What's the best way to manage patches with information provided by QualysGuard?

Question asked by Abner Almeida on Apr 29, 2015
Latest reply on May 6, 2015 by downinej

Hello, guys. This is my first question here in the Community.

One of my functions here in my job is to manage the patches that were applied over the weeks and months.

It takes, usually, a long time, because, as far as I know, QualysGuard doesn't provide us with a specific tool for doing this.

What I have to do, every week, is the following:

  1. I download a Patch Report (which is scheduled for every Monday) in CSV;
  2. Then, I organize all data, separated by Customer, OS and Severity in Excel;
    1. This takes quite a long time to be done, since the amount of data for each customer is different, so I can't use Macros to do this part of the job.
  3. After separating all, I create a column named "Identifier". An identifier is a concatenation of an IP with a QID.
    1. With this, each identifier is unique, since there's only one host with an IP.
  4. Then, I compare (with a VLOOKUP function) the identifiers of the current week with the identifiers of the last week, and with this I find how many (and which ones) patches are available in the current week and how many (and which ones) weren't available before. This tells me which patches are NEW, since they showed up during the week.
    1. I also do the reverse of that, which is: I take last week's identifiers and (with a VLOOKUP) I compare them to the current week's identifiers. This tells me how many (and which ones) patches were applied during the week.
  5. With all these numbers, I have: the amount of PENDING patches in each week, the amount of NEW patches and the amount of APPLIED patches.
    1. With that data I plot charts at the end of the month. These charts are kinda like KPIs (Key Performance Indicators). With them, all operational teams can, for example, follow up on their progress, see which customers are priorities and more things like that.

The problem: By comparing only these identifiers, the only information I get is that a specific host (IP) had a specific "patchable" vulnerability in some week and it doesn't have it anymore. But this doesn't mean the patch was applied. It's possible that either the Operating System was changed, and the new OS is not vulnerable to that vulnerability, or the server went down for a period of time, or it was removed from our network... there are plenty of possibilities.

My question: Does Qualys provide some sort of Patch Management tool that can make this job easier? Or is there some kind of report or scan setting that can be useful for this?

I've been developing a web application that does exactly what I've been doing: I download data from Qualys, upload it to a database and some PHP and JavaScript code does the job (including the charts). But an "official" tool for that would be great =D

Thanks for reading!

Best regards,

Abner Muniz
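
The weekly identifier comparison described in the question, as an added Python example that is not part of the original post and not a Qualys tool: it keys each row on IP plus QID and splits the identifiers that disappeared into "applied", "OS changed" and "host absent" instead of counting them all as applied. The column names `IP`, `QID` and `OS` and both sample exports are constructed assumptions, not the real Patch Report layout.

```python
import csv
import io

# Constructed sample exports. The header names are assumptions, not the
# actual column names of a QualysGuard Patch Report CSV.
LAST_WEEK = """IP,QID,OS
10.0.0.5,90001,Windows Server 2008
10.0.0.5,90002,Windows Server 2008
10.0.0.6,90001,Windows Server 2008
10.0.0.7,90003,Windows Server 2003
10.0.0.8,90004,Linux 2.6
"""
THIS_WEEK = """IP,QID,OS
10.0.0.5,90002,Windows Server 2008
10.0.0.5,90005,Windows Server 2008
10.0.0.7,90006,Windows Server 2012
"""

def load(text):
    """Return ({(IP, QID): OS}, {IP: OS}) for one weekly export."""
    rows = list(csv.DictReader(io.StringIO(text)))
    idents = {(r["IP"], r["QID"]): r["OS"] for r in rows}
    hosts = {r["IP"]: r["OS"] for r in rows}
    return idents, hosts

def compare(last_text, this_text):
    """Classify identifiers between two consecutive weekly exports."""
    last_ids, last_hosts = load(last_text)
    this_ids, this_hosts = load(this_text)
    out = {"new": [], "still_pending": [], "applied": [],
           "os_changed": [], "host_absent": []}
    for ident in this_ids:
        out["still_pending" if ident in last_ids else "new"].append(ident)
    for ident in last_ids.keys() - this_ids.keys():
        ip = ident[0]
        if ip not in this_hosts:
            # Host has no rows this week: fully patched, offline or removed.
            # This file alone cannot tell which, so it is not counted as applied.
            out["host_absent"].append(ident)
        elif this_hosts[ip] != last_hosts[ip]:
            out["os_changed"].append(ident)   # finding may be gone with the old OS
        else:
            out["applied"].append(ident)      # same host, same OS, finding gone
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for bucket, idents in compare(LAST_WEEK, THIS_WEEK).items():
        print(f"{bucket:14} {len(idents)} {idents}")
```

Identifiers in the `host_absent` bucket need to be checked against that week's scan coverage before they go into an APPLIED figure.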