HP EnterpriseView Content Analysis: Not Magic, Just Technology
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
This document outlines a comprehensive approach to enhancing security in IT environments by focusing on automating control points, managing data effectively, and aligning with management objectives. Key aspects include creating a continuous dynamic repository of Key Risk Indicators (KRIs), aggregating risks across assets, integrating intrinsic and extrinsic risks, using tools like ArcSight, Nessus Scanner, and Nexpose Scanner for vulnerability consolidation, and implementing the HP Unified Compliance Framework (UCF) to ensure compliance with regulatory standards. The document also discusses the use of machine learning for categorizing vulnerabilities, CVSS scoring, standardized naming with CPE, and mapping vulnerabilities back to specific regulatory controls. It emphasizes the importance of assessing risks through detailed vulnerability assessments and linking these findings to potential threats, aiming to enhance overall risk management in IT environments.
Details:
The HP EnterpriseView content highlights the challenges of security in modern IT environments, where fragmented data leads to too many silos, no actionable intelligence, mountains of unprioritized data, manual audits, reduced ROI on existing technology, limited and fragmented use of technology, misallocated IT spending, a lack of automation, an IT Operations / Security divide, and people acting as middleware, which is prone to error and inefficiency.
The content emphasizes the need for a holistic, enterprise approach that automates control points, manages data effectively, and aligns with management objectives. This includes continuously tying IT risk and compliance information to a business IT model, establishing a comprehensive framework for decision making, and creating a pragmatic, quality-driven solution.
Key aspects of this approach include:
1. A continuous dynamic repository of Key Risk Indicators (KRIs) that accounts for external factors like earthquakes.
2. Aggregation of risks such as CVSS scores across the asset hierarchy to assess overall risk more accurately.
3. Integration of intrinsic and extrinsic risks, including policy configuration drift and vulnerability management to compute composite risk at every level.
4. Use of tools like ArcSight (collecting events from 350+ sources), Nessus Scanner, and Nexpose Scanner for vulnerability consolidation and source data unification.
The goal is to create a more streamlined and aligned security framework that improves decision-making processes and enhances overall risk management in IT environments.
Hewlett-Packard Development Company, L.P. outlines the process of consolidating vulnerabilities through classification and scoring systems in their information security framework. They use machine learning to categorize vulnerabilities, initially starting with predefined SQL queries for each category but later adopting a training-set classifier approach to refine models based on existing Common Weakness Enumerations (CWEs). The CVSS standard is implemented to rate the severity of vulnerabilities according to factors such as exploit availability and impact on system confidentiality. Additionally, they utilize the Common Platform Enumeration (CPE) for standardized naming of IT assets, facilitating vulnerability mapping and virtual scanning. Finally, Hewlett-Packard provides a Unified Compliance Framework (UCF) that integrates various regulatory standards including PCI DSS v2.0 and NIST 800-53 (FISMA), ensuring compliance through predefined policies and regular testing procedures.
This text discusses various aspects of vulnerability management within an organization's IT infrastructure compliance framework. It covers the use of vulnerability scanning tools for identifying system vulnerabilities and keeping those findings current, and the mapping of these vulnerabilities to specific regulatory controls as required by different standards such as HIPAA (Health Insurance Portability and Accountability Act), PCI DSS v2.0, and FISMA (Federal Information Security Management Act).
The text also addresses how open vulnerabilities on assets can affect their compliance scores, which are crucial for determining the effectiveness of security measures in place. It provides a method to map these vulnerabilities back to specific regulatory controls and suggests that if an asset has unaddressed vulnerabilities, it will negatively impact its compliance score. The document outlines mapping processes between vulnerability management data (such as Common Weakness Enumerations or CWE) and control requirements specified by standards like PCI DSS v2.0 and HIPAA, using tools like Lucy for text comparison to enrich the data analysis.
Finally, the document touches on how vulnerabilities can be linked back to potential threats and their impact on overall risk probabilities, with thresholds set to assess residual risks post mitigation. This linkage helps in prioritizing actions according to the severity of identified weaknesses.
The context is centered around enhancing security posture through detailed vulnerability assessments and mapping these findings back into actionable compliance frameworks that are tailored to specific regulatory standards (like PCI DSS v2.0, HIPAA, FISMA etc.), thus providing a comprehensive approach to managing vulnerabilities in an organizational setting.
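The following is an added example, not code from HP EnterpriseView, that ties together the two mechanisms described above: rolling CVSS scores up an asset hierarchy into a composite risk (item 2 of the key aspects) and mapping open findings back to regulatory controls so that unaddressed vulnerabilities lower an asset's compliance score and can be checked against a residual-risk threshold. The asset hierarchy, the CWE-to-control mapping and the set of required PCI DSS controls are all constructed for illustration and are not the UCF's own tables.

```python
from dataclasses import dataclass, field

# Constructed, illustrative CWE -> control mapping (not the UCF's own tables).
CWE_TO_CONTROLS = {
    "CWE-89": {"PCI DSS 6.5.1", "NIST 800-53 SI-10"},   # SQL injection
    "CWE-79": {"PCI DSS 6.5.7", "NIST 800-53 SI-10"},   # cross-site scripting
    "CWE-327": {"PCI DSS 4.1", "NIST 800-53 SC-13"},    # broken crypto
}
# Constructed subset of controls a PCI DSS v2.0 assessment would require.
PCI_REQUIRED = {"PCI DSS 6.5.1", "PCI DSS 6.5.7", "PCI DSS 4.1", "PCI DSS 8.2"}

@dataclass
class Asset:
    name: str
    vulns: list = field(default_factory=list)     # open findings: (cwe, cvss)
    children: list = field(default_factory=list)  # assets beneath this node

def composite_risk(asset):
    """Highest CVSS among this asset's open findings and its whole subtree."""
    own = max((cvss for _, cvss in asset.vulns), default=0.0)
    return max([own] + [composite_risk(c) for c in asset.children])

def failed_controls(asset):
    """Controls that an open finding anywhere in the subtree maps back to."""
    failed = set()
    for cwe, _ in asset.vulns:
        failed |= CWE_TO_CONTROLS.get(cwe, set())
    for child in asset.children:
        failed |= failed_controls(child)
    return failed

def compliance_score(asset, required):
    """Fraction of required controls not undermined by an open finding."""
    return 1 - len(failed_controls(asset) & required) / len(required)

def above_threshold(asset, threshold=7.0):
    """Assets whose composite risk still exceeds the accepted residual level."""
    hits = [asset.name] if composite_risk(asset) > threshold else []
    for child in asset.children:
        hits += above_threshold(child, threshold)
    return hits

def build_sample():
    """Constructed three-level hierarchy: site -> cluster -> hosts."""
    web01 = Asset("web01", [("CWE-79", 6.1)])
    web02 = Asset("web02", [("CWE-89", 9.8)])
    db01 = Asset("db01", [("CWE-327", 7.5)])
    cluster = Asset("web-cluster", children=[web01, web02])
    return Asset("datacenter", children=[cluster, db01])
```

Running `compliance_score(build_sample(), PCI_REQUIRED)` shows the site failing three of the four required controls (score 0.25) even though each host individually has only one open finding, which is the aggregation effect the document describes.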
This document provides a summary of various tasks related to generating and managing reports using software tools such as Dashboard Builder, executing reports, writing Business Objects (BO) reports, and importing them into an Enterprise Vault (EV). It mentions specific actions like creating generic reports and utilizing the tool for report generation. The information is provided by Ronen Meiri, who can be contacted at ronen.meiri@hp.com. This document is part of a larger context related to cybersecurity and technological changes in the business environment as mentioned under the title "Security for the new reality."