Security Vision
We present Security Vision Next Generation Vulnerability Management (Security Vision NG VM), a comprehensive vulnerability management product that covers detecting vulnerabilities on assets, providing detailed information on each identified vulnerability together with recommendations for its elimination (including update automation), a confirmation control process, and deadline and SLA monitoring. The updated product consists of three main blocks:
· Asset management, which builds an asset base, including scanning and detecting new assets, their automatic identification, inventory and lifecycle management, as well as performing automated administrative actions;
· Vulnerability scanning, which provides its own vulnerability detection engine with time-limiting capabilities and the use of scanning windows on Windows/Linux hosts, containerization environments, application software, network devices, databases, etc.;
· The process of eliminating detected vulnerabilities, including automatic confirmation of removal, autopatching, and integration with external Service Desks.
Asset management
As part of the Asset Management block, the product provides functionality for automatically detecting and collecting asset data, categorizing and managing assets in accordance with ITIL recommendations, and performing a wide variety of pre-configured actions on the assets themselves. Assets are automatically grouped by subnet. The system builds a network map that is also available in graphical form.
In addition to scanning, assets can be automatically obtained or enriched from a large number of pre-configured external sources (with the ability to add your own sources and integrations): directory services (Active Directory, OpenLDAP, FreeIPA, Astra Linux Directory, etc.), various security tools (antivirus, SIEM, DLP), infrastructure services, files of various formats, etc. Assets can also be created manually.
Various asset types are pre-configured in the product: servers, workstations, network devices, databases, printers, VoIP devices, etc. Each asset type has its own attribute composition, cards for visually displaying characteristics and working with the object, and its own set of actions that can be performed on the asset, both to collect data and to change the device configuration. Each of the preset asset types can be customized: add new attributes, change the display on cards, in tabular lists or in trees, adjust the lifecycle process, and add new actions for each asset type.


Part of Asset Management is a full-fledged resource and service model, which includes such objects as an Information System, a Business Process, an Application, Equipment, Suppliers, and Products. On the object cards, you can fill in their data and build connections between the objects. All objects of the resource-service model can be created manually or imported from external systems.

A large number of new scripts for interacting with assets have been added, which allow you to perform typical actions for obtaining information, administering and changing configurations on Linux/Windows hosts, various types of network equipment and databases.
The product has built-in functionality for managing and monitoring installed software, with the ability to maintain white/black lists and lists of authorized and unauthorized software, and to centrally manage its updates.
The ability to execute complex scripts with automatic patching is implemented, including the ability to roll back the changes made.
As part of regular vulnerability database updates, Security Vision additionally provides information about trending vulnerabilities and performs additional checks to detect the most relevant and critical vulnerabilities.
Vulnerability scanning
To find vulnerabilities, the system has its own engine as well as a built-in vulnerability elimination process that can be flexibly customized for each Customer and its internal processes. Scanning can be performed remotely or through the product's own agents. It is possible to scan remote segments without direct network access to the server: for this purpose, a separate system component is installed as a service (or a chain of such components) through which all requests are proxied and information is received.

When scanning for vulnerabilities, a large number of settings are available, including:
· Scanning modes (fast, file-based, scan depth, etc.);
· Scan time limits;
· The ability to specify scan windows, with a separate option to wait for the desired window (scan windows can be configured individually for each asset);
· The ability to specify excluded nodes for which vulnerability scanning will not be performed;
· And much more.
Using templates, you can perform regular on-demand (button) scans or scheduled scans.
It is possible to upload inventory results from a file and scan them. This is convenient for geographically remote branches or assets that have no network access. In this case, a script is provided (for different operating systems) that can be executed on the host; based on its results, the system performs a vulnerability scan.
The product also supports processing scan results from other vulnerability scanners (both open source and proprietary), uploaded as report files or received via API.
The product is able to search for vulnerabilities in a large number of operating systems, system and application software, and network devices: Astra Linux, ALT Linux, RedOS, Ubuntu, RedHat, CentOS, AlmaLinux, Oracle Linux, Debian (including Debian-based systems), Windows desktop and server versions, application software (including click-to-run versions of MS Office, Exchange, SharePoint), databases (MS SQL, PostgreSQL, MySQL, Oracle, Elasticsearch, etc.), and network devices (Cisco, Juniper, CheckPoint, PaloAlto, Sun, etc.).
Additionally, the product provides the ability to search for vulnerabilities in Docker containers (both running and stopped) and in container images, including in environments running Kubernetes.
The results are provided in detail for each object (IT asset) as well as for the entire scanning procedure. For each vulnerability, its ratings, description, tags and the objects on which it was found are shown, together with the recommendations whose implementation fixes it. Additionally, recommendations for installing security updates and information on operating systems that have reached end of support are provided.

The vulnerability card contains a full description of the vulnerability obtained from various sources (including expert analytical Internet services), scores, the attack vector, ways to eliminate the vulnerability (for various operating systems), whether an exploit exists, and other information.

Different scanning modes
· Pentest – detection and verification of whether network vulnerabilities can be exploited, including the most serious exploits, weak password checks, checks for outdated/vulnerable encryption algorithms, etc.
· Web application scanning – checks for XSS, CSRF, SQL injection, RFI and code injection vulnerabilities, disclosure of internal information and site settings, weak password checks, user enumeration, and verification of specific web vulnerabilities, etc.
· Retro scan – search for vulnerabilities based on data previously obtained from assets, without connecting to them or waiting for scan windows. This is the fastest verification mode, convenient for frequent checks for new vulnerabilities and urgent threats, as well as for spot checks of individual vulnerabilities based on internal and external requests. If there are containers, the scan is performed on them as well.
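The retro scan described above works on stored inventory rather than on live hosts. The following is an added illustration of that idea, not Security Vision code: a previously collected snapshot of installed package versions (for hosts and a container) is matched offline against a vulnerability feed, with each advisory bound to a release branch so that a fix in one branch does not flag versions from another. The inventory, the advisory feed, the branch field and the placeholder vulnerability ids are all constructed for the example.

```python
"""Retro scan: match a previously collected inventory against a vulnerability
feed without reconnecting to the assets. Added illustration, not Security Vision
code; the inventory snapshot and advisory feed below are constructed sample data."""
import re
from typing import Dict, List, Tuple

# Constructed inventory snapshot as an earlier scan (or an uploaded inventory
# file) would have stored it: asset -> {package: installed version}. The last
# entry stands for a container running on web-01, which a retro scan also covers.
INVENTORY: Dict[str, Dict[str, str]] = {
    "web-01": {"openssl": "1.1.1k", "nginx": "1.18.0"},
    "db-01": {"openssl": "1.1.1w", "postgresql": "13.4"},
    "web-01/container:api": {"openssl": "3.0.1"},
}

# Constructed advisory feed: (package, affected release branch, first fixed
# version, placeholder id, CVSS). Ids are placeholders, not real identifiers.
ADVISORIES: List[Tuple[str, str, str, str, float]] = [
    ("openssl", "1.1.1", "1.1.1t", "VULN-PLACEHOLDER-1", 7.5),
    ("openssl", "3.0", "3.0.8", "VULN-PLACEHOLDER-2", 7.5),
    ("nginx", "1", "1.20.1", "VULN-PLACEHOLDER-3", 5.3),
    ("postgresql", "13", "13.3", "VULN-PLACEHOLDER-4", 8.8),
]


def version_key(version: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so that versions compare
    numerically segment by segment, with a letter suffix compared last."""
    key = []
    for segment in version.split("."):
        match = re.fullmatch(r"(\d*)(.*)", segment)
        number, suffix = match.group(1), match.group(2)
        key.append((int(number) if number else 0, suffix))
    return tuple(key)


def in_branch(version: str, branch: str) -> bool:
    """True if the numeric part of `version` starts with the branch, e.g.
    3.0.1 is in branch 3.0 but 1.1.1k is not."""
    numbers = [n for n, _ in version_key(version)]
    wanted = [n for n, _ in version_key(branch)]
    return numbers[: len(wanted)] == wanted


def retro_scan(inventory: Dict[str, Dict[str, str]],
               advisories: List[Tuple[str, str, str, str, float]]) -> Dict[str, List[dict]]:
    """Return findings per asset, highest CVSS first, using stored data only."""
    results: Dict[str, List[dict]] = {}
    for asset, packages in inventory.items():
        hits = []
        for package, branch, fixed, vuln_id, cvss in advisories:
            installed = packages.get(package)
            if installed is None or not in_branch(installed, branch):
                continue
            if version_key(installed) < version_key(fixed):
                hits.append({"id": vuln_id, "package": package, "installed": installed,
                             "fixed_in": fixed, "cvss": cvss})
        results[asset] = sorted(hits, key=lambda hit: -hit["cvss"])
    return results


if __name__ == "__main__":
    for asset, findings in retro_scan(INVENTORY, ADVISORIES).items():
        print(asset, [(f["id"], f["installed"], f["fixed_in"]) for f in findings])
```

A spot check for one urgent threat is the same call with the advisory list filtered to that single entry; because nothing contacts the hosts, it can run as often as the feed updates.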

The process of eliminating discovered vulnerabilities
The product has several vulnerability management policies built in (based on CVSS and on the CIAT metrics of the asset, a custom "Decision Tree", etc.) that set the SLA for elimination in business or calendar days; they can be fully customized to the Customer's internal processes. Users can choose different scenarios for creating and grouping tasks: for example, create separate tasks for certain vulnerabilities and objects, group all vulnerabilities of one asset into a single task, or create one task per vulnerability covering all assets on which it is found.
The created elimination tasks provide complete information on the objects to be remediated, the detected vulnerabilities, their criticality and other characteristics. Vulnerability elimination tasks can not only be created inside Security Vision but can also be automatically transferred to external Service Desk / ITSM systems (Naumen SD, Jira, OTRS, Redmine, etc.), followed by automatic monitoring of the completion status of all assigned tasks.

Separately, it is worth noting the built-in task confirmation mechanism. "Completed" is not a task's final status. During subsequent scans, the system automatically checks whether everything specified in the task has actually been eliminated. If everything is fixed, the system switches the task to the "Confirmed" status; if any of the vulnerabilities remain, the system returns the task to work and flags that it has not been solved.
When fixing vulnerabilities, you can use the automatic "patching" mechanism: at the click of a button or fully automatically, the system can update the vulnerable software to the current version. Settings for automatic "rollback" of changes in case they fail to apply are also available.

The product provides the ability to add vulnerabilities to exceptions, which removes them from statistics and prevents elimination tasks from being created for them in future scanning procedures.
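The elimination process described above (policy-driven SLA, task grouping, exceptions and post-rescan confirmation) can be shown end to end in a small model. The following is an added example, not Security Vision code: the SLA tiers, the asset criticality ratings, the status names, the CPE exception and every finding are constructed for the illustration, and the vulnerability ids are placeholders. It computes a deadline in business days from the CVSS score and the asset's criticality, groups findings into tasks either per asset or per vulnerability, drops findings whose CPE is excepted, and after a later scan either confirms a task or returns it to work with the unresolved items flagged.

```python
"""Vulnerability elimination workflow: SLA from a remediation policy, task
grouping, CPE exceptions and confirmation after a later scan. Added illustration,
not Security Vision code; policy thresholds, status names, asset ratings and all
findings below are constructed samples and the vulnerability ids are placeholders."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    cpe: str


@dataclass
class Task:
    key: str                 # asset name or vulnerability id, depending on grouping
    items: List[Finding]
    due: date
    status: str = "Open"
    unresolved: List[Finding] = field(default_factory=list)


# Constructed policy: (minimum CVSS score, SLA days), strictest tier first.
SLA_TIERS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]
# Constructed asset criticality derived from CIAT ratings; "high" assets are
# moved one tier stricter than the CVSS score alone would give.
ASSET_CRITICALITY: Dict[str, str] = {"web-01": "high", "db-01": "medium"}
# Constructed exception: findings on this CPE get no task and are left out.
CPE_EXCEPTIONS: Set[str] = {"cpe:2.3:a:example:legacytool:1.0:*:*:*:*:*:*:*"}


def sla_days(cvss: float, criticality: str) -> int:
    tier = next(i for i, (floor, _) in enumerate(SLA_TIERS) if cvss >= floor)
    if criticality == "high":
        tier = max(tier - 1, 0)
    return SLA_TIERS[tier][1]


def add_business_days(start: date, days: int) -> date:
    """Advance `days` working days (Monday to Friday), skipping weekends."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def due_date(start: date, finding: Finding, business_days: bool = True) -> date:
    days = sla_days(finding.cvss, ASSET_CRITICALITY.get(finding.asset, "medium"))
    return add_business_days(start, days) if business_days else start + timedelta(days=days)


def create_tasks(findings: List[Finding], start: date, group_by: str = "asset") -> List[Task]:
    """Group accepted findings into tasks: 'asset' makes one task per asset with
    all its vulnerabilities, 'vulnerability' one task per vulnerability across assets."""
    groups: Dict[str, List[Finding]] = {}
    for finding in findings:
        if finding.cpe in CPE_EXCEPTIONS:
            continue
        key = finding.asset if group_by == "asset" else finding.vuln_id
        groups.setdefault(key, []).append(finding)
    # The earliest deadline among a task's findings governs the whole task.
    return [Task(key=k, items=v, due=min(due_date(start, f) for f in v)) for k, v in groups.items()]


def reconcile(task: Task, rescan: List[Finding]) -> str:
    """Confirmation after a later scan: 'Completed' is not final; the task is
    confirmed only if none of its findings are still present."""
    still_present = {(f.asset, f.vuln_id) for f in rescan}
    task.unresolved = [f for f in task.items if (f.asset, f.vuln_id) in still_present]
    task.status = "Confirmed" if not task.unresolved else "Returned to work"
    return task.status


# Constructed findings from a scan run on Friday 2024-06-07.
SCAN_DATE = date(2024, 6, 7)
FINDINGS = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 8.1, "cpe:2.3:a:example:webserver:1.18:*:*:*:*:*:*:*"),
    Finding("web-01", "VULN-PLACEHOLDER-2", 5.0, "cpe:2.3:a:example:legacytool:1.0:*:*:*:*:*:*:*"),
    Finding("db-01", "VULN-PLACEHOLDER-1", 8.1, "cpe:2.3:a:example:webserver:1.18:*:*:*:*:*:*:*"),
    Finding("db-01", "VULN-PLACEHOLDER-3", 5.0, "cpe:2.3:a:example:dbms:13.4:*:*:*:*:*:*:*"),
]

if __name__ == "__main__":
    tasks = create_tasks(FINDINGS, SCAN_DATE)
    rescan = [FINDINGS[3]]   # constructed later scan: only db-01 / VULN-PLACEHOLDER-3 remains
    for task in tasks:
        print(task.key, task.due, reconcile(task, rescan), [f.vuln_id for f in task.unresolved])
```

Running it yields two tasks: the web-01 task (7 business days, due 2024-06-18) is confirmed because its only non-excepted finding is gone, while the db-01 task is returned to work with VULN-PLACEHOLDER-3 flagged as unresolved.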
Recent updates
Added the ability to export the result of a node vulnerability scan in machine-readable JSON format.

Additional sections with pre-configured filtering have been added so that users can quickly analyze information, in particular:
a) The "Detected vulnerabilities" section has been added, which lists only those vulnerabilities that were identified in the scan results.
b) The "Exploit vulnerabilities" section has been added, which lists only those vulnerabilities for which exploits already exist.

The mechanism for adding vulnerabilities to exceptions has been expanded: in particular, individual Common Platform Enumeration (CPE) entries/products can now be added to exceptions.

The list of expert scripts for the Pentest mode has been expanded; there are now more than 80 of them.

All expert scripts of the Pentest mode are open: users can edit them and add scripts of their own (without involving a developer).
