About Vulnerability Sync

  • 13 December 2021


Introduction

Vulnerability detection and remediation play critical roles in protecting your environment from the “easy” stuff, aka known issues. However, detecting a vulnerability and actually remediating it are often owned by different teams.

Historically, the process of patching detected vulnerabilities has been disjointed and arduous. That’s why we created Vulnerability Sync.


What is Vulnerability Sync?

Vulnerability Sync is an all-new Automox feature that consumes vulnerability scan data from CrowdStrike, Rapid7, Tenable, and more, so that the detected vulnerabilities can be remediated quickly with Automox.

 

How does it Work?

Vulnerability Sync consumes vulnerability scan data from a number of vendors, which is used to create patching tasks that can be run against the vulnerable hosts (aka devices).

The workflow is simple and efficient, and seamlessly integrates IT and SecOps workflows. Visit our support page for step by step instructions.


How Does Automox Consume the Scan Data?

In order to consume vulnerability scan data from a third party, the exported CSV file must be formatted correctly. The very first line of the export must read Hostname, CVE ID exactly; otherwise the import will fail.

Next, each hostname must be listed and must match the hostname in Automox exactly; keep in mind that this field is case-sensitive. Each hostname is followed by the CVE ID, separated by a comma. The only special characters allowed in the CVE ID are dashes. Optionally, a severity can be included in a third column using one of the following keywords: Critical, High, Medium, Low. Your CSV file for import should look something like this:

    Hostname, CVE ID, Severity
    finance-laptop,cve-2021-1234,high
    finance-laptop,cve-2021-6789
    finance-laptop,cve-2021-5522,critical
    sales_laptop,cve-2021-9944,medium

For more information on the requirements and vendor-specific scan export steps, visit our support page.

How Do I Patch the CVEs, and Are Reboots Automatic?

Once a task is created for each CVE, “Run Now” starts the patching process immediately. Currently, it is not possible to delay or schedule patching for the future with tasks created from Vulnerability Sync.

Keep in mind that users will not be notified that their device is patching, and Automox will not automatically reboot a device if a reboot is required after patching, though the device status will change to “Needs Reboot.”

What Errors May I See?

There are several errors that may appear if there is a problem with the file itself or its contents. “CVE not found” errors indicate that Automox doesn’t have data on a particular CVE detected by the third-party scan. It could also indicate that the CVE is outdated or superseded by a newer CVE, or that the CVE is associated with unsupported software or an unsupported OS (more on that later).

“Hostname not found” indicates that Automox couldn’t find a device in its database with the same hostname. It may be a case mismatch in the hostname, or it could mean that a device you scanned does not have the Automox agent deployed.

“Duplicate hostname” errors mean that two or more of the same hostnames were found for a particular vulnerability. Devices with duplicate hostnames may also be the result of incorrect imaging. We’ll patch all of the duplicated hosts by default.
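A pre-import check, added here as an example and not part of Automox or this post, that applies the CSV format rules from the “How Does Automox Consume the Scan Data?” section and flags the hostname and duplicate conditions described above before the file is uploaded. It assumes a hypothetical `inventory` set standing in for the hostnames Automox knows, and the CVE-YYYY-NNNN shape is the public CVE naming convention rather than something this post states.

```python
import csv
import io
import re
from collections import Counter

# Exact header forms and severity keywords the post requires; the CVE-YYYY-NNNN shape is the
# public CVE convention (dashes are the only special character the post allows).
HEADERS = (["Hostname", "CVE ID"], ["Hostname", "CVE ID", "Severity"])
SEVERITIES = {"critical", "high", "medium", "low"}
CVE_RE = re.compile(r"^cve-\d{4}-\d{4,}$", re.IGNORECASE)

def preflight(csv_text, inventory):
    """Return (line_no, message) problems; `inventory` is the hypothetical set of hostnames Automox knows."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    header = [c.strip() for c in rows[0]] if rows else []
    if header not in HEADERS:
        return [(1, f"first line must be 'Hostname, CVE ID[, Severity]', got {header!r}")]
    problems, pairs = [], Counter()
    folded = {h.lower(): h for h in inventory}  # for case-mismatch hints
    for line_no, row in enumerate(rows[1:], start=2):
        row = [c.strip() for c in row] + ["", "", ""]  # pad so missing columns read as empty
        host, cve, sev = row[0], row[1], row[2]
        if not CVE_RE.match(cve):
            problems.append((line_no, f"bad CVE ID {cve!r}: expected CVE-YYYY-NNNN, dashes only"))
        if sev and sev.lower() not in SEVERITIES:
            problems.append((line_no, f"severity {sev!r} is not Critical/High/Medium/Low"))
        if host not in inventory:  # hostnames are matched case-sensitively
            if host.lower() in folded:
                problems.append((line_no, f"case mismatch: Automox has {folded[host.lower()]!r}"))
            else:
                problems.append((line_no, "hostname not found: no device with this name (agent deployed?)"))
        pairs[(host, cve.lower())] += 1
    for (host, cve), n in pairs.items():  # same hostname listed twice for one CVE
        if n > 1:
            problems.append((0, f"duplicate hostname {host!r} for {cve} ({n} rows)"))
    return problems

# Constructed sample export and device inventory (not from the post), one row per check.
SAMPLE_CSV = """Hostname, CVE ID, Severity
finance-laptop,cve-2021-1234,high
finance-laptop,cve-2021-1234
Finance-Laptop,cve-2021-5522,critical
sales_laptop,CVE 2021 9944,medium
hr-desktop,cve-2021-7777,urgent
"""
INVENTORY = {"finance-laptop", "sales_laptop"}

def run_sample():
    return preflight(SAMPLE_CSV, INVENTORY)
```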

 

What Does Each Task Status Mean?

Pending tasks have likely been uploaded recently, or are sitting in the Task List screen awaiting the user’s action. A task will remain in this status until it is rejected or executed.

In-Progress tasks have been started, and commands are being issued to all impacted devices. Tasks will remain in this status until every command is issued and the devices have reported back. This may take up to 24 hours following task execution, since Automox will wait for disconnected or offline devices. If a device is still unresponsive after 24 hours, Automox will log a failed task for that device with the appropriate error code, and then move the status to complete for the device.

Executed tasks have been completed. However, there may be failures that need to be reviewed. A full device-level report with error codes is available as a CSV export to help with troubleshooting (more on that here). The summary card will reflect the total successes and failures.

Rejected tasks are pending tasks that an administrator has rejected. Once rejected, tasks cannot be changed to a different status, but they’ll remain in the Task List screen for audit and review.

 

What are the Technical Constraints?

Automox can consume scan data from CSV files up to 1 GB in size. Files larger than 1 GB should be split up, but remember that Hostname, CVE ID is the required header for each file, so you’ll need to add it to any new files you create. If you are including severity data in your CSV file, the header should be Hostname, CVE ID, Severity.

Today, Vulnerability Sync can consume and remediate vulnerabilities for Windows and Linux operating systems only. CVEs for macOS and for any third-party software (including third-party software on Windows and Linux) will show “CVE not found” errors at import.

 

Frequently Asked Questions

Can I stop in-progress tasks? Currently, tasks that are in progress cannot be stopped.

Can I use other file formats, like JSON? Currently you must use CSV files delimited by a comma (,).

What if my vulnerability scan results aren’t from a supported vendor? The format of the file is what determines compatibility with Vulnerability Sync. Administrators may be able to transform the file to match the requirements and therefore make it work with Vulnerability Sync.

Can I schedule tasks from Vulnerability Sync to execute later? Currently, tasks executed from Vulnerability Sync run immediately and cannot be scheduled.

Why are my tasks taking 24 hours to complete? If a device included in a task is offline or otherwise unreachable, Automox will wait 24 hours before marking the task as failed for that device.

 

Conclusion

With the all-new Automox Vulnerability Sync, remediating thousands of vulnerabilities detected by third parties has never been more efficient. You can now consume, remediate, and report on detected vulnerabilities faster than ever, and plug the gaps in your environment before the bad guys find them.

