Applicable to Entuity v22.0 GA upwards
To enable vulnerability monitoring and edit vulnerability monitoring global settings
The processes of a vulnerability monitoring scan
To schedule a vulnerability monitoring job
To view the results of a vulnerability monitoring job
Introduction:
From the Summary tab of the Vulnerability Monitoring page, you can view a summary of the following functionality. These settings are specified in the vulnerability monitoring settings.
- Vulnerability Scan
- Online Sync - if online synchronization is enabled.
- NIST Data - if online synchronization for NIST data is enabled.
- MSRC CVRF Data - if online synchronization for MSRC CVRF data is enabled.
- Scan Deprecated CPEs - if deprecated CPEs are set to be scanned during the next scan.
- Vulnerability Monitoring Status
- Job Progress - which step is currently in progress for the job, or if the job has succeeded/failed once complete: Preparing Job; Importing Data Files; Syncing CVE API Data (if enabled); Syncing CPE API Data (if enabled); Syncing Match Criteria Data (if enabled); Syncing MSRC CVRF API Data (if enabled); Retiring Deprecated CPEs (if not 'Never'); Discovering CPE Candidates; Scanning for Vulnerabilities
- Vulnerability Scan - progress of the current scan of the local CVE data files.
- Last Run - timestamp of when the vulnerability scan was last completed.
- Next Run - timestamp of when the vulnerability scan is next scheduled to run.
- Online Auto Sync
- NIST CVEs - progress of the current online auto synchronization for the NIST CVE API data (if enabled and running).
- NIST CPEs - progress of the current online auto synchronization for the NIST CPE API data (if enabled and running).
- NIST Match Criteria - progress of the current online auto synchronization for the NIST Match Criteria API data (if enabled and running).
- MSRC CVRF - progress of the current online auto synchronization for the MSRC CVRF API data (if enabled and running).
- CPE Settings
- Retire Deprecated CPEs - how long Entuity will wait before retiring deprecated CPEs (based on their NVD Last Modified value).
- Minimum Candidate Criteria - minimum attributes required for a CPE candidate
- CVE Filters
- Included CVSS Base - range of which CVSS Base Scores to be included/considered during scans. CVEs not within this CVSS base score range will be ignored.
- Included Severities - which severities are included/considered during scans. CVEs not matching any of the selected severities will be ignored.
- Last Modified - timeframe to be included/considered during jobs. CVEs not within the specified timeframe will be ignored.
You can also edit global settings for the above functionality, and schedule, resume or suspend vulnerability monitoring jobs of your network.
This tab is applicable only to servers, not configuration sets.
To enable vulnerability monitoring and edit vulnerability monitoring global settings:
- Navigate to the Summary tab of the Vulnerability Monitoring page, and click Edit Global Settings at the top of the tab (or via the Overflow Menu).
- The Edit Global Settings form will open on the right of the window.
- Specify your preferences in the following sections:
Vulnerability Monitoring Settings
- Enable Online Sync - specify whether to enable or disable the automatic download of recent CVE data, match criteria, CPE dictionary changes, and Microsoft hotfix data from the enabled APIs.
- Download NIST Data - (available if Enable Online Sync above is enabled) - specify whether to collect recent CVE data, match criteria, and CPE dictionary changes. Please see the following notes pertaining to downloading data for Entuity Vulnerability Monitoring:
- before downloading NIST Data, ensure you have at least 2.5GB of disk space available, and allow a few hours for the initial download.
- vulnerability monitoring requires CVE data to raise vulnerabilities.
- vulnerability monitoring should have the match criteria to match CVEs to the specific CPEs that are applicable, otherwise matching CVEs and related CPE Names may be inaccurate.
- vulnerability monitoring requires the CPE Dictionary for detecting and updating deprecated and/or modified CPEs. It is also used for CPE Name/Attribute suggestions when adding CPE Names, thereby streamlining the process of finding suitable CPE Names.
- Download MSRC CVRF - (available if Enable Online Sync above is enabled) - specify whether to collect recent Microsoft hotfix data, which is required to check if a raised vulnerability has been fixed. This is only applicable to Windows OS Server devices.
- Note, you can also manually download MSRC CVRF data files using MSRC CVRF API's 'Get Security Updates' operation.
- The endpoint for this operation is: https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/{CVRF document ID}.
- The CVRF document ID is in the format: yyyy-mmm, e.g. '2022-aug' to retrieve the security updates for August 2022.
- Example curl command:
curl https://api.msrc.microsoft.com/cvrf/v2.0/cvrf/2022-aug > ENTUITY_HOME/etc/msrc/2022-aug.json
- Once manually downloaded, you can then import this data into Entuity by moving the appropriate data files into ENTUITY_HOME/etc/vulnMon/msrcData. For further help and information on manually importing vulnerability monitoring data, please see this article.
Scan Filters
- Scan Deprecated CPEs - specify whether to scan CVEs for configurations that include deprecated CPEs. Deprecated CPEs are typically updated automatically if an updated CPE can be found, so you may not wish to scan deprecated CPEs because these are outdated. This is disabled by default.
- Any Potential Vulnerability incidents that are opened while this setting is enabled will be closed when the setting is next disabled.
- Scan Unresolved Candidates - specify whether to scan unresolved CPE candidates. This option is disabled by default. If you are confident in your CPE mapping rules, you can enable this scanning of unresolved candidates, which means that CPE candidates do not need to be confirmed for their device(s) before being considered during scans. Note, CPE candidates discovered for a device via CPE mapping rules are automatically allocated 'Unresolved Candidate' status, meaning that they are unconfirmed. You can resolve/confirm or remove/decline unresolved CPE candidates via the Device Management tab under the Vulnerability Monitoring page.
CPE Settings
- Retire Deprecated CPEs - specify whether to automatically remove deprecated CPEs from your devices, and/or clean up your local CPE Dictionary, either Never, Immediately, or After. If 'After', specify the time period after which to remove.
- By default, deprecated CPEs are retired after 1 year (which is the timeframe in which they are retired from the official NIST CPE Dictionary).
- If a CPE is retired with no updated CPE, it is deleted immediately.
- If the CPE has an updated CPE, each device with the deprecated CPE is automatically updated and the old CPE is deleted from the device and the local dictionary.
- Minimum Candidate Criteria - specify the minimum attributes required for a CPE candidate. By default, Entuity requires CPE candidates to specify at least the following three attributes: vendor, product, and version. Configure further minimum attributes via this field.
CVE Filters
- Filter By - specify the parameter(s) by which you wish to filter vulnerabilities to display, either Severity or CVSS Base Score.
- Included Severities - available if Severity is selected for Filter By field above. Specify the severity of vulnerabilities that you wish to filter by. Choose one or more of Information, Minor, Major, Severe, and Critical.
- Included CVSS Base Scores - available if CVSS Base Score is selected for Filter By field above. Specify the CVSS base score by which you wish to filter vulnerabilities. Choose from All, In Between, Greater Than, or Less Than, and if one of the latter three, you can specify the values (between 0 and 10 inclusive).
- Filter By Last Modified - specify the date range by which to filter, either Any or After.
Once you have made your desired changes, click Done in the top right to save, otherwise click Cancel.
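The following is an added worked example, not Entuity's own code, showing how the CVE Filters described above narrow the set of CVEs a scan considers. It evaluates constructed CVE records against two filter configurations. The setting and record field names are assumptions, the boundary semantics of Greater Than / Less Than (strict) and In Between (inclusive) are assumed, and the CVSS-to-Entuity severity mapping is taken from the table given later on this page under 'To view the results of a vulnerability monitoring job'.

```python
"""Added model of the CVE Filters, evaluated against constructed CVE records.
Not Entuity code: field names, boundary semantics and the CVE ids are assumptions;
the severity mapping follows the CVSS/Entuity severity table on this page."""
from datetime import datetime, timezone


def entuity_severity(cvss_version: str, score: float) -> str:
    """Entuity severity for a CVSS base score. Note that v2.0 scores top out at
    'severe'; only v3.x scores of 9.0 and above map to 'critical'."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if cvss_version.startswith("3"):
        if score == 0.0:
            return "information"
        if score <= 3.9:
            return "minor"
        if score <= 6.9:
            return "major"
        if score <= 8.9:
            return "severe"
        return "critical"
    if cvss_version.startswith("2"):
        if score <= 3.9:
            return "minor"
        if score <= 6.9:
            return "major"
        return "severe"
    raise ValueError(f"unsupported CVSS version: {cvss_version}")


def score_in_range(cvss_base: dict, score: float) -> bool:
    """Included CVSS Base Scores setting: All, In Between, Greater Than or Less Than.
    Assumption: In Between is inclusive, Greater/Less Than are strict."""
    mode = cvss_base["mode"]
    if mode == "all":
        return True
    if mode == "in_between":
        return cvss_base["low"] <= score <= cvss_base["high"]
    if mode == "greater_than":
        return score > cvss_base["value"]
    if mode == "less_than":
        return score < cvss_base["value"]
    raise ValueError(f"unknown CVSS base score mode: {mode}")


def cve_included(cve: dict, filters: dict) -> bool:
    """True if a scan would consider this CVE under the given filters; a CVE that
    fails the Filter By test or the Last Modified window is ignored."""
    score = cve["cvss_base_score"]
    if filters["filter_by"] == "severity":
        if entuity_severity(cve["cvss_version"], score) not in filters["included_severities"]:
            return False
    elif filters["filter_by"] == "cvss_base_score":
        if not score_in_range(filters["cvss_base"], score):
            return False
    else:
        raise ValueError(f"unknown Filter By value: {filters['filter_by']}")
    last_mod = filters["last_modified"]
    if last_mod["mode"] == "after" and cve["last_modified"] <= last_mod["date"]:
        return False
    return True


def filter_cves(cves: list, filters: dict) -> list:
    """Ids of the CVEs that pass the filters, in their original order."""
    return [c["id"] for c in cves if cve_included(c, filters)]


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed records; the ids are placeholders, not real CVEs.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cvss_version": "3.1", "cvss_base_score": 9.8, "last_modified": _utc(2023, 6, 1)},
    {"id": "CVE-0000-0002", "cvss_version": "3.1", "cvss_base_score": 5.3, "last_modified": _utc(2021, 3, 15)},
    {"id": "CVE-0000-0003", "cvss_version": "2.0", "cvss_base_score": 7.5, "last_modified": _utc(2019, 1, 10)},
    {"id": "CVE-0000-0004", "cvss_version": "3.1", "cvss_base_score": 0.0, "last_modified": _utc(2023, 1, 1)},
    {"id": "CVE-0000-0005", "cvss_version": "3.1", "cvss_base_score": 3.1, "last_modified": _utc(2022, 11, 20)},
]

# Filter By Severity, only Severe and Critical, modified after 1 January 2020.
SEVERE_AND_ABOVE_RECENT = {
    "filter_by": "severity",
    "included_severities": {"severe", "critical"},
    "last_modified": {"mode": "after", "date": _utc(2020, 1, 1)},
}
# Filter By CVSS Base Score, Greater Than 7.0, any Last Modified date.
HIGH_SCORES_ANY_AGE = {
    "filter_by": "cvss_base_score",
    "cvss_base": {"mode": "greater_than", "value": 7.0},
    "last_modified": {"mode": "any"},
}

if __name__ == "__main__":
    print(filter_cves(SAMPLE_CVES, SEVERE_AND_ABOVE_RECENT))
    print(filter_cves(SAMPLE_CVES, HIGH_SCORES_ANY_AGE))
```

The two filter sets give different answers for the same v2.0-scored record: a 7.5 CVSS v2.0 score passes the Greater Than 7.0 score filter, but under the severity filter it maps to 'severe' rather than 'critical', so which parameter you filter by matters when your data mixes CVSS versions.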
The processes of a vulnerability monitoring scan
Once any data is manually imported, and NIST and Microsoft MSRC data is updated (if enabled), a vulnerability monitoring scan executes the following:
- gets all enabled devices with their corresponding CPEs.
- scans against the NIST CVE data files (stored in ENTUITY_HOME/etc/vulnMon/cveData) and checks against each device's CPE configuration for a match. Note, the scan orders CVE data files by their index number (e.g., a file with the name 'cveData(567).json' would have an index number of 567). When importing data, it is recommended that you maintain this indexing system by giving your files an appropriate index number.
- if a new match is found, a Potential Vulnerability event is raised (and corresponding Potential Vulnerability incident is opened).
- if no match is found, but a matching CVE was previously raised on the device, a Potential Vulnerability Cleared event is raised to close the incident.
- performs a Windows Hotfix check for Windows OS Server devices (if MSRC CVRF data is enabled). The patch levels of Windows OS Servers are extracted from the devices, and these are matched against patched CVEs (if they have been raised against the device). If a match is found, a Potential Vulnerability Patched event is raised (and the corresponding Potential Vulnerability incident is closed).
To schedule a vulnerability monitoring job:
Note, the initial download for online synchronization will require a few hours. Data downloads may fail. This is not usually a cause for concern, and can happen if there is a read or connect timeout on the API call. Running the job again will resume the download from where you left off. The default timeouts are both 60,000ms (or 1s). These values can be changed via the read_timeout and connect_timeout settings in [vulnMon] under entuity.cfg.
- Navigate to the Summary tab of the Vulnerability Monitoring page, and click Schedule Job at the top of the tab (or via the Overflow Menu).
- The Schedule Vulnerability Monitoring form will open on the right of the window. Click the Schedule Vulnerability Scan field to open the Schedule form.
- Using the switch, specify whether to use a Predefined Schedule or a New Schedule.
Predefined Schedule:
- Predefined Schedule - specify either Weekly or Daily. These are system schedules with the following parameters:
- Weekly - every 7 days from Monday at 00:00. E.g., if you specified a scan to be weekly on a Wednesday, the scan would first start at 00:00 on the following Monday.
- Daily - every 24 hours from 00:00.
New Schedule:
- Using the switch, specify whether to Start On Selected Date or Start Immediately. The form will update depending on your choice.
- If Start On Selected Date is chosen, specify the Start Time.
- Recurrence - specify the schedule of the scan's recurrence, either None, Simple, or Calendar:
- None - no further parameters are required.
- Simple - in the below example, the scan is set to recur 3 times, at an interval of every 6 hours, starting at 09:42 on 5th December, 2023:
- Calendar - specify the exact minutes, hours, days of the week, and months of the year in which the scan will run, and an end date if required. For example, you may wish to start the scan schedule at 11:25, 05 December 2023, and end it at 16:50, 12 February 2026, and run the scan on the 15th, 23rd, and 39th minute of the 4th, 10th, 16th, and 23rd hour of the day, on Tuesdays and Fridays, in March, April, July, and October.
Once you have specified your schedule, click Done in the top right to save your changes, otherwise click Cancel.
To start a vulnerability monitoring job immediately:
You can start a vulnerability monitoring job immediately:
- From the Summary tab of the Vulnerability Monitoring page, click Schedule Job.
- The Schedule Vulnerability Monitoring form will open on the right of the window. Click the Schedule Vulnerability Scan field to open the Schedule form.
- Using the Predefined Schedule / New Schedule switch, select New Schedule.
- Using the Start on Selected Date / Start Immediately switch, select Start Immediately.
To view the results of a vulnerability monitoring job:
You can view the results of a vulnerability monitoring scan via the Security Analysis dashboard. This dashboard is available from the context of a View and a device.
During a scan, a CVE/vulnerability matched against a device raises a Potential Vulnerability event (and a corresponding Potential Vulnerability incident). The severity of the incident/event is determined by the CVE's CVSS Base Score, which is detailed as follows:
CVSS v2.0 Base Score | CVSS v3.x Base Score | CVSS severity | Entuity severity |
---|---|---|---|
n/a | 0.0 | none | information or cleared |
0.0 - 3.9 | 0.1 - 3.9 | low | minor |
4.0 - 6.9 | 4.0 - 6.9 | medium | major |
7.0 - 10.0 | 7.0 - 8.9 | high | severe |
n/a | 9.0 - 10.0 | critical | critical |
- Potential Vulnerability event - raised if a CVE is matched against a device. This opens the Potential Vulnerability incident. CVEs have three potential configuration types from which a match can be made. Potential vulnerability events are only raised where the CVE configuration matches the device's CPE configuration. Partial matches are not currently supported.
- Basic - only one CPE needs to match for a device to be considered potentially vulnerable, e.g. cpe:2.3:a:fusionpbx:*:*:*:*:*:*:*:*
- Running on/with - a combination of potentially vulnerable and non-vulnerable CPEs must be present, e.g. cpe:2.3:o:netgear:wnr3500u_firmware:1.2.2.44_35.0.53na:*:*:*:*:*:*:* running on/with cpe:2.3:h:netgear:wnr3500u:-:*:*:*:*:*:*:*
- Advanced - a complex enumeration of CPEs must be present, e.g. cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:* AND cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:* AND cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*
- Potential Vulnerability Patched event - raised if patch levels of Windows OS Server devices are matched against patched CVEs. This closes the Potential Vulnerability incident.
- Potential Vulnerability Cleared event - raised if no CVE is matched against a device following an earlier match. This closes the Potential Vulnerability incident.
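The following is an added worked example, not Entuity's own code, that models the scan process described under 'The processes of a vulnerability monitoring scan' together with the three configuration types and three event types listed above. It shows attribute-wise CPE 2.3 matching, the Basic / Running on/with / Advanced rules (no partial matches), the Minimum Candidate Criteria check from the CPE Settings, numeric ordering of cveData(N).json files, and the raise / clear / patched lifecycle over two consecutive scans. The netgear and eq-3 CPE names are the ones quoted on this page; the microsoft CPE, the upgraded firmware version, the device names and the CVE ids are constructed placeholders, and the parser assumes no escaped colons.

```python
"""Added model of the scan process and event lifecycle. Illustration only, not
Entuity code; device names, CVE ids and the microsoft/upgraded-firmware CPEs are
constructed."""
import re

ATTRIBUTES = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def cpe_parts(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its 11 named attributes.
    Simplification: assumes no escaped colons (none of the names on this page have any)."""
    parts = cpe.split(":")
    if parts[:2] != ["cpe", "2.3"] or len(parts) != 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return dict(zip(ATTRIBUTES, parts[2:]))


def meets_candidate_criteria(cpe: str, required=("vendor", "product", "version")) -> bool:
    """Minimum Candidate Criteria: the required attributes must be concrete, not '*'."""
    attrs = cpe_parts(cpe)
    return all(attrs[a] not in ("*", "") for a in required)


def cpe_matches(pattern: str, device_cpe: str) -> bool:
    """Attribute-wise match: '*' in the CVE pattern accepts any device value;
    any other value (including '-', not applicable) must be identical."""
    p, d = cpe_parts(pattern), cpe_parts(device_cpe)
    return all(p[a] == "*" or p[a] == d[a] for a in ATTRIBUTES)


def config_matches(config: dict, device_cpes: list) -> bool:
    """Basic: one listed CPE matching is enough. Running on/with and Advanced:
    every listed CPE must match something on the device (no partial matches)."""
    present = [any(cpe_matches(p, d) for d in device_cpes) for p in config["cpes"]]
    return any(present) if config["type"] == "basic" else all(present)


def cve_file_index(filename: str) -> int:
    """'cveData(567).json' -> 567; the scan processes data files in index order."""
    m = re.fullmatch(r"cveData\((\d+)\)\.json", filename)
    if not m:
        raise ValueError(f"unexpected CVE data file name: {filename}")
    return int(m.group(1))


def ordered_cve_files(filenames: list) -> list:
    # Numeric rather than lexical order, so 'cveData(10).json' follows 'cveData(2).json'.
    return sorted(filenames, key=cve_file_index)


def scan(devices: dict, cves: dict, open_incidents: set):
    """One scan pass. devices: {name: {"cpes": [...], "patched_cves": {...}}}, where
    patched_cves holds the CVE ids covered by the Windows hotfix level read from the
    device. cves: {cve_id: config}. open_incidents: {(device, cve_id)} open before
    this pass. Returns (events in the order raised, incidents still open afterwards)."""
    events, still_open = [], set()
    for dev, info in devices.items():
        for cve_id, config in cves.items():
            key = (dev, cve_id)
            matched = config_matches(config, info["cpes"])
            if matched and key not in open_incidents:
                events.append(("Potential Vulnerability", dev, cve_id))
            elif not matched and key in open_incidents:
                events.append(("Potential Vulnerability Cleared", dev, cve_id))
            if matched:
                if cve_id in info.get("patched_cves", set()):   # Windows hotfix check
                    events.append(("Potential Vulnerability Patched", dev, cve_id))
                else:
                    still_open.add(key)
    return events, still_open


FIRMWARE = "cpe:2.3:o:netgear:wnr3500u_firmware:1.2.2.44_35.0.53na:*:*:*:*:*:*:*"
HARDWARE = "cpe:2.3:h:netgear:wnr3500u:-:*:*:*:*:*:*:*"
CVES = {  # constructed ids; the microsoft pattern is constructed, the others are from this page
    "CVE-0000-0001": {"type": "basic", "cpes": [
        "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*"]},
    "CVE-0000-0002": {"type": "running_on", "cpes": [FIRMWARE, HARDWARE]},
    "CVE-0000-0003": {"type": "advanced", "cpes": [
        "cpe:2.3:a:hm-print_project:hm-print:1.2a:*:*:*:*:*:*:*",
        "cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*",
        "cpe:2.3:o:eq-3:homematic_ccu2_firmware:2.47.20:*:*:*:*:*:*:*"]},
}
DEVICES = {  # constructed inventory
    "router1": {"cpes": [FIRMWARE, HARDWARE]},          # full running-on match
    "router2": {"cpes": [FIRMWARE]},                    # partial match only: no event
    "ccu1": {"cpes": CVES["CVE-0000-0003"]["cpes"]},    # all three advanced CPEs
    "win1": {"cpes": ["cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]},
}


def run_example():
    """Two consecutive scans: the first raises incidents; before the second, router1
    has been upgraded (constructed version) and win1's hotfix level covers its CVE."""
    events1, open1 = scan(DEVICES, CVES, set())
    after = dict(DEVICES)
    after["router1"] = {"cpes": [FIRMWARE.replace("1.2.2.44_35.0.53na", "1.2.2.50"), HARDWARE]}
    after["win1"] = {"cpes": DEVICES["win1"]["cpes"], "patched_cves": {"CVE-0000-0001"}}
    events2, open2 = scan(after, CVES, open1)
    return events1, open1, events2, open2


if __name__ == "__main__":
    for result in run_example():
        print(result)
```

router2 carries the vulnerable firmware string but no matching hardware CPE, so it never raises an incident: that is the "partial matches are not currently supported" rule in action, and it is also why an incomplete CPE inventory on a device silently hides exposure rather than producing a noisy false positive.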