© 2013 Host Integrity Systems, Inc. VMS
All rights reserved. Host Integrity Systems and the Host Integrity Systems logo are service marks of Host Integrity Systems, Inc.
All other trademarks are the property of their respective owners. Classification: //Host Integrity Systems/Confidential - Limited External
Distribution. Any unauthorized review, use, disclosure or distribution is prohibited.
White Paper:
Deployment of Vulnerability Management
Host Integrity Systems
April 2013
For the full content of this white paper, contact :
info@viateres.com OR info@hostintegritysystems.com
Table of Contents
INTRODUCTION ................................................................................................................... 2
THE IT SECURITY AND VM CHALLENGE ............................................................................ 2
IT SECURITY PROCESSES AND INTEGRATION OBJECTIVES .................................................. 4
THE QUALYSGUARD BENEFIT ............................................................................................ 5
QualysGuard UI ............................................................................................................ 6
THE DEVELOPMENT PROCESS ............................................................................................. 7
Deliverables................................................................................................................... 8
THE VM PROCESS............................................................................................................... 9
IT INTERFACES AND INTEGRATIONS ................................................................................. 10
Authoritative Data Sources.......................................................................................... 10
QUALYSGUARD VM SERVICE CONFIGURATION ............................................................... 12
Other Configuration Items........................................................................................... 13
CO-MANAGED VM SERVICE............................................................................................. 13
CONCLUSION .................................................................................................................... 15
Introduction
IT Vulnerability Management (VM) is one of the key functions within enterprise IT Security. VM
monitors and mitigates certain risk vectors affecting the integrity, performance, and purposeful
application of IT computing and communication facilities to proprietary operation of the
business. Some level of VM is applicable to IT Security within almost every size and type of
organization.
This VM solution overview is focused particularly to an architecture and implementation
integrating external vulnerability assessment services, internal IT computing facilities systems
management, and internal IT process aligned vulnerability monitoring and remediation
management. The overall strategy for VM design and implementation is centered around
Collaboration, Integration and Automation.
The characteristic challenges of this IT environment and the benefits of the designed solution
are:
Large enterprise with many data centers and thousands of IT deployment sites in a multi-national scope.
Significant internal and external pressures to reduce IT operational costs.
Use of a leading vulnerability assessment service (QualysGuard) for features, ease of deployment, and support.
Interoperation with existing platform management systems (server, desktop, infrastructure).
VM process integration and IT process alignment via a rich user interface automation system.
The described VM solution allows the IT department to deliver expected levels of IT risk
management, regulatory compliance, and cost effectiveness to the business.
The IT Security and VM Challenge
Organizations of every size and in every business environment face some common IT
Security challenges in terms of operational needs, threats, and resources:
1. Need for reliable, highly available, secure transaction capabilities for communication
and commerce[1]. Customers, business partners, and governments universally demand[2] this.
2. An almost infinite variety and behavior of IT platforms, communication protocols,
applications, system configurations, use modes.
3. Rapidly and constantly evolving technology and threat profiles coupled with the variable
landscape of defensible entry points and perimeters[3].
4. Specific business sector and customer community requirements, for example Payment
Card Industry (PCI) Data Security Standards (DSS) compliance. The PCI Security Standards
Council provides guidance for technology and process to meet requirements for secure and
reliable financial transactions.
And, finally, IT Security challenges must be addressed with solutions that integrate and
support cost effective (profitable) business operations, flexibility, continuity contingencies, and
value offered in the market.
The IT Security solution set most effectively comes together as an organically engineered and
deployed IT Security ecosystem aligned and integrated with overall enterprise IT and business
operations. Vulnerability Management, together with its associated technology enabler,
automation, is one key facet of the IT Security solution set. VM automation must be rationalized
within enterprise IT operations and integrated into the IT Security ecosystem; see .
Figure 1 - IT Security Ecosystem
Within the context of the IT Security challenges mentioned above and the goal of engineering
a VM component for the IT Security Ecosystem, we rely on a strategy that combines
Collaboration, Integration and Automation (CIA).
The CIA approach to VM is further detailed in the following sections.
IT Security Processes and Integration Objectives
Contemporary business environments are highly competitive, with significant cost pressure
that trickles down to nearly every internal function and department. This, coupled with the
multi-faceted and ever evolving demands on the IT department, leads to some evident
requirements for the design, deployment, and functionality of the VM sub-function within IT
Security. The CIA approach to VM specifically addresses these:
1) Collaboration
IT staff must be able to use and maintain the VM solution without additional specialized
personnel or resources. This boils down to a balance of head count / labor cost, staff
tasking load, competency, and availability and flexibility. A beneficial tactic to achieve this
balance is to uplift IT staff capability and effectiveness via the expertise of an IT Security
partner, coupled with integration and automation; C+IA.
2) Integration
Integrate with and leverage existing IT processes and functions. Maximize use of
existing IT computing platforms and services while minimizing implementation of new
-off; and some IT Security
infrastructure (VM automation) is necessary fo
architectures and processes conforming to and complementing the existing IT
environment will achieve the desired balance ; C+I+A .
3) Automation
Vulnerability problems are often long standing and are certainly ever growing, so a
robust VM solution was needed yesterday. We must minimize the time to design and
implement, with an eye to effectively supporting the other two legs of the CIA approach.
begin
detecting and remediating vulnerabilities very soon. Employing optimal commercial IT
security technology is a preferred tactic to minimize time to design and deploy, as well as
being a capability multiplier for IT staff and processes; CI+A.
Thus, Collaboration, Integration and Automation is the correct approach to leveraging and
enabling people + process + technology:
................... snip ......................
The VM Process
The VM solution is a composite mechanism centered around the QualysGuard vulnerability
assessment and reporting automation tool. Key integrations (inputs, outputs, feedback) with
other IT systems and tools make the overall VM solution a semi-automated (low hands-on
requirements) daily use tool contributing to IT security awareness and risk reduction.
Figure 4 - QualysGuard VM Process
IT Interfaces and Integrations
An effective VM solution for the enterprise requires careful consideration of interfaces and
integrations with other IT processes and systems. The key systems and interfaces must be
identified, accommodated, and usefully leveraged where possible. This VM solution
references important IT interfaces as shown in .
Figure 5 - VM Interfaces & Coordinations
Authoritative Data Sources
shows the type of authoritative data sources useful for development and maintenance
of QualysGuard (QG) assessment mapping, concurrency with IT network deployment,
regulatory reporting, and other business operations needs.
Table 2 - Authoritative Data Sources
The results of QG map scans of the enterprise IP ranges, as well as results from periodic QG
asset group scans, offer opportunities for comparison of discovered hosts and sub-networks
with the corresponding known information in the authoritative data sources ( ). Where
there are discrepancies between the QG discoveries and the authoritative data sources, a
feedback of corrective updates to the authoritative data sources can be implemented.
Over time, with consistent use of QG, enterprise IT asset and network information can be well
refined by this interoperation and feedback loop. QG will increasingly be relied upon as the
ground truth, while the complementary IT authoritative data sources will become
correspondingly reliable due to the corrective feedback.
Illustrates the overall operational Vulnerability Assessment process with integrations
(inputs, outputs, feedback) to other IT systems. Most stages of this process are directed by
asset groups which define the vulnerability scan targets as well as reporting scope.
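The reconciliation and feedback loop described above, as an added illustration that is not code from the white paper or from Qualys: it compares hosts discovered by a map scan against authoritative asset records, groups discovered IPs by the subnet-to-asset-group mapping that directs scan targets, and turns each discrepancy into a proposed corrective update for the data owner to review. The scan results, authoritative records, subnet mapping and field names (`ip`, `hostname`, `asset_group`, `owner`) are all constructed for this example and are assumptions, not a real QualysGuard export format.

```python
"""Reconcile map-scan discoveries against authoritative asset data (CMDB/IPAM
style) and produce corrective-update proposals. Added example; all data below
is constructed and the record layout is an assumption."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: hosts a map scan of the enterprise ranges discovered.
DISCOVERED = [
    {"ip": "10.10.1.5", "hostname": "web01.corp.example"},
    {"ip": "10.10.1.6", "hostname": "web02.corp.example"},
    {"ip": "10.10.2.40", "hostname": "db-legacy.corp.example"},
    {"ip": "10.10.9.12", "hostname": ""},   # answered the scan, no name resolved
]

# Constructed sample: authoritative records as a CMDB/IPAM export might provide.
AUTHORITATIVE = [
    {"ip": "10.10.1.5", "hostname": "web01.corp.example", "asset_group": "DMZ-Web", "owner": "web-team"},
    {"ip": "10.10.1.6", "hostname": "web-2.corp.example", "asset_group": "DMZ-Web", "owner": "web-team"},
    {"ip": "10.10.2.41", "hostname": "db02.corp.example", "asset_group": "Core-DB", "owner": "dba"},
]

# Constructed sample: subnet -> asset group mapping that defines scan targets
# and reporting scope (the "asset groups" of the process description).
SUBNET_GROUPS = {
    "10.10.1.0/24": "DMZ-Web",
    "10.10.2.0/24": "Core-DB",
}


@dataclass
class Reconciliation:
    unknown_hosts: List[str] = field(default_factory=list)      # scanner saw it, CMDB has no record
    stale_records: List[str] = field(default_factory=list)      # CMDB record, scanner did not see it
    name_mismatches: List[Tuple[str, str, str]] = field(default_factory=list)  # (ip, cmdb name, scan name)
    ungrouped_hosts: List[str] = field(default_factory=list)    # discovered IP outside every scan group


def asset_group_for(ip: str) -> Optional[str]:
    """Return the asset group whose subnet contains ip, or None if no group covers it."""
    addr = ipaddress.ip_address(ip)
    for cidr, group in SUBNET_GROUPS.items():
        if addr in ipaddress.ip_network(cidr):
            return group
    return None


def reconcile(discovered: List[Dict], authoritative: List[Dict]) -> Reconciliation:
    """Compare discovered hosts with authoritative records, keyed by IP address."""
    result = Reconciliation()
    auth_by_ip = {rec["ip"]: rec for rec in authoritative}
    seen_ips = set()
    for host in discovered:
        seen_ips.add(host["ip"])
        record = auth_by_ip.get(host["ip"])
        if record is None:
            result.unknown_hosts.append(host["ip"])
        elif host["hostname"] and host["hostname"].lower() != record["hostname"].lower():
            result.name_mismatches.append((host["ip"], record["hostname"], host["hostname"]))
        if asset_group_for(host["ip"]) is None:
            result.ungrouped_hosts.append(host["ip"])
    # Records the scan never confirmed: candidates for review, not deletion.
    for ip in auth_by_ip:
        if ip not in seen_ips:
            result.stale_records.append(ip)
    return result


def corrective_updates(result: Reconciliation) -> List[Dict]:
    """Turn discrepancies into proposed feedback for the authoritative source.
    These are proposals for the data owner, not automatic writes: a host that
    missed one scan may simply have been powered off."""
    updates = []
    for ip in result.unknown_hosts:
        updates.append({"action": "add", "ip": ip, "asset_group": asset_group_for(ip)})
    for ip, old_name, new_name in result.name_mismatches:
        updates.append({"action": "rename", "ip": ip, "from": old_name, "to": new_name})
    for ip in result.stale_records:
        updates.append({"action": "review", "ip": ip, "reason": "not discovered by scan"})
    return updates


if __name__ == "__main__":
    rec = reconcile(DISCOVERED, AUTHORITATIVE)
    for update in corrective_updates(rec):
        print(update)
    print("outside every scan group:", rec.ungrouped_hosts)
```

The `ungrouped_hosts` list is the one a VM administrator should look at first: a discovered host that no asset group covers is also a host that no scheduled vulnerability scan or report covers, so the subnet mapping itself needs the corrective update, not just the CMDB.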
Figure 6 - VM Process Cycle
QualysGuard VM Service Configuration
The QualysGuard VM service uses various configuration data sets to produce the operational
behavior needed in the VM solution. These are generally created once by the VM solution
administrator(s) or produced by QualysGuard operation itself. All of this information is both
used by QualysGuard and reviewed and tuned by the VM solution administrator(s) as part of
continuing operational activities. lists these QualysGuard configuration data sets.
................... snip ......................
For the full content of this white paper, contact :
info@viateres.com OR info@hostintegritysystems.com