IainCaldwell
Lansweeper Employee

Lansweeper is delighted to announce new capabilities in the security vulnerabilities space. Building on the foundations of our world-class scanning technology, Lansweeper has enhanced our software scanning to normalize and enrich with NIST standard naming and identification. This enables Lansweeper to offer value-add capabilities matching clients' software against NIST vulnerabilities databases.

This is a preview feature and will be iterated frequently over the next few months before the official release. Please use this space to give suggestions +ve or -ve to help us improve the product.

78 REPLIES
IainCaldwell
Lansweeper Employee

Hi @Knut thanks for this, it's thrown up an interesting question for us. So yes it should be all OS's, and I've checked the NIST feed to see if they have vulnerabilities against Fortinet (they did).

We are checking internally around why we may not be seeing it. No answer so far, but:

- We've checked that the OS would bring back content from NIST

- Checked that our back-end engine would deal with it.

Now just checking to see if the scanning element of the product picks it up and then making sure our normalisation engine is dealing with it correctly.

Can I ask if the OS is being picked up correctly by the scanner? So if you open the device record on the Lansweeper cloud platform does it have the OS correct, or even does it have it correct on prem?

Any info would be helpful...just to make sure we are looking in the right place 🙂

 

Cheers Iain

Hi @Knut,

I am glad you like our proposal to handle vulnerabilities in the product.

We are not limited to specific operating systems support, we will provide the vulnerabilities listed in the NIST database and matching any of the OS in your inventory. The reality is Windows is usually the OS with the highest presence in organizations, also the amount of vulnerabilities is relevant...this is probably why you perceive Windows as the predominant OS.

I got a quick example from a test environment for a Cisco iOS vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2022-20726). We support any device type considered by NIST and with presence in your asset inventory.

Regards! 

Knut
Engaged Sweeper II

Hi @edu_ayus,

Thank you for taking the time to reply.

I understand that the list of vulnerabilities you get covers all affected OS, however without the proper inventory information (FortiOS version for a Fortigate for example) it is not possible to match potential vulnerabilities.

(Today I get the FortiOS version by scanning specific SNMP OIDs, and I doubt that these fields are used to match FortiOS known vulnerabilities).

My question is then: what OS/Systems do you officially support regarding vulnerability matching?

Also I assume you are already aware of that and working on it, but here are the top missing features for me:

- CSV Export (either by vulnerable assets, or by vulnerabilities)

- Viewing matching vulnerabilities from an asset page and display the reason for matching each vulnerability with this asset

- Possibility to add alerts when new vulnerabilities (with specific severity score) are found

 

Thanks!

Hi @Knut ,

I got confirmation from engineering we do not have the proper information defined in our recognition flow to report vulnerabilities affecting Fortinet devices. We are researching how to incorporate the information appropriately, probably using the SNMP OIDs you mentioned. To be sure we are handling the same ones, I would like to ask you to send me (can be on a private message) the OIDs you were discovering for the FortiOS in your assets.

Regarding the manufacturers list we are confidently providing vulnerabilities information for their hardware and OS are: “Microsoft, Cisco, Dell, HPE, Aruba, Red Hat, Western Digital, HP, Brother, Control4, Synology, Canon, Juniper, Oracle, Netgear.”

Thanks!

Regards

abowman_s1
Engaged Sweeper

I have deleted several devices and have several marked as non-active and they still show up in Lansweeper Security Insights almost 24 hours later.

Also, how long should it take for remediation to sync from a local Lansweeper instance to Security Insights?

Hi @abowman_s1 ,

As you can read below in some of our previous posts, the vulnerabilities recalculation is done once a week. Currently, we are in a preview stage, and one of the things we are working on is reducing the calculation cadence.

Regarding the assets marked as non-active, we will add filtering capabilities to the vulnerabilities view, allowing filtering by that condition and many others.

Finally, for remediation to be synced and effective in the Cloud, an asset scanning and vulnerability recalculation are needed. However, as I pointed out below, depending on the complexity involved in patching a vulnerability on an asset, it is not always possible to automatically detect the risk has been mitigated. Therefore, we are considering the possibility of reporting it manually on those cases.

Regards

Hi @abowman_s1

I think you are encountering similar issues to @Brian_Landers. @edu_ayus has tried to explain below.

Ultimately the key for us at the moment is getting the speed improved, even if that means we take processing away from the items with lower criticality and make sure the turnaround time is where it needs to be for the criticality 9 and 10 items.

Please keep coming back with feedback if you're not seeing improvements in the next week or so.

 

 

Brian_Landers
Engaged Sweeper

Are Security Vulnerabilities removed from list as they are resolved? I have a number of Vulnerabilities that are resolved and still appear in the list days later. My on-premises scans assets at least once a day.

Hi @Brian_Landers ,

It is not a yes/no answer as it depends on some factors: 

- First, although you rescanned the asset, the vulnerability was still not recalculated against that asset, so this is the main thing that needs to happen to reflect a change in the vulnerabilities affecting it. Currently, we are triggering the calculation once a week, starting at the weekend.

- Secondly and less obvious, although the vulnerability is recalculated, that does not guarantee it will disappear from the list. This is because the changes the patch applies need to be reflected in the vulnerability definition we retrieve from the NIST (concretely updating the CPEs related to the vulnerability), and this is not always easy, depending on the patch's changes. For example, updating the version of a software/library is something easy to track, so if that is the case it will be reflected once it is updated in the CVE, but things like a change in a configuration or a combination of several actions can be complicated to track.

We are working to improve on the two aspects above:

- Reducing the calculation cadence.

- On one hand (more complicated), trying to improve our analysis capabilities of the CVEs and, on the other hand, providing users the ability to manage the vulnerability status in relation to an asset. 

Do not hesitate to contact me if you want to extend this information or with any other doubt on Security Insights.
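The version-based CPE matching discussed in this reply, and the missing-version case raised earlier in the thread, sketched as an added example (not Lansweeper's code and not part of any post). The vendor, product, CVE record and inventory rows are constructed; the field names `criteria`, `versionStartIncluding` and `versionEndExcluding` follow the NVD CVE JSON layout.

```python
import re

def parse_cpe(cpe):
    """Return (part, vendor, product, version) from a CPE 2.3 string (no escaped colons)."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return tuple(fields[2:6])

def version_key(version):
    """Numeric sort key for dotted versions such as '7.2.4'."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def assess(asset_cpe, cve):
    """Classify one asset against one CVE: 'affected', 'not_affected' or 'unknown'."""
    *product, version = parse_cpe(asset_cpe)
    result = "not_affected"
    for crit in cve["cpeMatch"]:
        *crit_product, crit_version = parse_cpe(crit["criteria"])
        if not crit.get("vulnerable", True) or crit_product != product:
            continue
        if version in ("*", "-"):
            result = "unknown"  # product recognised, but inventory holds no version
            continue
        v = version_key(version)
        if crit_version not in ("*", "-") and version_key(crit_version) != v:
            continue
        lo, hi = crit.get("versionStartIncluding"), crit.get("versionEndExcluding")
        if (lo and v < version_key(lo)) or (hi and v >= version_key(hi)):
            continue
        return "affected"
    return result

CVE = {  # constructed record; placeholder id, hypothetical vendor and product
    "id": "CVE-XXXX-NNNNN",
    "cpeMatch": [{"vulnerable": True,
                  "criteria": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.2.5"}],
}
INVENTORY = {  # constructed inventory rows
    "fw-01 before patch": "cpe:2.3:o:examplevendor:exampleos:7.2.4:*:*:*:*:*:*:*",
    "fw-01 after upgrade": "cpe:2.3:o:examplevendor:exampleos:7.2.5:*:*:*:*:*:*:*",
    "fw-02 no version scanned": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*",
    "sw-01 other product": "cpe:2.3:o:examplevendor:otheros:7.2.4:*:*:*:*:*:*:*",
}

def report():
    """Run every inventory row against the constructed CVE."""
    return {name: assess(cpe, CVE) for name, cpe in INVENTORY.items()}
```

A fix applied as a configuration change leaves the asset's CPE at 7.2.4, so this kind of matching keeps reporting it as affected until the CVE's CPE data changes or the status is set by hand.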

licensing-gojo
Engaged Sweeper

Hello,
This extension is great news.

We were wondering if you were going to add buttons that would allow us to update software that might represent a vulnerability?

For example: immediately update the software, click here, after which the .exe is sent to the vulnerable machine and fixes itself automatically.

This would allow us to greatly optimize our resolution time.

Thanks.