Applicable to Entuity v22.0 GA upwards
To manage, view and monitor vulnerabilities
Acknowledged CVEs tab
Device Management tab
CPE Management tab
CPE Search tab
CPE Mapping Rules tab
Data Files tab
Configuring vulnerability monitoring for the first time, and example workflow
Schedule a vulnerability monitoring job
Enable devices for vulnerability monitoring
Run a vulnerability monitoring job
Results of a vulnerability monitoring scan
Notes for CPEs
Vulnerability incidents and events
Viewing vulnerability monitoring data (dashboards and reports)
Introduction:
From Entuity v22.0 GA upwards, you can monitor your network devices for security vulnerabilities as published in the NIST National Vulnerability Database (NVD)'s list of Common Vulnerabilities and Exposures (CVEs).
Entuity scans local CVE Data files to find potential vulnerabilities that are matched against the Common Platform Exposure (CPE) configurations assigned to the devices on your networks. Incidents and events can then be raised against any matched CVEs, thereby alerting you when new vulnerabilities are identified.
Entuity Vulnerability Monitoring requires an internet connection, with online syncing and downloads from NIST enabled. Please see the Edit Global Settings part of the Summary tab section below for further help and information on this. Vulnerability monitoring supports any type of device, including custom devices.
Use cases:
Vulnerability monitoring provides the following benefits:
- alerting when your network devices are running a firmware version with known vulnerabilities, servers are running with vulnerable packages or software, or if your server VMs are running an OS with known vulnerabilities.
- discovery of potential vulnerabilities to a customizable schedule.
- assignment of CPEs to devices as suits your network requirements.
- raising incidents and events with severities appropriate to the risk of the vulnerability.
- viewing the CVE number and a URL to the corresponding NIST webpage from the Event Details of a raised vulnerability event.
- visibility of vulnerabilities from a View and device context.
Performance:
For best performance when running this functionality, Entuity recommends that vulnerability monitoring is run on a server with a minimum of 16GB of RAM. If your system has a lower specification, you can amend the vulnerability monitoring settings in entuity.cfg.
Before downloading NIST data, ensure that you have at least 2.5GB of disk space available.
Terminology:
- NIST - National Institute of Standards and Technology
- CVE - Common Vulnerabilities and Exposures
- CPE - Common Platform Exposure
- CVSS - Common Vulnerability Scoring System
- NVD - National Vulnerability Database
- MSRC - Microsoft Security Response Center
- CVRF - Common Vulnerability Reporting Framework
To manage, view and monitor vulnerabilities:
You can manage, view and monitor vulnerabilities from the Vulnerability Monitoring page, which is accessed from the Administration page.
Management functionality can be found under the tabs accessible at the top of the Vulnerability Monitoring page. These are as follows:
- Summary - configure the settings and schedule of the vulnerability scan, specify online data synchronization (to download the files required to run the vulnerability scan), and view the progress of running processes and vulnerability scanning.
- Acknowledged CVEs - view, add and remove CVEs that are acknowledged or ignored during scans.
- Device Management - configure devices for vulnerability monitoring, including assigned CPEs.
- CPE Management - add, replace and delete CPE Names on your network.
- CPE Search - search the local database for appropriate CPE Names using keywords, CPE attribute values and/or CPE Names.
- CPE Mapping Rules - specify and manage mapping rules and groups used to discover potential/candidate CPEs.
- Data Files - view a local repository of NIST data, and manually import and edit data files.
Use the server dropdown box in the top left to select the server on which you would like to view details of and manage vulnerability monitoring. If you are on the CPE Mapping Rules tab, you can use the dropdown to select servers or configuration sets (please see the Multi-server configuration section below).
Configuring vulnerability monitoring for the first time, and example workflow:
Setting up vulnerability monitoring scanning:
- Ensure you are managing some devices on your network via Asset Management. Vulnerability monitoring supports any type of device, including custom devices.
- Navigate to the Summary tab of the Vulnerability Monitoring page. From this tab, you can populate your server with the data required to run vulnerability monitoring scans. There are 4 types of data:
- NIST CVE Data
- NIST CPE Data
- NIST Match Criteria Data
- MSRC CVRF Data - this data is only necessary if you are planning to monitor Windows OS devices, and wish for patched vulnerabilities to be closed automatically.
- You can populate these data sets in either of two ways:
- online synchronization (via the Edit Global Settings button on the Summary tab). With online synchronization enabled, these data sets are automatically synchronized to their most recent state the next time the vulnerability monitoring job runs. The initial download will take a few hours. Data downloads may fail; this is not usually a cause for concern, and can happen if there is a read or connect timeout on the API call. Running the job again resumes the download from where it left off. The default timeouts are both 1 minute. These values can be changed via the read_timeout and connect_timeout settings in [vulnMon] under entuity.cfg.
- manual import (via the Import Files button on the Data Files tab).
Schedule a vulnerability monitoring job:
- Specify when to run a vulnerability monitoring job via the Schedule Job button of the Summary tab. You can also specify that the job starts immediately. The vulnerability monitoring job has the following steps:
1. Process Imported Data (if uploaded via Manual Import).
2. Download NIST CVE Data (if enabled in Global Settings).
3. Download NIST CPE Data (if enabled in Global Settings).
4. Download NIST Match Criteria Data (if enabled in Global Settings).
5. Download MSRC CVRF Data (if enabled in Global Settings).
6. Retire Deprecated CPEs (if not "Never" in Global Settings).
7. Discover CPE Candidates via CPE Mapping Rules.
8. Run Vulnerability Scan.
- At this stage, none of your devices are enabled for vulnerability monitoring, so the job will only run steps 1-5.
- If you synced data automatically via online synchronization, this data is downloaded and processed into the local database during steps 2-5.
- If you manually imported data, then the CPE, Match Criteria and MSRC data is processed into the local database in step 1.
You can track which step the job is at via the Vulnerability Monitoring Status section of the Summary tab.
Enable devices for vulnerability monitoring:
For devices to be included in vulnerability monitoring jobs, you must enable them for vulnerability monitoring.
For CVEs/potential vulnerabilities to be matched and raised against your devices, you must assign appropriate CPEs to the devices.
- Navigate to the Device Management tab, from where you can see all the devices on your network and choose whether to enable or disable them for vulnerability monitoring.
- Here you can set up some CPEs on your devices. CPEs are effectively the labels that are used to match the CVEs (vulnerabilities) against a device. You can assign any CPE you wish to a device.
- You can also manage CPEs and assign them to devices from the CPE Management tab. You can add CPEs individually or in bulk, and manage the devices to which they are assigned.
- If you do not already have a list of CPEs for your device(s), you can also find valid CPEs by searching for suggestions via the CPE Search tab. You can also find CPEs for your device, OS or application via a search engine.
- Navigate to the Acknowledged CVEs tab, where you can specify CVEs that will be acknowledged and therefore filtered out from (ignored by) scans. Acknowledged CVEs will not be matched against devices.
Run a vulnerability monitoring job:
- At this stage, you should have the following:
- a local store of CVE, CPE, Match Criteria and MSRC CVRF data.
- device(s) enabled for vulnerability monitoring.
- CPEs assigned to enabled device(s).
- Navigate back to the Summary tab and run the vulnerability monitoring job via the Schedule Job button. Running the job will then go through all the steps mentioned above, including the Vulnerability Scan itself. You can check the progress of the scan under the Vulnerability Monitoring Status section of the Summary tab.
Results of a vulnerability monitoring scan:
- Once a scan has run, from the Device Management tab you can see the potential vulnerabilities matched against a device in the Potential Vulnerabilities column of the devices table. You can also view the potential vulnerabilities on devices within a View, and on specific devices themselves, via the Security Analysis dashboard for either context.
- When a vulnerability is found (i.e., a CVE is matched against a device), a Potential Vulnerability event (and a corresponding Potential Vulnerability incident) is raised, based on the CVSS severity.
- If a previously raised CVE event is now patched for a CPE, a new event will be raised (Potential Vulnerability Patched event), which will close the previously raised incident.
Notes for CPEs:
- You can assign any CPE you wish to a device. For example, if you know the libraries and applications a device is using, then you can curate the CPEs relevant to those libraries and applications and assign them to the devices.
- CPEs are not editable, but they can be replaced by new ones. CPEs can be managed per device (from the Device Management tab) or per the CPE itself (from the CPE Management tab).
- CPEs can be officially recognized by the local database (CPE Dictionary), or you can have unrecognized CPEs that do not necessarily match a CPE in the database. A CPE might also be part of a superset of CPEs, the name of which you can use to search for related CPEs via the CPE Search tab.
- CPEs might also become deprecated, and these will be automatically updated over time via the online synchronization. By default, deprecated CPEs are not scanned, but you can amend this in the vulnerability monitoring settings.
- From the CPE Mapping Rules tab, you can generate CPEs based on filtering conditions (specifying the devices to which the rules apply) and mapping actions.
Permission requirements:
Vulnerability monitoring functionality is for Administrators only, and therefore has no specific user tool permission.
For help and information on user access permissions in Entuity, please see this article.
Multi-server configuration:
You can sync CPE mapping rules across multiple servers using configuration sets (from the CPE Mapping Rules tab). All other Vulnerability Monitoring tabs are applicable only to the server to which you are logged in.
Please see this article for further help and information on managing server configuration sets in Entuity.
Vulnerability incidents and events:
During a vulnerability monitoring scan, a CVE/vulnerability matched against a device raises a Potential Vulnerability event (and a corresponding Potential Vulnerability incident). The severity of the incident/event is determined by the CVE's CVSS Base Score, which is detailed as follows. Entuity supports CVSS v2.0, v3.0 and v3.1, but always shows the highest available version. The other version(s) are used as a fallback.
Note that this means Potential Vulnerability incidents and events can have any Entuity severity. This is unlike other Entuity incidents and events, which have a single fixed severity.
| CVSS v2.0 Base Score | CVSS v3.x Base Score | CVSS severity | Entuity severity |
|---|---|---|---|
| n/a | 0.0 | none | information or cleared |
| 0.0 - 3.9 | 0.1 - 3.9 | low | minor |
| 4.0 - 6.9 | 4.0 - 6.9 | medium | major |
| 7.0 - 10.0 | 7.0 - 8.9 | high | severe |
| n/a | 9.0 - 10.0 | critical | critical |
During a subsequent scan, if a CVE is no longer matched against the device, then a Potential Vulnerability Cleared event will be raised to close the incident. The same will also happen if a CVE is 'acknowledged' under the Acknowledged CVEs tab of the Vulnerability Monitoring page.
Any Potential Vulnerability incidents that are opened when the Scan Deprecated CPEs setting is enabled in the vulnerability monitoring settings will then be closed when that setting is disabled.
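As an added example (not Entuity's own code) of the severity mapping in the table above, the following Python maps a CVE's available CVSS base scores to an Entuity severity, preferring the highest CVSS version and falling back to older ones, and skips acknowledged CVEs when building the Potential Vulnerability events one scan would raise for a device. The score key names, the placeholder CVE ids and the choice of "information" for a 0.0 score are assumptions.

```python
# Severity bands from the table on this page: (low, high, CVSS severity, Entuity severity).
# CVSS v2.0 has no "critical" band: 7.0-10.0 is "high", which Entuity shows as "severe".
V2_BANDS = [(0.0, 3.9, "low", "minor"), (4.0, 6.9, "medium", "major"),
            (7.0, 10.0, "high", "severe")]
# CVSS v3.0 and v3.1 share one scale. The page lists 0.0 as "information or cleared";
# "information" is used here for the raised event (assumption).
V3_BANDS = [(0.0, 0.0, "none", "information"), (0.1, 3.9, "low", "minor"),
            (4.0, 6.9, "medium", "major"), (7.0, 8.9, "high", "severe"),
            (9.0, 10.0, "critical", "critical")]
# Highest available CVSS version wins; older versions are only the fallback.
VERSION_PRECEDENCE = (("cvss31", V3_BANDS), ("cvss30", V3_BANDS), ("cvss2", V2_BANDS))

def band_for(score, bands):
    """Return (CVSS severity, Entuity severity) for a base score on the given scale."""
    score = round(float(score), 1)  # CVSS base scores carry one decimal place
    for low, high, cvss_sev, entuity_sev in bands:
        if low <= score <= high:
            return cvss_sev, entuity_sev
    raise ValueError(f"CVSS base score out of range: {score}")

def entuity_severity(cve):
    """cve: base scores keyed 'cvss31', 'cvss30', 'cvss2' (constructed input shape)."""
    for key, bands in VERSION_PRECEDENCE:
        if cve.get(key) is not None:
            return (key,) + band_for(cve[key], bands)
    raise ValueError("CVE has no CVSS base score")

def potential_vulnerability_events(device, matched_cves, acknowledged=frozenset()):
    """Events one scan raises for a device; acknowledged CVEs are skipped (Acknowledged CVEs tab)."""
    events = []
    for cve_id, scores in matched_cves.items():
        if cve_id in acknowledged:
            continue
        version, cvss_sev, entuity_sev = entuity_severity(scores)
        events.append({"device": device, "cve": cve_id, "event": "Potential Vulnerability",
                       "cvss_version": version, "cvss_severity": cvss_sev, "severity": entuity_sev})
    return events

# Constructed sample input with placeholder CVE ids, not real NVD records.
SAMPLE_MATCHES = {
    "CVE-EXAMPLE-0001": {"cvss31": 9.8, "cvss30": 9.8, "cvss2": 10.0},  # v3.1 wins: critical
    "CVE-EXAMPLE-0002": {"cvss2": 7.5},    # v2 only, no critical band: high -> severe
    "CVE-EXAMPLE-0003": {"cvss30": 0.0},   # none -> information
    "CVE-EXAMPLE-0004": {"cvss31": 5.3},   # medium -> major, unless acknowledged
}
```

Calling potential_vulnerability_events("router-1", SAMPLE_MATCHES, {"CVE-EXAMPLE-0004"}) yields three events, with the acknowledged CVE filtered out before any severity is assigned.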
Viewing vulnerability monitoring data (dashboards and reports):
You can view the results of a vulnerability monitoring scan via the Security Analysis dashboard. This dashboard is available from the context of a View and a device. It displays vulnerability information such as open vulnerabilities, CPE status, and Potential Vulnerability incidents in the context of a View or device.
Potential Vulnerability incidents and events are also displayed on Incidents dashboards, Incidents List dashlets, Events dashboards and Events List dashlets.
You can also run reports on vulnerability monitoring data.
CPE Dictionary:
The CPE Dictionary is the local database that stores CPE data. This can be populated by manually importing files (see Data Files tab) or via auto sync (see Vulnerability Monitoring Settings on the Summary tab). If you cannot find a CPE Name in the CPE Dictionary, you can also manually add CPE Names via the Add CPEs functionality on the Device Management and CPE Management tabs.