17 Replies Latest reply: Jun 16, 2017 9:45 AM by dmiller4

Graphing Trendlines that are stable until Mitigated?

dmiller4 Apprentice

Hello all,

 

Trying to build more of the pretty pictures for management, and getting a fairly reasonable question.

 

Namely, is it possible to have the trendlines not 'dip' unless the actual host vulnerabilities have been removed?  Basically what appears to happen is that if discovery scans occur, they drop down the vulnerability trendlines, because few if any vulnerabilities are found. Additionally, we don't scan all parts of the enterprise each week, so there's less traffic some days versus others. 

 

Then what happens is this: 

 

[screenshot: Capture1.PNG]

 

What I would like is something like this, which only shows a rise or dip when there are actual [in/de]creases of vulnerabilities. (The beginning of the chart would show the release of new vuln data, and the end of it would show a decrease due to patching/config change to remediate.)

 

[screenshot: Capture3.PNG]

 

Anyone know of a report or graph or element?

 

Thanks!

  • Re: Graphing Trendlines that are stable until Mitigated?
    CodyDumont Master

    There are two date fields that we need to consider when making trend graphs, Vuln Last Observed and Vuln Discovered.  Both of these dates have a default value of 30 days.  What this means is that at each data point in the graph, the value is a 30 day total.  In the trend graphs we put into dashboards and reports, we tend to want to show the difference from one data point to the next.  So with line and area charts of 25 days and less I set the value to 1 day.  That way, if you scan every day, you can truly see the difference between each day.  However, if you scan weekly you will see 4 spikes on a 25 day chart.  On a 50 day chart I set the value to 2, on a 3 month chart the value is 3, and I increase accordingly.  If you do a 25 day chart with a 30 day value, the lines are more flat.  If you want flatter lines I would adjust the value in the Last Observed field to be 1 - 7 days depending on your scanning methodology.

    • Re: Graphing Trendlines that are stable until Mitigated?
      dmiller4 Apprentice

      So in the Tenable worldview, people are doing full enterprise scans daily by default?  That seems... ambitious.

       

      I'm working in the Executive Report Templates:

       

      Just to confirm, what I'm looking for is alterations to the Vuln Last Observed in the "Unnamed Vulnerability Series" and "Vulnerability Last Observed" as "0 and [value here to help reflect cadence of scanning]"

       

      And then, to triple check: if within those 30 days the vulnerabilities for specific sets of hosts have been remediated, those flattened lines WILL show a decrease, correct?  They would not buffer for whatever the "VLO" value is?  e.g. I patch everything on Monday, scan on Tuesday, and it's going to show the decrease in those hosts as of Tuesday...

       

      Sorry for the nagging questions, but we have teams that "want credit" to show up quickly.

      • Re: Graphing Trendlines that are stable until Mitigated?
        zaneta22 Expert

        "Basically what appears to happen is that if discovery scans occur, they drop down the vulnerability trendlines, because few if any vulnerabilities are found."


        Take the Host discovery scan out of the filter. If you have a scan that all systems use for the vulnerabilities then use this scan policy in the filter.


        If you want to, use two graphs, where the vulnerabilities go down and the mitigated go up.

      • Re: Graphing Trendlines that are stable until Mitigated?
        CodyDumont Master

        The only data in the trending databases is the data in the cumulative database.

         

        Basically every night there is a snapshot of the cumulative database.  These snapshots are queried for the line and area charts.

         

        So if you are scanning every 8 days, then your Vuln Last Observed should be set to 7, and you will have flatter lines that will trend downwards until the next Patch Tuesday.

         

        Zaneta Green is suggesting using the scan policy as part of the filter.  This sounds great, but the issue is that data is overwritten, as the database is cumulative.  So no, this is not a valid filter to use: if you run the credentialed scan on Monday and the uncredentialed scan on Tuesday, then the plugins used in the uncredentialed scan will overwrite the credentialed data.  Some places put the uncredentialed scan in a different repository, which is great, until you are using ARC and other things.  The data is queried by IP & Repo combination.  So just be careful and make sure the data you are scanning and reporting is the same.

        • Re: Graphing Trendlines that are stable until Mitigated?
          zaneta22 Expert

          Oh yeah, you're right.  Most people have the discovery scan in here.  Makes sense.

        • Re: Graphing Trendlines that are stable until Mitigated?
          dmiller4 Apprentice

          So here's my mockup scenario:

          [screenshot: Capture5.PNG]

          in this scenario, every 7 days we're performing scanning (host, vuln, custom) across the entire enterprise.

           

          On day 2-6, some vulnerabilities come out affecting the enterprise.  Day 8, the scan(s) see that impact.  However, due to hypothetical operational constraints, no patching is being done until day 21 (red line).

          As luck will have it, patching goes flawlessly, and is then scanned to show the successful patching effort (Day 22).

           

          On the next trendline generation, will it show an immediate decrease to 0 (drop to green line levels at the blue line), or will it take several days for the results to register (green line at "Day 28")?

           

          Hopefully this makes sense.  Trying to synthesize a bunch of information from a lot of different stakeholders.

          • Re: Graphing Trendlines that are stable until Mitigated?
            CodyDumont Master

            My goal in setting the Vuln Last Observed was to show the difference between scans, so in your case I would stick with 7 days.

            • Re: Graphing Trendlines that are stable until Mitigated?
              dmiller4 Apprentice

              [screenshot: Capture7.PNG]

              But if the changes were seen at day 22 by a scan, would that be reflected immediately in the trendline when it was next generated?

              • Re: Graphing Trendlines that are stable until Mitigated?
                CodyDumont Master

                You want to track from one scan to another.  If you do 21 days, at each data point you will have 21 days' worth of results.  You would never see a dip; you would have to not scan for 2 weeks to see the dip.  So with 7 days you see the spike up, then continuous until the 3rd week.  If you want more overlap move to 8 days, but not much more than 8.

                • Re: Graphing Trendlines that are stable until Mitigated?
                  dmiller4 Apprentice

                  Not meaning to be obtuse, let me walk through how I would normally think of a trendline:

                  ---

                  [Assumption A]

                   

                  "a historical snapshot of current vulnerability sets (critical, high, med, low, info) over a specified time frame [with the numbers only decreasing once positively confirmed that the vulnerabilities have been mitigated], with the absolute count of vulnerabilities per day"

                   

                  !!NOT!!

                   

                  [ASSUMPTION B]

                  "for each iterative day during this graph, somewhere during the preceding 7 days [VLO setting]  we observed up to XXX criticals, YYY highs, ZZZ mediums and AAA low vulnerabilities [and thus it will take {VLO setting} to show the full effects of a patching effort]"

                  ---

                  If assumption A is incorrect, and assumption B is how trendlines are calculated is there a line graph element or query I could generate that would create that?

                  • Re: Graphing Trendlines that are stable until Mitigated?
                    CodyDumont Master

                    SecurityCenter does take the historic snapshot everyday, of all data in the cumulative database, as suggested in your Option A. 

                     

                    The only question becomes the value you want to query at each data point.  In the charts, as you move the mouse over the chart, you will see data points as such.

                     

                    [screenshot: Screen Shot 2017-06-07 at 8.42.31 AM.PNG]

                    So the question is, do you want the value to be the last 1 day, 7 days, or more?  My understanding of a trend graph would be to show the trend from one data point to the other.  A 25 day chart has 26 data points.  To show a trend I would like to see how the value is different from one day to the next, showing the daily trend.  However, if you are scanning weekly, then the data will not change.  Thus a 7 day value would be more accurate, and the result would be a flatter graph.  However, leaving the value unset actually uses a 30 day value, which leaves the chart much more flat.
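The snapshot-and-window model described in the reply above can be sanity checked with a small simulation. This is an added example, not SecurityCenter code and not code from anyone in this thread. It assumes the model as the thread describes it: a vuln stays in the cumulative database, with its last-observed day refreshed by each full scan that still detects it, and is dropped from the cumulative database once a scan that reaches the host no longer finds it (a host the scan misses keeps its stale entry); the chart value for a day is the number of cumulative entries whose last-observed day falls inside the Vuln Last Observed window. The hosts, the plugin ID 900001, and the scan/patch timeline (weekly full scans on days 1, 8, 15 and 22; a new vuln affecting 10 hosts from day 5; patching on day 21; host 10.0.0.10 unreachable during the day-15 scan) are constructed for the example.

```python
# Constructed scenario (not real scan data): weekly full vulnerability scans,
# one new vulnerability hitting 10 hosts, patched on day 21, one host missed
# by the day-15 scan. All day numbers, addresses and the plugin ID are made up.
FULL_SCAN_DAYS = {1, 8, 15, 22}
VULN_EXISTS_FROM = 5          # day the new vuln starts affecting the hosts
PATCH_DAY = 21                # remediation applied (the "red line")
HOSTS = [f"10.0.0.{i}" for i in range(1, 11)]
PLUGIN = 900001               # hypothetical plugin ID for the new vuln
MISSED = {(15, "10.0.0.10")}  # (scan day, host) pairs the scanner could not reach
HORIZON = 28


def build_snapshots(horizon=HORIZON):
    """Replay the scans and return one cumulative-database snapshot per day.

    The cumulative database is modelled as {(ip, plugin): last_observed_day}.
    A full scan that still detects the vuln on a host refreshes its
    last-observed day; a full scan that reaches the host and no longer
    detects it removes the entry (it would move to the mitigated database);
    a host the scan misses keeps whatever stale entry it already had.
    """
    cumulative = {}
    snapshots = []
    for day in range(1, horizon + 1):
        if day in FULL_SCAN_DAYS:
            for ip in HOSTS:
                if (day, ip) in MISSED:
                    continue            # stale entry stays untouched
                still_vulnerable = VULN_EXISTS_FROM <= day <= PATCH_DAY
                if still_vulnerable:
                    cumulative[(ip, PLUGIN)] = day
                else:
                    cumulative.pop((ip, PLUGIN), None)
        snapshots.append(dict(cumulative))  # the nightly snapshot
    return snapshots


def trend(snapshots, window):
    """Chart value per day: entries whose last-observed day is within the
    Vuln Last Observed window (window=1 means 'observed today')."""
    return [
        sum(1 for last in snap.values() if day - last < window)
        for day, snap in enumerate(snapshots, start=1)
    ]


def trends_by_window(windows=(1, 7, 30)):
    """Return {window: [value for day 1, day 2, ...]} for each VLO setting."""
    snaps = build_snapshots()
    return {w: trend(snaps, w) for w in windows}


if __name__ == "__main__":
    for w, series in trends_by_window().items():
        print(f"VLO={w:>2} days:", " ".join(f"{v:2d}" for v in series))
```

Reading the three series side by side: with a 1 day window only the scan days are non-zero, which is the "dip" on every day without a full scan; with a 7 day window the line is flat between weekly scans and drops to 0 on day 22, the first scan after patching, so a confirmed fix shows up immediately rather than after the window expires; the host missed on day 15 falls out of the 7 day window that day but is still counted with the 30 day window, which is the sense in which a longer window gives a flatter but less current line.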

          • Re: Graphing Trendlines that are stable until Mitigated?
            zaneta22 Expert

            Trendlines may not be the best option.  They have to understand your mitigation process in order to understand why the results look like this.  I have never seen an organization where it didn't show this way.  It will take a few days because some mitigations are instant without reboot and others have to have the system restart, which would explain the decrease.

             

            For example, if they know about Patch Tuesday then they understand the spike, and if they know the process by which patches are applied to the environment, meaning they have to be tested first so they do not break anything, then they understand the scores at the day 8, 15, and 21 mark.  Just put this in your report.

        • Re: Graphing Trendlines that are stable until Mitigated?
          snap326 Apprentice

          "" some places put the Uncredentialed in a different repository, which is great, until you are using ARC and other things."" What is ARC, is that ARCHER ?


          So by using ARC, how does it change or complicate things ? Just curious.... doing some late night reading....off..hours....hmmm

          • Re: Graphing Trendlines that are stable until Mitigated?
            CodyDumont Master

            ARC = Assurance Report Cards

             

            By using ARC and repos with the same IP, the counts will be off.  All queries are Repo + IP, so if the ARC is looking for 19506 and 20811 as a compliance match, and the IP address 192.168.1.1 is found in Repo A and Repo B, but Repo B is authenticated and A is not, then Repo B is likely to have 20811 and Repo A will not.  Therefore the ARC will show 192.168.1.1 in Repo A as compliant and 192.168.1.1 in Repo B as non-compliant.
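A small illustration of the Repo + IP keying described above, added here as an example and not SecurityCenter or Assurance Report Card code: the same IP held in an unauthenticated and an authenticated repository is evaluated once per repository, and the resulting compliant/total counts differ from what an evaluation that merges findings per host would report. The repository names, addresses and the list of findings are constructed; the required plugin pair 19506 + 20811 is the one named in the post.

```python
from collections import defaultdict

# Constructed sample of cumulative findings as (repository, ip, plugin_id).
# Plugin IDs 19506 and 20811 are the compliance pair named in the post;
# repository names and addresses are made up for the example.
FINDINGS = [
    ("RepoA-unauth", "192.168.1.1", 19506),
    ("RepoB-auth",   "192.168.1.1", 19506),
    ("RepoB-auth",   "192.168.1.1", 20811),
    ("RepoB-auth",   "192.168.1.2", 19506),
    ("RepoB-auth",   "192.168.1.2", 20811),
    ("RepoA-unauth", "192.168.1.3", 19506),
]
REQUIRED = {19506, 20811}   # ARC condition: both plugins present on the host


def evaluate_by_repo_ip(findings, required=REQUIRED):
    """Evaluate the ARC condition the way the thread says queries run: one
    result per (repo, ip) pair, so the same IP is judged once per repo."""
    plugins = defaultdict(set)
    for repo, ip, plugin in findings:
        plugins[(repo, ip)].add(plugin)
    return {key: required <= seen for key, seen in plugins.items()}


def evaluate_by_ip(findings, required=REQUIRED):
    """Reference evaluation with findings merged across repos per IP, to show
    how far the repo-keyed counts drift from a per-host view."""
    plugins = defaultdict(set)
    for _repo, ip, plugin in findings:
        plugins[ip].add(plugin)
    return {ip: required <= seen for ip, seen in plugins.items()}


def summarize(results):
    """Return (compliant, total) for a result mapping."""
    return sum(results.values()), len(results)


if __name__ == "__main__":
    by_repo_ip = evaluate_by_repo_ip(FINDINGS)
    for (repo, ip), ok in sorted(by_repo_ip.items()):
        print(f"{repo:13} {ip:13} {'compliant' if ok else 'NON-compliant'}")
    print("per repo+IP :", summarize(by_repo_ip))
    print("per IP      :", summarize(evaluate_by_ip(FINDINGS)))
```

With this data the repo-keyed evaluation reports 2 compliant out of 4 entries while the per-host view reports 2 out of 3, and 192.168.1.1 appears in both columns at once; this is the count drift to check for before trusting an ARC that spans repositories holding the same addresses.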