Overview


Purpose

View and take unified action on vulnerabilities clustered by affected software or CVE

Use Affected Software Clusters and CVE Clusters to view, prioritize and take unified action on vulnerabilities grouped by the same affected software or by CVE. Vulcan Cyber will provide a high-level overview of your vulnerabilities grouped by the same software component collected from all relevant connectors. Take bulk action on clustered vulnerabilities via the same mitigation or upgrade task.

Feature Highlights

  • Aggregate unique vulnerabilities based on Affected Software (e.g., Windows, Linux, Python, etc.);

  • Aggregate unique vulnerabilities based on CVE;

  • View the most vulnerable software components and take action with the highest impact on remediation;

  • Open tickets at scale based on affected software or CVE;

  • Achieve faster remediation results, lower the risk mass and improve the SPR


What do VMs and CISOs get out of it?

  • For the VM (Vulnerability Manager), the main benefit is to provide decision-supporting information while spending less time drilling into huge amounts of data.

  • For the CISO, the main benefits are:

    • Understand where the most organizational software risk lies

    • Identify software components and CVEs that are most prevalent or have the most risk mass tied around them

    • Drive remediation actions with less effort

    • Drive unified remediation action by choosing to "Separate tickets per unique vulnerability", or to "Aggregate all contents to a single ticket (Up to 200 vulnerabilities per ticket)".


What has changed in the UI?

When you go to the Vulnerabilities page, you'll notice that you now have 3 main tabs:

  • Software Clusters: Software-clustered vulnerabilities view

  • CVE Clusters: CVE-Clustered vulnerabilities view

  • Unique Vulnerabilities: The known and familiar all vulnerabilities view.

Old view:

New view:


Vulnerability Clusters

When it comes to cyber security and vulnerability remediation, prioritization is everything. As a VM, you want to identify the next group of vulnerabilities and assets that require remediation and that share a common remediation action, usually a software upgrade or patch. That is exactly what the Software Clusters and CVE Clusters views deliver.

Software Clusters view

  • Clusters vulnerabilities by "Affected software". For example, kernel, firefox, windows, bind, python, etc.

  • Sorts the vulnerabilities by what interests you most, such as:

    • Risk Mass (by default) - from the highest to the lowest. This helps you understand which software components carry the most risk mass (i.e., account for the largest number of vulnerabilities).

    • Max Risk

    • Amount of affected assets

  • Allows you to focus your clustered results using the Search and filter by parameters such as Threats, Tags, Vuln-tags, specific assets search, etc.

  • Allows you to filter or sort your view by any other parameters you find relevant and important. Examples:

    • Filter by Business Groups to focus on specific business areas that are more important than others

    • Filter by Vendor to focus on vulnerabilities that are part of a team's focus, such as Windows or CentOS

    • Filter/Sort by number of Assets linked to the vulnerabilities to focus on where you have more affected assets

CVE Clusters view

  • Clusters vulnerabilities by CVE.

  • Sorts the vulnerabilities by what interests you most, such as:

    • Risk Mass (by default) - from the highest to the lowest. This helps you understand which CVEs carry the most risk mass (i.e., account for the largest number of vulnerabilities).

    • Exploit Prediction Scoring System (EPSS) - EPSS is an estimate of the likelihood (probability) that a software vulnerability will be exploited in the wild.
      EPSS is a predictive, pre-threat-intelligence signal. If there is evidence that a vulnerability is being exploited, that information should supersede the EPSS score.

  • Allows you to focus your clustered results using the Search and filter by parameters such as Threats, Tags, Vuln-tags, specific assets search, etc.


Take a unified remediation action on vulnerabilities affecting the same software component

As a VM, you can "Take Action" to drive unified remediation action in bulk. This means you can trigger one or more immediate remediation campaigns on all vulnerabilities related to a specific software package or CVE and assign them to a person or a team.

To take a remediation action on clustered vulnerabilities:

  1. Go to Vulnerabilities > Software Clusters or CVE Clusters

  2. Click on the cluster that is relevant to you (you can use the Magic Search and the filters to narrow down the results)

  3. Review the vulnerability cluster details and see all the related vulnerabilities and assets

  4. Select all or only a subset for remediation

  5. Click on "Take Action" and select your remediation method (Jira ticket, ServiceNow, Email, etc.)

  6. You can click "Edit" next to a vulnerability to modify the content of the ticket, such as "Remedies to apply" and "Asset to patch".

  7. Select whether to:
    "Separate tickets per unique vulnerability";
    or to
    "Aggregate all contents to a single ticket (Up to 200 vulnerabilities per ticket)"

  8. Complete the ticket/email form as required

  9. Click "Open ticket" to set the remediation action into motion

  10. Once you "Open ticket", the remediation instructions are sent through the selected channel (JIRA, ServiceNow, Email, etc.).

    The message sent contains simple package update instructions without remedy attachments, unlike regular non-clustered tickets. Apply the instructions to the grouped vulnerabilities to remediate them based on the affected software. The message does contain the package name and the version you should upgrade the affected software to.
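The following added example is not Vulcan Cyber's code; it is a constructed model of the two cluster views described above (grouping by affected software or by CVE, ranking by Risk Mass, Max Risk, affected-asset count or EPSS) and of the ticketing step (one ticket per unique vulnerability, or aggregated tickets capped at 200 vulnerabilities each). The platform's risk formula is not on this page, so risk mass is assumed here to be the sum of per-asset risk scores in a cluster; the findings, CVE ids (CVE-0000-xxxx placeholders), EPSS values, hostnames and package versions are all constructed. It also covers the page's caveat that evidence of in-the-wild exploitation should outrank an EPSS probability.

```python
"""Constructed model of software/CVE clustering and bulk ticketing.

Added illustration, not Vulcan Cyber's code. Risk mass is approximated as
the sum of per-asset risk scores in a cluster (an assumption; the real
formula is not documented on the page).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One (unique vulnerability, asset) pair as a connector would report it."""
    vuln_id: str    # unique vulnerability id (constructed)
    cve: str        # placeholder CVE id (constructed, not a real CVE)
    software: str   # affected software component, e.g. kernel, firefox
    asset: str      # affected asset hostname (constructed)
    risk: float     # per-instance risk score, assumed 0-100 scale
    remedy: str     # package and version to upgrade to (constructed)


@dataclass
class Cluster:
    key: str        # software component name or CVE id
    findings: list

    @property
    def risk_mass(self) -> float:
        # ASSUMPTION: total risk carried by every affected instance
        return sum(f.risk for f in self.findings)

    @property
    def max_risk(self) -> float:
        return max(f.risk for f in self.findings)

    @property
    def asset_count(self) -> int:
        return len({f.asset for f in self.findings})

    @property
    def vuln_ids(self) -> list:
        return sorted({f.vuln_id for f in self.findings})


def cluster_by(findings, key, only_assets=None):
    """Group findings by 'software' (Software Clusters) or 'cve' (CVE Clusters).

    only_assets narrows the input first, standing in for the UI's asset,
    business-group or vendor filters."""
    groups = defaultdict(list)
    for f in findings:
        if only_assets is not None and f.asset not in only_assets:
            continue
        groups[getattr(f, key)].append(f)
    return [Cluster(k, v) for k, v in groups.items()]


def rank(clusters, sort_by="risk_mass", epss=None, exploited=frozenset()):
    """Return cluster keys ordered highest-first by the chosen measure.

    sort_by: 'risk_mass' (default), 'max_risk', 'asset_count' or 'epss'.
    For 'epss', known in-the-wild exploitation (the exploited set) outranks
    any EPSS probability, because that evidence supersedes the prediction."""
    if sort_by == "epss":
        scores = epss or {}
        keyf = lambda c: (c.key in exploited, scores.get(c.key, 0.0))
    else:
        keyf = lambda c: getattr(c, sort_by)
    return [c.key for c in sorted(clusters, key=keyf, reverse=True)]


def plan_tickets(cluster, mode, max_per_ticket=200):
    """Split a cluster's unique vulnerabilities into ticket payloads.

    'separate': one ticket per unique vulnerability.
    'aggregate': tickets holding up to max_per_ticket vulnerabilities each;
    a larger cluster is split across several tickets, never truncated."""
    if mode not in ("separate", "aggregate"):
        raise ValueError(f"unknown mode: {mode}")
    ids = cluster.vuln_ids
    size = 1 if mode == "separate" else max_per_ticket
    tickets = []
    for i in range(0, len(ids), size):
        batch = ids[i:i + size]
        hit = [f for f in cluster.findings if f.vuln_id in batch]
        tickets.append({
            "cluster": cluster.key,
            "vulnerabilities": batch,
            "assets_to_patch": sorted({f.asset for f in hit}),
            "remedies": sorted({f.remedy for f in hit}),  # package + target version
        })
    return tickets


# Constructed connector output: five unique vulnerabilities, four components.
FINDINGS = [
    Finding("kern-001", "CVE-0000-0001", "kernel", a, 80, "kernel 5.15.0-91")
    for a in ("srv-01", "srv-02", "srv-03")
] + [
    Finding("kern-002", "CVE-0000-0002", "kernel", a, 60, "kernel 5.15.0-91")
    for a in ("srv-01", "srv-02")
] + [
    Finding("ffox-001", "CVE-0000-0003", "firefox", "ws-01", 95, "firefox 120.0"),
] + [
    Finding("py-001", "CVE-0000-0004", "python", a, 30, "python3 3.11.7")
    for a in ("srv-01", "srv-02", "srv-03", "srv-04")
] + [
    Finding("bind-001", "CVE-0000-0002", "bind", "dns-01", 70, "bind 9.18.20"),
]
# Constructed EPSS probabilities for the placeholder CVE ids.
EPSS = {"CVE-0000-0001": 0.02, "CVE-0000-0002": 0.61,
        "CVE-0000-0003": 0.90, "CVE-0000-0004": 0.05}

if __name__ == "__main__":
    sw = cluster_by(FINDINGS, "software")
    print("software by risk mass:", rank(sw))
    cv = cluster_by(FINDINGS, "cve")
    print("CVEs by EPSS (CVE-0000-0004 known exploited):",
          rank(cv, "epss", epss=EPSS, exploited={"CVE-0000-0004"}))
    kernel = next(c for c in sw if c.key == "kernel")
    for t in plan_tickets(kernel, "aggregate"):
        print("ticket:", t)
```

Note that the same unique vulnerability contributes to one software cluster but a CVE shared by two packages (here CVE-0000-0002 in kernel and bind) merges into a single CVE cluster, which is why the two views rank differently; the aggregate ticket lists the deduplicated package targets and assets for its batch, mirroring the package-name-and-version content of the clustered ticket described above.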
