Overview


Purpose

Use the Clusters feature to view, prioritize, and take unified action on vulnerabilities grouped by the same Affected Software. In other words, the Clusters feature provides a high-level summarized overview of your vulnerabilities clustered by software component. This lets you act in bulk on vulnerabilities that share the same mitigation/upgrade operation.

Highlights

  • Get a high-level view of your most vulnerable software components and identify the most efficient course of action with the highest impact on remediation

  • Get a summarized view of your vulnerabilities from the most to the least impacting and prevalent

  • Get the vulnerabilities organized by the same required mitigation/upgrade operation

  • Achieve faster remediation results, lower the risk mass and improve the SPR

Currently Supported Connectors

  • Tenable

  • Qualys


What do VMs and CISOs get out of it?

  • For the VM (Vulnerability Manager), the main benefit is to provide decision-supporting information while spending less time drilling into huge amounts of data.

  • For the CISO, the main benefits are:

    • Understand where the most organizational software risk lies

    • Identify software components that are most prevalent or have the most risk mass tied around them

    • Drive remediation actions with less effort

    • Drive unified remediation action by choosing to "Separate tickets per unique vulnerability", or to "Aggregate all contents to a single ticket (Up to 200 vulnerabilities per ticket)".

Let's look at the new "Clusters" view and put things into context

As we all know by now, when it comes to cyber security and vulnerability remediation, prioritization is everything. As a VM, you want to prioritize the next group of vulnerabilities/assets that require remediation and that can be grouped by a common remediation action, which is usually a software upgrade or patch. This is exactly what the Clusters view delivers. It is a dedicated view that:

  • Clusters the vulnerabilities by "Affected software". For example, kernel, firefox, windows, bind, python, etc.

  • Sorts the vulnerabilities by Risk Mass (by default), from the highest to the lowest. This helps you understand which software components carry the most risk mass (i.e., the largest number of vulnerabilities)

  • Allows you to narrow your clustered results using Search and filtering by parameters such as Threats, Tags, Vuln-tags, specific asset searches, etc.

  • Allows you to sort your view by any other parameters you find relevant and important. Examples:

    • Filter by Business Groups to focus on specific business areas that are more important than others

    • Filter by Vendor to focus on vulnerabilities that are part of a team's focus, such as Windows or CentOS

    • Filter/Sort by number of Assets linked to the vulnerabilities to focus on where you have more affected assets


What has changed in the UI?

When you go to the Vulnerabilities page, you'll notice that you now have two main tabs:

  • "Clusters": The new clustered vulnerabilities view this article is about

  • "Unique Vulnerabilities": The known and familiar all vulnerabilities view which contains the sub-tabs (statuses) "Vulnerable", "Fixed", and "Ignored".

Old view:

New view:


Take a unified remediation action on vulnerabilities affecting the same software component

As a VM, you can "Take Action" to drive unified remediation action in bulk. This means that you can trigger an immediate remediation campaign (or more than one) on all vulnerabilities related to a specific software package and assign it to the person or team responsible for that software.

To take a remediation action on clustered vulnerabilities:

  1. Go to Vulnerabilities > Clusters

  2. Click on the cluster that is relevant to you (you can use the Magic Search and the filters to narrow down the results)

  3. Review the vulnerability cluster details and see all the related vulnerabilities and assets

  4. Select all or only a subset for remediation

  5. Click on "Take Action" and select your remediation method (Jira ticket, Service Now, Email, etc.)

  6. Click "Edit" next to a vulnerability to modify the content of the ticket, such as "Remedies to apply" and "Asset to patch"

  7. Select whether to:
     • "Separate tickets per unique vulnerability"; or
     • "Aggregate all contents to a single ticket (Up to 200 vulnerabilities per ticket)"

  8. Complete the ticket/email form as required

  9. Click "Open ticket" to set the remediation action into motion

  10. Once you "Open ticket", the remediation instructions are sent through the selected channel (JIRA, ServiceNow, Email, etc.). The message sent contains simple package update instructions without remedy attachments, unlike the regular non-clustered tickets. The instructions should be applied to the grouped vulnerabilities to remediate them based on the affected software. The message does contain the package name and version you should upgrade the affected software to.
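The grouping, ranking and ticket-splitting logic described in this article can be modelled in a few dozen lines. The following Python script is an added example written for this page; it is not the vendor's code and does not use the product's API. It assumes a constructed finding schema (vulnerability id, affected software, asset, a per-finding risk score and a dotted-numeric fix version), and it defines risk mass as the sum of per-finding risk across all vulnerable assets in a cluster, which is an assumption since the product's own formula is not documented here. Tickets are built either one per unique vulnerability or aggregated in chunks of at most 200, matching the two options in step 7.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Cap stated in the article for the "Aggregate all contents to a single ticket" option
MAX_VULNS_PER_TICKET = 200


@dataclass(frozen=True)
class Finding:
    """One scanner finding: a vulnerability instance on one asset (constructed schema)."""
    vuln_id: str
    affected_software: str   # the clustering key, e.g. "kernel", "firefox", "bind"
    asset: str
    risk: float              # per-finding risk score (assumed; the product's formula is not on the page)
    fix_version: str         # package version that remediates this finding (assumed dotted-numeric)


def cluster_by_software(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by Affected Software, the way the Clusters view does."""
    clusters: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        clusters[f.affected_software].append(f)
    return dict(clusters)


def risk_mass(cluster: List[Finding]) -> float:
    """Assumed definition: sum of per-finding risk over every vulnerable asset in the cluster."""
    return sum(f.risk for f in cluster)


def asset_count(cluster: List[Finding]) -> int:
    """Number of distinct affected assets, an alternative sort key mentioned in the article."""
    return len({f.asset for f in cluster})


def rank_clusters(clusters: Dict[str, List[Finding]], by: str = "risk_mass") -> List[str]:
    """Return software names ordered from most to least impacting by the chosen key."""
    score = {"risk_mass": risk_mass, "assets": asset_count}[by]
    return sorted(clusters, key=lambda sw: score(clusters[sw]), reverse=True)


def _version_key(v: str):
    # Dotted-numeric comparison so "5.10.5" sorts above "5.10.2" (assumption about version format)
    return tuple(int(p) for p in v.split("."))


def build_tickets(cluster: List[Finding], aggregate: bool = True,
                  max_per_ticket: int = MAX_VULNS_PER_TICKET) -> List[dict]:
    """Turn one cluster into ticket payloads.

    aggregate=False -> one ticket per unique vulnerability.
    aggregate=True  -> unique vulnerabilities packed into tickets of at most max_per_ticket.
    Each ticket carries the assets to patch and the highest fix version among its members,
    so a single package upgrade covers every vulnerability in that ticket.
    """
    if not cluster:
        return []
    unique_vulns = sorted({f.vuln_id for f in cluster})
    if aggregate:
        groups = [unique_vulns[i:i + max_per_ticket]
                  for i in range(0, len(unique_vulns), max_per_ticket)]
    else:
        groups = [[v] for v in unique_vulns]

    tickets = []
    for group in groups:
        members = [f for f in cluster if f.vuln_id in group]
        tickets.append({
            "software": cluster[0].affected_software,
            "vulns": group,
            "assets": sorted({f.asset for f in members}),
            "upgrade_to": max((f.fix_version for f in members), key=_version_key),
        })
    return tickets


# Constructed sample findings (not real scanner output)
SAMPLE = [
    Finding("VULN-1", "kernel", "host1", 9.8, "5.10.2"),
    Finding("VULN-1", "kernel", "host2", 9.8, "5.10.2"),
    Finding("VULN-2", "kernel", "host1", 7.5, "5.10.5"),
    Finding("VULN-3", "firefox", "host3", 8.8, "115.0.1"),
    Finding("VULN-4", "bind", "host1", 5.3, "9.18.1"),
]

if __name__ == "__main__":
    clusters = cluster_by_software(SAMPLE)
    for sw in rank_clusters(clusters):
        print(f"{sw:8s} risk_mass={risk_mass(clusters[sw]):5.1f} assets={asset_count(clusters[sw])}")
    for ticket in build_tickets(clusters["kernel"]):
        print(ticket)
```

On the sample data the kernel cluster ranks first by both risk mass and asset count, and aggregating it yields a single ticket listing both vulnerabilities, both hosts, and an upgrade target of 5.10.5, the version that closes everything in the ticket. Lowering `max_per_ticket` shows how a large cluster is split once the 200-vulnerability cap is reached.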
