Rationale
Zero-day vulnerabilities pose a significant threat to your organization’s security. Addressing these vulnerabilities before they are detected by scanners can mitigate potential risks and ensure that your systems are protected as soon as new threats emerge. This guide outlines a proactive approach to managing zero-day vulnerabilities in Vulcan by leveraging manual processes to stay ahead of automated scanning tools.
Goal
The goal of this best practice is to empower your team to manage zero-day vulnerabilities effectively by introducing them into Vulcan before they are identified by scanners. This approach ensures that you can automate alerts and take corrective actions immediately upon the discovery of a zero-day vulnerability.
How To
Step 1: Receive Zero-Day Details
On the day a zero-day vulnerability is published, our research team will provide a comprehensive report, including the CVE, technical score, and vulnerability description.
Step 2: CSV File Distribution
The information will be sent to you by your Customer Success Manager (CSM) in a CSV file, which includes a dummy asset column to meet Vulcan’s requirement that all vulnerabilities be associated with at least one asset.
CSV file example: the file serves as a template for formatting the CSV so that Vulcan can process it. It contains fields for both placeholder data (the dummy asset) and actual data (the CVE details), and all of them must be filled in appropriately for the vulnerabilities to be processed.
Included information in the CSV file –
Step 3: Upload CSV to Vulcan
Your security team uploads this CSV file through the Vulcan ConnectX Vulcan Report connector. When configuring the connector, select "Mapping Hosts (Vulnerability Assessment)" as the data mapping option.
Once the file is uploaded and processed, Vulcan creates a new manual entry for the CVE, attached to the dummy asset.
Step 4: Set Up Automation
Once the CVE is in the system, create an automation rule with the condition "CVE = X" (where X is the zero-day CVE identifier) to send automatic alerts to your team. A dedicated alert template for zero-day notifications can also be created.
Note that this first alert only indicates that the zero-day CVE has been published in the wild; it does not mean that any of the organization's real assets are affected. Add a clarification to the alert template stating that the CVE will appear on the organization's real assets once the scanners complete their scan, and that those details will be provided in a subsequent alert.
Step 5: Transition to Scanner-Detected CVE
When the scanners eventually detect the CVE, the same automation rule continues to fire, but the alerts now reference the actual affected assets rather than the dummy asset.
Step 6: Delete Vulcan Report Connector
After the CVE and affected assets are fully integrated into the system by the scanners, the Vulcan Report connector can be deleted, as it is no longer needed.
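To make the procedure concrete, here is an added example in Python; it is not Vulcan's code and is not part of the original guide. It builds the Step 2 and 3 CSV (one row tying the zero-day to a dummy asset), validates it the way Vulcan's "at least one asset" requirement implies, and simulates the Step 4 and 5 automation condition "CVE = X" so that the dummy-asset alert and the later scanner-detected alert can be compared side by side. The column names, the dummy asset name, the constructed CVE identifier, the constructed scanner rows and the alert wording are all assumptions; the real column layout comes from the CSV template your CSM provides.

```python
"""Added example (not Vulcan's own code): builds the zero-day CSV from
Steps 2-3 and simulates the "CVE = X" automation rule from Steps 4-5.
Column names, the dummy asset name and the alert wording are assumptions;
use the CSV template supplied by your CSM for the real connector upload."""
import csv
import io
import re

# Assumed column layout for the Vulcan Report connector CSV.
CSV_COLUMNS = ["asset_name", "cve", "score", "description"]
# Assumed name of the dummy asset that satisfies the "at least one asset" rule.
DUMMY_ASSET = "ZERO-DAY-DUMMY-ASSET"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_zero_day_csv(cve, score, description):
    """Return CSV text with one row for the zero-day, tied to the dummy asset."""
    if not CVE_RE.match(cve):
        raise ValueError(f"malformed CVE identifier: {cve!r}")
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score must be within 0.0-10.0, got {score}")
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerow({"asset_name": DUMMY_ASSET, "cve": cve,
                     "score": f"{score:.1f}", "description": description})
    return buf.getvalue()


def parse_report_csv(text):
    """Parse connector CSV text; reject rows that lack an asset or a valid CVE."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in CSV_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"CSV is missing columns: {missing}")
    rows = []
    for row in reader:
        if not row["asset_name"].strip():
            raise ValueError(f"row for {row['cve']} has no asset; Vulcan requires one")
        if not CVE_RE.match(row["cve"]):
            raise ValueError(f"malformed CVE identifier: {row['cve']!r}")
        rows.append(row)
    return rows


def evaluate_rule(rows, cve):
    """Simulate the automation condition 'CVE = X' over imported rows.

    A row on the dummy asset yields a 'published' alert (Step 4); a row on a
    real asset yields a 'detected' alert (Step 5). Rows for other CVEs are
    ignored, which is what the equality condition does."""
    alerts = []
    for row in rows:
        if row["cve"] != cve:
            continue
        if row["asset_name"] == DUMMY_ASSET:
            alerts.append({
                "cve": cve, "stage": "published", "asset": None,
                "message": (f"{cve} (score {row['score']}) has been published in the wild. "
                            "No organizational asset is confirmed affected yet; a further "
                            "alert will follow once the scanners report real assets."),
            })
        else:
            alerts.append({
                "cve": cve, "stage": "detected", "asset": row["asset_name"],
                "message": f"{cve} detected by scanner on {row['asset_name']}; remediate.",
            })
    return alerts


# Constructed sample data; the CVE identifier is a placeholder, not a real advisory.
ZERO_DAY = {"cve": "CVE-2099-00001", "score": 9.8,
            "description": "placeholder zero-day description"}
# Constructed scanner output for Step 5 (assumed to share the same column layout).
SCANNER_CSV = (
    "asset_name,cve,score,description\n"
    "web-01.example.internal,CVE-2099-00001,9.8,placeholder zero-day description\n"
    "db-02.example.internal,CVE-2099-00002,5.3,unrelated finding\n"
)

if __name__ == "__main__":
    manual_rows = parse_report_csv(build_zero_day_csv(**ZERO_DAY))
    for alert in evaluate_rule(manual_rows, ZERO_DAY["cve"]):
        print(alert["stage"], alert["message"])
    for alert in evaluate_rule(parse_report_csv(SCANNER_CSV), ZERO_DAY["cve"]):
        print(alert["stage"], alert["message"])
```

Running the script prints one "published" alert from the manually uploaded row and one "detected" alert from the constructed scanner row, which is the transition Step 5 describes; the unrelated CVE in the scanner data is filtered out by the equality condition. The validation in parse_report_csv mirrors the reason the dummy asset column exists: a row with an empty asset is rejected before it reaches the connector.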
Summary
By following this best practice, your team will be equipped to handle zero-day vulnerabilities proactively. The manual introduction of CVEs allows for immediate automation of alerts, providing your team with timely information to address new threats. This approach ensures that no critical vulnerabilities are overlooked during the gap between publication and scanner detection.