network to scan.
Category - Select the appropriate category of the network to scan.
Classification - Select the appropriate classification of the network to scan.

5. Choose the networks/IP addresses to scan from the Select column by selecting the respective check boxes.
6. Click Scan full network to scan all the hosts on a network, or Advanced Targeting to filter specific hosts to scan on a network. This displays various drop-down lists to filter specific hosts in the Target hosts on networks pane: Asset Class, Asset Category, Biz App, Host Category, OS Type, OS Platform.
7. Click Next. Step 2 of the New Vulnerability Scan Schedule screen displays. Click the appropriate option to specify a one-time scan or a recurring scan.

Figure 4-ar: New Vulnerability Scan Schedule screen - Step 2

8. Click Next. Step 3 of the New Vulnerability Scan Schedule screen displays. Click Add New Timeslot to add a new timeslot for the scan, or click the Edit link to edit an existing timeslot.

Figure 4-as: New Vulnerability Scan Schedule screen - Step 3

9. Click Next. Step 4 of the New Vulnerability Scan Schedule screen displays.

Figure 4-at: New Vulnerability Scan Schedule screen - Step 4

10. Click the Select a scanner client drop-down list and select the desired scanner to perform the scan.
11. Click the (add/edit groups) link to add or edit scanner groups. The Scanner Group Manager screen displays.

NOTE: Scanners can be grouped together or chosen individually based on the particular scan. You must consider the permissions and architecture to decide the appropriate scanner. Make sure all scanners in a group have access to the areas to be scanned!

Figure 4-au: Scanner Group Manager screen

12. Click the Scanner groups drop-down list and select the group to edit.
13. Enter a unique group name in the Group Name field.
14. Enter a description for the scanner group in the Group Description field.
15. Click the up/down arrows to set the priority of a scanner within the group in the Available Scanners list.
16. Click Add/Save to update the scanner group information, or click Close to go back to the New Vulnerability Scan Schedule screen.
17. Click the Scan Priority drop-down list and select a priority for the scan.
18. Click the Throttle Type drop-down list and select an appropriate option. The available options are: None, Scans Per Scanner, Total Scans.
19. Select the throttle criteria from the drop-down list relevant to the throttle type (number of scans at a time or number of scans per scanner).
20. Click Next. Step 5 of the New Vulnerability Scan Schedule screen displays. Enter a unique name for the scan schedule and a description in the fields provided.

Figure 4-av: New Vulnerability Scan Schedule screen - Step 5

21. Click Finish. The New Vulnerability Scan Schedule completion screen displays.

22. Click the Return To Scan Scheduling link to return to the Vulnerability Scan Scheduling screen, or click the Show Scan Queue link to view the Vulnerability Scan Queue screen. The Vulnerability scan queue is discussed in the next section.

View scan queue

Clicking the View Scan Queue link displays the Vulnerability Scan Queue screen, which enables you to check the status of the scheduled Vulnerability scans. To view the Vulnerability scan queue, follow the instructions below:

1. Click the View Scan Queue link in the Vulnerability Scan Scheduling screen. The Vulnerability Scan Queue screen displays.
2. This screen comprises two panes:

Current Vulnerability Scans - Enables you to view Vulnerability scans that are actively running (as shown below).

Figure 4-aw: Vulnerability Scan Queue - Queued Vulnerability Scans

Queued Vulnerability Scans - Enables you to view planned Vulnerability scans that are in the queue.

The data displays under the following column names:

Target - A link that indicates the name of the network/host to be scanned. These links lead to the Host Asset Summary screen. For more information, refer to the Reporting chapter.
Type - Indicates the type of the target, whether network or host.
Scan Schedule - Indicates the name of the scan schedule.
Next Scan - Indicates the time and date of the next scan.

Priority - A clickable link that indicates the priority of the scan schedule. This link leads to the Change Scan Priority screen, from which the user can set a new priority for an existing scan.
Status - Indicates the current status of the scan schedule (active/suspended).

Figure 4-ax: Change Scan Priority

3. Click the Scan Now link to scan the respective target (network/host) right away, bypassing all preset schedules and priorities.
4. Click the Skip link to skip scanning of the respective target (network/host), overriding all preset schedules and priorities.
5. Click the Suspend link to suspend scanning of the respective target (network/host) until it is activated again.
6. Click the Delete link to permanently delete the scan from the SRAS Portal.

The sections below elaborate on the other primary functions of the Vulnerability module.

Scan Queue

This node of the Vulnerability module displays the Vulnerability Scan Queue screen. For more information, refer to the previous section.

Scan History

This node of the Vulnerability module enables you to see all previously conducted Vulnerability scans. This screen provides a quick point of reference for viewing Vulnerability scans that were successfully completed. The Scan History screen provides links that lead to details about targets that have been successfully scanned. To view the history of successfully completed scans, follow the instructions below:

1. Click Module Management > Vulnerability > Scan History in the Control Panel. The Vulnerability Scan History screen displays.

Figure 4-ay: Vulnerability Scan History screen

The data displays under the following column names:

IPAddress - Clickable link that leads to details about hosts that have been successfully scanned.
Host Name - Indicates the DNS name of the host or asset.
Platform - Indicates the operating system of the host that was scanned.
Start - Indicates the date on which the scan was initiated.
End - Indicates the date on which the scan was completed.
Error - Indicates errors that occurred during scanning, if any.
Detail - Indicates other details regarding the scan.

2. Click a link in the IPAddress column. The View Host screen displays. This screen provides high-level detail regarding the host that has been scanned.

NOTE
For more details about the View Host page, please refer to the Reporting chapter of this User Manual.

Results Filtering

The results filtering option enables an administrator to manage vulnerabilities that have been filtered, either for individual hosts or globally. Filtering removes vulnerabilities from the vulnerability reporting in the Portal and excludes them from the vulnerability metrics calculation. The most common reasons to filter vulnerabilities are false positives and a decision to accept the risk posed by the vulnerability because of operational considerations and/or mitigating controls. These pages present the audit trail associated with filtering and the ability to remove a filter. Filtering out appropriate results greatly limits the repetitive work that would otherwise occur if vulnerability scan results had to be individually addressed each time.

NOTE
Even though a vulnerability is filtered, data is still collected and updated for every vulnerability found as long as vulnerability scanning is taking place.

The Results Filtering section is divided into two panes:

Global Filtering - Presents vulnerabilities that were found and later filtered out globally, against all hosts (as shown in figure 4-az). There is an option to remove each filter. Upon removing the filter, the vulnerability is reintroduced into reports and the metrics calculation. If additional vulnerability scanning has taken place, updated information appears immediately.

Figure 4-az: Global Vulnerability Filters

To toggle between Global Filtering and Host Level Filtering, click the View Individual Filters by Host link located at the top right of this screen.

Host Level Filtering - Presents vulnerabilities that were found and later filtered out for specific hosts (as shown in figure 4-ba). The Remove link deletes the filter on the vulnerability for that specific host. If additional vulnerability scanning has taken place, updated information appears immediately.

Figure 4-ba: Host Level Vulnerability Filters
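The filtering behaviour this section describes (global versus host-level filters, exclusion from reports and metrics, continued data collection while a filter is active, an audit trail, and filter removal) as an added Python model. This is example code written for this guide, not SRAS's own code; the class and method names, the sample hosts and the VULN-* identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    """One vulnerability observed on one host (constructed model)."""
    host: str
    vuln_id: str
    risk: str              # e.g. "High", "Medium", "Low"
    first_detected: date
    last_detected: date


@dataclass
class FilterEntry:
    """Audit-trail row for a filter; host=None means a global filter."""
    vuln_id: str
    host: Optional[str]
    reason: str            # e.g. "false positive", "risk accepted"
    user: str
    created: date
    removed: Optional[date] = None


class VulnerabilityStore:
    """Hypothetical in-memory stand-in for the portal's vulnerability tables."""

    def __init__(self) -> None:
        self.findings: Dict[Tuple[str, str], Finding] = {}
        self.audit: List[FilterEntry] = []

    def record(self, host: str, vuln_id: str, risk: str, seen: date) -> None:
        """Ingest one scan result. Runs regardless of filters, so a filtered
        vulnerability keeps its data current, as the NOTE above states."""
        key = (host, vuln_id)
        finding = self.findings.get(key)
        if finding is None:
            self.findings[key] = Finding(host, vuln_id, risk, seen, seen)
        else:
            finding.last_detected = seen
            finding.risk = risk

    def add_filter(self, vuln_id: str, user: str, reason: str,
                   today: date, host: Optional[str] = None) -> None:
        """Filter a vulnerability globally (host=None) or for one host."""
        self.audit.append(FilterEntry(vuln_id, host, reason, user, today))

    def remove_filter(self, vuln_id: str, today: date,
                      host: Optional[str] = None) -> bool:
        """The Remove link: end the active filter but keep its audit row."""
        for entry in self.audit:
            if (entry.vuln_id == vuln_id and entry.host == host
                    and entry.removed is None):
                entry.removed = today
                return True
        return False

    def active_filters(self, host: Optional[str] = None) -> List[FilterEntry]:
        """Rows for the Global Filtering (host=None) or Host Level pane."""
        return [e for e in self.audit if e.removed is None and e.host == host]

    def is_filtered(self, finding: Finding) -> bool:
        # A global filter or a filter for this specific host hides the finding.
        return any(e.removed is None and e.vuln_id == finding.vuln_id
                   and e.host in (None, finding.host) for e in self.audit)

    def report(self, show_filtered: bool = False) -> List[Finding]:
        """Findings shown in vulnerability reports; filtered ones appear only
        when the Show Filtered Vulnerabilities box is ticked."""
        return [f for f in self.findings.values()
                if show_filtered or not self.is_filtered(f)]

    def metrics(self) -> Dict[str, int]:
        """Open-vulnerability counts by risk level, excluding filtered findings."""
        counts: Dict[str, int] = {}
        for f in self.report():
            counts[f.risk] = counts.get(f.risk, 0) + 1
        return counts


def demo() -> Tuple[Dict[str, int], Dict[str, int], str, Dict[str, int], int]:
    """Walk through the filter lifecycle on constructed sample results."""
    store = VulnerabilityStore()
    scan1, scan2 = date(2011, 9, 1), date(2011, 9, 8)
    # Constructed results from a first scan of two hosts.
    store.record("10.0.0.5", "VULN-A", "High", scan1)
    store.record("10.0.0.5", "VULN-B", "Medium", scan1)
    store.record("10.0.0.9", "VULN-A", "High", scan1)
    store.record("10.0.0.9", "VULN-C", "Low", scan1)
    before = store.metrics()            # {'High': 2, 'Medium': 1, 'Low': 1}
    # VULN-A is a false positive everywhere: global filter.
    store.add_filter("VULN-A", "admin", "false positive", scan1)
    # VULN-B is accepted on 10.0.0.5 only: host-level filter.
    store.add_filter("VULN-B", "admin", "risk accepted: mitigating control",
                     scan1, host="10.0.0.5")
    after = store.metrics()             # {'Low': 1}
    # A second scan still updates the filtered finding's last-detected date.
    store.record("10.0.0.5", "VULN-A", "High", scan2)
    last_seen = store.findings[("10.0.0.5", "VULN-A")].last_detected.isoformat()
    # Removing the global filter reintroduces VULN-A with current data.
    store.remove_filter("VULN-A", scan2)
    restored = store.metrics()          # {'High': 2, 'Low': 1}
    audit_rows = len(store.audit)       # 2: removed filters stay in the trail
    return before, after, last_seen, restored, audit_rows
```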


Chapter 5 Reporting

The objective of this chapter is to provide guidance on how to navigate and understand the reporting capabilities included in the SRAS Portal. This chapter is intended to help the user maneuver through the many feature-rich reports related to the following modules:

Asset Inventory
Rogue Technology
Vulnerability
Configuration
Remediation

Now that the objective of this chapter has been defined, let us take a more in-depth look at the scope of what this manual covers. This chapter is a step-by-step guide to navigating the reporting capabilities of the SRAS Portal. At a high level, SRAS reports work by organizing and presenting previously collected data related to hardware and software assets across your enterprise. In most cases, the data presented is the most current view of the enterprise based on the automated scan schedules set up for the organization.

This chapter addresses the reporting capabilities of the five modules mentioned above. Reporting objectives for the user can easily be executed for these five areas within the Reporting menu tree. Below is a brief description of each reporting section and its overall benefit in reporting on security and compliance initiatives.

Asset Inventory - Reveals both known and unknown information assets that have been discovered and reported to the SRAS portal. Asset Inventory reporting is broken down into distinct areas related to the network, individual hosts, and network applications or services.

Rogue Technology - Unauthorized or unknown networks, hosts and services discovered within your enterprise can be viewed using the set of Rogue Technology reports. Results obtained from these reports can be validated to detect rogue technology over time and ultimately to understand how these types of unauthorized resources were introduced into the corporate network.
Vulnerability - Similar to the other reports, SRAS's vulnerability reports reveal the technical weaknesses that affect networks, hosts and applications. In addition to viewing this information by these designations, information can also be viewed by vulnerability type, platform and patch level.

Configuration - Configuration reports offer users insight into the configuration of hosts, including hardware, software, and system configuration. These reports cover software, hardware, user accounts, registry entries, file shares and much more.

Remediation - These reports identify the information assets that require remediation because of vulnerabilities or mis-configuration. They provide a convenient reporting mechanism for managing current and previously remediated task items.

Reporting Basics

There are a few things to keep in mind before getting into SRAS's reporting capabilities. This section provides a brief overview of SRAS's Reporting module.

The report information presented by the portal comes directly from the SRAS scans. Therefore, the frequency and scope of these scans are critically important. The results of the scans provide the content for each of the report sections within the portal. Many of the portal's reports are pre-defined. There are various controls within the interface that allow you to filter further and to categorize search results.

The SRAS portal is presented by an IIS web server serving ASP pages. Data storage is provided by a SQL Server 2005 or 2008 database instance.

The subsequent sections of this chapter elaborate on how to navigate the reporting types and help you understand the best way in which scanning information can be conveyed with the power of SRAS's reports.

Reporting pre-work

The strength of any report is directly impacted by the quality of its data. In this case, the SRAS Portal provides a powerful technology to extract invaluable information from the enterprise network. Therefore, keep the following key points in mind when any of the included reporting areas are used:

Know where you are in the world. Make sure that the geographic location of your report data is set correctly.

Know when to filter.
Many drop-down controls on the web interface can either restrict or expand your reported data.

Custom made reports. The Customize tab found across multiple reporting areas allows users to pick and choose columns, set the page size, and sort data results.

Other things to ensure accurate and consistent reporting include:

Confirm blacklisting periodically.
Review and assign new networks on a regular basis.
Review scan logs periodically to confirm everything is correct. Look for scans that are incomplete or that have failed.
Network or credential changes will have big impacts on the data reported.
Trust with other internal groups is highly dependent on the accuracy of the findings.

The sections ahead take us through the in-depth reporting capabilities of SRAS.

Asset Inventory

Asset Inventory (also referred to as Asset Discovery) reporting is broken down into distinct areas related to the network, individual hosts, network applications or services, and lastly (and optionally) an inventory of external, internet-facing assets.

Summary report

We begin by reviewing Figures 5-a and 5-b, which show the Summary reporting interface. Click Reporting > Asset Inventory > Summary in the Control Panel. The Asset Management Summary screen displays. This screen is organized into five main areas.

Figure 5-a: Asset Inventory - Summary

Figure 5-b: Asset Inventory - Summary (Cont'd)

Total Hosts by Region - Provides a graphical representation of all hosts by region. On the Y-axis of this graph, the user can see the number of hosts, infrastructure devices, workstations and other assets found. Regions are identified at the time the organization is configured. They must logically map to a meaningful organizational structure of the enterprise. These locations can be defined by clicking Portal Administration > Portal Configuration > Organization in the Control Panel. In this area, geographic locations can be defined, deleted, and added.

Discovery Statistics - Provides a look into the number of total, new, and unaccounted assets. This feature presents the data in aggregate. The benefit of this table is that it provides a quick snapshot of how many assets exist within the scope of the scanning process. Moreover, it gives the user an easy way to view new additions to the network or hosts.

Newest Hardware Assets - This feature provides a look at the newest hardware assets (excluding workstations and known hosts) that have been discovered by the asset discovery engine. The table reveals the IP address of the asset, its make or OS, and the date on which it was added.

Unaccounted Hardware Assets - Similar to Newest Hardware Assets, this table provides the IP address and make or OS of assets that have been discovered on the network but are currently unaccounted for or missing. A date is also provided showing when the portal last had contact with the device.

Assets by Region - Provides a graphical representation of assets by OS as well as other network devices and appliances. This feature provides two sectioned bar graphs: one showing total hosts by operating system, divided across the various pre-defined organizational units, and the other showing the number of both assigned and unassigned network addresses across the various organizational areas.

The Asset Management Summary screen provides a good, high-level view of the more detailed information in the Asset Inventory reports, namely the inventory of networks, hosts, applications, and external assets. To view the Asset Management Summary, follow the instructions below:

1. Click Reporting > Asset Inventory > Summary in the Control Panel. The Asset Management Summary page displays as shown in figures 5-a and 5-b.

2. Click a link in the Host Name/IP Address (OS Type) column in the Newest Hardware Assets (Excluding Workstations and Unknown Hosts) section. The View Host screen displays, with the Applications tab active. The View Host screen is divided into two sections. The top half of this page displays the following information regarding the host:

Host Name - Indicates the name of the host.
IP Address - Indicates the IP address of the host.
Network - Indicates the network to which the host belongs.
Region/Division - Indicates the region/division of the host.
Classification - Indicates the classification of the host.
Categorization - Indicates the category to which the host belongs.
OS Type/Version - Indicates the operating system type/version of the host.
MAC Address - Indicates the MAC address of the host.
Status - Indicates the status of the host, that is, whether it is active or not.
Authorized - Indicates the authorization status of the host.

NOTE
The Edit links in this section enable you to edit the host information. Clicking this link displays the Edit Host pop-up, from which a user can change the details of the host.

Figure 5-c: Asset Management Summary - Applications Tab

3. The Applications tab allows the user to view the applications that run on the host (as shown in figure 5-c). These are often referred to as services that run on the host. This section provides details about the various applications (icmp, File Server, epmap, netbios-ns, ms-ds, etc.) running on the host. This section provides the following details.

NOTE
Applications in discovery are different from software applications on the host. There is a correlation between services visible from the network and applications on the host, but until a configuration scan is completed that link has not been verified.

Name - Indicates the name of the application.
Port - Indicates the port on which the application is running.
Protocol - Indicates the name of the protocol associated with the application.
Risk - Indicates the risk level associated with the application.
Category - Indicates the category of the application.
Authorized - Indicates the current authorization status of the application.
Discovered - Indicates the date on which the application was discovered by SRAS.

4. Click the Authorize/Assign tab to authorize or assign the application.

NOTE
The application/service is authorized if it is acceptable based on the company policy. SRAS automatically flags commonly high-risk ports as unauthorized.

5. Click Vulnerabilities to view vulnerabilities associated with the host. This section provides the following information.

Vulnerability - Indicates the name of the vulnerability.
Service - Indicates the service affected by the vulnerability.
Port - Indicates the port on which the vulnerable service is running.
Risk - Indicates the risk level of the vulnerability.
Source - Indicates the source of the vulnerability.

NOTE
The source in this context is the scanner which contributed the vulnerability. If both 3rd party scanners and the OVAL vulnerability scans are active, each of them will be designated separately.

First Detected - Indicates the date on which the vulnerability was first detected.
Last Detected - Indicates the date on which the vulnerability was last detected.
Description - Indicates any comments regarding the vulnerability.

NOTE
Click the Show Closed Vulnerabilities checkbox to view past vulnerabilities that have been assigned to a user and have been successfully closed. Click the Show Filtered Vulnerabilities checkbox to view vulnerabilities that have been filtered by a user so that they do not affect the SLA values.

6. Click the Configuration tab to view configuration settings of the host. This section provides the following information.

OS - Indicates the operating system of the host.
Role - Indicates the role assigned to the host.
Manufacturer - Indicates the manufacturer of the host.
Model - Indicates the model of the host.
Last Update - Indicates the date on which the host was last updated.
Error - Indicates any errors on the host.

This pane also has a Select a Configuration search box. It defaults to Summary, but the view can be changed to get more detailed configuration data on a specific device.
SRAS defaults to the most current view of the data. If the intent is to look for changes in the configuration data, there is a Show Changes checkbox which includes that data.

NOTE
To view these details in summarized form or in detail, the user can select an option from the Select a Configuration Category drop-down list.

7. Click the Policy Violations tab to view the policy violations occurring on the host (as shown in figure 5-d). This section provides the following details.

Policy - This is a clickable link that indicates the name of the violated policy. Clicking this link leads to the Policy Statement section of the Policies and Controls module of SRAS.
Policy Statement - This is a clickable link that indicates the section of the policy statement that has been violated. Clicking this link leads to the expanded Policy Statement section of the Policies and Controls module of SRAS.
Subcategory - Indicates the subcategory of the policy.
Control - This is a clickable link that indicates the type of control applicable to the policy. Clicking this link leads to the Control Detail Report page. For more information, refer to the Policies and Controls chapter of this User Guide.
Value - Indicates the value associated with the policy.
Opened - Indicates the date and time at which the policy violation was first noticed.
Remediation - Indicates suggested steps for remediation of the violation.

Figure 5-d: Asset Management Summary - Policy Violations Tab

The internal workflow of SRAS provides three options on the Configuration tab:

Assign - Manually assign to a user for remediation. Refer to the Portal Administration section for automation of task assignment.
Exception - Exceptions are not counted in reporting and are only displayed on the Exceptions report page. A reason for the exception is identified and a date for remediation is assigned.
Close - Close is a manual close of the policy violation. If the remediation has not occurred, it will show up again in the next scan. Conversely, if the remediation has occurred, SRAS will close the violation automatically with no human intervention.

NOTE
Click the Show Closed checkbox to view past policy violations that have been successfully remediated. Click the Show Exceptions checkbox to view policy violations that have been filtered by a user so that they do not affect the SLA values.

8. Click the Assign tab to assign the violation for remediation. The Assign Policy pop-up displays (as shown in figure 5-e).

Figure 5-e: Assign Policy

9. Select the user to whom the policy is to be assigned for remediation from the Assign Remediation to drop-down list.
10. Click Assign Policy Violation to assign it and return to the Policy Violation section.
11. Click the Exception tab on the Policy Violation section to mark the policy violation as an exception. The Add/Request Policy Exception pop-up displays (as shown in figure 5-f).

Figure 5-f: Add Policy Exception

12. Select an appropriate reason for the exception from the Exception Reason drop-down list.
13. Enter the exception expiration date in the field provided.
14. Enter any comment related to the policy exception.
15. Click Add Exception to accept the exception and return to the Policy Violation section.

NOTE
A user without administrative privileges cannot add an exception. In this case, the user must click Request Exception to send a request for the exception to be added by an administrator.

16. Click the Close tab on the Policy Violation section to close a policy violation. The Close Policy Violation pop-up displays (as shown in figure 5-g).

Figure 5-g: Close Policy Violation

17. Select a reason from the Reason for closing drop-down list. Click Close Policy Violation to close the violation and return to the View Host page.
18. Click the OS Fingerprinting tab on the View Host page. The OS Fingerprinting section displays. This section provides host information such as NetBios Name, Authenticated User, Domain/Workgroup, Domain Controller, SMB LANManOS, SMB LANMan, SMB MBS, SMB MMC, SMB DFS, etc.
19. Click the Documentation tab to enter/view any comments regarding the host.

Before we visit the Networks menu link under Asset Inventory, let us address the horizontal navigation and filter bar at the top of the interface's page (as shown in Figure 5-h).

Figure 5-h: Asset Inventory - Network Report Navigational Bar

The horizontal navigational bar provides the same functionality as the menu links located within the Asset Inventory tree found within the Control Panel.

Network Reports

The following pages provide instructions for understanding the various reports for networks managed by the SRAS Portal across the defined organization. Overall, the set of network reports helps to manage both identified and accounted-for networks as well as those that are new, unauthorized or not yet documented. Depending on the size of the networks that have been scanned and identified by the asset discovery engine, you may wish to filter results by the following criteria:

Geographic Location
Network Status
Classification

Category

Filtering by these various values can be quickly accomplished on the Networks page by selecting the drop-down controls located within the horizontal navigation bar/filter found at the top of the page.

Now let us take a look at the initial interface that is served by the portal for the Networks menu link (under Asset Inventory). Figures 5-i and 5-j show what the user will see when initially clicking the Networks menu link.

Figure 5-i: Network Reports

The snapshot of the Network Asset Summary page shown here omits the left Control Panel pane as well as the horizontal navigation/filter bar shown previously in Figure 5-c. Here we see three main sections to this page: Network Address Space, Network Search Bar, and a table for Network Discovery Statistics. These summarized data views allow for quick glimpses into both assigned and unassigned network segments across the various geographic locations of the organization.

Network Address Space - The Y-axis shows the divisions of the organization while the X-axis shows the number of assigned and unassigned network address spaces within the organization. In the above example, the bar graph shows that the CORP (corporate) division has the greatest number of unassigned network spaces (as expected). If any new network addresses have been added and detected by the scanner, simply click the Refresh Chart link to have the latest results represented.

Network Search - Provides a quick and easy way to search for a network address or network descriptor amongst the collected network data. A search for 192. will show all networks found with that address prefix.

Network Discovery Statistics - This tabular view provides a concise view of all network segments for the enterprise and aggregates them by whether they are authorized, unauthorized or unassigned. These designations are shown in their

totality, as well as those that have a new designation or are networks that are unaccounted for, meaning that it cannot be determined whether they indeed pertain to the enterprise, although they were found at the time of discovery scans.

NOTE
Network Discovery Statistics is a quick way to view new networks that have been added since the last scan. You must confirm each entry and then assign it to an organizational structure.

Figure 5-j: Network Reports (Cont'd)

The second half of the Network Asset Summary page is shown in figure 5-j. The fourth section of the Networks Summary page reveals a very detailed, tabular view of all networks discovered within the enterprise. Each row provides the network name, subnet along with netmask info, geographic location, addresses used within the identified network segment, asset class (again relating to a pre-defined class level provided by the administrator under Portal Configuration), the date the network was discovered, and a flag indicating whether or not the network is authorized. The last column on the right allows the user to specify whether they would like to blacklist (meaning exclude) the respective network in future search results, or whether the network should be deleted altogether from the database object that contains this information. Below are the prompts the user would see when using the Blacklist and Delete links from this interface (Figures 5-k and 5-l).

Figure 5-k: Blacklist Network

If you don't want to bother with the network number, simply provide the known network name from the drop-down control. You can also specify to what degree you want to blacklist the network: across all modules or simply one (Vulnerability, Discovery, or Configuration).

Figure 5-l: Delete Network

If you delete the network, be aware that it will be gone from the database, at least until the next network discovery scan finds it again.

To view the network summary report, follow the instructions below:

1. Click Reporting > Asset Inventory > Networks on the Control Panel. The Network Asset Summary page displays as shown in figures 5-i and 5-j.
2. Click a link in the Network Name column. The View Network page displays (as shown in figure 5-m).

Figure 5-m: View Network

This page is divided into two sections. The Network Summary section provides the following network details:

Network Name - Indicates the name of the network. The default name is the same as the network number discovered. Most organizations add a short description or label as the Network Name to aid users who may not be as familiar with the network numbers.
Network Number - Indicates the network number.
Subnet Mask - Indicates the subnet mask of the network.
Region/Division - Indicates the region/division of the network.
External - Indicates whether the network is internal or external.
Classification - Indicates the classification of the network.
Categorization - Indicates the category of the network.
Total IP Addresses - Indicates the total number of IP addresses on the network.
Used Addresses - Indicates the total number of IP addresses on the network that are in use.
Available Addresses - Indicates the total number of IP addresses on the network that are available for use.
Status - Indicates the status of the network, which is either a live network or one that is dead (has not been found in a series of scans).
Authorized - Indicates whether the network is authorized or not.
Date Discovered - Indicates the date on which the network was discovered by SRAS.

Last Contact - Indicates the date on which the network was last found by SRAS.

The Network Hosts section provides the same details mentioned above in a tabular format.

3. Click the Edit Network/Blacklist Network/Delete Network link to perform the respective function. These functions have been explained in the previous section of this chapter.
4. Click a link in the IP Address column of the Network Hosts section. The View Host page displays. This page is similar to the View Host page that displays by clicking Reporting > Summary on the Control Panel and then clicking any link in the Host Name/IP Address (OS Type) column of the Newest Hardware Assets (Excluding Workstations and Unknown Hosts) section (as shown in figure 5-c).

NOTE
The Applications, Vulnerabilities, Configuration, Policy Violations, OS Fingerprinting, and Documentation tabs present information and features discussed earlier in this chapter.

Helpful Tips

Remember that results can all be filtered by the controls listed in the navigational search/filter bar.
Data can always be exported using the Export to Excel link shown above the header information of the table.
Feel like adding a new network? Click Add New Network and do exactly that. Specify all the fields listed in the table itself, and when done, click Add Network.

Host Reports

One of the most highly prized reports for most IT managers is one that details host-related information on an enterprise network. This section covers the reports contained under the Asset Inventory > Hosts section. This section allows the user to identify key information related to authorized and unauthorized hosts found within the enterprise network, along with valuable descriptive information related to those hosts. Let us move to Figure 5-n, which depicts the Host Asset Summary interface rendered by the portal when clicking Reporting > Asset Inventory > Hosts on the Control Panel.
The host summary interface is organized into three main areas:

Hosts by Operating System - Bar graph revealing hosts by OS across various geographic locations within the enterprise.
Host Discovery Statistics - Tabular representation of authorized/unauthorized hosts displayed in aggregate, as newly discovered hosts, or as unaccounted-for hosts.
Detailed Hosts Table - A detailed tabular view of all hosts, described by platform, version, category, authorized/unauthorized status, and whether they are new.

Figure 5-n: Asset Inventory - Hosts

Worth mentioning again is the search field located on all summary pages underneath the Asset Inventory sub-menu under the Reporting menu link. A simple search for Windows in this field should yield more filtered results on a subsequent page. A snapshot of such a query is depicted below in Figure 5-o.

Figure 5-o: Host Inventory

NOTE
Notice the Filter tab that can be used to further refine the report constructed from the search query. Notice the Customize tab that can be used to further refine the columns displayed in the report.

The same or a similar targeted report can be developed using the Navigation Menu bar found on most pages within the portal. The search function allows you to specify more specific information about the data presented, while the Report Builder runs against the data using the pre-defined search criteria.

Now that we've alluded to the Customize tab, shown in the top left corner of the detailed report, we'll show how additional customization of the reported data can be accomplished. The Data tab (shown above) simply shows the data that is returned by the defined query parameters. The Customize tab does not affect the number of records provided by the reporting engine but rather how the data is conveyed. By clicking Customize, fields can be added to or removed from the report in order to create a specific report type (as shown in figure 5-p).

Figure 5-p: Host Inventory - Customize

Most of the fields listed in the Customize screen are self-explanatory. Essentially, the Customize page gives users the ability to add/delete columns from the detailed report generated from the previously requested report data. Sorting preferences can also be set using one of the pre-defined column names.

NOTE
The Host Inventory Summary page also has a horizontal navigation and filter bar at the top of the interface's page, similar to the Network Report bar (as shown in Figure 5-h). The horizontal navigational bar provides the same functionality as the menu links located within the Asset Inventory tree found within the Control Panel.

To view host reports, follow the instructions below:

1. Click Reporting > Asset Inventory > Hosts on the Control Panel. The Host Asset Summary page displays as shown in figure 5-n. The table on this page presents the following information.

Platform - This is a clickable link that indicates the classification of hosts by operating system or primary name. This link leads to the Host Inventory page (as shown in figure 5-o).
Version - This is a clickable link that indicates the version of the host's operating system or the model number.
Host Category - Indicates the category of the host. All assets default to one of the three categories that SRAS has: Workstation, Server and Infrastructure. Desktops and laptops are automatically categorized under Workstation, servers under Server, and everything else under Infrastructure. Infrastructure contains printers, network devices, IP phones, etc.
Total Hosts - Indicates the total number of hosts under this classification.
Authorized - Indicates the total number of authorized hosts under this classification. SRAS automatically designates a host as Authorized if certain criteria are met. Module Management has settings to determine whether the host is part of a known and authorized domain and whether it has a valid SNMP string. A host can always be marked Authorized or Unauthorized manually.
Unauthorized - Indicates the total number of unauthorized hosts under this classification. An unauthorized asset is one that is manually designated as such or that does not meet the Authorized criteria mentioned above.
New (past 30 days) - Indicates the number of hosts newly discovered under this classification in the past 30 days.

2. Click a link in the Platform column. The Host Inventory page displays. This page provides the host inventory segregated by HostName, IP Address, or Network. It provides the following information:

Hostname - This is a clickable link that indicates the name of the host. This link leads to the View Host page (described in the previous sections).
IP Address - This is a clickable link that indicates the IP address of the host. This link also leads to the View Host page.
Network - This is a clickable link that indicates the network to which the host belongs. This link leads to the View Network page.
Platform - Indicates the operating system of the host.
Organization - Indicates the unit of the organization to which the host is assigned.

Discovered - Indicates the date on which the host was discovered by SRAS.
Authorized - Indicates the authorization status of the host.

3. Click the Customize tab. The host inventory report customization page displays (as shown in figure 5-p).
4. Select the data column that you wish to include or exclude in the report and click the >> or << button to perform the respective function.
5. Click Build Report. The Host Inventory page displays with the desired data columns.
6. Click a link in the HostName column of the Host Inventory page. The View Host page displays.

Helpful Reminders

Remember that results can all be filtered by the controls listed in the navigational search/filter bar. Data can always be exported here using the Export to Excel link shown above the header information of the table.

Feel like adding a new network? Click Add New Network and do exactly that. Specify all the fields listed in the table itself and, when done, click Add Network.

NOTE: In most cases, the manual addition of a network is completely optional. SRAS saves the organization the time that is spent on manual tracking of network lists. Proactively adding networks makes the network information known for the next network discovery scan. Likewise, the network can be specifically targeted for network scanning in an ad hoc manner.

Remember that any report generated by the Report Builder (top navigational search/filter bar) or by the search field will produce detailed search results that can be exported to Excel format for added convenience.

Applications Reports

The next section under the Asset Inventory (parent menu control located under the Control Panel) is Applications. It is important to remember that this sub-section and the others previously covered all relate to information assets within the enterprise. The data itself is again obtained by the scanning engines of SRAS.
In this section we'll cover application assets in a similar way to the previous sub-sections under Asset Inventory. We begin by dissecting the main components found within the main interface page of this section, the Application Summary page. By now you will find there are many similarities between the screens in this chapter.

Top Ten High Risk Applications
As the name suggests, this bar graph reveals the highest risk applications found within the enterprise. It organizes the graphed data by application type on the Y-axis, while the X-axis shows the quantity of applications found within those categories.

Application Search Box
By simply placing a keyword in the search box, a report will be generated related to your query parameter(s).

Application Discovery Statistics
Similar to previously covered sections, this box reveals a tabular view of authorized/unauthorized applications within the enterprise and separately breaks out the number of total applications by whether they have been newly discovered.

Application Data Table
Reveals applications by the category under which they fall. Along with each application category is a view of the total number of applications within that group, the number of high risk apps, the number of authorized and unauthorized apps and, lastly, the number that have been designated as new. As a best practice, many organizations maintain a list of ports and services that are not allowed.

It should be noted again that the Export to Excel link on the main page gives users the ability to transfer data from the tabular representation to an Excel document. The following section will expand on these areas of the main application summary page. We begin by correlating the described sections to the main interface for this feature (as shown in figure 5-q).

Figure 5-q: Application Summary

NOTE: Both the Apps Report Navigation Bar and the Application Search field create customized reports based upon query parameters. Remember that if you recently completed a discovery scan, you may want to update your stats.

Application categories are links that lead to the individual apps that have been identified and catalogued within that category. Again, the application summary interface is very similar to the other summary pages covered earlier. Let us revisit some of the actual report building steps that are present here using the navigation/filter bar (the horizontal grey bar at the top). In a test case, let us assume that we are mostly concerned with global apps that are unauthorized and running on port 80. The button to the right of this navigational bar provides the ability to run the report based upon these parameters. The test result for this query is shown in Figure 5-r.

Figure 5-r: Application Detail - Port 80

NOTE: The date shown under the Discovered column reveals the initial date on which the discovery scan recognized this application asset.

The snapshot of the report generated again shows the precision of the reporting engine in delivering results from the total data warehouse related to application assets. We are able to view all unauthorized software assets that are running globally and using port 80 for whatever reason. The user of this report is quickly able to see which sub-organization of the enterprise has the most unauthorized pieces of software running that need port 80 in use. The user is also able to dive further into each host and obtain more information beyond the scope of application assets. The application asset reporting interface does not provide a way to customize the fields in your data table; however, it does provide further refining of your query results via the Filter section at the top left corner of the data table. If we wanted to further filter the results to only Windows 2003 servers as the platform for the application assets, the next screenshot, Figure 5-s, shows what quickly happens.

Figure 5-s: Application Detail - Regex for Windows 2003

As we can see, our initial search results have been narrowed from over 1200 results to fewer than 130 application assets that fit the search and filter parameters. Notice that the label next to the field has turned red to indicate that the results shown are filtered. The filter can be cleared using the button labeled Clear.

To view the application summary report, follow the instructions below:

1. Click Reporting > Asset Inventory > Applications in the Control Panel. The Application Summary page displays (as shown in figure 5-q). The table on this page provides the following information.

Application Category - This is a clickable link that indicates the classification of applications by type. This link leads to the Application Inventory page.

NOTE: Adding or removing Application Categories or Ports, or changing the risk of a particular port, requires administrative permissions. Go to Module Management > Discovery > Scan Scheduling and then click the View Port List link under Host Discovery. Use the Add Port link to add a port; if a new category is required, just add the new category to the listing.

Total Applications - Indicates the total number of applications (ports) in this application category.
High Risk - Indicates the total number of applications with high risk levels in this category.
Authorized - Indicates the total number of authorized applications in this category.
Unauthorized - Indicates the total number of unauthorized applications in this category.

New (past 30 days) - Indicates the total number of applications discovered under this category in the past 30 days.

2. Click a link in the Application Category column. The Application Inventory page displays (as shown in figure 5-t).

Figure 5-t: Application Inventory

This page provides the following information about the applications:

Name - This is a clickable link that indicates the type of the application.
Port - This is a clickable link that indicates the port number on which the application is running.
Protocol - Indicates the protocol on which the application is based.
Category - Indicates the category of the application.
Count - Indicates the total number of hosts running this application.
High Risk - Indicates the total number of hosts running this application with a high risk level.
Unauthorized - Indicates the total number of unauthorized hosts running this application.

3. Click a link in the Name column of the Application Inventory page. The Application Detail page displays (as shown in figures 5-r and 5-s). This page has HostName and IP Address columns with clickable links that lead to the Host Inventory page. Apart from this, the other details included are Platform information, Organization, Application type, Port, Protocol, Discovered date, and Authorized status.

External Asset Reports

The last section under the Asset Inventory menu list is External. External assets are often difficult to manage and can quickly introduce security threats if not continuously monitored. In the next section, we'll show you how to maximize the results gained from the Discovery Scanning engine through the various reporting features found within this sub-menu item. We begin with a look at the External Asset Summary page (as shown in Figures 5-u and 5-v).
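Before turning to external assets, the following is an added example, written for this guide and not part of SRAS, of how the host and application inventory figures described above can be computed from inventory records: the Host Asset Summary counts (Total, Authorized, Unauthorized, New in the past 30 days), the Application Summary counts per category, the navigation-bar query for unauthorized applications on port 80, and the Filter tab's regular-expression match on the Platform column. The inventory rows, domain list, dates and the rule that either a known domain or a valid SNMP string makes a host Authorized are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Assumed "today" for the 30-day "New" window; SRAS uses the scan date.
TODAY = date(2011, 9, 15)
NEW_WINDOW = timedelta(days=30)
# Assumed list of known, authorized domains (a Module Management setting in SRAS).
KNOWN_DOMAINS = {"corp.example"}

# Constructed host inventory; every hostname, address and date is invented.
# "manual" records a manual Authorized/Unauthorized override (None = not set).
HOSTS = [
    {"hostname": "ws-101.corp.example", "ip": "10.1.1.10", "platform": "Windows", "version": "7",
     "category": "Workstation", "snmp_valid": False, "discovered": date(2011, 9, 1), "manual": None},
    {"hostname": "ws-102.corp.example", "ip": "10.1.1.11", "platform": "Windows", "version": "7",
     "category": "Workstation", "snmp_valid": False, "discovered": date(2011, 6, 20), "manual": None},
    {"hostname": "srv-01.corp.example", "ip": "10.1.2.5", "platform": "Windows", "version": "2003",
     "category": "Server", "snmp_valid": True, "discovered": date(2011, 5, 2), "manual": None},
    {"hostname": "10.1.2.77", "ip": "10.1.2.77", "platform": "Windows", "version": "2003",
     "category": "Server", "snmp_valid": False, "discovered": date(2011, 9, 10), "manual": None},
    {"hostname": "sw-core.corp.example", "ip": "10.1.0.2", "platform": "Cisco IOS", "version": "12.4",
     "category": "Infrastructure", "snmp_valid": True, "discovered": date(2011, 1, 15), "manual": None},
    {"hostname": "printer-3", "ip": "10.1.3.9", "platform": "HP JetDirect", "version": "",
     "category": "Infrastructure", "snmp_valid": True, "discovered": date(2011, 9, 12), "manual": False},
]

def is_authorized(host):
    """A manual designation wins; otherwise the host is Authorized when it belongs to a
    known domain or answered a valid SNMP string (assumed: either criterion is enough)."""
    if host["manual"] is not None:
        return host["manual"]
    domain = host["hostname"].partition(".")[2]
    return domain in KNOWN_DOMAINS or host["snmp_valid"]

def host_summary(hosts, today=TODAY):
    """Host Asset Summary rows keyed by (Platform, Version, Host Category)."""
    rows = defaultdict(lambda: {"total": 0, "authorized": 0, "unauthorized": 0, "new": 0})
    for h in hosts:
        row = rows[(h["platform"], h["version"], h["category"])]
        row["total"] += 1
        row["authorized" if is_authorized(h) else "unauthorized"] += 1
        if today - h["discovered"] <= NEW_WINDOW:
            row["new"] += 1
    return dict(rows)

# Constructed Application Detail rows (one per host and service); ports and
# categories are illustrative only.
APPS = [
    {"hostname": "srv-01.corp.example", "platform": "Windows 2003", "org": "EMEA", "name": "http",
     "port": 80, "protocol": "tcp", "category": "Web", "high_risk": False, "authorized": True,
     "discovered": date(2011, 5, 2)},
    {"hostname": "10.1.2.77", "platform": "Windows 2003", "org": "EMEA", "name": "http",
     "port": 80, "protocol": "tcp", "category": "Web", "high_risk": False, "authorized": False,
     "discovered": date(2011, 9, 10)},
    {"hostname": "ws-101.corp.example", "platform": "Windows 7", "org": "AMER", "name": "http",
     "port": 80, "protocol": "tcp", "category": "Web", "high_risk": False, "authorized": False,
     "discovered": date(2011, 9, 1)},
    {"hostname": "ws-102.corp.example", "platform": "Windows 7", "org": "AMER", "name": "telnet",
     "port": 23, "protocol": "tcp", "category": "Remote Access", "high_risk": True, "authorized": False,
     "discovered": date(2011, 6, 20)},
    {"hostname": "sw-core.corp.example", "platform": "Cisco IOS", "org": "EMEA", "name": "snmp",
     "port": 161, "protocol": "udp", "category": "Management", "high_risk": False, "authorized": True,
     "discovered": date(2011, 1, 15)},
]

def app_summary(apps, today=TODAY):
    """Application Summary rows keyed by Application Category."""
    rows = defaultdict(lambda: {"total": 0, "high_risk": 0, "authorized": 0, "unauthorized": 0, "new": 0})
    for a in apps:
        row = rows[a["category"]]
        row["total"] += 1
        row["high_risk"] += int(a["high_risk"])
        row["authorized" if a["authorized"] else "unauthorized"] += 1
        if today - a["discovered"] <= NEW_WINDOW:
            row["new"] += 1
    return dict(rows)

def build_report(rows, **criteria):
    """Navigation-bar query: keep rows whose fields equal every criterion given
    (for example port=80, authorized=False); a criterion left out means "global"."""
    return [r for r in rows if all(r[k] == v for k, v in criteria.items())]

def filter_rows(rows, field, pattern):
    """Filter tab: keep rows whose field matches a case-insensitive regular expression."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [r for r in rows if rx.search(str(r[field]))]
```

Running `build_report(APPS, port=80, authorized=False)` reproduces the port-80 query, and `filter_rows(..., "platform", r"Windows 2003")` narrows it the way the Filter tab did in Figure 5-s.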

Figure 5-u: External Asset Summary

NOTE: This navigational bar displays quick links to the other asset inventory reports located under the Control Panel area.

Figure 5-v: External Asset Summary (Cont'd)

Reviewing the interface for the External Asset Summary page, we notice a few differences compared to the other summary pages that we've seen thus far. For starters, you won't find a search box or a navigational bar in which to enter query parameters. Instead, this report is more pre-defined in its content. This is principally because far fewer assets generally fall under this realm, although these assets are regarded as extremely critical. The anatomy of the page is broken down as follows:

Externally Accessible Applications
As the name states, these apps can be accessed from outside your external gateway. This bar graph maps services and ports (on the Y-axis) to the number of applications that sustain traffic to those ports from the outside world (quantity shown on the X-axis).

Externally Visible Hosts by Platform
The pie chart in this section of the summary page reveals the hosts that are home to the applications that are externally accessible.

External Hosts Inventory
Lastly, the summary tables reveal the details at a host-by-host level, along with the O/S type for that host and the number of open ports that were detected during the previously conducted Discovery Scans.

Using the tabular view of the data presented on the summary page, you'll be able to get more detailed information related to each host shown on the summary page. As always, if this data needs to be exported, the Export to Excel link provides that capability. The external option must be used only when an organization's architecture allows for scanners to be positioned outside the enterprise. Generally, this would be a vulnerability scanner and a discovery scanner. Let us move ahead to the next section in reporting.

Rogue Technology

This section of the Reporting module presents data about unauthorized or unknown networks, hosts and services discovered within your enterprise. These can be viewed using the set of Rogue Technology reports. Results obtained from these reports can be used to track the detection of rogue technology over time and ultimately to understand how these types of unauthorized resources were able to be introduced into the corporate network. Rogue assets have also been discussed in the other reporting sections, in terms of the rogue assets that exist within each section. These summary reports consolidate that information for better visibility and tracking.

Summary Reports

The summary reports for rogue technology break the data into three tiers: rogue applications, rogue hosts, and rogue networks. Again, as with all of the other reports delivered by the portal, the data has been collected through previously conducted scans that identified these rogue technologies within the enterprise.
We begin by understanding the various parts of the main Summary Reports page. On the portal, follow Reporting > Rogue Technology > Summary. The Summary page displays the information below:

Rogue Host Statistics
Tabular representation of data related to rogue host assets (by category), in aggregate, as well as the number that are new. The number of the total rogue hosts that are past due for remediation is also listed.

Rogue Hosts by Category
Graphical representation (bar graph) of rogue hosts (by category) across the organizational units of the enterprise.

Rogue Application Statistics
Tabular representation of data revealing raw figures on rogue applications (ports) across the various application categories. Numbers related to how new they are and whether or not they are past due for remediation are listed as well.

Rogue Applications
Graphical representation (bar graph) of rogue applications across the organizational units of the enterprise.

Rogue Network Statistics
Table that reveals a raw count of rogue networks that have been identified, the number that are new, and the number that are past due for remediation.

Total Rogue Networks
Graphical representation (line graph) of the number of rogue networks over the course of one year.

Overall, the summary page for Rogue Technology is divided into three sections: Hosts, Applications, and Networks. Each section has a link, entitled Manage Rogue (Hosts/Apps/Networks), for addressing past due rogue assets that require mitigating actions. This leads to reports that help the user manage remediation. Figures 5-w and 5-x show screenshots of the Rogue Technology Summary page, which can be accessed by clicking Reporting > Asset Inventory > Rogue Technology > Summary in the Control Panel.

Figure 5-w: Rogue Technology Summary

Figure 5-x: Rogue Technology Summary (Cont'd)

Now that we have a good understanding of what type of data is reported for Rogue Technology, let us take a more in-depth look at each of the sub-menus under the Rogue Technology menu tree. To view the Rogue Technology summary report, follow the instructions below:

1. Click Reporting > Rogue Technology > Summary. The Rogue Technology Summary page displays (as shown in figures 5-w and 5-x).
2. Click the Manage Rogue Hosts link. The Rogue Hosts page displays (as shown in figure 5-y).

Figure 5-y: Rogue Technology Summary - Manage Rogue Hosts

This page provides the following information regarding rogue hosts:

Host Name - This is a clickable link that indicates the hostname of the rogue host.
IP Address - This is a clickable link that indicates the IP address of the rogue host.
OS Type/Version - Indicates the operating system type and version of the rogue host.
Region/Division - Indicates the region/division of the rogue host.
Detected - Indicates the date on which the rogue host was first detected by SRAS.

3. Click a link in the HostName column of the Rogue Hosts page. The View Hosts page displays.

NOTE: The View Host page in this section presents similar options and features to those discussed earlier.

4. Click the Authorize tab in the Assigned To column to authorize an individual rogue host. The Authorize Rogue Host pop-up displays (as shown in figure 5-z). Authorizing a rogue host prevents the host from being reported as rogue in future scans.

Figure 5-z: Authorize Rogue Host

5. Select an appropriate reason to authorize the host from the Reason drop-down list.
6. Click Authorize Rogue Host to return to the Rogue Hosts page.
7. Click the Assign tab in the Assigned To column to assign an individual rogue host for remediation. The Assign Rogue Host for Remediation pop-up displays (as shown in figure 5-aa).

Figure 5-aa: Assign Rogue Hosts for Remediation

8. Select the name of the user to whom the remediation task is to be assigned from the Assign Remediation to drop-down list.

NOTE: Assignment is part of the internal workflow of SRAS. As a best practice you must automatically assign rogue remediations. To automate assignment, follow Portal Administration > Portal Configuration > Auto Assignment.

The Authorize and Assign functions can be performed collectively by following the instructions below:

a. Select the hosts to assign by clicking the respective checkboxes next to the Assign To column.
b. Select a reason to authorize the hosts from the Authorization Reason drop-down list at the bottom right corner.
c. Select the user to assign the remediation task to from the Assign to drop-down list at the bottom right corner.
d. Click Authorize/Assign Selected Hosts to authorize/assign the hosts.

The Manage Rogue Applications and Manage Rogue Networks links provide similar data, options, and features for rogue applications and networks respectively.

Rogue Network Reports

Rogue networks pose serious threats to any enterprise's network; therefore, being able to understand the information behind a discovered rogue network is pivotal for remediation. Users can reach this menu by clicking Reporting > Rogue Technology > Rogue Networks in the Control Panel. First, it is worth mentioning that the Rogue Networks report is less feature and parameter driven than some of its sibling reports under Rogue Technology. As a result, selecting a view of Rogue Networks simply provides the user with a list of networks organized by Network Name, Subnet, Network Mask, Number of Addresses Used, and the date on which the network was detected. One of the key features of this page is the ability to authorize networks and/or to assign remediation to a pre-defined user. No further reporting options exist for this list of data beyond exporting to an MS Excel spreadsheet.

NOTE: As a best practice, when a valid rogue network is found, authorize it and identify the organizational unit it belongs to. Many organizations rename the individual networks to provide clarity to reporting and management.

It should be added that it is possible to select multiple rogue network listings and assign them for remediation, as well as to authorize multiple networks at the same time. The rogue networks are categorized as:

Company Network
Third Party Network

Figure 5-ab: Rogue Networks

Rogue Hosts Reports

Rogue hosts are almost a certainty in a large enterprise. Fortunately, the SRAS asset discovery engine makes keeping track of these assets a lot easier. These reports give any IT manager a great resource for understanding how to control rogue hosts and for searching for the root cause of their occurrence within the enterprise. In order to access the Rogue Hosts reports, users must click Reporting > Rogue Technology > Rogue Hosts in the Control Panel. Figure 5-ac shows the main user interface that is presented when viewing data related to rogue hosts. A navigational bar allows search/filter parameters to be applied to all rogue host data. Customizing the filter parameters to values that help the user obtain precise information can be step one of remediation.

Figure 5-ac: Rogue Hosts

Remember that any customized report (produced using the drop-down controls on the navigational bar) can be exported to MS Excel for your convenience. Rogue host information is organized in tabular form by listing the following pieces of information:

Host Name (may be the same as the IP Address if no hostname is provided)
IP Address
O/S Type & Version
Geographical Location of Rogue Asset
Date Rogue Host was initially detected

Above and beyond being able to provide search parameters in order to filter data results, Rogue Host reporting also allows you to authorize hosts that have been designated as rogue. Similarly, the user is able to select single or multiple hosts for assignment to the personnel who would be in charge of remediation. Using the navigational bar with the drop-down controls for report data filtering follows the same functionality found in the other reporting interfaces. Selecting choices across the pre-defined domains will narrow results to the set of criteria that was defined. The pre-defined categories for further filtering are listed below. Results can be filtered on the following:

Geographic/Location
Host Category
O/S Type
O/S Version
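As an added example that is not part of SRAS, the following Python sketches the rogue host workflow described in the Summary Reports steps above and in this section: filtering by the pre-defined categories (Geographic/Location, Host Category, O/S Type, O/S Version), authorizing a host with a reason so it is no longer reported as rogue, assigning a host for remediation individually or as a checked group, and the "past due for remediation" count shown on the summary page. The host list, the reason list and the 14-day remediation threshold are constructed assumptions; the chapter does not state the threshold SRAS uses.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TODAY = date(2011, 9, 15)              # assumed "today" for the past-due test
REMEDIATION_SLA = timedelta(days=14)   # assumed; SRAS's actual threshold is not given here
# Constructed authorization reasons, standing in for the Reason drop-down list.
AUTH_REASONS = {"Known asset", "Third party managed", "Lab equipment"}

@dataclass
class RogueHost:
    hostname: str          # equals the IP address when discovery found no hostname
    ip: str
    os_type: str
    os_version: str
    location: str          # Geographic/Location filter
    category: str          # Host Category filter
    detected: date         # date the host was first detected
    authorized: bool = False
    auth_reason: Optional[str] = None
    assigned_to: Optional[str] = None

# Constructed rogue host list; names, addresses and dates are invented.
ROGUES = [
    RogueHost("10.20.1.1", "10.20.1.1", "Cisco Router", "IOS 12.4", "Europe", "Infrastructure", date(2011, 8, 1)),
    RogueHost("rtr-lab-2", "10.20.1.2", "Cisco Router", "IOS 15.0", "Europe", "Infrastructure", date(2011, 9, 12)),
    RogueHost("10.30.5.9", "10.30.5.9", "Windows", "XP", "North America", "Workstation", date(2011, 7, 20)),
    RogueHost("nas-01", "10.20.7.4", "Linux", "2.6", "Europe", "Server", date(2011, 9, 14)),
]

def filter_rogue_hosts(hosts, **criteria):
    """Drop-down filters on the navigational bar: every given field must match exactly."""
    return [h for h in hosts if all(getattr(h, k) == v for k, v in criteria.items())]

def authorize_host(host, reason):
    """Authorize tab: record the reason; the host is no longer reported as rogue."""
    if reason not in AUTH_REASONS:
        raise ValueError("unknown authorization reason: %r" % reason)
    host.authorized, host.auth_reason = True, reason
    return host

def assign_host(host, user):
    """Assign tab: hand the host to a user for remediation."""
    host.assigned_to = user
    return host

def authorize_assign_selected(hosts, selected_ips, reason=None, assignee=None):
    """Collective action (Authorize/Assign Selected Hosts): apply the chosen reason
    and/or assignee to every checked host and return the hosts that were acted on."""
    chosen = [h for h in hosts if h.ip in selected_ips]
    for h in chosen:
        if reason is not None:
            authorize_host(h, reason)
        if assignee is not None:
            assign_host(h, assignee)
    return chosen

def open_rogues(hosts):
    """Hosts still counted as rogue: those not yet authorized."""
    return [h for h in hosts if not h.authorized]

def past_due(hosts, today=TODAY, sla=REMEDIATION_SLA):
    """Rogue hosts detected longer ago than the remediation threshold and still unresolved."""
    return [h for h in open_rogues(hosts) if today - h.detected > sla]
```

`filter_rogue_hosts(ROGUES, location="Europe", os_type="Cisco Router")` is the same narrowing the next page performs with the drop-down controls; the ValueError on an unknown reason mirrors the fact that the portal only accepts a reason from its list.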

Filtering results is as easy as selecting from the drop-down controls in the top navigational pane. As an example, let us assume we want to narrow down our report of 517 hosts to a more specific target. Realistically, let us say that we were only concerned with all Cisco Router related hosts within Europe. Selecting the appropriate values in the drop-down navigation bar produces a more targeted result set of 34 hosts instead of the total of 517 hosts that were presented at first. Figure 5-ad provides a screenshot of the interface that would be created given the parameters submitted for the search.

Figure 5-ad: Refined Rogue Host Search

As we can see in the screenshot, the query results are narrower and reflect the Geography/Location and the OS type of the asset. Now that you have a good idea of how to identify rogue hosts effectively, let us turn our attention to reporting on rogue applications.

Rogue Apps Reports

Rogue applications are difficult to contain within an enterprise, particularly when users may be granted privileged access to their local machines and even select servers. The end goal of running these reports is to gauge how IT managers can keep track of rogue applications that may prove harmful to their networked surroundings. The Rogue Application reports have the same features and functionality as many of the previously covered reports. Essentially, a main report page reveals the aggregate number of rogue applications, categorized into various groups. Through the use of the navigational bar (at the top of the page), additional filters can be applied to limit results by region, OS, category, application name, and port number used. Similar to the other reports already covered, the user has the ability to authorize the reported application or assign remediation steps to registered personnel. Below we see a snapshot of the page's interface.

Figure 5-ae: Rogue Applications

NOTE: A complete port list is provided for the convenience of the portal end-user.

As with the other reports, we are now going to filter these unfiltered results (totaling 971 applications) to look solely at applications that meet specific criteria. For example, let us say that we are simply concerned about P2P file sharing taking place in North America. Adjusting the Geography/Location as well as the Application Category should accomplish this business interest. The resulting report is generated upon clicking the button labeled Build Report (as shown in figure 5-af).

Figure 5-af: Refined Rogue Application Search

Reviewing the results, we see that our customized report yielded only one violation in North America, for a Limewire installation.

Helpful Tips for Rogue Asset Reporting

Remember that all report screens have the ability to export to a spreadsheet format, authorize the rogue asset, and initiate the remediation process. Don't forget to check whether the navigational filter bar is on your screen; it may be able to provide you with targeted information related to rogue technologies. Be mindful of what your query parameters are set to. Users can increase or decrease the number of results per page by using the drop-down control located at the bottom right of all report pages.

This concludes our view of the reports associated with Rogue Technology. We now proceed to mastering the features of Vulnerability Reporting.

Vulnerability

All of the pre-defined vulnerability reports can be accessed by clicking Reporting > Vulnerability in the Control Panel. The Vulnerability reports include the following:

Summary Reports - Provide high level reporting that aggregates all other specific report data related to vulnerabilities.
By Application - Provide vulnerability data reported by application categories and application names.
By Platform - Provide vulnerability data reported by platform.
By Network - Provide vulnerability data reported across pre-defined network(s) within the enterprise.
By Host - Provide vulnerability data found to be present across enterprise hosts discovered on the network.
By Vulnerability - Provide a listing of vulnerabilities checked for across enterprise information assets and the affected platforms and/or apps.
Patches - Provide data related to patch levels across the enterprise, by platform and geographic location.
External - Provide vulnerability data that exclusively relates to external data environments.
DeepSight - Provide vulnerability data that exclusively relates to DeepSight DataFeeds.
Many of the Vulnerability reports offer very similar functionality and features. Specifically, the vulnerability reports related to application, platform, network, and hosts (reports 2 to 5 listed above) are identical in terms of interface, functionality, and features for report customization. As a result, this manual will address those sections collectively in the subsequent and relevant sections of Vulnerability reporting.

Summary Reports

The following pages provide instructions for understanding the summary page for vulnerability reports. Similar to the previously addressed summary report sections, this portal page provides a total view of vulnerability data across applications, hosts, networks, and platforms. As with most summary reports, the Vulnerability Summary page provides filtering capabilities that allow customized reports to be built by geographic location, classification, category, business application, platform, and service port. We begin by reviewing Figures 5-ag and 5-ah, which show the interface of the Vulnerability Summary page.

Figure 5-ag: Vulnerability Management

NOTE: Again we see the grey navigational bar that provides filtering of the Vulnerability Report page. The search box also provides additional filtering capabilities using keyword search techniques.

Figure 5-ah: Vulnerability Management (Cont'd)

As seen above, two key filtering capabilities are provided: the user can filter summarized data results by specific values from the drop-down controls (in the navigational bar located at the top of the page) as well as by keywords entered in the search box.

Vulnerability by Risk Level
The various bands of color denote shades of risk relative to the vulnerability types that are present within the enterprise. This cylindrical histogram maps out the number of vulnerabilities across organizational units within the enterprise, based upon varying risk levels and closed risk items.

Vulnerability Search
Provides keyword search capabilities to filter vulnerability data.

Vulnerability Scan Statistics
Provides statistics on the number of vulnerabilities across the enterprise relative to those that are new, closed, their risk levels and the time period during which they were or are present within the environment(s).

Top High Risk Vulnerabilities
A quick way to determine the highest risk vulnerabilities found within your network.

High Risk Vulnerability by OS Type
Pie chart mapping out the greatest risk-bearing vulnerabilities by the platforms located on the network.

To view a vulnerability summary report, follow the instructions below:

1. Click Reporting > Vulnerability > Summary. The Vulnerability Management Summary page displays (as shown in figures 5-ag and 5-ah).
2. Click a link in the Vulnerability Name (Port Number/Protocol) column of the Top High-Risk Vulnerabilities table. The Vulnerability Detail page displays (as shown in figure 5-ai).

Figure 5-ai: Vulnerability Detail

This page is divided into two sections:

Vulnerability Description - Provides details such as Vulnerability Name, Risk Level, Service Name, Port/Protocol, Open Instances, Closed Instances, Filtered Instances, Policy information, etc. The CVE and CVSS information, if available, can be found on this screen. Vulnerability descriptions and recommended solutions can be edited or customized to meet the organization's needs.

Hosts Affected - Provides details regarding the various hosts that have been affected by the vulnerability. The details include Host Name, IP Address, OS Type/OS Version, Region/Division, Date Detected, and Last Detected date. The Hostname and IP Address columns have clickable links that lead to the View Host page. The View Host page presents all hosts affected by the vulnerability. The options and features of the View Host page in this section are similar to those of the View Host page in the previous sections of this chapter.

3. Click the Assign/Filter/Close tabs adjacent to the vulnerability to perform the respective functions on individual hosts. The same result can be achieved collectively on a group of hosts by clicking the checkboxes and using the Assign/Filter/Close Selected Hosts tabs at the bottom right corner of the Vulnerability Detail page.

NOTE: When a false positive is verified, use the Filter function on a single host or on a global basis to eliminate the false positive.

Vulnerability Reports by Application, by Platform, by Network, by Host

As noted earlier, the vulnerability reports that relate specifically to applications, platforms, networks, and hosts all have similar features and functionality on their respective report pages. As a result, we will speak of them collectively in this section and walk through the parts of the report that are universal to all report types. All of these report types can be individually accessed by clicking Reporting > Vulnerability > by Application/Platform/Network/Host on the Control Panel. For the purposes of understanding this section, we will be using the report related to applications. All the other report types have similar functionality and features.

The layout of each of these vulnerability report pages is very straightforward. The first half of each report page is a histogram that graphically maps out the number of vulnerabilities across applications, platforms, networks (by subnet), and hosts (by IP address/hostname). The second half of the report page provides the details related to the vulnerabilities across applications, platforms, networks, and hosts. Universal to all four of the vulnerability report types covered in this section are details related to the vulnerabilities, categorized by risk level (high, medium, and low). Vulnerabilities can also be highlighted by CVE scores, when this data is present in the vulnerability feed.
Figure 5-aj shows the screenshot for vulnerability reports (By Application is the example used). Below is again a brief description of each section of the report interface.

Figure 5-aj: Vulnerabilities by Application

NOTE Don't forget to filter your data using the drop down controls for more targeted information results.

Most Vulnerable Applications - Graphical representation of total vulnerabilities across applications/application groups. Similarly, vulnerabilities are graphed against defined platforms (OS), networks (by subnet/netmask), and hosts (hostname or IP address). Most of the graphs reflect only high level vulnerabilities across most information assets; however, the Vulnerability by Hosts report actually includes color bands that denote low, medium and high vulnerabilities by host.

Vulnerabilities by Application Detailed Report - Tabular data representation that lists all services, port numbers, and protocols along with the total number of vulnerabilities assigned to that application service. The differences in the other reports are mainly in the first 4 columns of the report interface. Field names in the other reports may vary to include category levels, number of hosts affected per vulnerability, geographic location, classification, and O/S Type.

The options and features provided by vulnerability reporting are similar for Vulnerability By Application, By Platform, By Network, and By Host. For ease of understanding, we will take up Vulnerability By Host. To view the vulnerability report by host, follow the instructions below:

1. Click Reporting > Vulnerability > By Host on the Control Panel. The Vulnerabilities By Host page displays. This page is divided into two sections. The first half, the Most Insecure Hosts (Vulnerabilities per network host) section, provides a graphical representation of the hosts that have the maximum number of vulnerabilities. The second half is a tabular representation of the same data from the first section (as shown in figure 5-ak).

Figure 5-ak: Vulnerabilities By Host

The following information is provided by this table regarding vulnerabilities by host:

Host Name - This is a clickable link that indicates the name of the host.
IP Address - This is a clickable link that indicates the IP address of the host.
OS Type/OS Version - Indicates the operating system type/version of the host.
Region/Division - Indicates the region/division of the host.
Classification - Indicates the classification of the host in terms of vulnerabilities.
High - Indicates the total number of hosts with high risk level vulnerabilities.
Medium - Indicates the total number of hosts with medium risk level vulnerabilities.
Low - Indicates the total number of hosts with low risk level vulnerabilities.

2. Click a link in the Host Name column. The View Host page displays. This page is similar to the View Host page discussed in earlier sections of this chapter. A user can access information about applications, vulnerabilities, configuration, policy violations, OS fingerprinting, and documentation regarding the host from this page.

Similar instructions can be followed to get Vulnerabilities By Application, By Platform, and By Network.
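To make the Open/Closed/Filtered instance states of the Vulnerability Detail page, the single-host versus global filter of a verified false positive, and the High/Medium/Low roll-up behind the Vulnerabilities By Host table concrete, here is an added Python example. It is not SRAS code and does not describe the portal's internal data model; the class and method names are the example's own assumptions, and every hostname, IP address and vulnerability name is constructed sample data.

```python
"""Added example (not SRAS code): an in-memory model of vulnerability instances
with the open / closed / filtered states the Vulnerability Detail page reports,
the Assign / Filter / Close actions on one host or globally, and the per-host
risk roll-up of the Vulnerabilities By Host table. All data is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

RISK_LEVELS = ("High", "Medium", "Low")


@dataclass
class Instance:
    host: str                       # hostname (constructed)
    ip: str                         # IP address (constructed)
    vuln: str                       # vulnerability name (constructed)
    risk: str                       # "High" | "Medium" | "Low"
    state: str = "open"             # "open" | "closed" | "filtered"
    assigned_to: Optional[str] = None


class VulnerabilityStore:
    def __init__(self, instances):
        self.instances = list(instances)

    def instance_counts(self, vuln):
        """Open / Closed / Filtered instance counts shown on the detail page."""
        c = Counter(i.state for i in self.instances if i.vuln == vuln)
        return {"open": c["open"], "closed": c["closed"], "filtered": c["filtered"]}

    def _apply(self, vuln, host, action):
        """Apply an action to every instance of vuln on one host (or all hosts
        when host is None); returns how many instances were touched."""
        touched = 0
        for i in self.instances:
            if i.vuln == vuln and (host is None or i.host == host):
                action(i)
                touched += 1
        return touched

    def assign(self, vuln, user, host=None):
        return self._apply(vuln, host, lambda i: setattr(i, "assigned_to", user))

    def filter_false_positive(self, vuln, host=None):
        """Verified false positive: filter on a single host or globally."""
        return self._apply(vuln, host, lambda i: setattr(i, "state", "filtered"))

    def close(self, vuln, host=None):
        return self._apply(vuln, host, lambda i: setattr(i, "state", "closed"))

    def hosts_affected(self, vuln):
        """Hosts Affected section: hosts with an open instance of the vulnerability."""
        return sorted({i.host for i in self.instances if i.vuln == vuln and i.state == "open"})

    def by_host(self):
        """Vulnerabilities By Host rows: open instances per host by risk level,
        ordered like Most Insecure Hosts (most High, then Medium, then Low)."""
        rows = defaultdict(lambda: {r: 0 for r in RISK_LEVELS})
        for i in self.instances:
            row = rows[i.host]          # every known host gets a row, even with 0 open
            if i.state == "open":
                row[i.risk] += 1
        return sorted(rows.items(), key=lambda kv: tuple(-kv[1][r] for r in RISK_LEVELS))


def sample_store():
    """Constructed sample instances; not data from any real scan."""
    return VulnerabilityStore([
        Instance("web01", "10.0.0.11", "Outdated TLS", "High"),
        Instance("web01", "10.0.0.11", "Directory listing", "Medium"),
        Instance("web02", "10.0.0.12", "Outdated TLS", "High"),
        Instance("db01", "10.0.0.21", "Weak SNMP community", "High"),
        Instance("db01", "10.0.0.21", "Banner disclosure", "Low"),
        Instance("jump01", "10.0.0.31", "Banner disclosure", "Low"),
    ])


if __name__ == "__main__":
    store = sample_store()
    store.filter_false_positive("Banner disclosure", host="jump01")   # one host
    store.close("Outdated TLS", host="web02")
    for host, counts in store.by_host():
        print(host, counts)
```

Filtering globally touches instances on every host, including ones already filtered, so the returned count is the number of instances matched, not the number newly changed; the per-host table is rebuilt from the instance states each time rather than kept as running totals, which is what keeps it consistent after Filter and Close actions.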
Vulnerability Reports by Vulnerability

At face value, a vulnerability report by vulnerabilities may seem to be rhetorical; however, the objective of this report type is to provide a one stop source of all vulnerabilities managed by the SRAS Portal and to show how each listed vulnerability is manifested in the tabular report known as the Vulnerability Distribution Report.

The report itself is very straightforward, offering users the ability to dig deeper into each vulnerability listed; each entry is a hyperlink to another page revealing which hosts, networks, and applications are affected by the selected vulnerability. The amount of vulnerability data presented by this report is quite extensive; therefore, taking advantage of the filtering features of the report page may prove to be a valuable ally. The horizontal navigation bar at the top of the page is present along with the filter box, located just above the vulnerability report data. As with most other reports, results on the page can be regulated by the number of rows that are listed. Additionally, data can be easily exported to MS Excel for further manipulation. Figure 5-al shows the Vulnerability Report interface.

Figure 5-al: Vulnerability Report

The report building parameters for Vulnerability Reports can be customized by clicking the Customize tab next to the Data tab. The interface to customize the Vulnerability Reports displays (as shown in figure 5-am).

Figure 5-am: Customize Vulnerability Report

Clicking Show Details presents the Vulnerability Report page with clickable links in the Name column. Clicking these links presents the Vulnerability Detail page (as shown in figure 5-an).

Figure 5-an: Vulnerability Details

NOTE Each vulnerability line item is a hyperlink to more details related to that vulnerability and the assets it affects. Results show individual hosts by IP address, along with OS type, location, date detected, and to whom remediation is assigned. Filtering can be accomplished at many levels and in different areas.

To view vulnerabilities by vulnerability, follow the instructions below:

1. Click Reporting > Vulnerability > By Vulnerability on the Control Panel. The Vulnerability Report page displays (as shown in figure 5-al).

2. Click a link in the Name column of the Data tab. The Vulnerability Detail page displays (as shown in figure 5-an). This page provides the vulnerability description and information such as Vulnerability Name, Risk Level, Service Name, Port/Protocol, etc.

3. Click a link in the Host Name/IP Address column of the Hosts Affected section. The View Host page displays (discussed in previous sections).

Security Patch Report

This report provides a quick, helpful glance at patching across the enterprise by revealing patches by vendor as well as unpatched platforms and high risk patch compliance values by geography. A simple yet powerful report, it provides sufficient detail to further patch management efforts based upon risk and compliance areas. Below we see the key areas that make up the user interface of the security patch report:

Missing Patches by Vendor - This section of the report offers users the ability to see which patches have not been applied to applications/platforms related to various vendors within the enterprise. The tree branches shown next to the vendor name expand to reveal the vendor bulletin, associated vulnerability, risk level, and number of hosts affected.

Top 5 Unpatched Platforms - Platforms are shown on the Y-axis and are graphed using a cylindrical histogram by quantity of both patched and unpatched hosts.

High Risk Patch Compliance By Geography - This cylindrical histogram shows the number of unpatched high compliance risk hosts across organizational units within the enterprise.

The screenshot of the patch report interface is shown in Figure 5-ao.

Figure 5-ao: Vulnerability By Patches

The options and features provided by this section are similar to the Vulnerability By Vulnerability section.

External Vulnerability Report

Related to externally accessible hosts, this vulnerability report provides more graphical charts than any other vulnerability report. This section is referred to only when the architecture of an organization allows external scanning of the enterprise. The purpose is to highlight the importance of the perimeter assets and their vulnerabilities. Each graphical report provides a cylindrical graph that is banded by the different risk levels. Graphs depict the most vulnerable applications and hosts within the external environment. This report can be easily accessed by visiting the Reporting menu link within the Control Panel and expanding the Vulnerability tree to reveal the last report listed, Patches. The contents of this report can be mapped out as follows:

Most Vulnerable External Applications - The number of vulnerable applications is shown in this cylindrical histogram that has banded tiers related to risk levels.

External Vulnerability Scan Statistics - This table shows results from vulnerability scans and their related risk levels. High, Medium, and Low risk levels are shown for assets that have been scanned in either the last 7, 30, or 90 days.

Most Vulnerable External Hosts - This banded bar graph shows high, medium, and low risk (related to vulnerabilities) for the top seven hosts in the externally accessible environment.

External Vulnerability Detail - This detail table provides rows of vulnerability names and the related services, ports, risk levels, occurrences, and lastly description.

Now that we have a good understanding of this report and its functions, let us take a look at it visually in the following screenshots, Figures 5-ap and 5-aq.

Figure 5-ap: External Vulnerability Management Summary

Figure 5-aq: External Vulnerability Management Summary (Cont'd)

Let's move ahead to the next section on Reporting on Configuration.

DeepSight Reports

Symantec DeepSight DataFeeds help large enterprises reduce exposure to security risks with comprehensive, actionable, real-time intelligence on active threats, vulnerabilities, and mitigation recommendations from the Symantec global intelligence network. This unparalleled source of intelligence data leverages Symantec's expertise as the leader in information security and early warning solutions. The Symantec DeepSight Vulnerability DataFeed, with Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS) scoring, is a single, customizable source for vulnerability information that includes mitigation guidance, impact analysis, and links to security patches. The Symantec DeepSight Security Risk DataFeed provides adware, spyware, and malicious code alerts based on a detailed analysis of active threats.

You must automate your global security intelligence data update. The vulnerability SCAP feeds from DeepSight provide early warning for potential vulnerabilities via standard SCAP information in order to identify the potentially affected hosts.

Click Reporting > Vulnerability > DeepSight to display the DeepSight Potential Vulnerabilities Report screen. This report summarizes the DeepSight Potential Vulnerability warnings. The report is initially sorted by the Last Update field in order to show the most current updates first. The data displays under the following column names:

Title - The title as defined by the unique DeepSight vulnerability.
Last Update - This datetime comes from DeepSight. It is the last time the vulnerability was updated by the DeepSight system.
Effect - A text passage describing the possible consequences of a successful exploit of this vulnerability.

The following columns are DeepSight vulnerability scores: Impact, Severity, Urgency.

Impact - Rates the impact of a vulnerability. An integer value on the scale of 1 to 10.
Severity - This numerical rating describes the potential damage based on the weighted values for Impact, Availability, Authentication, and Remote. Severity is based on a scale of 0 (low) to 10 (high).
Urgency - This numerical rating implies the priority you should place on fixing or mitigating the vulnerability. It is based on the weighted values of Severity, Ease, and Credibility.

NOTE Credibility is based on a scale of 1 to 6. In order for Credibility to comprise 15% of Urgency, the Credibility value must be multiplied by which makes the credibility scale consistent with other ratings based on a scale of 0 to 10.

CPE Count - Some vulnerabilities can affect multiple platforms. This count provides an indication of how many platforms are affected by this vulnerability. It is a function of how many hosts have actually been discovered by RAS and have a matching CPE value for the CPEs defined in this vulnerability.

Host Count - This is a count of the live hosts identified by RAS that match the definition of this potential vulnerability. Basically, it is the scope of hosts that are potentially affected by each vulnerability.

NOTE The DeepSight integration can be considered an early warning system for vulnerabilities and a way to assess the potential impact!

DeepSight detail report - Vulnerability detail and host list

This report shows more detail for the DeepSight vulnerability. It includes the critical details of the vulnerability as well as a list of hosts, identified by RAS, that match this potential vulnerability.

Configuration Reports

This section of the SRAS reports provides powerful insight into configuration across information assets within the enterprise. Configuration/mis-configuration levels can be isolated by geography, platform, application type, and more using the reports covered in this section. As with most SRAS reports covered thus far, these reports provide both rich graphical representations of the data and tabular, detailed representations of the data. The set of configuration reports can all be accessed by clicking Reporting > Configuration on the Control Panel. The features present under the Configuration section are as follows:

Software - Supplies configuration data related to anti-virus agents, anti-spyware software, development IDEs, databases, etc.
Hardware - Provides hardware related info and configuration details related to all types of hardware devices on the network and categorizes them by hardware type.
User Accounts - Data collected from authorized scans; user account configuration data is a quick way to see how both local and domain level accounts have been configured across various information assets on the network.
System Configuration - Provides the service type configuration of information assets found across the enterprise.
Data Protection - Related to Data Loss Prevention and privacy efforts, this report highlights the file shares and file sharing permissions within your enterprise. This is a great report to denote which information assets are in scope for these sensitive issues.
Patches - Patch configuration information relative to hot fixes and updates by software providers/manufacturers. This is a convenient way to confirm which patches have been installed.
Scan Summary - This report is more of a scanning report relative to previously conducted scans on the network, covering error messages received while scanning as well as scans that were successfully completed.
All Categories - As the name implies, this report provides an aggregate detailed view of all configuration information relative to all information assets discovered and managed by the SRAS portal.

As was the case with the Vulnerability Reports in the last section of this manual, many sections of the Configuration Reports offer the same features and functions. As a result, the following Configuration Report sections have been bundled together: System Configuration, Data Protection, Patches.

Software Inventory

The software inventory configuration report will become your new ally in the fight to sustain compliance in software configuration. This reporting page packs massive amounts of information, both graphically and in a tabular format. The information revealed by this report provides software configuration stats across all organizational units for both authorized and unauthorized software assets. The following page dissects the configuration reporting page in greater detail.

NOTE The software inventory report is often used to assess license compliance for major software vendors. This screen must be referred to by those in the enterprise who are charged with license compliance.

Figure 5-ar: Software Inventory

Figure 5-as: Software Inventory (Cont'd)

The five identified sections above all offer distinctive details on software that has been previously identified by the SRAS portal. These details are presented in order on the subsequent page.

Software Search - Keyword software search that allows software assets to be found by a key word.

Top 10 Software - This section reveals a listing of software assets per category listed in the drop down menu. The number of software assets is listed in the count column on the right side, where the numerical values themselves are hyperlinks to what those software assets are. Below is a quick snapshot of what the drop down list includes. These categories can be customized by the customer, which is done frequently.

NOTE Many customers identify software titles which are not allowed in the enterprise and create a single category of those titles. This makes it very easy to identify the assets that do not follow the policy and also simplifies the remediation.

Detailed Software Inventory - Shows software by software category, total installations, and licenses present for software assets throughout the global organization or filtered by organizational units within the enterprise. Licenses present in the organization are manually entered to provide insight on when the number of installations visible on assets exceeds the number of licenses.

To view the software configuration detail report, follow the instructions below:

1. Click Reporting > Configuration > Software on the Control Panel. The Software Inventory page displays (as shown in figures 5-ar and 5-as).

2. Click a link in the Software Category column. The Installed Software - Inventory Report page displays (as shown in figure 5-at).

Figure 5-at: Installed Software - Inventory Report

This page provides the following information about the installed software:

Software Title - A clickable link that indicates the name of the software. This link leads to the Installed Software - Summary Report page.
Vendor - Indicates the name of the manufacturer of the software.
Cost Per License - Indicates the cost of a single license of the software. (manual entry)
Licenses - Indicates the total number of licenses purchased. (manual entry)
Installs - Indicates the total number of licenses that are identified with the configuration scans.
Net Count - Indicates the net count. A positive number here could possibly indicate too many licenses, while a negative number may indicate too few licenses.

3. Click Update in the last column. The Software Profile page displays (as shown in figure 5-au).

Figure 5-au: Software Profile

4. Select an appropriate category from the Category drop-down list.
5. Enter the total number of licenses for the software in the field provided.
6. Enter the cost per license in the field provided.
7. Select Yes/No from the Authorized drop-down list to set the authorization status of the software.
8. Select an appropriate vendor name from the Vendor Name drop-down list.
9. Enter any comments in the field provided, such as the reason for the update.
10. Click Update Software Profile to save the information and return to the Installed Software - Inventory Report page.
11. Click a link in the Software Title column. The Installed Software - Summary Report page displays (as shown in figure 5-av).

Figure 5-av: Installed Software - Summary Report

12. Click a link in the subcategory name column. The Installed Software - Detail Report page displays (as shown in figure 5-aw). The Invert Results checkbox is a great way to point out all the assets where a particular title of software is not installed instead of which assets have it.

Figure 5-aw: Installed Software - Detail Report

13. Click a link in the Hostname/IP Address column of the Detail Report page. The View Host page displays.

NOTE The data columns can be customized by using the Customize tab and selecting the desired data column to build the report.

Hardware Configuration

Similar to the interface for software configuration, the hardware configuration report provides the same report features relative to hardware assets located throughout the enterprise. The primary difference is the grey navigational bar that contains hyperlinks to pre-defined reports relative to the hardware's manufacturer, model, processor, memory, disk drives, serial numbers, and BIOS Asset Tags. It is worth mentioning that both the software and hardware configuration reports offer multiple filtering capabilities through the use of keyword searches, pre-defined report links (in the grey navigational bar, as an example), as well as the additional links and drop down controls commonly found on these reports. Figures 5-ax and 5-ay show the interface for the hardware configuration report page and identify the key areas for this report.

Figure 5-ax: Hardware Inventory

Figure 5-ay: Hardware Inventory (Cont'd)

Predefined Hardware Detail Reports (Manufacturer, Models, Processors, Memory, Disk Drives, Serial Numbers, BIOS Asset Tags) - These predefined reports create a detailed tabular report on each of the listed areas. Clicking the links in the navigation bar will not yield a different rendition of the graphical charts that are listed. An example of what is returned by the reporting engine once one of these links is selected is shown below.

Figure 5-az: Predefined Hardware Detail Report - By Model

NOTE The drop down box allows for further filtering across multiple configuration areas.

Hardware Keyword Search - This area of the report offers keyword functionality similar to the other previously covered keyword searches. In an exemplary test of this functionality, we submitted the word HP, which resulted in the following tabular data results (as shown in figure 5-ba).

Figure 5-ba: Hardware Keyword Search

NOTE In the example above, the subcategory contains the individual assets with the search phrase HP.

Top 10 Model by Hardware Type - This table provides dynamic data related to various pre-defined values within the drop down list control. The Count column reveals the number of hardware assets that are present within the enterprise for the hardware type specified. Below is an example of the output produced.

Hardware Summary Statistics - Information gathered during non-authoritative discovery scans allows for a collection of data relative to hardware components within multiple hosts. Whether or not these hardware components pertain to workstations and/or servers is revealed by the table of data. By default, only the processors, memory, and disk drives are presented to the user. The ability to review all detected processors, memory, and/or disk drives is also present by clicking the blue hyperlink associated with each report area. Similarly, a cumulative hardware report can be revealed by simply clicking the All Hardware link. The visual UI for this section of the hardware configuration report is presented below. Because this reporting page has no unique functionality in comparison to the software configuration section, we'll move ahead to the next section.

User Accounts Configuration Report

Configuration of user accounts is central to a strong user management program as well as to compliance requirements across multiple different regulations. The layout of this type of report strongly resembles the last two covered under the configuration reporting section. Worth mentioning again is the fact that the grey navigational bar contains a lot of pre-defined reports relative to the configuration of user accounts. The following pages reveal sections of the user account configuration report along with a walkthrough of features and functionality unique to this type of report. We begin by first elaborating on the various sections of the user account configuration report page (as shown in figures 5-bb and 5-bc).

Figure 5-bb: User Account Summary

Figure 5-bc: User Account Summary (Cont'd)

User Account Navigational Bar - By clicking any one of the active menu items, a detailed table reveals configuration information relative to various user and domain account settings, including account lockout policy, logins, password controls, and more. The next page reveals a brief example screenshot of a Local Account configuration report.

User Account Distribution - This bar graph reveals both the number of local and domain level accounts found across the organizational enterprise.

User Account Search - This keyword search field, consistent with other configuration reports, provides filtering capabilities against the total dataset displayed on the main page.

Top 10 Accounts with Failed Logins - The data revealed in this box comes from event logs across varying hosts. As a result, the portal is able to portray which logins have received the most failed login attempts. The count column on the far right provides a numeric count of the number of failed login attempts.

User Account Summary Statistics - This graph portrays user account policies and configurations by category and subcategory and lists the number of items that match within the categories or subcategories. Data can be filtered by using the drop down control located at the top right of each detail report. Detail reports can be obtained for all hyperlinks under the User Account Summary Statistics report. The summary statistics are broken up into two key areas: User Accounts and Account Status. Account status information maps out the number of domain and local hosts that have been disabled, locked out, or that are privileged.

Windows Computers Domain Distribution - The pie chart located at the bottom right corner of the configuration report page provides a look into the top ten domain level names across the enterprise.
System Configuration/Data Protection/Patches Report

The following section covers three report areas of the configuration reports, given the similarities amongst all three. All of these reports provide simple, table based data that allow users to review their patch levels, system configuration levels, as well as data protection level. All three reports (System Configuration, Data Protection, and Patches) have the exact same report format, and simply provide record counts as to which assets are configured in a certain manner. Filtering data can be accomplished by selecting the drop down list box at the top left. Similarly, additional filtering can be done by geography using the drop down control list just above the tabular data. For ease of understanding we will take a look at the patches summary report.

1. Click Reporting > Configuration > Patches on the Control Panel. The Patches Summary Report page displays (as shown in figure 5-bd).

Figure 5-bd: Patches Summary Report

This page provides the following information:

Category - Indicates the name of the patch.
Subcategory - This is a clickable link that indicates the subcategory of the patch. This link leads to the Patches - Detail Report page.
Items - This is a clickable link that indicates the total number of such patches discovered. This link again leads to the Patches - Detail Report page.

2. Click a link in the Subcategory column. The Patches - Detail Report page displays (as shown in figure 5-be).

Figure 5-be: Patches - Detail Report

This page provides Hostname/IP Address, Platform, and Patch details. The Hostname/IP Address entries are clickable links that lead to the View Host page and provide details regarding the hosts on which these patches are present.

3. Click Customize to add/delete data columns from the Detail Report page and create a custom built report.

Scan Summary Configuration Report

If you want to get your hands on data related to how well the SRAS portal is scanning against assets within the enterprise, this scan summary configuration report achieves just that. Both tabular and graphical representations of successful scans versus non-successful scans are managed by this report. Scanning errors are detailed in the lower half of the screen and reveal IP address, NetBIOS name, domain name, etc. A screenshot of the Scan Summary Configuration Report is given in figure 5-bf.

Figure 5-bf: Scan Summary

All Categories Configuration

The following screenshot reveals an aggregate look at configuration data for an organization's assets across categories, subcategories, and number of items that were initially detected during the asset discovery and configuration scans.

Figure 5-bg: Configuration Report - All Category

The clickable links in this table lead to pages that have been discussed earlier in the Configuration Reporting section.

Remediation Reports

Remediation reports are quite unique in comparison to the rest of the portal's reporting functions. These reports provide a roadmap to remediate many of the compliance or configuration gaps that exist. They offer predefined information that reveals policy violations, rogue technologies, and vulnerabilities found within the environment. The remediation reports managed by the portal are described in the following section.

Remediation Summary

This section provides details of assigned and unassigned tasks along with the number of days remediation items have been found to be in remediation. The drop down control at the bottom of the table allows the summarized data to be representative of rogue technology, policy violations, or vulnerabilities.

Figure 5-bh: Remediation Summary

The Remediation Summary report presents a collective picture of remediation details for the following:

Policy Violations
Rogue Technology
Vulnerabilities

In terms of options and features, the Remediation Reports are similar for all three categories. A user can view individual reports for any one of these categories by selecting the appropriate category from the Select a category drop-down list at the bottom left corner of the Remediation Summary page. Hence, for ease of understanding, we will take up Policy Violations.

Policy Violations

This section looks at remediation items that have been closed, based upon time frame, the user who performed the remediation, and the date on which the policy violations were made in the past. For active policy violation issues, you must go to the specific module encompassing the item to be remediated (example: an A/V policy violation will be found under the applicable policy or standard that it violates within the Policy & Controls section of the Control Panel).

To view the Policy Violations Remediation Report, follow the instructions below:

1. Click Reporting > Remediation > Policy Violations on the Control Panel. The Policy Violations Closed By Date page displays. This page is divided into three sections.

Closed Violations by Reason - Tabular representation of closed policy violations by reason. This table provides the number of policy violations closed due to a given reason in the last 7 days, 30 days, and 90 days. A screenshot of this section is shown in figure 5-bi.

Figure 5-bi: Remediation - Policy Violation By Reason

Policy Violation Remediation by End User - Tabular representation of closed policy violations by user. This table provides the number of policy violations closed by a particular user in the last 7 days, 30 days, and 90 days along with the total number of pending remediation tasks. A screenshot of this section is shown in figure 5-bj.

Figure 5-bj: Remediation - Policy Violation By End User

Policy Violations Closed By Date - Tabular representation of closed policy violations by date. This table provides time-period wise clickable links that lead to the policy violation remediation details performed in that particular time frame. A screenshot of this section is shown in figure 5-bk.

Figure 5-bk: Remediation - Policy Violation By Date

2. Click a link in the Closed Since column of the Policy Violations Closed By Date section. The Policy Violation Closed - (time frame) page appears. Policy violation remediation details similar to the details in the first two sections of the Policy Violations Closed By Date page are provided.

NOTE Remediation is captured in two ways. The first is a physical close of a violation by an individual user. The second is when the system automatically closes a ticket after the next configuration scan, as it has been remediated.

Let us now briefly go through the other two sections of the Remediation Reporting node.
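The NOTE above describes two closure paths, a manual close by a user and an automatic close when the next configuration scan no longer reports the violation, and the three sections of the page roll those closures up into 7/30/90-day windows by reason and by user, with pending counts per user. The following added Python example shows that logic end to end; it is not SRAS code, the function and field names are the example's own assumptions, and all tickets, hosts, policy names, users, closure reasons and dates are constructed sample data.

```python
"""Added example (not SRAS code): manual versus automatic (post-scan) closure
of policy violation tickets, and the 7/30/90-day 'Closed Violations by Reason'
and 'Remediation by End User' tables built from them. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

WINDOWS = (7, 30, 90)              # the report's time windows, in days
TODAY = date(2011, 9, 30)          # constructed report date


@dataclass
class Violation:
    ticket: int
    host: str                      # constructed hostname
    policy: str                    # constructed policy name
    assigned_to: str               # user the remediation task is assigned to
    closed_on: Optional[date] = None
    closed_by: Optional[str] = None  # user name, or "system" for an automatic close
    reason: Optional[str] = None


def close_by_user(v, user, reason, on):
    """Path 1: a physical close of the violation by an individual user."""
    v.closed_on, v.closed_by, v.reason = on, user, reason


def apply_scan_results(violations, still_violating, scan_date):
    """Path 2: after a configuration scan, auto-close every open ticket whose
    (host, policy) pair the scan no longer reports. Returns the number closed."""
    closed = 0
    for v in violations:
        if v.closed_on is None and (v.host, v.policy) not in still_violating:
            v.closed_on, v.closed_by, v.reason = scan_date, "system", "Cleared on rescan"
            closed += 1
    return closed


def closed_table(violations, key, today):
    """Rows of the 'by Reason' / 'by End User' tables:
    {key(v): {7: n, 30: n, 90: n}} counting closures within each window."""
    table = defaultdict(lambda: {w: 0 for w in WINDOWS})
    for v in violations:
        if v.closed_on is None:
            continue
        age = (today - v.closed_on).days
        for w in WINDOWS:
            if 0 <= age <= w:
                table[key(v)][w] += 1
    return dict(table)


def pending_by_user(violations):
    """Pending remediation tasks per assigned user (the last column of the
    'by End User' table)."""
    pending = defaultdict(int)
    for v in violations:
        if v.closed_on is None:
            pending[v.assigned_to] += 1
    return dict(pending)


def sample_violations(today=TODAY):
    """Constructed tickets with one manual close 3 days ago, one manual close
    45 days ago, and one automatic close from a scan run yesterday."""
    vs = [
        Violation(1, "ws-101", "AV installed", "alice"),
        Violation(2, "ws-102", "AV installed", "alice"),
        Violation(3, "srv-01", "Screen lock", "bob"),
        Violation(4, "srv-02", "Screen lock", "bob"),
        Violation(5, "ws-103", "AV installed", "carol"),
    ]
    close_by_user(vs[0], "alice", "Remediated by user", today - timedelta(days=3))
    close_by_user(vs[2], "bob", "Accepted risk", today - timedelta(days=45))
    # Yesterday's scan still finds only ws-102 and ws-103 in violation,
    # so srv-02's ticket is closed automatically.
    apply_scan_results(vs, {("ws-102", "AV installed"), ("ws-103", "AV installed")},
                       today - timedelta(days=1))
    return vs


if __name__ == "__main__":
    vs = sample_violations()
    print("by reason:", closed_table(vs, lambda v: v.reason, TODAY))
    print("by user:  ", closed_table(vs, lambda v: v.closed_by, TODAY))
    print("pending:  ", pending_by_user(vs))
```

The windows are cumulative (a closure 3 days old counts in the 7, 30 and 90 day columns), which is how the three columns of the page read; the automatic close is attributed to the "system" user so that it appears in the by-user table alongside the manual closes rather than disappearing from the remediation record.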

Rogue Technology

This summary page for rogue hosts details the IP address, hostname, platform, status, and resolution for open issues related to rogue assets. This page offers two quick sections that reveal rogue hosts that were cleared by resolution as well as those that have been cleared by an end user.

NOTE
A rogue host is any host asset that is not on an approved domain or that does not use an approved SNMP string, unless it is specifically identified as authorized. Networks are considered rogue if they are not assigned to a business unit or are not identified in the system as known. Applications are considered rogue if they fall within the unapproved list of ports. See Module and Scan Management to adjust these settings.

Rogue Technology remediation details can be viewed for the following categories:

Rogue Networks
Rogue Hosts
Rogue Applications

For ease of understanding, we will take up remediation reporting for Rogue Hosts. The other two categories have similar remediation reporting features and options.

To view rogue host remediation details, follow the instructions below:

1. Click Reporting > Remediation > Rogue Technology on the Control Panel. The Rogue Host Remediation Summary page displays. This page is divided into three sections.

Rogue Hosts Closed by Resolution - Tabular representation of remediated rogue hosts by resolution. This table provides the number of rogue hosts closed by using a given resolution in the last 7 days, 30 days, and 90 days. A screenshot of this section is shown in figure 5-bl.

Figure 5-bl: Remediation - Rogue Hosts By Resolution

Rogue Hosts Closed by End User - Tabular representation of remediated rogue hosts by user. This table provides the number of remediated rogue hosts closed by a particular user in the last 7 days, 30 days, and 90 days along with the total number of pending remediation tasks. A screenshot of this section is shown in figure 5-bm.

Figure 5-bm: Remediation - Rogue Hosts By End User

Rogue Host Remediation Detail - Tabular representation of rogue host remediation details such as Hostname, IP Address, Platform, Region/Division, Closed date, Resolution, and Closed By date. A screenshot of this section is shown in figure 5-bn.

Figure 5-bn: Remediation - Rogue Host Detail

2. Select the number of days from the Past Days drop-down list at the top right corner to build the report for rogue host remediation in that time frame.

3. Click a link in the Hostname/IP Address column of the Rogue Host Remediation Detail section. The View Host page displays.

NOTE
Similar reports can be viewed for Rogue Networks and Rogue Applications by clicking the respective links on the top right corner of the Rogue Technology Remediation Summary page.

Vulnerabilities

This page reveals outstanding vulnerabilities that still require remediation on behalf of a user base. The detailed vulnerability report itemizes vulnerabilities that still require remediation and details the hosts, services, locations, and geographic locations that are impacted.

The Vulnerability Remediation Summary page is divided into three sections.

Closed Vulnerabilities by Resolution - Tabular representation of closed vulnerabilities by resolution. This table provides the number of remediated vulnerabilities closed by using a given resolution in the last 7 days, 30 days, and 90 days. A screenshot of this section is shown in figure 5-bo.

Figure 5-bo: Remediation - Vulnerabilities By Resolution

Closed Vulnerabilities by End User - Tabular representation of closed vulnerabilities by user. This table provides the number of remediated vulnerabilities closed by a particular user in the last 7 days, 30 days, and 90 days along with the total number of pending remediation tasks. A screenshot of this section is shown in figure 5-bp.

Figure 5-bp: Remediation - Vulnerabilities By End User

Vulnerability Remediation Detail - Tabular representation of remediation details such as Hostname, IP Address, Platform, Region/Division, Closed date, Resolution, and Closed By date.

Because this reporting page has no functionality unique to it in comparison with the previously discussed sections of the Remediation menu, we will conclude the Reporting chapter here.
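The three Remediation reports described in this chapter (policy violations, rogue hosts and vulnerabilities) share one table shape: closed items counted by reason or resolution, closed items counted by end user together with that user's pending tasks, and a Closed Since drill-down, each over the last 7, 30 and 90 days. The following Python is an added example that rebuilds those tables from a list of remediation records; it is not SRAS code, the record layout and field names (id, closed_on, reason, closed_by, assigned_to) are assumptions, and the records are constructed. A closed_by value of "system" stands for the automatic close after the next configuration scan that the NOTE above describes.

```python
"""Added example (not SRAS code): the 7/30/90-day remediation tables."""
from collections import defaultdict
from datetime import date, timedelta

WINDOWS = (7, 30, 90)          # the three time periods shown in the report tables
TODAY = date(2011, 9, 30)      # fixed report date so the counts are reproducible


def _record(rid, days_ago, reason, closed_by, assigned_to=None):
    """Build one constructed remediation ticket; days_ago=None means still open."""
    closed_on = TODAY - timedelta(days=days_ago) if days_ago is not None else None
    return {"id": rid, "closed_on": closed_on, "reason": reason,
            "closed_by": closed_by, "assigned_to": assigned_to}


# Constructed sample tickets.  closed_by == "system" models the auto-close
# performed after the next configuration scan found the item remediated.
RECORDS = [
    _record(1, 2, "Patched", "alice"),
    _record(2, 10, "Patched", "system"),
    _record(3, 45, "False positive", "bob"),
    _record(4, 120, "Patched", "alice"),            # older than 90 days: outside every window
    _record(5, None, None, None, assigned_to="alice"),
    _record(6, None, None, None, assigned_to="bob"),
    _record(7, None, None, None),                   # pending and unassigned
]


def days_since_close(record, today=TODAY):
    """Age of a closed ticket in days, or None while it is still pending."""
    if record["closed_on"] is None:
        return None
    return (today - record["closed_on"]).days


def closed_by_field(records, key, today=TODAY, windows=WINDOWS):
    """'Closed by Reason/Resolution' or 'Closed by End User' table.

    Returns {value_of_key: {7: n, 30: n, 90: n}}; a ticket is counted in every
    window it falls inside, so the 90-day column includes the 7- and 30-day ones.
    """
    table = defaultdict(lambda: {w: 0 for w in windows})
    for rec in records:
        age = days_since_close(rec, today)
        if age is None:
            continue                       # pending tickets are not "closed"
        for w in windows:
            if age <= w:
                table[rec[key]][w] += 1
    return dict(table)


def pending_by_user(records):
    """'Pending Remediation Tasks' column of the by-End-User table."""
    pending = defaultdict(int)
    for rec in records:
        if rec["closed_on"] is None:
            pending[rec["assigned_to"] or "(unassigned)"] += 1
    return dict(pending)


def closed_since(records, days, today=TODAY):
    """Drill-down behind a 'Closed Since' link: ticket ids closed in the window, newest first."""
    hits = []
    for rec in records:
        age = days_since_close(rec, today)
        if age is not None and age <= days:
            hits.append(rec)
    hits.sort(key=lambda r: r["closed_on"], reverse=True)
    return [r["id"] for r in hits]


if __name__ == "__main__":
    print("by reason:", closed_by_field(RECORDS, "reason"))
    print("by user:  ", closed_by_field(RECORDS, "closed_by"))
    print("pending:  ", pending_by_user(RECORDS))
    print("closed in last 30 days:", closed_since(RECORDS, 30))
```

Note that ticket 4, closed 120 days ago, appears in none of the columns: the report tables only show the last 90 days, so older remediation history has to be pulled from the Historical trend reporting rather than from these tables.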

Chapter 6 - Risk Automation Suite - My Security

This chapter explains the My Security module of the Symantec Risk Automation Suite. Access the My Security module using the Control Panel. The My Security module can be expanded into four additional nodes in the Control Panel. These are explained in the various sections of this chapter.

Figure 6-a: My Security module

Dashboard

Dashboards can be considered part of the reporting functions of Symantec Risk Automation Suite. This link enables you to access a variety of executive dashboards and trend reporting sections of the software. There are five different dashboards provided by the My Security module. Click the Scorecard / Key Statistics link, as shown in Figure <>, to display the various dashboards, as shown in Figure <>.

Policy management dashboard

Figure 6-b: Policy Management dashboard

The Policy Management dashboard comprises several columns. The first three columns of this report come from other areas of the application:

Risk Domain: comes from the Policies & Controls node in the Control Panel. Risk Domain is the name of a particular Policy or Control being measured. For more information, see the Policies and Controls section.

SLA: The SLAs are set in the Portal Administration node. The default SLA is 99%. For more information, see Portal Administration.

Global: This column is a calculation of the measurements across all of the organizations defined within the application. The defined organizations are listed in the remaining columns of this report. Those organizations are identified and created in the Portal Administration node. For more information, see Portal Administration.

The remaining columns depict the different regions over which the organization spans.

Considerations

Measurements reported are entirely dependent on the scope and accuracy of the scanning process. The Policy Management dashboard is a reflection of the configuration scanning process within the Symantec Risk Automation Suite. For more information, see the Module Management section.

NOTE
100% does not mean there are no compliance issues within the geography. 100% is assumed when no scans/measurements have taken place. SRAS has an "innocent until proven guilty" philosophy.

Vulnerability management dashboard

Figure 6-c: Vulnerability Management dashboard

The Vulnerability Management dashboard comprises several columns. The first three columns of this report come from other areas of the application:

Current Service Level - Risk Domain: is defined by the Classification and Categorization of Assets by Vulnerabilities, found in the Portal Administration menu item in the Control Panel. Risk Domain is the level of vulnerability being measured. For more information, see the Portal Administration section.

Business Applications - Risk Domain: is defined by the Biz Apps node found under Portal Administration in the Control Panel. Risk Domain in this case is the level of vulnerability by Business Application asset grouping. For more information, see Portal Administration.

SLA: The SLAs are set in the Portal Administration node. The default SLA is 99%. For more information, see the Portal Administration section.

Global: This column is a calculation of the measurements across all of the organizations defined within the application. The defined organizations are listed in the remaining columns of this report. Those organizations are identified and created in the Portal Administration node. For more information, see the Portal Administration section.

Current Statistics - Global: The third report in this dashboard reflects the total number of assets (hosts) affected by vulnerabilities. These numbers are a reflection of the scope, accuracy and frequency of the scanning process. Discovery scans are critical to identifying assets within the enterprise and must be encompassing in scope in order to attain enterprise-wide visibility. For more information, see the Module Management: Discovery Scans section.

Considerations

Measurements reported are entirely dependent on the scope, accuracy and frequency of the scanning process. The Vulnerability Management dashboard is a reflection of the vulnerability scanning process within the Risk Automation Suite. For more information, see the Module Management section. These measurements reflect all vulnerability scanners, including OVAL-based vulnerabilities from RAS configuration scanners or third-party integration with other vulnerability scanners. For more information, see the Module Management section.

NOTE
100% does not mean there are no vulnerabilities within the geography. 100% is assumed when no measurements have taken place.

Rogue technology dashboard

Figure 6-d: Rogue Technology dashboard

The Rogue Technology dashboard comprises several columns. The first three columns of this report come from other areas of the application:

Current Service Level - Risk Domain: is defined by Authorized and Unauthorized designations within the application. These designations can be automated or manual. For more information, see the Portal Administration section.

Current Statistics - Risk Domain: is defined by the Network and Asset Discovery capabilities of the Risk Automation Suite, found in the Module Management node in the Control Panel. Risk Domain in this case is the total number of assets by organizational grouping. For more information, see the Portal Administration section.

SLA: The SLAs are set in the Portal Administration node. The default SLA is 99%. For more information, see the Portal Administration section.

Current Service Levels - Global: This column is a calculation of the measurements across all of the organizations defined within the application. The defined organizations are listed in the remaining columns of this report. Those organizations are identified and created in the Portal Administration node. For more information, see the Portal Administration section.

Current Statistics - Global: This column is the total number of assets across all organizations. These numbers are a reflection of the scope, accuracy and frequency of the scanning process. Discovery scans are critical to identifying assets within the enterprise and must be encompassing in scope in order to attain enterprise-wide visibility. For more information, see Module Management: Discovery Scans.

Considerations

Measurements reported are a reflection of the scope, accuracy and frequency of the scanning process. Discovery scans are critical to identifying rogue assets within the enterprise and must be encompassing in scope in order to attain enterprise-wide visibility. For more information, see Module Management: Discovery Scans. The Rogue Technology dashboard is primarily a reflection of the discovery scanning process within the Risk Automation Suite. For more information, see the Module Management section.

NOTE
100% does not mean there are no vulnerabilities within the geography. 100% is assumed when no measurements have taken place.

Remediation dashboard

Figure 6-e: Remediation dashboard

The Symantec Risk Automation Suite does not remediate assets. SRAS measures assets for policy violations and vulnerabilities on a periodic basis and reports these findings. The Remediation dashboard assists the user in measuring the time taken to remediate those findings.

The Remediation dashboard comprises several columns. The first three columns of this report come from other areas of the application:

Current Service Levels - Risk Domain: This column is a listing of the current Policies, Controls and Vulnerabilities being measured with the Risk Automation Suite. Policies and Controls come directly from the Policies & Controls node in the Control Panel. For more information, see Policies and Controls. Vulnerabilities come directly from the Vulnerability Classification and Business Applications breakouts defined in Portal Administration. For more information, see Portal Administration.

Current Statistics - Risk Domain: These are defined using the Risk Automation Suite Workflow and reflect all current tasks: Total, Assigned and Unassigned.

SLA: The SLA in this case is defined in Portal Administration and should reflect the number of days expected between identification of a violation or vulnerability and its remediation. For more information, see Portal Administration.

Global: This number is the average number of days between identification of a violation or vulnerability and its remediation. It reflects all assets in the scope of that policy or vulnerability category/class. The accuracy and relevance of these measurements depend on the scope, accuracy and frequency of the scan processes (please review the Module Management and Methodology sections of this document for more information).
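The scorecard rules spread across the four dashboards above are easy to misread in the UI, in particular the NOTE that an unmeasured cell shows 100%. The following Python is an added example, not SRAS code, that computes the cells from constructed measurement records so the rules can be seen side by side: a service-level cell is the percentage of measured assets that passed, a cell with no measurements is reported as 100%, Global aggregates every organization, the SLA defaults to 99%, and the Remediation dashboard compares the average number of days from identification to remediation against an SLA expressed in days. The measurement layout, the organization names and the risk domain name are assumptions; measured_coverage is an added check that the dashboards themselves do not show.

```python
"""Added example (not SRAS code): scorecard cells and the no-measurement rule."""
from datetime import date
from statistics import mean

DEFAULT_SLA_PERCENT = 99.0   # default SLA stated for the dashboards

# Constructed measurements: (risk_domain, organization, asset, passed).
# AMER has no "Password Policy" measurements at all, deliberately.
MEASUREMENTS = [
    ("Password Policy", "EMEA", "host-1", True),
    ("Password Policy", "EMEA", "host-2", True),
    ("Password Policy", "EMEA", "host-3", False),
    ("Password Policy", "APAC", "host-4", True),
    ("Password Policy", "APAC", "host-5", True),
]
ORGANIZATIONS = ("AMER", "EMEA", "APAC")   # assumed organization columns


def service_level(measurements, risk_domain, organization=None):
    """Percent of measured assets compliant; organization=None is the Global column."""
    rows = [m for m in measurements
            if m[0] == risk_domain and (organization is None or m[1] == organization)]
    if not rows:
        return 100.0          # no measurements -> 100%, exactly as the NOTE warns
    return round(100.0 * sum(1 for m in rows if m[3]) / len(rows), 1)


def scorecard_row(measurements, risk_domain, organizations, sla=DEFAULT_SLA_PERCENT):
    """One dashboard row: Risk Domain, SLA, Global, then one column per organization."""
    row = {"Risk Domain": risk_domain, "SLA": sla,
           "Global": service_level(measurements, risk_domain)}
    for org in organizations:
        row[org] = service_level(measurements, risk_domain, org)
    return row


def sla_violations(row, organizations):
    """Columns the 'Highlight SLA Violations' check box would highlight."""
    return [col for col in ("Global", *organizations) if row[col] < row["SLA"]]


def measured_coverage(measurements, risk_domain, organizations):
    """Which organizations have any data behind their cell.  A 100% cell with
    no coverage means 'not yet scanned', not 'compliant'."""
    return {org: any(m[0] == risk_domain and m[1] == org for m in measurements)
            for org in organizations}


# Remediation dashboard: SLA is a number of days; Global is the average number
# of days between identification and remediation.  Constructed records.
REMEDIATIONS = [   # (risk_domain, identified_on, remediated_on)
    ("Password Policy", date(2011, 9, 1), date(2011, 9, 11)),
    ("Password Policy", date(2011, 9, 5), date(2011, 9, 9)),
    ("Password Policy", date(2011, 9, 10), date(2011, 9, 25)),
]


def mean_days_to_remediate(remediations, risk_domain):
    """Average identification-to-remediation time; None when nothing was remediated."""
    days = [(r[2] - r[1]).days for r in remediations if r[0] == risk_domain]
    return mean(days) if days else None


def remediation_sla_violated(remediations, risk_domain, sla_days):
    avg = mean_days_to_remediate(remediations, risk_domain)
    return avg is not None and avg > sla_days


if __name__ == "__main__":
    row = scorecard_row(MEASUREMENTS, "Password Policy", ORGANIZATIONS)
    print(row)
    print("SLA violations:", sla_violations(row, ORGANIZATIONS))
    print("measured:", measured_coverage(MEASUREMENTS, "Password Policy", ORGANIZATIONS))
    print("avg days to remediate:", mean_days_to_remediate(REMEDIATIONS, "Password Policy"))
```

With this data AMER shows 100% and is not highlighted as an SLA violation even though it was never scanned, while EMEA at 66.7% and Global at 80.0% are. Pairing the scorecard with measured_coverage (or, in the product, with the Current Statistics asset counts) is how a reader tells a green cell that was earned from one that was assumed.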

Dashboard tasks

You can perform the following tasks in all five dashboards:

Select the Highlight SLA Violations check box to highlight the host machines that violate the SLA rules.

This dashboard maintains a daily historical view of the scorecard. Click the Select Scorecard Date drop-down list, select the date for which you want to view the results, and then click Go to view the historical differences in the scorecard.

Click Export to Excel to export the given results to an Excel file.

Click the Module Dashboards drop-down list and select the required summary reporting pages highlighted in the Reporting node of the Control Panel (see Reporting for more information).

Historical reporting

In the Executive Dashboards menu bar, click Historical. This link provides an additional set of options for reporting focused on trending, as given below:

Figure 6-f: Historical reporting

Trend Chart: The trend charts include trending for specific policies, vulnerability groupings, remediation reports and rogue asset reporting. Choose one of the reports from this drop-down list. When a new categorization or policy is being measured, it is automatically added to this drop-down list.

Time Frame: Choose the time frame for review of the trend. Options range from the last 7 days to the last 5 years. The total amount of trending is restricted by the amount of data kept on hand in the database: if only one year of data is maintained, then only one year's worth of trending will be available in the reporting. For more information, see Portal Administration.

Scope: The scope is related to the organizational units which are set up in the system and can be controlled through RBAC controls as well. For more information, see Portal Administration.

Organizational map

In the Executive Dashboards menu bar, click Organizational Map. This link provides an additional set of options for reporting focused on trending, as given below.

Figure 6-g: Organizational Map

The Organizational Map dashboard displays an image (this image can be changed by the SRAS administrator) with the measured organizations reflected on it. The example above is a world map and is the default image shipped with the software. The organizations are those that are set up in Portal Administration. For more information, see Portal Administration. The placement of the organizations is configurable and is done from the Organization node within Portal Administration. Each organization has four red-yellow-green indicators. These indicators reflect the SLAs for each of the four areas of measurement: Policy Management, Vulnerability Management, Rogue Technology, and Remediation.

Favorites

Favorites can be saved from virtually any custom-built report within SRAS. This option is available on most of the screens in SRAS and enables you to save the specific report on which you are currently working. Click Add to My Favorites in the upper right hand corner. The Add Favorite window displays, as shown in Figure 3-h. There is no limit to the number of favorites that can be saved. Favorites are for personal use only and cannot be saved globally.

Figure 6-h: Favorites

To view favorites:

1. Click My Security > Favorites. The My Favorites screen displays.

Figure 6-i: My Favorites screen

2. Under Favorite Reports, click a link to view the corresponding screen.
3. Click the Rename link to rename the title of the favorite.
4. Click the Delete link to delete a favorite.
5. Click the Move Up and Move Down icons to change the order of the favorites on the screen.

Tasks

If the user is designated as someone who receives tasks, then their individual tasks will show up in this space.

Figure 6-j: Tasks

Alerts

Use Alerts if you want SRAS to send certain notifications to you. You can modify the Alerts so that tasks and/or executive dashboards are e-mailed at specific times and at specific intervals.

1. Click My Security > Alerts in the Control Panel. The My Security Alerts screen displays.

Figure 6-k: My Security Alerts screen

2. Select or clear the given check boxes to set the notification alerts.
3. Click the Edit link to modify the e-mail address. Notifications are sent to the e-mail address you specify.
4. Click Update Alert Preferences to save the changes.


Chapter 7 - Symantec Risk Automation Suite (SRAS) Policies & Controls

This chapter provides instructional guidance on how to manage policies and controls on the SRAS portal. It provides instructions to create, assign, and manage existing controls via the Symantec Risk Automation Suite (SRAS) platform.

What is a control?

In respect to SRAS, controls are created and used to define compliance levels to various internally defined and externally driven policies and standards.

How are controls used in SRAS?

Controls are used to support policies and standards managed by the Policy section within SRAS. Figure 5-a reveals how controls fit into the hierarchy of an actual policy or technical standard. In this example, the Payment Card Industry (PCI) Standard is used (only part of the standard is represented). The hierarchy on the right of Figure 5-a represents how parts of a policy/standard are organized within SRAS. The hierarchy corresponds to the hierarchy that exists in any policy/standard. The descriptions on the left of Figure 5-a represent the underlying level of the policy/standard.

Figure 7-a: Example of Policy/Control Hierarchy using the PCI DSS Standard

The fourth layer of Figure 5-a shows the layer in which a control assignment would take place. Once assigned, compliance to the parent policy can be reached.

In summary, here is how controls are used in SRAS:

Controls provide an automated means for measuring compliance to a policy or standard.

Controls can be easily managed in SRAS (added, deleted, assigned to policies/standards, and suspended; more on these features later).

Controls provide technical checks against target hosts within an enterprise in order to test their configuration settings against known vulnerabilities and configuration best practices.

NOTE
The most common policies used in SRAS are NIST , FDCC and USGCB. All of these ship with the product along with many others.

Adding controls to a policy statement

This section describes in detail how to add controls to existing policy standard statements. This is done by first selecting a policy/standard of choice within SRAS.

1. Click Policies & Controls > Summary in the Control Panel. The Policy Summary screen displays.

Figure 7-b: Policy Summary screen

The Policy Summary screen displays the non-compliant policies and statements by percentage.

2. Click the Limit results to drop-down list to view the results for the complete organization or for different regions.

3. Click a policy. The Policy Statements screen displays, as shown in Figure 5-b below.

Figure 7-c: Policy/Standard

4. Select the Edit Policy Statements check box, as shown in Figure 5-c.

5. Click Access Control. View the hierarchy, beginning with the policy and then followed by an initial policy statement, as shown in Figure 5-c.

Figure 7-d: Access Control

In the figure above, sub-statement 1.1 relates to an administrative portion of the NIST policy. Therefore, statement 1.1 would not be able to have a control assigned in order to automatically measure a technical configuration. Figure 5-d reveals the actions that follow once step 4 (above) is performed, and is specific to the 1.2 sub-statement.

Figure 7-e: Account Management

6. View the policy sub-statement that supports an underlying statement.

7. You can add controls in order to support an existing sub-statement. Click the Add Controls link to display the Add Control window. Use this window to add a control to a sub-statement and policy.

Figure 7-f: Add Control window

The Add Control window displays the policy and statement name to which this control will be assigned.

8. Click the Control Category drop-down list and select a control category. This organizes the controls that exist within your SRAS database.

9. Click the Control Subcategory drop-down list and select an appropriate option. The values in this drop-down list are populated depending upon what you select in the Control Category drop-down list. A control subcategory provides additional organization within the control category.

10. Click the Select Control drop-down list and select the control that corresponds to the Control Category and Control Sub-category. Figure 5-g shows how a specific control looks after selecting values in the drop-down lists Control Category, Control Sub-Category, and Select Control.

Figure 7-g: Add Control window - With values

11. As shown in Figure 5-g above, you can alter the Violation Criteria. The drop-down list that is disabled is not customizable. The given field provides the flexibility to enter a value based upon the standard (in this case, PCI), whether it is driven by internal or external compliance.

12. You can also define the scope for any control that has been added, as shown in the following figure. This pane is located on the bottom half of the Add Control window.

NOTE
OVAL checks are checks that meet the SCAP requirements for standardized content. OVAL checks have fixed violation criteria. Identify the correct OVAL check from the list. OVAL is a control category in SRAS.

Figure 7-h: Add Control window - Define scope of the control

Section summary

When assigning controls, the most important things to consider are the following:

Overall understanding of the control and whether or not the organization would like to measure it for internal/external compliance efforts.

Understanding of where the controls will be located in respect to Control Categories and Control Sub-Categories.

NOTE
Start with a proven baseline standard. Most RAS customers use NIST , FDCC or USGCB templates for their baselines, if not the entire policy. These policies are proven, accepted by auditors and governing bodies, and save the time needed to create a new policy.

Understanding of what you want the control to check for, specifically in order to ensure that the control violation criteria are set correctly or, in the case of an OVAL check, to choose the exact check.

Control Management

This section describes how to view and edit controls. SRAS also provides the ability to easily manage existing controls that relate to a policy or template. The actions listed below are present next to each control, allowing each of these actions to take place. A simple definition for each one is provided below.

To enable the management links next to each control, click the Edit Policy Statements check box at the bottom of the screen, as shown in Figure 5-c. This enables the options to edit, suspend or delete each control.

Viewing and editing controls

View Details - Click the View Details link (as shown in Figure 5-e) to open a separate view which reveals how the control is affecting specific parts of the organization (by platform, asset category, biz app, etc.).

Edit - Click the Edit link (as shown in Figure 5-e) to edit the scope of the control or the control assigned to the statement itself.

Suspending or deleting controls

In addition to viewing and editing controls, you can also remove controls from a policy statement, or suspend a control and remove it from the compliance score until it is reactivated.

Suspend - Click the Suspend link (as shown in Figure 5-e) to suspend a control for some reason. Reasons may be that it does not accurately reflect IT objectives or base configurations, or even compliance efforts at this point in time.

Delete - Click the Delete link (as shown in Figure 5-e) to unassign the control from the statement to which it is assigned. The actual control, metadata, and the check itself are still stored in the database. Deleting a control in one place only deletes the control from that specific place within a policy statement.
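The policy > statement > sub-statement > control hierarchy, the editable violation criteria (fixed for OVAL checks), and the difference between suspending and deleting a control are easier to see in code than in screenshots. The following Python is an added example, not SRAS code: it models the hierarchy from this chapter with small dataclasses, scores compliance against constructed host configuration values, drops suspended controls from the score until they are reactivated, and shows that deleting a control only unassigns it from one sub-statement while the control definition stays in the control library. The class names, field names, the way a violation criterion is expressed (setting, operator, threshold), the control IDs and the host data are all assumptions.

```python
"""Added example (not SRAS code): policy hierarchy, violation criteria, suspend vs delete."""
from dataclasses import dataclass, field
import operator

# Violation criterion: the control is violated when  <setting> <op> <threshold>  holds.
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}


@dataclass
class Control:
    control_id: str
    category: str              # Control Category drop-down
    subcategory: str           # Control Subcategory drop-down
    setting: str               # configuration setting read from each host
    op: str
    threshold: object
    fixed_criteria: bool = False   # True for OVAL checks: criteria cannot be edited

    def violated(self, host_config):
        """True/False for a measured host, None when the setting was not collected."""
        value = host_config.get(self.setting)
        if value is None:
            return None
        return OPS[self.op](value, self.threshold)


# Control library (assumed ids).  Definitions stay here even when unassigned.
LIBRARY = {
    "CTL-PWLEN": Control("CTL-PWLEN", "Account Management", "Passwords",
                         "password_min_length", "<", 8),
    "CTL-LOCK": Control("CTL-LOCK", "Account Management", "Lockout",
                        "lockout_threshold", ">", 6),
    "CTL-OVAL-1": Control("CTL-OVAL-1", "OVAL", "Windows",
                          "autorun_disabled", "==", False, fixed_criteria=True),
}


@dataclass
class Assignment:               # one control assigned to one sub-statement
    control_id: str
    suspended: bool = False


@dataclass
class SubStatement:
    number: str
    text: str
    assignments: list = field(default_factory=list)


@dataclass
class Statement:
    number: str
    text: str
    sub_statements: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    statements: list = field(default_factory=list)


def set_violation_criteria(control, op, threshold):
    """Step 11: the criterion is editable, except for OVAL checks.  Returns True if applied."""
    if control.fixed_criteria:
        return False
    control.op, control.threshold = op, threshold
    return True


def delete_assignment(sub_statement, control_id):
    """Delete link: unassign from this sub-statement only; LIBRARY is untouched."""
    sub_statement.assignments = [a for a in sub_statement.assignments
                                 if a.control_id != control_id]


def active_controls(policy, library):
    """Controls that count toward the score: assigned and not suspended."""
    return [library[a.control_id] for st in policy.statements
            for sub in st.sub_statements for a in sub.assignments if not a.suspended]


def compliance(policy, library, hosts):
    """Percent of (host, control) checks without a violation; 100% if nothing measured."""
    checks = [c.violated(cfg) for c in active_controls(policy, library) for cfg in hosts.values()]
    measured = [v for v in checks if v is not None]
    if not measured:
        return 100.0
    return round(100.0 * measured.count(False) / len(measured), 1)


def build_example():
    """Hierarchy in the shape of Figures 7-d/7-e: 1.1 administrative, 1.2 with controls."""
    sub = SubStatement("1.2", "Account Management", [Assignment("CTL-PWLEN"),
                                                     Assignment("CTL-LOCK"),
                                                     Assignment("CTL-OVAL-1")])
    stmt = Statement("1", "Access Control",
                     [SubStatement("1.1", "Administrative; no technical control"), sub])
    return Policy("Example policy", [stmt]), sub


HOSTS = {   # constructed configuration scan results
    "host-a": {"password_min_length": 12, "lockout_threshold": 5, "autorun_disabled": True},
    "host-b": {"password_min_length": 6, "lockout_threshold": 10, "autorun_disabled": True},
}

if __name__ == "__main__":
    policy, sub = build_example()
    print("all controls active:", compliance(policy, LIBRARY, HOSTS))
    sub.assignments[1].suspended = True
    print("CTL-LOCK suspended:  ", compliance(policy, LIBRARY, HOSTS))
```

Suspending a control raises the score immediately, which is why the text stresses that suspension is for controls that do not yet reflect IT objectives, not a way to hide failing checks: an auditor reading the Policy Summary sees the percentage, not the list of suspended controls behind it.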


Chapter 8 - Security Content Automation Protocol

The objective of this chapter is to provide a more focused look at how SRAS utilizes the Security Content Automation Protocol (SCAP).

Overview

SRAS is a highly scalable, integrated framework of compliance technologies which enables organizations to quickly and easily measure security and compliance across the enterprise network. Built as an SOA architecture, SRAS is entirely agentless, installs in less than one day and easily scales to any enterprise-class network, including networks exceeding 100,000s of network assets. SRAS is compatible with all SCAP components: CVE, CCE, CPE, CVSS, XCCDF and OVAL. SRAS will quickly discover and classify every asset connected to the network, scan the appropriate assets for compliance with Federal standards (that is, FDCC), and provide a centralized portal for continuous, repeatable measurement and reporting. SRAS is SCAP 1.0 validated.

In addition to the SCAP components, SRAS achieves seven of the NIST-defined SCAP capabilities in one offering. These capabilities include:

Federal Desktop Core Configuration Scanner - an authenticated configuration and vulnerability scanner that can identify misconfigurations, missing patches, and vulnerabilities using privileged credentials to connect to and scan a remote machine for configuration settings, patches, and vulnerabilities specified by the NIST FDCC data stream.

Authenticated Configuration Scanner - an authenticated configuration scanner that can identify misconfigurations using privileged credentials to connect to and scan a remote machine for configuration settings, in order to provide configuration data for informational purposes and for the identification of misconfigurations on the target system(s).

Authenticated Vulnerability Scanner - an authenticated vulnerability scanner that can identify software flaws and patch status using privileged credentials to connect to and scan a remote machine based on OVAL definitions.

Asset Management - an asset discovery scanner that can remotely scan and discover networks, hosts, and applications, assessing asset characteristics, location, ownership, and other valuable information.

Asset Database - an asset database framework that allows the storage of asset information from networks, hosts, and applications, such as asset characteristics, location, ownership, and other valuable information.

Vulnerability Database - a vulnerability database framework that allows the storage of vulnerabilities and patch information collected from our authenticated vulnerability scanner or an integrated third-party scanner, with associated CVE information.

Mis-Configuration Database - a configuration database framework that allows the storage and analysis of configuration information to report on and track misconfigurations, with associated CCE information.

Leveraging the SCAP standards, SRAS automates enterprise-wide asset discovery, vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. The SRAS Portal offers powerful asset classification, scheduling and reporting features to provide users with complete command and control over enterprise scans and report generation. Large government and commercial entities rely on SRAS to continuously measure IT security and compliance with government policies and standards, including FISMA, FDCC, C&A criteria, and NIST 800 Series standards.

SCAP Components

The scope of this chapter is limited to a high-level presentation of the SCAP capabilities within SRAS. SRAS includes a full implementation of the SCAP method and the six underlying components, all of which are defined below. The remaining sections of this chapter provide descriptions, illustrations and screenshots regarding the use of each SCAP component in SRAS.

SCAP (Security Content Automation Protocol)* - SCAP is a method for using specific standards in concert to enable automated vulnerability management, measurement, and policy compliance evaluation. The SCAP version allows the versions of the SCAP component standards to be referred to as a collection.

CVE (Common Vulnerabilities and Exposures)* - CVE is a format to describe publicly known information security vulnerabilities and exposures. Using this format, new CVE IDs are created, assigned and referenced in content on an as-needed basis without a version change.

CCE (Common Configuration Enumeration)* - CCE is a format to describe system configuration issues in order to facilitate correlation of configuration data across multiple information sources and tools.

CPE (Common Platform Enumeration)* - CPE is a format for identifying information technology systems, platforms, and packages.

CVSS (Common Vulnerability Scoring System)* - CVSS is a scoring system that provides an open framework for determining the impact of information technology vulnerabilities and a format for communicating vulnerability characteristics.

XCCDF (eXtensible Configuration Checklist Description Format)* - XCCDF is an XML-based language for representing security checklists, benchmarks, and related documents in a machine-readable form. An XCCDF document represents a structured collection of security configuration rules for one or more applications and/or systems.

OVAL (Open Vulnerability and Assessment Language)* - OVAL is an XML-based language used for communicating the details of vulnerabilities, patches, security configuration settings, and other machine states in a machine-readable form.

* NIST Security Content Automation Protocol (SCAP) Validation Program Test Requirements Version 1.0, by Peter Mell, Stephen Quinn, John Banghart, and David Waltermire.

Pre-requisites for FDCC scanning

The following pre-requisites for Windows XP and Windows Vista should be completed prior to running any FDCC-related scans. These pre-requisites ensure that the SRAS scanner has adequate privileges and that the remote systems perform adequately during scans.

Pre-requisites for scanning Windows Vista

1. The workstation should have at least 512MB of memory, preferably 1024MB.

2. For systems configured in workgroups or as stand-alone machines, turn off User Account Control (UAC). This does not apply to domain members or domain controllers. This change is necessary to allow remote access to the machine for scanning.
   a. Go to Control Panel > User Accounts and click the Turn User Account Control on or off link.
   b. In the window that displays, clear the Use User Account Control (UAC) to help protect your computer check box and click OK.

3. If the Vista firewall is turned on, use Group Policy to allow the scanner to pass through the firewall. To implement firewall exceptions manually on a local machine:
   a. Open a command prompt, enter gpedit and press the ENTER key.
   b. When the Group Policy Editor opens, navigate to Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security - Local Group Policy Object and select Inbound Rules.
   c. Right-click Inbound Rules and select New Rule.
   d. For Rule Type, select Custom and click Next.
   e. For Program, select All programs and click Next.
   f. For Protocol and Ports, select Protocol type: Any, Protocol number: 0, Local port: All Ports, and Remote port: All Ports, and click Next.
   g. For Scope, select Any IP address for local, select These IP Addresses for remote, and click Add under remote.
   h. Add the IP address(es) of all the SRAS scanners and click OK.

   i. Click Next.
   j. For Action, select Allow the connection and click Next.
   k. For Profile, select Domain and Private, clear Public, and click Next.
   l. Add a name of your choosing for the rule and click Finish.
   m. At the command prompt, type gpupdate /force and press the Enter key.
   n. Reboot the Windows Vista system to complete this step.

Pre-requisites for scanning Windows XP & Vista

1. The workstation should have at least 256MB of memory, preferably 512MB.
2. If the XP firewall is turned on, use Group Policy to allow the scanner to pass through the firewall. To implement the firewall exception through domain group policy:
   a. Enable remote administrative access by adding the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:
      HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings" (Values: "Enabled", REG_DWORD, 1)
   b. Limit the scope for Remote Administration to the SRAS Scanner IP address by adding the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:
      HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings" (Values: "RemoteAddresses", REG_SZ, x.x.x.x (insert IP address))
3. For standalone machines not configured in a domain, apply the same steps above to the firewall registry settings, except replace DomainProfile with StandardProfile in steps a. and b. above.
4. To implement firewall exceptions manually on a local machine:
   a. Open a command prompt, enter mmc and press Enter.
   b. In the MMC console window, click File > Add/Remove Snap-in.
   c. Click Add in the Add/Remove Snap-in window.
   d. Select Group Policy Object Editor, click Add and then Finish.
   e. Click Close and then OK in the Add/Remove Snap-in window.
   f. Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Standard Profile (for workgroups) or Domain Profile (for member workstations).
   g. Enable Allow remote administration exception and disable Do not allow exceptions.
   h. Click OK or Finish and close the MMC console.

   i. At the command prompt, enter gpupdate /force and press the ENTER key.
   j. Reboot the Windows XP system to complete this step.
5. The Administrators group must be able to read the SAM key, if it is being blocked.
   a. At a command prompt, enter regedit and press the ENTER key.
   b. Expand HKEY_LOCAL_MACHINE > SAM > SAM.
   c. Right-click the bottom SAM key and select Permissions.
   d. Highlight Administrators and select the Read Allow check box.
   e. Click OK and close the Registry Editor.

FDCC conflicts and supporting rationale

The scanning pre-requisites include two settings which conflict with FDCC requirements. An explanation of these conflicts and the justification for them are included below.

Local firewall rule

Target platforms which are running a local firewall must add a firewall rule that allows the SRAS scanner to remotely access the machine. This is necessary when SRAS is used as an entirely agent-less platform and performs all SCAP functions from a remote scanner. The firewall exception can be strictly limited to the single IP address corresponding to the SRAS scanner, while blocking all other traffic. This rule can be deployed enterprise-wide through a simple group policy setting, or through the local policy on stand-alone machines.

Remote access for stand-alone Vista machines

For Windows Vista systems configured in workgroups or as stand-alone machines, User Account Control (UAC) must be disabled. This change allows remote access to the machine by valid user accounts, which would otherwise be blocked. Remote access is necessary when SRAS is used as an agent-less platform and performs all SCAP functions from a remote scanner. This requirement does not apply to Windows XP systems, and does not apply to Windows Vista systems participating in a domain.

NOTE: SRAS can perform scans which are agent-less, agent-based, or those which use a dissolving agent. Because a dissolving agent eliminates these conflicts, most organizations prefer the dissolving agent methodology.

SCAP and SRAS

The full implementation of SCAP 1.0 was added to SRAS in version 3.5 and will be supported in all future versions of SRAS. Certain components of SCAP had been supported previously, as far back as SRAS version 1.0. However, the expansion of SCAP support in SRAS 3.5 was comprehensive, including all available components. The SCAP components implemented in SRAS 3.5 are listed below:

SCAP Components Implemented in SRAS 3.5
   Common Vulnerability Enumeration (CVE)
   Common Configuration Enumeration (CCE)
   Common Platform Enumeration (CPE)
   Common Vulnerability Scoring System (CVSS)
   extensible Configuration Checklist Document Format (XCCDF)
   Open Vulnerability Assessment Language (OVAL)

In addition to the SCAP components, SRAS achieved a majority of the NIST-defined SCAP Capabilities. An SCAP Capability provides context for how the SCAP Components are being utilized. For example, the CVE Component could be implemented in both a vulnerability scanner and an anti-virus product; the designation of SCAP Capabilities indicates the type of solution in which the SCAP Components are being used. As an integrated suite of technologies, SRAS has achieved seven SCAP capabilities in one offering.

SCAP Capabilities Achieved in SRAS 3.5
   Federal Desktop Core Configuration Scanner
   Authenticated Configuration Scanner
   Authenticated Vulnerability Scanner
   Asset Management
   Asset Database
   Vulnerability Database
   Mis-configuration Database

More information about the implementation of SCAP in SRAS is provided in the remaining sections of this chapter.

CVE

Common Vulnerability Enumeration (CVE) is used within SRAS to associate any vulnerabilities reported in the SRAS Portal with a corresponding CVE ID. CVE IDs are displayed on Vulnerability Distribution reports and Vulnerability Detail reports, which can be accessed by clicking any vulnerability name in the SRAS Portal. From this page, users can click the CVE ID number to access the NVD and/or MITRE records for the CVE.

Figure 8-a: Vulnerability Distribution Report with CVE Reference (Reporting > Vulnerability > By Vulnerability)

Figure 8-b: Vulnerability Detail Report with CVE Reference (Reporting > Vulnerability > By Vulnerability > select a vulnerability)

Importing CVE references

CVE references can be updated at any time by following the steps below.

1. Current CVE definition files can be downloaded from NIST. Once downloaded, copy the downloaded file(s) to the folder C:\Program Files\Risk Automation Suite\SFPolicyEvaluator on the SRAS Portal.
2. Open a command prompt and navigate to C:\Program Files\Risk Automation Suite\SFPolicyEvaluator on the SRAS Portal.
3. Enter policyevaluator -h to view the import options and syntax.

Figure 8-c: XCCDF Import Options

4. Execute the CVE import command policyevaluator importcve <filename.xml>.

Upon successful importation of the CVE file, SRAS reports will reflect the new references.

CCE

Common Configuration Enumeration (CCE) is used within SRAS to associate configuration values reported in the SRAS Portal with a corresponding CCE ID. CCE IDs are displayed on the Control Detail Report, which can be accessed by clicking any Control name in the SRAS Portal. On this page, the CCE ID is located in the Control Description field. The CCE ID can be clicked to access the NVD record for the CCE.

Figure 8-d: Control Detail Report with CCE Reference (Policies & Controls > policy name menu > Controls > select control)

CPE

Common Platform Enumeration (CPE) is used by SRAS to align SCAP data streams and assessment results with the intended platforms. CPE values are imported from XCCDF data streams and are used in conjunction with OVAL definitions and the SRAS Configuration Management scanner. CPE values are updated in SRAS during the XCCDF importation process. To update the CPE values, download the relevant XCCDF files from NIST (or, for FDCC, from the FDCC download web site). Each XCCDF checklist includes an xml file containing a CPE dictionary. This dictionary can be uploaded from a command prompt on the SRAS portal. The following steps and screen shots illustrate this process.

1. Copy the CPE dictionary file into the C:\Program Files\Risk Automation Suite\SFPolicyEvaluator folder.
2. Execute the CPE import routine by running policyevaluator importcpe <filename.xml>.
3. Select which of the supported operating system types corresponds to the XCCDF checklist being imported.
4. Select which of the supported operating system versions corresponds to the XCCDF checklist being imported.

Figure 8-e: Completed CPE importation

CVSS

The Common Vulnerability Scoring System (CVSS) is used within SRAS to prioritize and display risk scores for any vulnerabilities reported in the SRAS Portal. CVSS scores can be viewed for each vulnerability in the Vulnerability Detail reports and View Host reports.

Figure 8-f: Vulnerability Detail Report with CVSS Reference (Reporting > Vulnerability > By Vulnerability > select a vulnerability)

Click the CVSS Score to view all sub-scores, modifiers and metrics associated with the score calculation. These values can be updated to reflect the actual environmental factors.

Figure 8-g: CVSS Drill Down from Vulnerability Detail Report (click the CVSS Score when viewing a vulnerability)

XCCDF

SRAS is fully compatible with the NIST XCCDF format. This section outlines the specific steps required for utilizing and importing XCCDF content. During the import process, the SRAS database is updated with the XCCDF content. This update is evident in two ways. First, any new OVAL definitions and tests are included in future configuration scans against the platforms designated in the XCCDF files. Second, the XCCDF rules and desired values are parsed and formatted into an SRAS policy under Policies and Controls. Putting these steps together, we end up with the following step-by-step process for utilizing XCCDF.

SRAS/XCCDF process flow

1. The end-user downloads XCCDF checklist files and current CVE definitions from the NIST NVD website.
2. The end-user runs the XCCDF import routine. XCCDF files are automatically read and parsed, and the following updates are made to SRAS:
   - New CPE values and CPE updates are made to the SRAS CPE table.
   - New OVAL tests are added to the SRAS configuration checks table.
   - A policy is added or updated in SRAS Policies and Controls.
3. Configuration scans are executed through the normal automated scan scheduling process.
4. Policy scores are automatically calculated using the normal policy measurement process.
5. The XCCDF checklist results are exported from the SRAS portal into an SCAP-compliant results file.
6. Scans and policy measurement are made continuous through an automated recurring schedule.

XCCDF import instructions

1. Download the desired SCAP checklist from the NIST NVD website (or, for FDCC, from the FDCC download web site).

Figure 8-h: NIST NVD & FDCC Download Web sites

Figure 8-i: Download page

2. Copy the downloaded checklist(s) to the folder C:\Program Files\Risk Automation Suite\SFPolicyEvaluator on the SRAS Portal.
3. Open a command prompt and navigate to C:\Program Files\Risk Automation Suite\SFPolicyEvaluator on the SRAS Portal.
4. Enter policyevaluator -h to view the import options and syntax.

Figure 8-j: XCCDF Import Options

5. Execute the SCAP import commands for each XCCDF xml file in the following order. Note: if prompted whether to ignore errors during the import process, select the All option to ignore all errors.
   a. policyevaluator importcpe <platformname-CPE-dictionary.xml>
   b. policyevaluator importoval <platformname-oval-cpe.xml>
   c. policyevaluator importoval <platformname-oval.xml>
   d. policyevaluator importoval <platformname-patches.xml>
   e. policyevaluator importxccdf <platformname-xccdf.xml>

Upon successful importation of the OVAL definitions, CPE dictionary and XCCDF file, the XCCDF policy will be created in the SRAS Portal under Policies & Controls, and configuration scans will now incorporate the imported OVAL definitions.

Figure 8-k: XCCDF/SCAP Policies Resulting from XCCDF Checklists (Policies & Controls > Summary)

XCCDF Results File - Export Instructions

1. Open a command prompt and navigate to C:\Program Files\Risk Automation Suite\SFPolicyEvaluator on the SRAS Portal.
2. Run policyevaluator exportxccdfresults analyzenow. The XCCDF results file will be created and added to the SFPolicyEvaluator directory.

OVAL

The Open Vulnerability Assessment Language (OVAL) is used by SRAS to define and test system vulnerabilities, patches and configuration values. OVAL content, consisting of configuration and patch definitions, can be imported into SRAS and included in the SRAS scanning processes. SRAS interprets OVAL definitions, executes scans remotely against target machines, and returns the OVAL test results to the SRAS portal for measurement against XCCDF checklists and benchmarks. OVAL references, including the definition, can be viewed in the SRAS Control Detail Report and Edit Control dialogue for any imported OVAL definitions.
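As an added example of what the import sequence above consumes (this is not SRAS product code), the following Python parses a small constructed XCCDF checklist the way an import step would: it pulls the platform CPE name that feeds the CPE table, each rule's CCE identifier and the OVAL definition reference that becomes a configuration check, and then rolls per-rule results up with the XCCDF flat scoring model, the kind of policy score the process flow describes. All ids are placeholders, and how SRAS itself computes policy scores is not documented here.

```python
"""Added example, not SRAS product code: what an XCCDF import step extracts from a
checklist (platform CPE, rules, CCE identifiers, OVAL definition references) and how
rule results roll up under the XCCDF "flat" scoring model. The benchmark and results
are constructed; every id is a placeholder, not real FDCC content."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import xml.etree.ElementTree as ET

CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed minimal benchmark in the XCCDF 1.1 namespace used by the FDCC checklists.
BENCHMARK_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="EXAMPLE-Benchmark">
  <platform idref="cpe:/o:microsoft:windows_vista"/>
  <Group id="EXAMPLE-Group-Accounts">
    <Rule id="EXAMPLE-Rule-1" selected="true" weight="10.0">
      <ident system="http://cce.mitre.org">CCE-EXAMPLE-0001</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="EXAMPLE-Rule-2" selected="true" weight="5.0">
      <ident system="http://cce.mitre.org">CCE-EXAMPLE-0002</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
    <Rule id="EXAMPLE-Rule-3" selected="false" weight="1.0">
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def local(tag: str) -> str:
    # Strip the namespace so the same code handles default-namespace and xccdf:-prefixed files.
    return tag.rsplit("}", 1)[-1]


@dataclass
class Rule:
    id: str
    selected: bool
    weight: float
    cce: List[str] = field(default_factory=list)
    oval_href: Optional[str] = None   # OVAL file the rule's check lives in
    oval_def: Optional[str] = None    # OVAL definition id evaluated for the rule


def parse_benchmark(xml_text: str) -> Tuple[List[str], List[Rule]]:
    """Return (platform CPE names, rules) as an import routine would read them."""
    root = ET.fromstring(xml_text)
    platforms = [el.get("idref") for el in root if local(el.tag) == "platform"]
    rules: List[Rule] = []
    for el in root.iter():
        if local(el.tag) != "Rule":
            continue
        rule = Rule(
            id=el.get("id"),
            selected=el.get("selected", "true") != "false",   # XCCDF default: selected
            weight=float(el.get("weight", "1.0")),            # XCCDF default weight: 1.0
        )
        for child in el:
            if local(child.tag) == "ident" and child.get("system") == CCE_SYSTEM:
                rule.cce.append(child.text.strip())
            elif local(child.tag) == "check" and child.get("system") == OVAL_SYSTEM:
                for ref in child:
                    if local(ref.tag) == "check-content-ref":
                        rule.oval_href, rule.oval_def = ref.get("href"), ref.get("name")
        rules.append(rule)
    return platforms, rules


PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}   # count toward the maximum but not the score


def flat_score(rules: List[Rule], results: Dict[str, str]) -> Tuple[float, float, float]:
    """XCCDF flat model: score = weight of passing rules, maximum = weight of all scored
    rules; notapplicable, notchecked, informational and unselected rules are unscored."""
    score = maximum = 0.0
    for rule in rules:
        if not rule.selected:
            continue
        result = results.get(rule.id, "notchecked")
        if result in PASSING:
            score += rule.weight
            maximum += rule.weight
        elif result in FAILING:
            maximum += rule.weight
    percent = round(100 * score / maximum, 1) if maximum else 0.0
    return score, maximum, percent


if __name__ == "__main__":
    platforms, rules = parse_benchmark(BENCHMARK_XML)
    print(platforms, [(r.id, r.cce, r.oval_def) for r in rules])
    # Constructed per-rule results, as a configuration scan would report them.
    print(flat_score(rules, {"EXAMPLE-Rule-1": "pass", "EXAMPLE-Rule-2": "fail"}))  # (10.0, 15.0, 66.7)
```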

Figure 8-l: OVAL Definition Reference on Edit Control Dialogue (Policies & Controls > policy name > Controls > select control > Edit)

Figure 8-m: Edit Control window

OVAL Results File - Export Instructions

1. Open a command prompt and navigate to C:\Program Files\Risk Automation Suite\SFPolicyEvaluator on the SRAS Portal.
2. Run policyevaluator -exportovalresults analyzenow to export OVAL thin results, or run policyevaluator -exportovalresults full analyzenow to export full OVAL results. The OVAL results file will be created and added to the SFPolicyEvaluator directory.


More information

BeAware Corporate Edition Admin Console. User Manual. BeAware Corporate Edition Admin Console Version 7.1. Ascentive LLC.

BeAware Corporate Edition Admin Console. User Manual. BeAware Corporate Edition Admin Console Version 7.1. Ascentive LLC. User Manual BeAware Corporate Edition Admin Console Version 7.1 Ascentive LLC User Manual 1 Copyright Notice Copyright 2008 Ascentive LLC All Rights Reserved This document is protected by copyright law

More information

Secret Server User Guide

Secret Server User Guide Secret Server User Guide I. GETTING STARTED... 6 1. INSTALLATION GUIDE SEE SEPARATE DOCUMENT... 6 2. TERMINOLOGY... 6 II. SECRET SECTION... 7 1. SECRETS... 7 a. Creating a Secret... 7 b. Viewing a Secret...

More information

Provisioning the K1000 Agent

Provisioning the K1000 Agent Provisioning the K1000 Agent Agent provisioning is the task of installing the K1000 Agent on devices you want to add to K1000 inventory using the Agent. About the K1000 Agent The K1000 Agent is an application

More information

Dell EMC Repository Manager Version 3.1. User s Guide

Dell EMC Repository Manager Version 3.1. User s Guide Dell EMC Repository Manager Version 3.1 User s Guide Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates

More information

VMware vcenter AppSpeed User s Guide AppSpeed 1.0 EN

VMware vcenter AppSpeed User s Guide AppSpeed 1.0 EN VMware vcenter AppSpeed User s Guide AppSpeed 1.0 EN-000213-01 VMware vcenter AppSpeed User s Guide You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

More information

Azure for On-Premises Administrators Practice Exercises

Azure for On-Premises Administrators Practice Exercises Azure for On-Premises Administrators Practice Exercises Overview This course includes optional practical exercises where you can try out the techniques demonstrated in the course for yourself. This guide

More information

ISO27001 Preparing your business with Snare

ISO27001 Preparing your business with Snare WHITEPAPER Complying with ISO27001 Preparing your business with Snare T he technical controls imposed by ISO (International Organisation for Standardization) Standard 27001 cover a wide range of security

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.3 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Solution Pack Managed Services Virtual Private Cloud Security Features Selections and Prerequisites Subject Governing Agreement DXC Services Requirements Agreement between DXC and Customer including DXC

More information

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support...

High Availability Enabling SSL Database Migration Auto Backup and Auto Update Mail Server and Proxy Settings Support... Quick Start Guide Table of Contents Overview... 4 Deployment... 4 System Requirements... 4 Installation... 6 Working with AD360... 8 Starting AD360... 8 Launching AD360 client... 9 Stopping AD360... 9

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Citrix Connector Citrix Systems, Inc. All rights reserved. p.1. About this release. System requirements. Technical overview.

Citrix Connector Citrix Systems, Inc. All rights reserved. p.1. About this release. System requirements. Technical overview. Citrix Connector 3.1 May 02, 2016 About this release System requirements Technical overview Plan Install Citrix Connector Upgrade Create applications Deploy applications to machine catalogs Publish applications

More information

Get Started. Document Management 9.7.1

Get Started. Document Management 9.7.1 Get Started Document Management 9.7.1 NOTICE This document and the Sage Timberline Office software may be used only in accordance with the accompanying Sage Timberline Office End User License Agreement.

More information

EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices

EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices EM L04 Using Workflow to Manage Your Patch Process and Follow CISSP Best Practices Hands-On Lab Description Most corporations today have some form of patch process in place. In this session, you will learn

More information

AVID Reports. User Manager

AVID Reports. User Manager AVID Reports User Manager Table of Contents Overview... 3 User Manager Features... 4 Application Toolbar...4 Add New User...4 Export to Excel...4 Help...4 User Account List...4 Sorting...4 Editing...4

More information

AgentWorks Administrator and Manager User Guide - Release 12.5

AgentWorks Administrator and Manager User Guide - Release 12.5 AgentWorks Administrator and Manager User Guide - Release 12.5 March 21, 2013 2012 MoneyGram InternationalAll rights reserved. Table of Contents Registration Overview... 2 1. Initial Log In AgentWorks

More information

DataCollect Administrative Tools Supporting DataCollect (CMDT 3900) Version 3.0.0

DataCollect Administrative Tools Supporting DataCollect (CMDT 3900) Version 3.0.0 Administrator Manual DataCollect Administrative Tools Supporting DataCollect (CMDT 3900) Version 3.0.0 P/N 15V-090-00054-100 Revision A SKF is a registered trademark of the SKF Group. All other trademarks

More information

SharePoint General Instructions

SharePoint General Instructions SharePoint General Instructions Table of Content What is GC Drive?... 2 Access GC Drive... 2 Navigate GC Drive... 2 View and Edit My Profile... 3 OneDrive for Business... 3 What is OneDrive for Business...

More information

THE LOGIN PAGE... 3 THE HOME PAGE... 4 REPORTS... 15

THE LOGIN PAGE... 3 THE HOME PAGE... 4 REPORTS... 15 CheckTrack Web Reporting User guide 1 Contents THE LOGIN PAGE... 3 THE HOME PAGE... 4 REPORTS... 5 REPORT SCREEN FUNCTIONALITY... 5 CHECK DETAILS & CHECK IMAGE... 8 NEW CHECKS... 10 ALL ACTIVE CHECKS...

More information

Comodo One Software Version 3.18

Comodo One Software Version 3.18 rat Comodo One Software Version 3.18 Service Desk Staff Guide Guide Version 4.8.122817 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Service Desk Module...

More information

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course

McAfee VirusScan and McAfee epolicy Orchestrator Administration Course McAfee VirusScan and McAfee epolicy Orchestrator Administration Course Education Services administration course training The McAfee VirusScan Enterprise and McAfee epolicy Orchestrator (McAfee epo ) Administration

More information

Integration Service. Admin Console User Guide. On-Premises

Integration Service. Admin Console User Guide. On-Premises Kony MobileFabric TM Integration Service Admin Console User Guide On-Premises Release 7.3 Document Relevance and Accuracy This document is considered relevant to the Release stated on this title page and

More information

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory Netwrix Auditor for Active Directory Quick-Start Guide Version: 6.5 9/26/2014 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

Tenable.io User Guide. Last Revised: November 03, 2017

Tenable.io User Guide. Last Revised: November 03, 2017 Tenable.io User Guide Last Revised: November 03, 2017 Table of Contents Tenable.io User Guide 1 Getting Started with Tenable.io 10 Tenable.io Workflow 12 System Requirements 15 Scanners and Agents 16 Link

More information

Electronic Appraisal Delivery (EAD) Portal. FHA EAD General User Guide

Electronic Appraisal Delivery (EAD) Portal. FHA EAD General User Guide Electronic Appraisal Delivery (EAD) Portal FHA EAD General User Guide Last Updated: October 2015 FHA EAD General User Guide Page 2 of 87 Version 1.3.1 TABLE OF CONTENTS INTRODUCTION... 6 WHAT IS THE ELECTRONIC

More information

Aventail WorkPlace. User s Guide Version 8.7.0

Aventail WorkPlace. User s Guide Version 8.7.0 Aventail WorkPlace User s Guide Version 8.7.0 1996-2006 Aventail Corporation. All rights reserved. Aventail, Aventail Cache Control, Aventail Connect, Aventail Connect Mobile, Aventail Connect Tunnel,

More information

Administrator's Guide

Administrator's Guide Administrator's Guide EPMWARE Version 1.0 EPMWARE, Inc. Published: July, 2015 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless

More information

SecurityCenter 5.0 SCAP Assessments. May 28, 2015 (Revision 2)

SecurityCenter 5.0 SCAP Assessments. May 28, 2015 (Revision 2) SecurityCenter 5.0 SCAP Assessments May 28, 2015 (Revision 2) Table of Contents Overview... 3 Standards and Conventions... 3 Abbreviations... 3 Simple Assessment Procedure... 4 XCCDF Certified vs. Lower-Tier

More information

Electronic Appraisal Delivery (EAD) Portal. FHA EAD Lender Admin Guide

Electronic Appraisal Delivery (EAD) Portal. FHA EAD Lender Admin Guide Electronic Appraisal Delivery (EAD) Portal FHA EAD Lender Admin Guide Last Updated: October 2015 FHA EAD Lender Admin Guide Page 2 of 95 Version 1.3.1 TABLE OF CONTENTS INTRODUCTION... 5 WHAT IS THE ELECTRONIC

More information

DSS User Guide. End User Guide. - i -

DSS User Guide. End User Guide. - i - DSS User Guide End User Guide - i - DSS User Guide Table of Contents End User Guide... 1 Table of Contents... 2 Part 1: Getting Started... 1 How to Log in to the Web Portal... 1 How to Manage Account Settings...

More information

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation

Legal Notes. Regarding Trademarks KYOCERA MITA Corporation Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable for any problems arising from

More information

Cloud Compute. Backup Portal User Guide

Cloud Compute. Backup Portal User Guide Cloud Compute Backup Portal User Guide Contents Service Overview... 4 Gaining Access... 5 Operational Guide... 6 Landing Page... 6 Profile View... 6 Detailed View... 8 Overview... 8 Cloud Backup... 8

More information

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4

vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4 vrealize Operations Manager Customization and Administration Guide vrealize Operations Manager 6.4 vrealize Operations Manager Customization and Administration Guide You can find the most up-to-date technical

More information

VMware AirWatch Google Sync Integration Guide Securing Your Infrastructure

VMware AirWatch Google Sync Integration Guide Securing Your  Infrastructure VMware AirWatch Google Sync Integration Guide Securing Your Email Infrastructure Workspace ONE UEM v9.5 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows,

2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows, 2012 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Excel, Lync, Outlook, SharePoint, Silverlight, SQL Server, Windows, Windows Server, and other product names are or may be registered

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, please review the readme files,

More information

Mozy. Administrator Guide

Mozy. Administrator Guide Mozy Administrator Guide Preface 2017 Mozy, Inc. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license

More information

NTP Software VFM Administration Web Site

NTP Software VFM Administration Web Site NTP Software VFM Administration Web Site User Manual Version 7.1 This guide details the method for using NTP Software VFM Administration Web Site, from an administrator s perspective. Upon completion of

More information

CLIQ Web Manager. User Manual. The global leader in door opening solutions V 6.1

CLIQ Web Manager. User Manual. The global leader in door opening solutions V 6.1 CLIQ Web Manager User Manual V 6.1 The global leader in door opening solutions Program version: 6.1 Document number: ST-003478 Date published: 2016-03-31 Language: en-gb Table of contents 1 Overview...9

More information

CollabNet Desktop - Microsoft Windows Edition

CollabNet Desktop - Microsoft Windows Edition CollabNet Desktop - Microsoft Windows Edition User Guide 2009 CollabNet Inc. CollabNet Desktop - Microsoft Windows Edition TOC 3 Contents Legal fine print...7 CollabNet, Inc. Trademark and Logos...7 Chapter

More information

Comodo SecureBox Management Console Software Version 1.9

Comodo SecureBox Management Console Software Version 1.9 6. Comodo SecureBox Management Console Software Version 1.9 Quick Start Guide Guide Version 1.9.041918 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo SecureBox Management Console

More information

Detector Service Delivery System (SDS) Version 3.0

Detector Service Delivery System (SDS) Version 3.0 Detector Service Delivery System (SDS) Version 3.0 Detecting and Responding to IT Security Policy Violations Quick Start Guide 2018 RapidFire Tools, Inc. All rights reserved. V20180112 Contents Overview

More information