USM Anywhere delivers vulnerability assessment as part of a complete package of security monitoring and management capabilities for efficient threat detection, because in order to improve security in your network, you first need to know what's vulnerable.
Vulnerability assessment is a functionality of USM Anywhere used for defining, identifying, classifying, and prioritizing the vulnerabilities in your system. The universal open and standardized method for rating IT vulnerabilities and determining the urgency of response is the Common Vulnerability Scoring System (CVSS). This method assigns severity scores to vulnerabilities. Scores range from 0 to 10, with 10 being the most severe.
USM Anywhere uses CVSS version 2 (CVSSv2) for scoring.
About Vulnerability Assessment in USM Anywhere
USM Anywhere detects vulnerabilities in assets and controls the following scanning functions:
- Running and scheduling vulnerability scans, see Performing Vulnerability Scans
- Generating and examining reports, see Viewing Vulnerabilities Scan Results
USM Anywhere detects vulnerabilities using an authenticated scan, where the USM Anywhere Sensor initiates a credentialed SSH (Linux) or WinRM (Windows) connection to the asset and remotely runs a series of commands for host-based assessment.
Vulnerability detection is based on an implementation of the Security Content Automation Protocol (SCAP) and the Open Vulnerability Assessment Language (OVAL) 5.11.2 schema version. The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. The OVAL Schema is maintained by The MITRE Corporation and developed by the public OVAL Community website at http://oval.mitre.org.
OTX queries NVD and MITRE every hour for the latest vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries OTX to update the vulnerability information.
For Linux variants, USM Anywhere performs a series of generic UNIX and independent schema tests in addition to flavor-specific tests for AIX, FreeBSD, HP-UX and Linux. For Windows, USM Anywhere performs a series of Windows Schema and Independent Schema tests.
Commands Running in the Authenticated Vulnerability Scans
When you run an authenticated scan in USM Anywhere, many commands execute at the same time. These commands change constantly, and new definitions are released every day.
Nevertheless, if you need to, you can check which commands were executing at a given moment.
Authenticated scans use privilege escalation over SSH, and the commands are logged in the audit log.
Windows authenticated scans perform file and registry checks to determine the installed patch version.
Discovering a vulnerability is important in itself, but is of little use without the ability to estimate its severity for the affected asset. For this reason, USM Anywhere assigns a severity to each vulnerability found in the system according to its Common Vulnerability Scoring System (CVSS) base score.
| Severity | Base Score Range |
Important: There is also an Under Analysis severity. This severity displays when the National Vulnerability Database (NVD) has not assigned a CVSS base score to the vulnerability. OTX queries NVD and MITRE every hour looking for the latest vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries OTX to update the vulnerabilities information. If the NVD has updated the CVSS base score for that vulnerability, USM Anywhere will update the status after you run a new vulnerability scan.
In USM Anywhere you can find active vulnerabilities and inactive vulnerabilities.
When you run a scan on an asset and USM Anywhere finds a vulnerability, this vulnerability is active. If you later run a new scan on the same asset and USM Anywhere finds more vulnerabilities, but the vulnerability found in the previous scan is not found in this new scan, that vulnerability becomes inactive and the new vulnerabilities are active. Inactive vulnerabilities are those that were present in a previous scan but are not present in the latest one.
A Practical Example
USM Anywhere finds 15 vulnerabilities when you run a scan on an asset, so you will see "active: 15, inactive: 0". Then you fix these vulnerabilities. A week later, you run a scan on the same asset. This new scan finds 3 vulnerabilities, so you will have 3 active vulnerabilities out of the 15 found, and USM Anywhere will display "active: 3, inactive: 12".
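The two behaviours described above, the CVSS-based severity label (including Under Analysis when NVD has not scored a vulnerability) and the active/inactive bookkeeping across consecutive scans, as an added example that is not USM Anywhere's own code. The severity thresholds are the NVD's published CVSSv2 bands, an assumption since the page's table does not reproduce them; the finding IDs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set


def severity_for(base_score: Optional[float]) -> str:
    """Label a CVSSv2 base score the way the vulnerability list does.

    None means NVD has not yet assigned a base score, so the vulnerability
    stays "Under Analysis" until a later scan pulls an updated score via OTX.
    Bands are the NVD CVSSv2 ranges (assumed, not taken from the page):
    Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.
    """
    if base_score is None:
        return "Under Analysis"
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    return "High"


@dataclass
class AssetVulnState:
    """Active/inactive vulnerability sets for a single asset."""
    active: Set[str] = field(default_factory=set)
    inactive: Set[str] = field(default_factory=set)

    def apply_scan(self, found: Iterable[str]) -> "AssetVulnState":
        """Record one completed scan: whatever this scan found is active,
        anything seen in any earlier scan but missing now is inactive
        (a previously inactive finding that reappears becomes active again)."""
        found = set(found)
        self.inactive = (self.active | self.inactive) - found
        self.active = found
        return self

    def counts(self) -> Dict[str, int]:
        return {"active": len(self.active), "inactive": len(self.inactive)}


def worked_example() -> Dict[str, int]:
    """The page's scenario: 15 findings, fixes applied, rescan finds 3."""
    # constructed placeholder IDs, not real vulnerability identifiers
    first_scan = [f"finding-{i:02d}" for i in range(15)]
    second_scan = first_scan[:3]
    state = AssetVulnState().apply_scan(first_scan)
    return state.apply_scan(second_scan).counts()  # {'active': 3, 'inactive': 12}
```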
Searching Active or Inactive Vulnerabilities
When you navigate to ENVIRONMENT > VULNERABILITIES, USM Anywhere displays, by default, all active vulnerabilities. The filter Show Active is checked.
If you want to see the inactive vulnerabilities, click the Show Active filter to clear the check mark. USM Anywhere then displays the list of your inactive vulnerabilities.
You can also see if a vulnerability is active or inactive from the full details screen of a vulnerability.