Now that your company has invested time and resources in gathering information about your entire installed base of software and equipment, how can we analyze and measure its level of security protection? Can we identify the vulnerabilities in your company’s software? Can we create a scoring function that measures security and how it changes over time?
To address these questions, Würth Phoenix has put together a solution that adds information about IT security to existing information about installed software, helping company staff manage IT security.
Recall in fact that each vulnerability represents an element of security risk and one possible avenue of attack against our data by hostile hackers.
The principle data source is the hardware and software inventory (SCCM, GLPI, etc.), where you can find an updated list of the software installed on the various PCs and servers the company runs.
We should add to this information the related vulnerabilities which can be found principally in the CVE (Common Vulnerabilities and Exposure) database. CVE is a publicly available dictionary of vulnerabilities and security gaps. It is maintained by The MITRE Corporation and is financed by the Department of Homeland Security in the United States.
CVE is internationally recognized and the level of detail it contains allows for the evaluation of security risks which a company is exposed to. The objective achieved by Würth Phoenix’s solution is to connect the vulnerabilities in this database to the software in your inventory, and we can do this using CPE!
CPE is a standard for describing and identifying classes of applications, operating systems and hardware devices. These entities are described mainly by the name and version of the software.
Once our installed software from CPE is correlated with the CVE vulnerability database, we have all the information necessary to qualitatively measure a company’s IT risk. This can also be quantitative thanks to the the fact that every entry in CVE has a Severity Rating. This risk level is a number between 0 and 10 that according to the CVSS 2.0 standard is distributed as follows:
|Severity||Base Score Range|
|Low||0.0 – 3.9|
|Medium||4.0 – 6.9|
All this information is inserted periodically into NetEye and is then further processed in Kibana with ad-hoc dashboards.
Everything described above from an architectural point of view can be represented by the Deployment Diagram below. In purple we can see all those systems that have inventory data, and in yellow the NetEye servers and the ABSC server for processing the information.
Thus in the end we can state that with our solution we can visualize the processing of security information over time, find vulnerabilities present server-by-server or PC-by-PC, find the software that numerically introduces the greatest risks for our company, and many more besides as meets your needs.