About
When it comes to cyber security and vulnerability remediation, prioritization is everything. As a VM (Vulnerability Manager), you want to prioritize the next group of vulnerabilities or assets that share a common remediation action, usually a software upgrade or patch. This is exactly what the Software Clusters and CVE Clusters views deliver.
Purpose
View and take unified action on vulnerabilities clustered by affected software or CVE
Use Affected Software Clusters and CVE Clusters to view, prioritize and take unified action on vulnerabilities grouped by the same affected software or by CVE. Vulcan Cyber will provide a high-level overview of your vulnerabilities grouped by the same software component collected from all relevant connectors. Take bulk action on clustered vulnerabilities via the same mitigation or upgrade task.
Highlights
Aggregate unique vulnerabilities based on Affected Software (e.g., Windows, Linux, Python, etc.);
Aggregate unique vulnerabilities based on CVE;
View the most vulnerable software components and take action with the highest impact on remediation;
Open tickets at scale based on affected software or CVE;
Achieve faster remediation results, lower the risk mass and improve the SPR.
What do VM and CISOs get out of it?
For the VM (Vulnerability Manager), the main benefit is to provide decision-supporting information while spending less time drilling into huge amounts of data.
For the CISO, the main benefits are:
Understand where the most organizational software risk lies
Identify software components and CVEs that are most prevalent or have the most risk mass tied around them
Drive remediation actions with less effort
Drive unified remediation action by choosing to "Separate tickets per unique vulnerability", or to "Aggregate all contents to a single ticket (Up to 200 vulnerabilities per ticket)".
Software Clusters
Clusters vulnerabilities by "Affected software". For example, kernel, Firefox, Windows, bind, python, etc.
Sorts the vulnerabilities by what interests you most, such as:
Risk Mass (by default) - from the highest to the lowest. This helps you understand which software components carry the most risk mass (that is, account for the largest number of vulnerabilities).
Max Risk
Amount of affected assets
Allows you to focus your clustered results using Search and filters on parameters such as Threats, Tags, Vuln-tags, specific asset search, etc.
Allows you to filter or sort your view by any other parameter you find relevant and important. Examples:
Filter by Business Groups to focus on specific business areas that are more important than others
Filter by Vendor to focus on vulnerabilities that are part of a team's focus, such as Windows or CentOS
Filter/Sort by the number of Assets linked to the vulnerabilities to focus on where you have more affected assets
CVE Clusters
Clusters vulnerabilities by CVE.
Sorts vulnerabilities by what interests you most, such as:
Risk Mass (by default) - from the highest to the lowest. This helps you understand which CVEs carry the most risk mass (that is, account for the largest number of vulnerabilities).
Exploit Prediction Scoring System (EPSS) - EPSS is an estimate of the likelihood (probability) that a software vulnerability will be exploited in the wild.
EPSS is a pre-threat-intelligence estimate: if there is evidence that a vulnerability is being exploited, that evidence should supersede the EPSS score.
Allows you to focus your clustered results using Search and filters on parameters such as Threats, Tags, Vuln-tags, specific asset search, etc.
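To make the two views concrete, here is an added Python example (written for this page, not Vulcan Cyber's own code or API) that clusters a constructed set of findings by affected software and by CVE, exposes the sort orders named above (Risk Mass, Max Risk, number of affected assets, EPSS), and applies the rule that evidence of exploitation supersedes the EPSS score. The field names, the 0-100 risk scale, the CVE placeholders and the definition of risk mass as the sum of per-finding risk scores are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample findings (not real scanner data). One Finding is one
# vulnerability instance on one asset, as a connector would report it.
@dataclass(frozen=True)
class Finding:
    vuln_id: str                   # scanner's unique vulnerability id
    cve: str                       # CVE id ("" when none); placeholders, not real CVEs
    software: str                  # affected software component
    asset: str                     # affected asset
    risk: float                    # per-finding risk score (assumed 0-100 scale)
    epss: float                    # EPSS probability for the CVE (constructed values)
    exploited: bool                # evidence of exploitation in the wild
    tags: frozenset = frozenset()  # asset tags used for filtering


@dataclass
class Cluster:
    key: str                       # software component or CVE id
    findings: List[Finding] = field(default_factory=list)

    def risk_mass(self) -> float:
        # Assumption: risk mass is the sum of the per-finding risk scores, so a
        # component affecting many assets accumulates more mass than one
        # high-scoring finding does.
        return sum(f.risk for f in self.findings)

    def max_risk(self) -> float:
        return max(f.risk for f in self.findings)

    def asset_count(self) -> int:
        return len({f.asset for f in self.findings})

    def unique_vulns(self) -> List[str]:
        return sorted({f.vuln_id for f in self.findings})

    def exploited(self) -> bool:
        return any(f.exploited for f in self.findings)

    def epss(self) -> float:
        return max(f.epss for f in self.findings)


def build_clusters(findings: Iterable[Finding],
                   key_of: Callable[[Finding], str]) -> List[Cluster]:
    """Group findings by the key function; findings with an empty key are skipped."""
    groups: Dict[str, Cluster] = {}
    for f in findings:
        key = key_of(f)
        if key:
            groups.setdefault(key, Cluster(key)).findings.append(f)
    return list(groups.values())


def filter_findings(findings: Iterable[Finding], tag: Optional[str] = None,
                    software: Optional[str] = None) -> List[Finding]:
    """Narrow the input before clustering, e.g. to one asset tag or one component."""
    return [f for f in findings
            if (tag is None or tag in f.tags)
            and (software is None or f.software == software)]


# Sort keys available in each view. The EPSS key encodes the caveat from the
# text: clusters with evidence of exploitation sort first, and the EPSS
# estimate only orders the remainder.
SORT_KEYS: Dict[str, Callable[[Cluster], object]] = {
    "risk_mass": lambda c: c.risk_mass(),
    "max_risk": lambda c: c.max_risk(),
    "assets": lambda c: c.asset_count(),
    "epss": lambda c: (c.exploited(), c.epss()),
}


def software_clusters(findings: Iterable[Finding], sort_by: str = "risk_mass") -> List[Cluster]:
    return sorted(build_clusters(findings, lambda f: f.software),
                  key=SORT_KEYS[sort_by], reverse=True)


def cve_clusters(findings: Iterable[Finding], sort_by: str = "risk_mass") -> List[Cluster]:
    return sorted(build_clusters(findings, lambda f: f.cve),
                  key=SORT_KEYS[sort_by], reverse=True)


FINDINGS = [  # constructed data
    Finding("V-1", "CVE-0000-0001", "kernel", "srv-01", 90.0, 0.42, False, frozenset({"prod"})),
    Finding("V-1", "CVE-0000-0001", "kernel", "srv-02", 90.0, 0.42, False, frozenset({"prod"})),
    Finding("V-2", "CVE-0000-0002", "kernel", "srv-01", 55.0, 0.05, True, frozenset({"prod"})),
    Finding("V-3", "CVE-0000-0003", "firefox", "ws-10", 70.0, 0.91, False, frozenset({"corp"})),
    Finding("V-3", "CVE-0000-0003", "firefox", "ws-11", 70.0, 0.91, False, frozenset({"corp"})),
    Finding("V-3", "CVE-0000-0003", "firefox", "ws-12", 70.0, 0.91, False, frozenset({"corp"})),
    Finding("V-4", "CVE-0000-0004", "python", "srv-02", 30.0, 0.02, False, frozenset({"prod"})),
]

if __name__ == "__main__":
    for c in software_clusters(FINDINGS):
        print(f"{c.key:8} risk_mass={c.risk_mass():6.1f} max={c.max_risk():5.1f} "
              f"assets={c.asset_count()} vulns={c.unique_vulns()}")
    print("CVEs by EPSS (exploited first):",
          [c.key for c in cve_clusters(FINDINGS, 'epss')])
```

Run as a script, the software view lists kernel before firefox on risk mass even though firefox touches more assets (sorting by "assets" flips that order), and the CVE view sorted by EPSS puts the exploited CVE-0000-0002 ahead of CVE-0000-0003 despite its far lower EPSS value, which is exactly the supersession the text calls for.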
Take Action on Software or CVE Clusters
Take a unified remediation action on vulnerabilities affecting the same software component
As a VM, you can "Take Action" to drive unified remediation action in bulk. This means you can trigger one or more immediate remediation campaigns on all vulnerabilities related to a specific software package or CVE and assign them to a person or a team.
Go to Vulnerabilities > Software Clusters or CVE Clusters
Click on the cluster that is relevant to you (you can search and filter to narrow down the results)
Review the vulnerability cluster details and see all the related vulnerabilities and assets
Select all or only a subset for remediation
Click on "Take Action" and select your remediation method (Jira ticket, Service Now, Email, etc.)
You can click the "Edit" next to the vulnerability to modify the content of the ticket, such as "Remedies to apply", and "Asset to patch":
Select whether to "Separate tickets per unique vulnerability" or to "Aggregate all contents to a single ticket (Up to 200 vulnerabilities per ticket)"
Complete the ticket/email form as required
Click "Open ticket" to set the remediation action into motion
Once you click "Open ticket", the remediation instructions are sent through the selected channel (JIRA, ServiceNow, Email, etc.).
Unlike regular non-clustered tickets, the message contains simple package update instructions without remedy attachments. Apply those instructions to the grouped vulnerabilities to remediate them based on the affected software. The message does contain the package name and the version to which you should upgrade the affected software.
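The two ticketing choices above, as an added Python example (not Vulcan Cyber's code; it does not talk to Jira or ServiceNow): given one cluster's package name, target version and list of vulnerability/asset pairs, it plans either one ticket per unique vulnerability or aggregated tickets that never exceed the 200-vulnerability limit, each carrying a plain package-update instruction. The `ClusterItem`/`Ticket` types, the instruction wording, and the assumption that the limit counts unique vulnerabilities rather than vulnerability/asset pairs are all made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

MAX_VULNS_PER_TICKET = 200  # aggregated-ticket limit stated in the text


@dataclass(frozen=True)
class ClusterItem:
    vuln_id: str  # unique vulnerability within the cluster (constructed ids)
    asset: str    # asset on which it was found


@dataclass(frozen=True)
class Ticket:
    title: str
    instruction: str
    vuln_ids: tuple
    assets: tuple


def update_instruction(package: str, target_version: str) -> str:
    """Plain package-update text with no remedy attachment (assumed wording)."""
    return f"Upgrade package '{package}' to version {target_version} or later on the listed assets."


def plan_tickets(package: str, target_version: str,
                 items: List[ClusterItem], mode: str) -> List[Ticket]:
    instruction = update_instruction(package, target_version)

    if mode == "separate":
        # One ticket per unique vulnerability, listing every asset it affects.
        assets_by_vuln: Dict[str, Set[str]] = {}
        for it in items:
            assets_by_vuln.setdefault(it.vuln_id, set()).add(it.asset)
        return [Ticket(f"[{package}] {vuln}", instruction, (vuln,), tuple(sorted(assets)))
                for vuln, assets in sorted(assets_by_vuln.items())]

    if mode == "aggregate":
        # Unique vulnerabilities are batched so no single ticket exceeds the limit
        # (assumption: the limit counts unique vulnerabilities, not vuln/asset pairs).
        vulns = sorted({it.vuln_id for it in items})
        tickets: List[Ticket] = []
        for start in range(0, len(vulns), MAX_VULNS_PER_TICKET):
            chunk = vulns[start:start + MAX_VULNS_PER_TICKET]
            chunk_set = set(chunk)
            assets = sorted({it.asset for it in items if it.vuln_id in chunk_set})
            tickets.append(Ticket(f"[{package}] {len(chunk)} vulnerabilities",
                                  instruction, tuple(chunk), tuple(assets)))
        return tickets

    raise ValueError(f"unknown ticket mode: {mode}")


# Constructed cluster contents: three unique vulnerabilities across three assets.
ITEMS = [
    ClusterItem("V-1", "srv-01"),
    ClusterItem("V-1", "srv-02"),
    ClusterItem("V-2", "srv-01"),
    ClusterItem("V-3", "srv-03"),
]

if __name__ == "__main__":
    for mode in ("separate", "aggregate"):
        for t in plan_tickets("kernel", "5.15.0-1", ITEMS, mode):
            print(mode, "|", t.title, "|", t.assets)
```

The "separate" mode yields three tickets, one per vulnerability, each listing only the assets that vulnerability affects; "aggregate" yields a single ticket covering all three, and a cluster with more than 200 unique vulnerabilities is split into several tickets of at most 200 each.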
Every time you Take Action on an asset or a vulnerability, a campaign is created. This is a manual campaign because it is triggered manually by the user through the Vulnerabilities or Assets page.