Vulnerability Management – What Are Vulnerability Group Rules, How Do They Work, and Why Are They so Important?


When it comes to Vulnerability Management, Vulnerability Group Rules can be powerful when configured correctly. However, they may not work the way that you’d expect. I’ve had several situations in which the subject of Vulnerability Group Rules has come up, but the conversation has gotten sidetracked over confusion about how a Vulnerability Group Rule functions. First, a Vulnerability Group Rule is NOT a condition-based filter. You cannot create a Group Rule for just “Windows Server Patches for the Northeast region”, for example (in this case you would want to create an ad-hoc Vulnerability Group). Instead, a Group Rule names one or more Vulnerable Item columns, and every distinct combination of values in those columns becomes its own Vulnerability Group. Group Rules therefore function more like “clubs”: a Vulnerable Item belongs to one “club” per active Rule, and which club that is depends only on the Item’s attributes.

For example, suppose you have 4 Vulnerable Items with the following attributes:

  1. VIT001
     1. Vulnerability: QID001
     2. CI Class: Server
     3. CI: QWERTYASDF
  2. VIT002
     1. Vulnerability: QID001
     2. CI Class: Computer
     3. CI: 12345678
  3. VIT003
     1. Vulnerability: QID002
     2. CI Class: Server
     3. CI: QWERTYASDF
  4. VIT004
     1. Vulnerability: QID002
     2. CI Class: Server
     3. CI: 00000001

And suppose you have 2 active Vulnerability Group Rules:

  1. Vulnerability – Class
  2. CI

These 2 Group Rules, when applied to the above 4 Vulnerable Items, will result in 6 Vulnerability Groups:

  1. Vulnerability – Class: QID001 – Server
     VIT001
  2. Vulnerability – Class: QID001 – Computer
     VIT002
  3. Vulnerability – Class: QID002 – Server
     VIT003, VIT004
  4. CI: QWERTYASDF
     VIT001, VIT003
  5. CI: 12345678
     VIT002
  6. CI: 00000001
     VIT004

Looking at the above Groups, you can see that Vulnerable Items are not confined to one Group: the relationship between Vulnerable Items and Vulnerability Groups is many-to-many. Each active Rule places every Vulnerable Item into exactly one of that Rule’s Groups, so with 2 Rules every Item above appears in 2 Groups. Thus, as this example shows, you can end up with more Groups than Items, depending on how you create your Group Rules.
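To make the “club” behaviour concrete, here is an added example in plain JavaScript that models how Group Rules assign Vulnerable Items to Groups. It is not ServiceNow code and does not use the platform’s APIs; the field names (`number`, `vulnerability`, `ciClass`, `ci`), the shape of a rule as a list of columns, and the sample items are assumptions made for illustration. It reproduces the 2 Rules and 4 Items above, yields the 6 Groups listed, and contrasts a Rule with an ad-hoc, condition-based Group.

```javascript
// Added example (not ServiceNow code): a plain-JavaScript model of how
// Vulnerability Group Rules assign Vulnerable Items to Vulnerability Groups.
// Field names (number, vulnerability, ciClass, ci) and the rule shape are
// assumptions made for illustration, not the platform's real schema.

// Constructed sample Vulnerable Items, mirroring the four items in the post.
const VULNERABLE_ITEMS = [
  { number: "VIT001", vulnerability: "QID001", ciClass: "Server",   ci: "QWERTYASDF" },
  { number: "VIT002", vulnerability: "QID001", ciClass: "Computer", ci: "12345678" },
  { number: "VIT003", vulnerability: "QID002", ciClass: "Server",   ci: "QWERTYASDF" },
  { number: "VIT004", vulnerability: "QID002", ciClass: "Server",   ci: "00000001" },
];

// A Group Rule names the Vulnerable Item columns whose combined value defines a Group.
// Every active Rule is applied to every Vulnerable Item: this is the "club" model.
const GROUP_RULES = [
  { name: "Vulnerability - Class", columns: ["vulnerability", "ciClass"] },
  { name: "CI",                    columns: ["ci"] },
];

// The Group an item lands in under a Rule is determined purely by its column values.
function groupKey(rule, item) {
  return rule.name + ": " + rule.columns.map((col) => item[col]).join(" - ");
}

// Apply every Rule to every item. Returns Map<groupKey, { rule, members }>.
// One Group is created per distinct combination of the Rule's column values.
function applyGroupRules(items, rules) {
  const groups = new Map();
  for (const rule of rules) {
    for (const item of items) {
      const key = groupKey(rule, item);
      if (!groups.has(key)) groups.set(key, { rule: rule.name, members: [] });
      groups.get(key).members.push(item.number);
    }
  }
  return groups;
}

// Because the relationship is many-to-many, an item shows up in one Group per
// active Rule in this model; this returns every Group key that contains it.
function groupsForItem(groups, itemNumber) {
  return [...groups.entries()]
    .filter(([, group]) => group.members.includes(itemNumber))
    .map(([key]) => key);
}

// Contrast: an ad-hoc Vulnerability Group is a condition-based filter that yields
// exactly ONE group, e.g. "Server items for QID001". A Group Rule keyed on the
// same columns would instead produce one Group for EVERY class/vulnerability pair.
function adHocGroup(items, predicate) {
  return items.filter(predicate).map((item) => item.number);
}

// Stand-alone demonstration.
const groups = applyGroupRules(VULNERABLE_ITEMS, GROUP_RULES);
console.log(`${GROUP_RULES.length} rules x ${VULNERABLE_ITEMS.length} items -> ${groups.size} groups`);
for (const [key, group] of groups) console.log(`  ${key}: ${group.members.join(", ")}`);
console.log("VIT001 belongs to:", groupsForItem(groups, "VIT001"));
console.log("Ad-hoc filter 'Server + QID001':",
  adHocGroup(VULNERABLE_ITEMS, (it) => it.ciClass === "Server" && it.vulnerability === "QID001"));
```

Running it prints the same 6 Groups as the list above, with VIT001 in 2 of them. Adding a third Rule on another column does not narrow anything; it adds up to one more Group per distinct value of that column, which is why piling on Rules inflates the Group count rather than focusing it.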

Because Group Rules create Vulnerability Groups from Vulnerable Item columns, and because many organizations do not understand this, a common mistake is trying to create too many Vulnerability Group Rules. Every additional Rule adds one Group per distinct value combination of its columns across all Vulnerable Items, so the Group count grows quickly. Moreover, due to that confusion over how Group Rules work, most initially created Rules tend to function differently than expected.

My recommendation is to create a few “targeted” Group Rules, with one “catch-all” Group Rule. For the catch-all Group Rule, I like ones that focus on either the CI or the Vulnerability, as these tend to enable Change requests that are easier to assign for fulfillment from an organizational perspective (generally speaking).

2018-08-09T15:38:50+00:00
