New Preview Capability - Security Vulnerabilities

Hi @Knut,

I am glad you like our proposal to handle vulnerabilities in the product.

We are not limited to specific operating systems support, we will provide the vulnerabilities listed in the NIST database and matching any of the OS in your inventory. The reality is Windows is usually the OS with the highest presence in organizations, also the amount of vulnerabilities is relevant...this is probably why you perceive Windows as the predominant OS.

I got a quick example from a test environment for a Cisco iOS vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-20726). We support any device type considered by NIST and with presence in your asset inventory.

Regards! 

Hi @edu_ayus,

Thank you for taking the time to reply.

I understand that the list of vulnerabilities you get covers all affected OS, however without the proper inventory information (FortiOS version for an Fortigate for example) it is not possible to match potential vulnerabilities.

(Today I get the FortisOS version by scanning specific SNMP OIDs, and I doubt that these fields are used to match FortiOS known vulnerabilities).

My questions is then: what OS/Systems do you officially support regarding vulnerability matching ?

Also I assume you are already aware of that and working on it, but here are the top missing feature for me:

- CSV Export (either by vulnerable assets, or by vulnerabilities)

- Viewing matching vulnerabilities from an asset page and display the reason for matching each vulnerability with this asset

- Possibility to add alerts when new vulnerabilities (with specific severity score) are found

Thanks!

Hi @Knut ,

I got confirmation from engineering we do not have the proper information defined in our recognition flow to report vulnerabilities affecting Fortinet devices. We are researching how to incorporate the information appropriately, probably using the SNMP OIDs you mentioned. To be sure we are handling the same ones, I would like to ask you to send me (can be on a private message) the OIDs you were discovering for the FortiOS in your assets.

Regarding the manufacturers list we are confidently providing vulnerabilities information for their hardware and OS are: “Microsoft, Cisco, Dell, HPE, Aruba, Red Hat, Western Digital, HP, Brother, Control4, Synology, Canon, Juniper, Oracle, Netgear.”

Thanks!

Regards

Hi @abowman_s1 ,

As you can read below in some of our previous posts, the vulnerabilities recalculation is done once a week. Currently, we are in a preview stage, and one of the things we are working on is reducing the calculation cadence.

Regarding the assets marked as non-active, we will add filtering capabilities to the vulnerabilities view, allowing filtering by that condition and many others.

Finally, for remediation to be synced and effective in the Cloud, an asset scanning and vulnerability recalculation are needed. However, as I pointed out below, depending on the complexity involved in patching a vulnerability on an asset, it is not always possible to automatically detect the risk has been mitigated. Therefore, we are considering the possibility of reporting it manually on those cases.

Regards

Hi @abowman_s1 

I think you are encountering similar issues to @Brian_Landers .  @edu_ayus has tried to explain below.

Ultimately the key for us at the moment is getting the speed improved, even if that means we take processing way from the items with lower criticality and make sure the turnaround time is where it needs to be for the criticality 9 and 10 items.

Please keep coming back with feedback if your not seeing improvements in the next week or so

Hi @Brian_Landers ,

It is not a yes/no answer as it depends on some factors: 

- First, although you rescanned the asset, the vulnerability was still not recalculated against that asset, so this is the main thing that needs to happen to reflect a change in the vulnerabilities affecting it. Currently, we are triggering the calculation once a week, starting at the weekend.

- Secondly and less obvious, although the vulnerability is recalculated, that does not guarantee it will disappear from the list. This is because the changes the patch applies need to be reflected in the vulnerability definition we retrieve from the NIST (concretely updating the CPEs related to the vulnerability), and this is not always easy, depending on the patch's changes. For example, updating the version of a software/library is something easy to track, so if that is the case it will be reflected once it is updated in the CVE, but things like a change in a configuration or a combination of several actions can be complicated to track.

We are working to improve on the two aspects above:

- Reducing the calculation cadence.

- On one hand (more complicated), trying to improve our analysis capabilities of the CVEs and, on the other hand, providing users the ability to manage the vulnerability status in relation to an asset. 

Do not hesitate to contact me if you want to extend this information or with any other doubt on Security Insights.