Technical Documentation

Example: Responding to Vulnerability Announcements with Due Diligence

New network attacks and exploits are discovered every day. When new security patches are issued, use the Profiler to quickly identify which systems are running the affected software version, then patch them appropriately.

For large networks, it is difficult to patch everything immediately. Plan your patching process by prioritizing based on the importance of the resources. Critical, high-risk, and heavily used resources should be patched first, while less important, minimally used resources might be able to wait.

For example, suppose Microsoft announces a vulnerability in version 6.0 of the Microsoft Internet Information Services (IIS).

To quickly identify all network components running the vulnerable version:

  1. In the NSM navigation tree, select Investigate > Security Monitor > Profiler to display the Profiler viewer.
  2. Click the Protocol Profiler tab and review the Profiler logs keyed to protocols running on the network.
  3. In the Context column, right-click a value and select Edit Filters to display the Context Filters dialog box.
  4. Set a filter, for example for HTTP Header Servers.

    The filtered view highlights the Web servers in your network. Suppose the table lists the following Web servers:

    • Apache (two versions)
    • Microsoft IIS, version 6.0
  5. Select the Microsoft IIS 6.0 value to display your Microsoft IIS 6.0 destination server IP addresses.
  6. Patch the vulnerable IIS server by using the information supplied with the Microsoft Security Bulletin.
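The same triage can be run offline over exported Profiler data. The script below is an added example, not part of the original documentation or of NSM: it filters on the HTTP Header Servers context, matches the banner product and version exactly, and orders the affected hosts so that critical and heavily used servers are patched first. The CSV column names, the sample rows, and the CRITICAL asset set are constructed assumptions, not the NSM export format.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows; the column names are assumptions for illustration.
SAMPLE = """dst_ip,context,value,hits
10.0.1.10,HTTP Header Servers,Microsoft-IIS/6.0,5200
10.0.1.11,HTTP Header Servers,Apache/2.2.3 (Unix),310
10.0.2.20,HTTP Header Servers,Microsoft-IIS/6.0,40
10.0.2.21,HTTP Header Servers,Apache/1.3.41,12
10.0.3.30,HTTP Header Servers,Microsoft-IIS/7.5,900
10.0.1.10,SSH Header,SSH-2.0-OpenSSH_5.1,15
10.0.2.20,HTTP Header Servers,microsoft-iis/6.0,25
"""

CRITICAL = {"10.0.2.20"}  # hypothetical list of business-critical servers


def load(text):
    """Read exported rows into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_banner(value):
    """Split a 'Product/1.2 (extra)' banner into (product, version)."""
    m = re.match(r"\s*([^/\s]+)/([\w.]+)", value)
    if not m:
        return value.strip().lower(), ""
    return m.group(1).lower(), m.group(2)


def affected_hosts(rows, product, version, context="HTTP Header Servers"):
    """Map each destination IP running product/version to its total hits."""
    hits = defaultdict(int)
    for row in rows:
        if row["context"] != context:
            continue  # ignore other protocol contexts (SSH, etc.)
        if parse_banner(row["value"]) == (product.lower(), version):
            hits[row["dst_ip"]] += int(row["hits"])
    return dict(hits)


def patch_order(hits, critical):
    """Critical hosts first, then by observed usage, highest first."""
    return sorted(hits, key=lambda ip: (ip not in critical, -hits[ip]))


if __name__ == "__main__":
    found = affected_hosts(load(SAMPLE), "Microsoft-IIS", "6.0")
    for ip in patch_order(found, CRITICAL):
        print(ip, found[ip])
```

A Server header can be changed or removed by an administrator or an intermediate proxy, so a host missing from this list is not proven unaffected; confirm the installed version on the host before closing it out.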

Published: 2010-01-12