
Features of the new version of the Vulnerability Management (VM) product on the Security Vision 5 platform
11.10.2024

Security Vision Vulnerability Management (VM) is a comprehensive vulnerability management product that includes detection of vulnerabilities on assets, providing the most detailed information on identified vulnerabilities and recommendations for remediation (including functionality to automate updates), a follow-up process with confirmation of remediation, monitoring of timelines and SLAs. The updated product consists of three main blocks:


- Asset Management, which builds the asset base, including scanning and discovery of new assets, their automatic identification, inventory and lifecycle management, and automated administration actions;

- Vulnerability Scanning, which provides a proprietary vulnerability scanning engine with time-limited and windowed scanning capabilities on Windows/Linux hosts, containerisation environments, application software, network devices, databases and more;

- Process for remediation of detected vulnerabilities, including automatic confirmation of remediation, auto-patching and integration with external Service Desk systems.


Asset Management


As part of the Asset Management block, the product provides functionality to automatically discover and collect data on assets, categorise and manage them in accordance with ITIL recommendations, and perform a wide variety of preconfigured actions on the assets themselves. Assets are automatically aggregated into subnets. The system builds a network map, which is also available in graphical form.


In addition to scanning, assets can be automatically obtained or enriched from a large number of preconfigured external sources (with the possibility of adding your own sources and integrations): directory services (Active Directory, OpenLDAP, FreeIPA, Astra Linux Directory, etc.), various protection systems (antivirus, SIEM, DLP), infrastructure services, files of various formats, etc. You can also create assets manually.


Various types of assets are preconfigured in the product: servers, workstations, network devices, databases, printers, VoIP devices, etc. Each type of device has its own set of attributes, cards for visually displaying its characteristics and working with the object, and a unique set of actions that can be performed on the asset to collect data and change the device configuration. Each of the preconfigured asset types can be customised: add new attributes, change the display on cards, in tabular lists or trees, adjust the lifecycle process, and add new actions for each asset type.


Part of Asset Management is a full-fledged resource and service model, which includes such objects as Information System, Business Process, Application, Equipment, Suppliers, Products. On the cards of the objects you can fill in their data and build links between the objects. All objects of the resource-service model can be entered manually or loaded from external systems.


A large number of new scripts for interacting with assets have been added; they perform typical actions for obtaining information, administering and changing configurations on Linux/Windows hosts, various types of network equipment and databases.


The product has built-in functionality for managing and controlling the software in use, with the ability to maintain white/black lists of allowed and prohibited software, as well as to centrally manage its updates.


The product can execute complex scripts during automatic patching, including rolling back the changes made.


As part of regular updates of vulnerability databases, Security Vision additionally provides information on trending vulnerabilities and additional checks to detect the most relevant and critical vulnerabilities.


Vulnerability scanning


To search for vulnerabilities, the system has its own engine, as well as a built-in vulnerability remediation process with the possibility of flexible customisation for each Customer and its internal processes. Scanning can be performed remotely or through its own ‘agents’. It is possible to scan remote segments without direct network access to the VM server: for this purpose, a separate system component in the form of a service (or a chain of such components) is installed, through which all requests are proxied and information is received.


When scanning for vulnerabilities, a large number of settings are available, including:

- scanning modes (fast, file, scan depth, etc.);

- scanning time limits;

- the ability to specify scanning windows with a separate option to wait for the required window (scanning windows can be configured individually for each asset);

- the ability to specify exclusion nodes that will not be scanned for vulnerabilities;

- and much more.


Using templates, you can perform regular scans on demand (at the click of a button) or on a schedule.


It is possible to load inventory results from a file and perform scans based on them. This is convenient for geographically remote branches or assets to which there is no network access. In this case, a script (for different operating systems) is provided that can be executed on the host; based on its results, the system will scan for vulnerabilities.


Processing of scan results from other vulnerability scanners (both open source and proprietary), imported from file reports or via API, is also supported.


The product can search for vulnerabilities on a large number of operating systems, system and application software, as well as network devices. These are Astra Linux, Alt Linux, RedOS, Ubuntu, RedHat, CentOS, AlmaLinux, Oracle Linux, Debian, including all possible Debian-based systems, Windows desktop and server versions, application software (including MS Office with click-to-run versions, Exchange, SharePoint), databases (MS SQL, PostgreSQL, MySQL, Oracle, Elasticsearch, etc.), network devices (Cisco, Juniper, CheckPoint, PaloAlto, Sun, etc.).


Additionally, the product provides the ability to search for vulnerabilities in Docker containers (both running and stopped) and in container images, including Kubernetes environments.


The results are provided in detail both for each object (IT asset) and for the entire scanning procedure. For each vulnerability, the scores, description, tags and objects on which it was detected are shown, together with the recommendations whose implementation fixes the detected vulnerabilities. Additionally, recommendations for installing security updates and information on operating systems that have been removed from support are provided.


The vulnerability card shows a full description of the vulnerability obtained from various sources (including expert analytical Internet services), including scores, attack vector, remediation methods (for different operating systems), whether an exploit exists, and much other information.


Various scanning modes


- Pentest - detects and verifies the possibility of exploiting network vulnerabilities, the possibility of using the most serious exploits, weak passwords, checks for outdated/vulnerable encryption algorithms, etc.

- Web-application scanning - scanning for XSS, CSRF vulnerabilities, SQL injection, RFI, Code injection, disclosure of internal information and site settings, weak passwords, user brute force, as well as checking the exploitation of specific Web vulnerabilities, etc.

- Retro-scan - search for vulnerabilities based on previously obtained data from assets, without connecting to them and waiting for scanning windows. This is the fastest scanning mode, which is convenient to use for frequent checks for new vulnerabilities and urgent threats, as well as for spot checks of individual vulnerabilities based on internal and external requests. If containers are present, scans will also be performed on them.


Vulnerability remediation process


Several vulnerability management policies (based on CVSS and CIAT asset metrics, custom ‘Decision Tree’, etc.) are built into the product, specifying remediation SLAs in business or calendar days and the ability to fully customise them for the Customer's internal processes. Users can choose different scenarios for creating tasks and groupings: for example, to create separate tasks for certain vulnerabilities and objects, to group all vulnerabilities for one asset in other tasks, and for individual vulnerabilities to create one task for each vulnerability for all assets where it is detected, etc.


The created remediation tasks provide complete information on the remediation objects, detected vulnerabilities, their criticality and other characteristics. Tasks for vulnerability remediation can not only be created inside Security Vision; information can also be automatically transferred to external Service Desk / ITSM systems (Naumen SD, Jira, OTRS, Redmine, etc.) with subsequent automatic tracking of execution statuses for all tasks.


It is worth noting separately the mechanism of task confirmations built into the product. If a task has been completed, this is not its final status. During subsequent scans, the system will automatically check whether everything specified in the task has been eliminated. If everything has been eliminated, the system will put the task in the ‘Confirmed’ status. But if some of the vulnerabilities remain unaddressed, the system will return the task to work and flag that the task has not been resolved.


When eliminating vulnerabilities, you can use the mechanism of automatic ‘patching’ - at the click of a button or fully automatically the system can update the vulnerable software to the current version. Also available are settings for automatic ‘rollback’ of changes in case of their unsuccessful application.


The product provides the ability to add vulnerabilities to exceptions, which allows you to remove them from the statistics and not create remediation tasks for them as part of future scanning procedures.
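As an added illustration (not the product's own code), the following Python model walks through the remediation workflow described above: a policy that chooses the SLA from the CVSS score and asset criticality, one task per asset grouping all of its vulnerabilities, confirmation of a completed task on the next scan, and vulnerabilities placed in exceptions. The SLA bands, asset names and CVE identifiers are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, timedelta

Finding = namedtuple("Finding", "asset cve cvss")  # asset, placeholder CVE id (not real), CVSS score

@dataclass
class Task:
    asset: str
    cves: set
    deadline: date
    status: str = "Open"

def sla_business_days(cvss: float, asset_critical: bool) -> int:
    """Assumed policy: SLA band by CVSS score, halved for a critical asset."""
    days = 7 if cvss >= 9.0 else 30 if cvss >= 7.0 else 90 if cvss >= 4.0 else 180
    return max(1, days // 2) if asset_critical else days

def add_business_days(start: date, days: int) -> date:
    current = start  # counts Monday..Friday only (the 'business days' SLA mode)
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def build_tasks(findings, critical_assets, exceptions, today):
    """One task per asset with all its non-excepted findings; deadline is the tightest SLA."""
    tasks = {}
    for f in findings:
        if f.cve in exceptions:  # excepted: no task, not counted in statistics
            continue
        due = add_business_days(today, sla_business_days(f.cvss, f.asset in critical_assets))
        task = tasks.setdefault(f.asset, Task(f.asset, set(), due))
        task.cves.add(f.cve)
        task.deadline = min(task.deadline, due)
    return tasks

def confirm(task, rescan):
    """Re-check a completed task on the next scan: 'Confirmed' only if none of its
    CVEs is still found on the asset, otherwise the task is returned to work."""
    remaining = {f.cve for f in rescan if f.asset == task.asset and f.cve in task.cves}
    task.status = "Confirmed" if not remaining else "Returned"
    return remaining

# Constructed sample: two assets, three placeholder CVE ids, one exception, scan on 11.10.2024
TODAY = date(2024, 10, 11)
FINDINGS = [Finding("srv-db-01", "CVE-0000-0001", 9.8), Finding("srv-db-01", "CVE-0000-0002", 5.3),
            Finding("ws-042", "CVE-0000-0001", 9.8), Finding("ws-042", "CVE-0000-0003", 3.1)]
RESCAN = [Finding("srv-db-01", "CVE-0000-0002", 5.3)]  # next scan: only one of the two fixes landed
```

Running `build_tasks(FINDINGS, {"srv-db-01"}, {"CVE-0000-0003"}, TODAY)` and then `confirm` against `RESCAN` leaves the workstation task Confirmed and returns the database server task to work because one of its grouped vulnerabilities is still present.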
