Using TrueSight Network Automation to remediate network issues detected in a vulnerability scan
This use case demonstrates how to use TrueSight Vulnerability Management to analyze and remediate the results of a vulnerability scan by performing corrective actions in TrueSight Network Automation. This topic continues the process of using TrueSight Vulnerability Management to remediate scan results. The initial steps in the process are described in Mapping vulnerability scan results to a server environment.
This topic includes the following sections:
The following video demonstrates how to use TrueSight Vulnerability Management to create a Remediation operation. The operation will use remediation content managed with TrueSight Network Automation to correct vulnerabilities detected in a scan.
You can use TrueSight Vulnerability Management to analyze the results of a vulnerability scan after those results have been imported into TrueSight Vulnerability Management. You can remediate (or correct) vulnerabilities by running a Remediation operation.
Before you can remediate vulnerabilities, you must first import results of a vulnerability scan from a tool such as Qualys, Nessus, or Rapid7 and then map those results to network devices and remediation content in TrueSight Network Automation. The process is demonstrated in Mapping vulnerability scan results to a server environment.
After those steps are complete, you can use the Security Dashboard to assess vulnerabilities from a security standpoint and the Operator Dashboard to identify and prioritize vulnerabilities that require attention. With filtering, you can limit the information presented on either dashboard. After you have refined the display to show a group of vulnerabilities that you want to correct, you can use the Operator Dashboard to launch the Remediation operation wizard, which lets you choose the specific vulnerabilities to address and configure the operation being created.
When you finish using the Remediation operation wizard, TrueSight Vulnerability Management launches a Network operation that appears on the home page. You can manage the operation as you do any operation in TrueSight Vulnerability Management. You can also view its results just as you do other operations.
What do I need to get started?
- You must have a user ID that can access and use TrueSight Vulnerability Management.
- You must import vulnerability scans and map their assets and vulnerabilities to network devices and remediation content in TrueSight Network Automation. For a demonstration of that process, see Mapping vulnerability scan results to a server environment.
How to remediate vulnerabilities detected in a scan
Example (click to enlarge)
Select TrueSight Vulnerability Management > Operator Dashboard.
The Operator Dashboard provides charts and filters that help you identify vulnerabilities that require attention. When you have narrowed the focus down to a set of critical vulnerabilities that require action, you can launch a remediation operation.
By default the dashboard shows data from the last 90 days.
Use filters to limit the number of items in the Actionable Vulnerabilities list. This is the list of servers and their vulnerabilities that you can potentially remediate by running a Remediation operation.
In this example we begin with seven items in the Actionable Vulnerabilities list. Applying the following filters limits the Actionable Vulnerabilities to two.
After selecting filtering options, click Apply Filters to activate your choices.
The Remediation operation wizard opens.
On the Definition page of the wizard, enter a name for the operation. If your user ID is assigned to more than one security group, you also must select a security group. Then click Next.
When the wizard generates an operation, it uses the name you enter and appends a TrueSight Network Automationjob ID. For example, if the name you enter is DisableLogging, when the wizard generates a TrueSight Network AutomationRemediation operation, it will be called something like DisableLogging_BNA0000007760.
On the Remediations page, review the list of remediations that the Remediation wizard will deploy. If you do not want to deploy one, select the check mark to deselect it. Then click Next.
If necessary, you can use filters to limit the number of remediations displayed. Bear in mind that filtering remediations does not remove them from the list of remediations to deploy. The only way to remove a remediation is to clear the check mark or to return to the Operator Dashboard and use filters there to control the list of remediations that you are going to remediate.
The Operation page lets you set a schedule for the operation or execute it immediately. In this example, we're going to define a schedule.
In the Planned Operations list, make sure the operation has a green check, indicating it is configured so its execution can launch correctly.
Click Finish. A confirmation message tells you the operation will appear on the home page when it is complete. In the meantime, the home page may display a message like the following while the operation you have defined is created:
When the operation has been generated, you can select Actions > Sync (at right on the same row as the operation) to refresh the home page. The operation appears. If you requested the operation to run immediately, it begins to execute. In this example the operation is ready to execute according to schedule.
Wrapping it up
In this topic you used the Operator Dashboard in TrueSight Vulnerability Management to filter vulnerabilities and then launch the Remediation Operation wizard. The wizard generates an operation that corrects vulnerabilities detected in the vulnerability scan.
Where to go from here
You can view the results of the operation that this procedure generates as you do any other operations in TrueSight Vulnerability Management.
If you want to learn more about using the options available in the Remediation Operation wizard, see Creating a Remediation operation for TrueSight Network Automation.