Identifying and Prioritizing Vulnerabilities
  • 27 Jun 2022
  • 6 Minutes to read


Gain a unified view of your organization’s exposure to vulnerabilities. Identifying vulnerabilities is critical to understanding asset security in your environment, as well as your overall security posture. Axonius enables IT managers and security teams to identify, investigate, and prioritize vulnerabilities, improving the accuracy and effectiveness of vulnerability management, more efficiently meeting compliance and policy requirements, and lessening the burden on IT managers who are over-extended with routine management tasks.

Seeing and Managing Vulnerabilities Across the Entire Fleet

Understand the presence and impact of all observed vulnerabilities. Axonius allows you to easily identify all known vulnerabilities that exist in your environment. The Vulnerability Management module enables users to analyze a centralized view of vulnerabilities in a single pane, rather than through the lens of devices. Security and IT admins can track vulnerabilities across entire fleets of devices and automatically map those threats to their assets to reveal critical exposures.

Vulnerability data is aggregated, normalized, enriched, and contextualized allowing IT managers or security team members to understand the impact to the business, and to take appropriate action based on severity and asset criticality.

From the vulnerabilities page, you can gain extensive visibility into CVEs in your environment including CVSS score, severity, and attack vector. Through advanced queries, Axonius uncovers the relationships between unique vulnerabilities and devices looking at operating systems, installed software, last seen date, open ports, public IPs, and network interfaces, to deliver deep insights around vulnerabilities and the devices they impact.

Recommended Categories of Data Sources to Support Vulnerability Management

The following Adapter categories are recommended when managing vulnerabilities. Although not an exhaustive list, it provides guidance on the types of data that best support vulnerability management.

  • Vulnerability Analysis (VA) Tool – vulnerability assessment tool to identify, prioritize and rate vulnerabilities
  • Networking – monitor networks to discover unauthorized traffic, or IP or port misconfigurations
  • EDR/EPP – detect and protect endpoints against a variety of attack types and vectors
  • Config/Patch Mgt – for configuration and patch management of assets
  • Cloud Security – secure cloud environments (data, applications, and infrastructure)
  • AppSec – find, fix, and prevent security vulnerabilities in the software development lifecycle
  • Cyber Intelligence – threat detection, potential exposure alerts, and cybersecurity performance

Discover if Known Vulnerabilities Are Present in Your Environment

Not sure if a particular vulnerability exists in your environment? Axonius lets you discover specific CVE IDs, as well as all known CVEs, their severity, and their impact.

To find a specific CVE ID, start from the Vulnerabilities page and click the blue Query Wizard button to create a new query. In the Vulnerabilities section of the query, include criteria where CVE ID equals the CVE ID you are looking for; CVE-2019-7031 is used as the example here. No entry is required in the Device section of the query: as shown here, the field prompt appears but no data is entered.
1. Show vulnerabilities Query.PNG

To identify all CVEs with a critical severity, create a new query using the Query Wizard. In the Vulnerabilities section of the query, include criteria where CVE Severity equals CRITICAL. No entry is required in the Device section of the query. Axonius finds all critical vulnerabilities that exist in your environment, allowing you to see which vulnerability was identified, by which adapter and on which device it is present.
2. Show vulnerability severity Query.PNG

To see how critical vulnerabilities directly impact devices in your environment, add device-level criteria in the multi-level Query Wizard.

For example, to find critical vulnerabilities on devices with public-facing IP addresses, start with the example above using the Query Wizard to include criteria for both vulnerabilities and devices. Show vulnerabilities where CVE Severity equals CRITICAL. Then add Device criteria where Public IPs exist.

The results show where vulnerabilities impact devices with public-facing IP addresses, which could pose a critical security threat.
3. Show vulnerability severity on public IPs Query.PNG

Discover New or Persistent Vulnerabilities

Not sure how long a vulnerability has existed? Find the first seen date of the vulnerability to determine whether it is a new threat or a persistent one. Then add device attributes that provide context and inform vulnerability prioritization.

From the Vulnerabilities page, select the blue Query Wizard button to create a new query using only the Vulnerabilities section of the query where First Seen includes last days equal to 7 (or whatever time you prefer). No entry is required in the Device section of the query.
4. New vulnerabilities Query.PNG

5. Query results.PNG

Contextualizing vulnerabilities with device data helps prioritize the importance of threats to your environment.

For instance, to identify new vulnerabilities on Windows servers, create an advanced query using both vulnerability and device criteria. In the Vulnerability section of the query include criteria where First Seen includes last days equal to 7. In the Devices section of the query include criteria where the OS: Is Windows Server is true.
6. New vulnerabilities Windows Servers.PNG

The results reveal any vulnerabilities that have been detected within the last seven days on critical Windows servers, which could pose operational security risks if exploited.

Persistent vulnerabilities are those that have existed in your environment for an extended period of time, creating a longer window of vulnerability and opportunity for exploitation. This is especially true if the devices impacted by the vulnerability are missing security agents.

To reveal these security gaps, create a new query including criteria for both vulnerabilities and devices. In the vulnerability section of the query, include vulnerabilities where First Seen, Last Days is 60. Then add Device criteria where the Saved Query is Windows devices missing CrowdStrike agent. In this case, we had previously created a device query that was saved as Windows devices missing CrowdStrike. Axonius can query devices on individual criteria, combined criteria, or previously saved queries, offering nearly endless combinations to track vulnerabilities and their potential impact.
7. Persistent vulnerabilities Missing CrowdStrike.PNG

The results immediately identify where the risk is greatest, helping IT and security teams to prioritize which vulnerabilities to remediate first.

A similar query would be equally effective at identifying persistent vulnerabilities where firewall rules allow access from the public.
8. Persistent vulnerabilities with open firewalls.PNG

Uncover Vulnerabilities with High Asset Criticality - Windows Server Vulnerabilities

Although critical vulnerabilities are alarming on their own, when they exist on vital assets like servers and have high exploitability and impact scores, they pose a more significant risk and require immediate remediation.

From the Vulnerability page, create a new query using the Axonius Query Wizard. In this instance, the query will refer to v3.1 of the Common Vulnerability Scoring System (CVSS) by FIRST, which rates critical vulnerabilities with a numeric score of 9 or greater.

In the vulnerabilities section of the query, include vulnerabilities where CVSS is greater than 9, indicating a critical vulnerability. In the devices section of the query, include criteria where the Saved Query is AWS instances not scanned by a VA tool. As mentioned above, we can use individual or combined device criteria, or a previously saved device query to add context to the vulnerability, helping to prioritize the threat.
9. Critical severity AWS not scanned by VA tool.PNG

The results of the query reveal critical vulnerabilities where AWS instances may be open to exploit.
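The multi-level queries described in this and the preceding sections, as an added Python example that is not Axonius code or output: it models a list of findings joined to device context and expresses each query as a vulnerability predicate ANDed with a device predicate. The hostnames, findings, CVE-0000-000x placeholder IDs and the logic standing in for the two saved queries are constructed, and "persistent" is taken here to mean first seen at least 60 days ago.

```python
from datetime import date, timedelta

# Constructed sample inventory (not Axonius data): device context keyed by hostname,
# and one finding per (CVE, device) pair as the Vulnerabilities page lists them.
TODAY = date(2022, 6, 27)
DEVICES = {
    "web-01": {"os": "Windows Server 2019", "public_ips": ["203.0.113.10"],
               "agents": {"CrowdStrike"}, "cloud": "AWS", "va_scanned": False},
    "db-02": {"os": "Windows Server 2016", "public_ips": [], "agents": set(),
              "cloud": None, "va_scanned": True},
    "lap-03": {"os": "Windows 10", "public_ips": [], "agents": {"CrowdStrike"},
               "cloud": None, "va_scanned": True},
}
def finding(cve, cvss, severity, device, days_ago):
    return {"cve": cve, "cvss": cvss, "severity": severity, "device": device,
            "first_seen": TODAY - timedelta(days=days_ago)}
VULNS = [  # CVE-0000-000x IDs are placeholders
    finding("CVE-2019-7031", 9.8, "CRITICAL", "web-01", 3),
    finding("CVE-0000-0001", 9.0, "CRITICAL", "web-01", 10),
    finding("CVE-2019-7031", 9.8, "CRITICAL", "db-02", 90),
    finding("CVE-0000-0002", 5.3, "MEDIUM", "db-02", 75),
    finding("CVE-0000-0003", 5.3, "MEDIUM", "lap-03", 2),
]

def query(vuln_pred, device_pred):
    """Multi-level query: a finding matches only when its own fields satisfy the
    vulnerability criteria AND its device satisfies the device criteria."""
    return [v for v in VULNS if vuln_pred(v) and device_pred(DEVICES[v["device"]])]

def first_seen_last_days(days):           # "First Seen ... last days equal to N"
    return lambda v: (TODAY - v["first_seen"]).days <= days
def first_seen_at_least_days_ago(days):   # this example's persistence window
    return lambda v: (TODAY - v["first_seen"]).days >= days
def is_windows_server(d):                 # "OS: Is Windows Server"
    return d["os"].startswith("Windows Server")
def missing_crowdstrike(d):               # stands in for saved query "Windows devices missing CrowdStrike"
    return d["os"].startswith("Windows") and "CrowdStrike" not in d["agents"]
def aws_not_va_scanned(d):                # stands in for saved query "AWS instances not scanned by a VA tool"
    return d["cloud"] == "AWS" and not d["va_scanned"]

def critical_on_public_ips():
    return query(lambda v: v["severity"] == "CRITICAL", lambda d: bool(d["public_ips"]))
def new_on_windows_servers(days=7):
    return query(first_seen_last_days(days), is_windows_server)
def persistent_missing_crowdstrike(days=60):
    return query(first_seen_at_least_days_ago(days), missing_crowdstrike)
def cvss_critical_unscanned_aws():
    # CVSS v3.1 rates 9.0-10.0 as Critical, so compare inclusively: a strict
    # "greater than 9" would silently drop a finding scored exactly 9.0.
    return query(lambda v: v["cvss"] >= 9.0, aws_not_va_scanned)
```

Each result row still carries the device it was observed on, so the same join reproduces the "which vulnerability, on which device" view the results pages show.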

Similar queries use the advanced query capabilities of the Axonius Query Wizard to surface critical vulnerabilities where firewalls allow public access, or on Windows devices missing the CrowdStrike agent. Both illustrate how advanced queries uncover the vulnerabilities that matter most.
10. Critical severity with open firewall.PNG

11. Critical severity on Windows Devices missing CrowdStrike.PNG

Automate Responses

Close the gaps on vulnerabilities and monitor changes across your inventory via the Axonius Security Policy Enforcement Center. Choose from 120 enforcement actions to notify the appropriate people, enrich data in CMDBs or third-party sources, or respond by updating vulnerability assessment (VA) scans, deploying files, or isolating devices.

Action library - create incident.PNG

Action library - notify.PNG

Find more details about how actions can be applied in our Action Library.
