Python as an automation tool in IS. Monitoring the relevance of protection against malicious code

One of the procedures that an information security (IS) department must perform periodically is assessing how far the actual state of an IS measure complies with the established requirements. These procedures involve a significant amount of manual work, which wastes time and human and technological resources, and it is not always possible to guarantee a high level of reliability of the results. Costs can be reduced and the reliability and accuracy of the IS state assessment increased, raising confidence in that assessment, by using “small automation” tools for the routine operations of collecting, correlating, normalizing and analyzing data sets. The most suitable means of automation is the Python programming language, which, in addition to its ease of use and powerful functionality, has an extensive analytical apparatus. This article discusses the use of Python as a “small automation” tool for monitoring the relevance of an antivirus protection system.


Introduction
One of the most important procedures in the field of IS is the periodic assessment of the current level of protection of information assets against malicious code (the "Malicious Code Protection" control). Here the verification requirement is expressed as follows: "all computers in the organization must have installed and functioning up-to-date anti-virus software". The main problem in assessing compliance with this requirement is the discrepancy between the data downloaded from information systems and the actual state of the organization's computer assets.
For example, when the data obtained from the configuration management and control system (System Center Configuration Manager, SCCM), the Configuration Management Database (CMDB) and other systems that collect and record information on computer assets (hereinafter the PC-array) is compared with the data obtained from reports of the antivirus software (AVPO) on computers and servers with AVPO installed (hereinafter the MW-array), the arrays differ by up to 15%. The main reason for the discrepancy is that the agents and client programs that collect and record information about computer assets are not installed, or are misconfigured, on some computers and servers (hereinafter hosts). When the PC-array and MW-array are compared with data on the actual installation and state of AVPO on the organization's hosts, obtained by scanning the network infrastructure (hereinafter the HOST-array), the mismatch between the arrays rises to 30%.
Scanning the network infrastructure makes it possible to create a reference HOST-array with adequate completeness and reliability of information about the actual installation and current state of AVPO on hosts, provided that the data is collected independently of other systems and over repeated scans.
To create a reference HOST-array that is formed independently of other systems, eliminates the influence of their errors and ensures completeness of information through repeated collection, specialized software can be used: so-called network scanners or security scanners. Freely distributed security scanners such as LanSpy and NMAP do not provide accumulation, collation and analysis of data from multiple scans, so complete statistical information cannot be obtained from them. Using a proprietary commercial scanner such as XSpider, which has powerful functionality but a relatively high cost, to solve one particular narrow problem is financially unjustified.
The best option appears to be using the Python programming language to create a "small automation" tool that forms the reference HOST-array when monitoring the relevance of the anti-virus protection system. Python is simple enough to learn and convenient for developing and debugging "small automation" programs. It has a large number of libraries for various tasks, well-developed functionality for data analytics, cross-platform support and the ability to create executable files.
This article presents a "small automation" tool written in Python that solves the above-mentioned problems arising when monitoring the relevance of the anti-virus protection system.

Realization
Python 3 with the Anaconda development environment was chosen as the "small automation" tool, together with the fping program included in most Linux distributions. Below is a brief description of the program's modules in the form of step-by-step execution.

netControl.append([[Count], [IP], [maska], [Command], [fileName]])  # one entry per subnet: sequence number, address, mask, fping command, results file
Step 4. Scanning subnets. The scanning is performed by means of shell commands from the netControl list. Once the scanning of a subnet is finished and the results are written to a file, the file is processed to identify responding hosts and to remove hosts that are not computers. The results are written, via the Host list, to a spreadsheet file.

Step 5. Array processing. For convenience, the data from all arrays (PC, MW, HOST) is collected in a unified spreadsheet (Scan-array). Gathering is carried out, for example, using the openpyxl library and is not difficult. It is important to ensure the presence of mandatory columns such as IP (Tables 2-4). A minor difficulty is the need to clean the HOST-array of hosts that are not computers or servers (telecommunications equipment, peripherals).

Step 6. Analyzing the results. Python makes analyzing the results easy and convenient. The final analysis is shown in Table 5.
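The scanning, array-gathering and analysis steps above, as an added example that is not the article's own code: netControl entries are built in the [Count, IP, mask, Command, fileName] layout, an fping results file is parsed into the HOST-array, and the three arrays are compared on the mandatory IP column. The fping flags -a and -g, the output file names and all scan data are constructed assumptions.

```python
import ipaddress
import re

# Constructed fping output for one subnet (not a real scan result).
SAMPLE_FPING = """10.0.1.10 is alive
10.0.1.11 is alive
10.0.1.12 is alive
10.0.1.1 is alive
ICMP Host Unreachable from 10.0.1.5 for ICMP Echo sent to 10.0.1.13
10.0.1.20 is alive
"""
# Constructed IP columns of the PC-array (SCCM/CMDB export) and MW-array (AVPO report).
PC_ARRAY = ["10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.1.30"]
MW_ARRAY = ["10.0.1.10", "10.0.1.11", "10.0.1.30"]
NOT_COMPUTERS = ["10.0.1.1"]  # gateway: telecom equipment, cleaned out of the HOST-array
ALIVE_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) is alive$")

def build_net_control(subnets):
    """One entry per subnet in the article's [Count, IP, mask, Command, fileName] layout."""
    entries = []
    for n, cidr in enumerate(subnets, start=1):
        net = ipaddress.ip_network(cidr, strict=False)
        out_file = f"scan_{n}.txt"
        # assumed fping flags: -a prints alive hosts, -g generates targets from a CIDR
        cmd = f"fping -a -g {net} > {out_file} 2>/dev/null"
        entries.append([n, str(net.network_address), str(net.netmask), cmd, out_file])
    return entries

def parse_fping(text):
    """Responding IPs from fping output; unreachable/ICMP error lines are dropped."""
    hosts = set()
    for line in text.splitlines():
        m = ALIVE_LINE.match(line.strip())
        try:  # bare-IP lines (from -a) are accepted as well
            hosts.add(str(ipaddress.ip_address(m.group(1) if m else line.strip())))
        except ValueError:
            continue
    return hosts

def reconcile(host_array, pc_array, mw_array, exclude):
    """Compare the three arrays on the mandatory IP column (the Scan-array step)."""
    host = set(host_array) - set(exclude)
    pc, mw = set(pc_array), set(mw_array)
    return {
        "hosts_total": len(host),
        "no_av_report": sorted(host - mw),          # live host, no AVPO report
        "not_in_pc_array": sorted(host - pc),       # live host unknown to SCCM/CMDB
        "stale_records": sorted((pc | mw) - host),  # recorded but not responding
        "host_mw_mismatch_pct": round(100 * len(host ^ mw) / max(len(host), 1), 1),
    }
```

On the constructed data, two live hosts have no AVPO report and one recorded host no longer responds, which is the kind of discrepancy the PC/MW/HOST comparison is meant to surface.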