How do you distribute vulnerability/solution information?

Hi,

Having used insightVM for a few years, I’m still having trouble finding the best way to distribute vulnerability and solution information to our teams and feel like I must be missing something.

I want to minimise the amount of time our teams need to go clicking around inside insightVM and make it as simple for them as possible - just supplying a list of ‘apply this solution on this asset’. I also want to minimise the time it takes me to manage this.

We have around 25 different teams (both sys admins and support, across geographical regions). Assuming the owner tag is set to one of these teams (which is a challenge in itself because of the inability to do AND and OR in tagging criteria, but we’ll ignore that for now) here’s what I’ve tried:

  1. A single, large SQL export CSV report with everything on it. This is manually edited using Excel and Lookups to other data into individual, per team CSVs and distributed via multiple tickets. However, this takes a relatively long time to do and the data is out of date pretty much immediately anyway.
  2. Scheduled reports/SQL exports to each team - this however requires maintaining 25 identical reports (if a change is required it requires changing it 25 times) and also doesn’t solve the issue with the data going out of date.
  3. Remediation Projects - a query can be created to find all assets with vulns over a specific CVSS score. However, the solutions then shown are to resolve all vulns of the asset, not just the vulns over the specified CVSS score, so the teams end up resolving minor issues and prioritization can’t be done.
  4. Goals - these show the assets that meet the CVSS criteria and show the vulnerabilities, but don’t show the solutions, so then the teams have to start clicking around insightVM for the less obvious solutions.
  5. Asset groups - creating specific asset groups, but this requires a lot of clicking on assets individually, checking the list of vulnerabilities, checking solutions where required etc.

I did create an external system that pulled a scheduled report from the insightVM console daily, ingested it into a SQL database and then presented the data via a web service. However, this added more ‘moving parts’ to maintain, involved costs for the web service and my manager, rightly, pointed out that insightVM should be able to do this and to use the tools we already have (which I can’t get to work as I would like, hence this question).

Any ideas would be much appreciated!


Have you looked into the Data warehouse? It might make what you are doing less complicated with less moving parts

I did look at the data warehouse a couple of years ago and the hardware requirements made it unlikely to be possible at the time, plus I think that will just add more moving parts as it just moves the data from one place to another and I can already access the data I need. I’m just having trouble finding a way to distribute the information that doesn’t have any of the disadvantages I’ve mentioned.

I’ve spoken to Rapid7 support about this who have pointed something out to me that is obvious when you see it.

In case this helps anyone in the future, the Query Builder by default queries the assets only. If you enter a vulnerability query of cvss >= 9 it will return all assets that have at least one such vulnerability, but a remediation project built off of that will show how to resolve ALL vulnerabilities on the system, not just the cvss >= 9 ones. Instead, if you click the Switch to Expert option in Query Builder there are options to filter by asset AND vulnerability. Entering the cvss >= 9 into the vulnerability filter resolves this issue.

Obvious when you see it and I felt stupid when it was pointed out to me, but all good now!

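The scope difference described in the post above (an asset-level filter returning every finding on matching assets, versus a vulnerability-level filter returning only the matching findings) is the same distinction that matters in the SQL Query Export approach from the original post. The following is an added example, not code from this thread or from Rapid7: it expresses both queries against the InsightVM reporting data model and runs them offline with sqlite3 on constructed sample rows so the difference in output is visible. The table and column names (dim_asset, dim_vulnerability, fact_asset_vulnerability_finding, dim_asset_vulnerability_best_solution, dim_solution, dim_tag, dim_tag_asset) follow the reporting data model as I recall it and should be checked against the console's schema reference before pasting into a report; the tag_type value 'OWNER', the sample hosts, scores and solutions are all assumptions.

```python
"""Asset-scoped vs vulnerability-scoped queries against an InsightVM-style
reporting data model, demonstrated offline with sqlite3 on constructed data.

The two SQL strings are written in the form that would go into a SQL Query
Export report; sqlite3 is used here only so the example runs stand-alone.
"""
import sqlite3

# Assumption: table/column names follow the InsightVM reporting data model
# as I recall it. Verify against the console's schema before relying on them.
SCHEMA = """
CREATE TABLE dim_asset (asset_id INTEGER PRIMARY KEY, host_name TEXT, ip_address TEXT);
CREATE TABLE dim_vulnerability (vulnerability_id INTEGER PRIMARY KEY, title TEXT, cvss_score REAL);
CREATE TABLE fact_asset_vulnerability_finding (asset_id INTEGER, vulnerability_id INTEGER,
                                               vulnerability_instances INTEGER);
CREATE TABLE dim_solution (solution_id INTEGER PRIMARY KEY, summary TEXT, fix TEXT);
CREATE TABLE dim_asset_vulnerability_best_solution (asset_id INTEGER, vulnerability_id INTEGER,
                                                    solution_id INTEGER);
CREATE TABLE dim_tag (tag_id INTEGER PRIMARY KEY, tag_name TEXT, tag_type TEXT);
CREATE TABLE dim_tag_asset (tag_id INTEGER, asset_id INTEGER);
"""

# Constructed sample data (not real scan output): web01 has one critical and
# one low finding, db01 has only a low finding, each asset has one owner tag.
SAMPLE = [
    ("INSERT INTO dim_asset VALUES (?,?,?)",
     [(1, "web01", "10.0.0.11"), (2, "db01", "10.0.0.12")]),
    ("INSERT INTO dim_vulnerability VALUES (?,?,?)",
     [(100, "Remote code execution in Foo", 9.8), (101, "Server banner disclosure", 2.6)]),
    ("INSERT INTO fact_asset_vulnerability_finding VALUES (?,?,?)",
     [(1, 100, 1), (1, 101, 2), (2, 101, 1)]),
    ("INSERT INTO dim_solution VALUES (?,?,?)",
     [(5, "Upgrade Foo to 2.0", "apt-get install foo=2.0"),
      (6, "Disable the server banner", "Set ServerTokens Prod")]),
    ("INSERT INTO dim_asset_vulnerability_best_solution VALUES (?,?,?)",
     [(1, 100, 5), (1, 101, 6), (2, 101, 6)]),
    ("INSERT INTO dim_tag VALUES (?,?,?)",
     [(1, "Team-EMEA-Linux", "OWNER"), (2, "Team-APAC-DB", "OWNER")]),
    ("INSERT INTO dim_tag_asset VALUES (?,?)", [(1, 1), (2, 2)]),
]

# Shared body: one row per (owner tag, asset, finding) with the best solution.
# Explicit ON clauses keep it portable between PostgreSQL (the console) and sqlite.
BASE = """
SELECT t.tag_name AS owner, a.host_name, a.ip_address,
       v.title, v.cvss_score, s.summary AS solution, s.fix
FROM fact_asset_vulnerability_finding f
JOIN dim_asset a ON a.asset_id = f.asset_id
JOIN dim_vulnerability v ON v.vulnerability_id = f.vulnerability_id
JOIN dim_asset_vulnerability_best_solution bs
     ON bs.asset_id = f.asset_id AND bs.vulnerability_id = f.vulnerability_id
JOIN dim_solution s ON s.solution_id = bs.solution_id
JOIN dim_tag_asset ta ON ta.asset_id = f.asset_id
JOIN dim_tag t ON t.tag_id = ta.tag_id AND t.tag_type = 'OWNER'
"""

# Vulnerability-scoped: the threshold is applied to each finding row. This is
# what the Expert vulnerability filter does and what a per-team fix list wants.
VULN_SCOPED = BASE + """
WHERE v.cvss_score >= ?
ORDER BY owner, a.host_name, v.cvss_score DESC"""

# Asset-scoped: pick assets that have ANY finding over the threshold, then
# return every finding on those assets, low ones included. This is the
# behaviour of the default (asset) query that the post above describes.
ASSET_SCOPED = BASE + """
WHERE f.asset_id IN (
    SELECT f2.asset_id
    FROM fact_asset_vulnerability_finding f2
    JOIN dim_vulnerability v2 ON v2.vulnerability_id = f2.vulnerability_id
    WHERE v2.cvss_score >= ?)
ORDER BY owner, a.host_name, v.cvss_score DESC"""


def run(sql, threshold=9.0):
    """Load the constructed data into an in-memory database and run one query."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for stmt, rows in SAMPLE:
        con.executemany(stmt, rows)
    rows = con.execute(sql, (threshold,)).fetchall()
    con.close()
    return rows


def per_team(rows):
    """Group rows by owner tag: {owner: [(host, solution), ...]}, i.e. the
    'apply this solution on this asset' list that goes into each team's ticket."""
    out = {}
    for owner, host, _ip, _title, _cvss, solution, _fix in rows:
        out.setdefault(owner, []).append((host, solution))
    return out


if __name__ == "__main__":
    print("vulnerability-scoped:", per_team(run(VULN_SCOPED)))
    print("asset-scoped:       ", per_team(run(ASSET_SCOPED)))
```

With the sample data the vulnerability-scoped query returns only the critical finding on web01, while the asset-scoped query returns both of web01's findings (the 2.6 banner issue comes along because the asset qualified), and db01 appears in neither. The threshold is a bind parameter, so the same query body can be reused per severity band instead of editing copies of the report.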

Been using IVM for over a year… wow, this is great to know! They should be telling all customers this (or perhaps I’m in the minority of people who really struggled with making this data more visible and reliable…)