Reviewing and Managing Vulnerabilities

Vulnerabilities provides a focused view of the impact vulnerabilities have on your environments that are connected to InsightCloudSec, including:

  • A table/list display with vulnerabilities, packages, and resources that were scanned during assessments
  • Search functionality and filtering to narrow the list of resources to only the most critical or vulnerable

Explore Vulnerabilities

In InsightCloudSec, navigate to Security > Vulnerabilities to start viewing high-risk vulnerabilities and their impact on your environment.

Filter

Vulnerabilities provides filtering to narrow the scope of the data and navigate it effectively.

Filter Containers or Instances

You can use the Resource Type filter to display only Containers or Instances.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected Filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific (since options vary between features), i.e., a saved filter in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (...) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature.
  5. Select the checkbox for Make this a Public Filter to allow other users to see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Data Display

The data display includes the main table of data as well as the total number of scanned vulnerabilities, packages, or resources. This total updates to reflect the number of items scoped by any configured filters. Details of the data reflected here are explored in the Frequently Asked Questions (FAQ).

This display contains all of the data analyzed within the Vulnerabilities feature. The data display is split across three tabs: Vulnerabilities, Packages, and Resources. For organizations with large and complex cloud environments, these scopes provide the ability to evaluate a high priority vulnerability, a prominent package in your environment, or a particularly vulnerable resource, respectively. When combined with filtering, these scoping capabilities enable you to quickly navigate to specific areas that you want to evaluate for risk. There is some common functionality across the tabs:

  • Search - Type into the search bar and the data will automatically filter to match the criteria.
  • Download (Vulnerabilities, Resources only) - To save a copy of the data, click Download next to the search bar and select either CSV or JSON. The file will be prepared in the background until it is ready to be downloaded by your web browser. If the file preparation takes longer than 10 minutes, it will time out, so it's best to narrow the scope prior to downloading.
  • Column Sort - To sort the data by a particular column, click the column header.

Vulnerabilities

  • Risk - The assessed risk value (0-1000) for the particular resource based on internal InsightCloudSec calculations.
    • A shield designates that the CVE has known exploits.
    • Crosshairs designate that the CVE has been exploited in the wild.
  • CVE ID - The unique ID for the vulnerability.
    • Click the CVE ID to open the Vulnerability Details blade.
  • CVSS Score - The CVSS Score given to the particular vulnerability.
    • Click the filter icon in the column header to filter the results by CVSS category.
  • Impacted Resource - The total number of resources affected by the vulnerability.
  • First Detected - The date the vulnerability was first detected to have impacted your environment.
  • Last Detected - The date the vulnerability was last detected to have impacted your environment.
  • Action - Offers a context menu with links to:
    • View vulnerability details
    • View impacted resources

Packages

  • Risk - The assessed risk value (0-1000) for the particular package based on internal InsightCloudSec calculations.
  • Name - The name of the package.
    • Click the Name to open the Package Details blade.
  • Version - The version of the package as of the last assessment.
  • Vulnerabilities - A summary of the Vulnerability findings for the resource.
    • Point to the value with your cursor to expose a detailed summary.
  • Impacted Resources - The number of resources using the package.
  • Last Detected - The date the package vulnerability was last detected.

Resources

  • Risk - The assessed risk value (0-1000) for the particular resource based on internal InsightCloudSec calculations.
  • Resource Name - The name of the resource.
    • Click the Resource Name to open the Resource Properties blade.
  • Resource Type - The type of resource.
  • Account - The name of the Account the resource is associated with.
  • Public Access - Denotes whether the resource is publicly accessible using the Internet.
    • Select the column value to open the Public Access details panel.
  • Vulnerabilities - A summary of the Vulnerability findings for the resource.
    • Point to the value with your cursor to expose a detailed summary.
  • Image ID - The ID for the image associated with the resource.
  • Last Assessed - The time the resource was last scanned for risk factors.
  • Action - Offers a context menu with links to various actions related to your vulnerable resources, including viewing resource details, triggering a reassessment for the resource, or downloading the resource’s data or vulnerabilities.

Sample Use Cases

Assessing the Impact of a Specific Vulnerability

  1. From the Vulnerabilities page, click the Vulnerabilities category at the top of the page.
  2. Using the Search capability, search for a particular CVE ID or package name.
  3. Click the Action menu (...) and click View Impacted Instances, View Impacted Public Instances, or View Impacted Images.

All report categories will automatically filter to only include the selected vulnerability. You can now easily discern a vulnerability's impact on resources and packages by clicking the associated category at the top of the page. This will display only the entries that are associated with the selected vulnerabilities. In addition, the packages view and vulnerabilities view show only the associated packages and vulnerabilities based on the selected filter configuration (i.e., only packages that are part of the selected images and any associated vulnerabilities).

Assessing a Zero-Day Vulnerability

Often, when a zero-day vulnerability occurs, there is no CVE, and the best way to determine surface area is a search by software and version. In these scenarios, you can focus on a specific package (like log4j) and see the impact of that package across your environment.

  1. From the Vulnerabilities page, click the Packages category at the top of the page.
  2. Using the Search capability, search for a particular package name or version.
  3. Click the Package Name to open the Package Details blade. The default tab for this blade is Resources, where you can see all of the resources that currently are associated with this package.

VM & Automation (Bots)

Once InsightCloudSec has collected details and provided analysis, you can build automation around notifications through the Bot capability. In the example Bot below, the configuration is scoped to provide a summary of all workloads with a severity of critical or high from the past 100 days.

CVA - Example Bot

```json
{
  "resource_id": "divvybot:20:4615",
  "name": "Container Vulnerability Assessment Summary Bot",
  "description": "",
  "notes": null,
  "insight_id": null,
  "source": null,
  "insight_name": null,
  "insight_severity": null,
  "owner": "divvyuser:1:",
  "owner_name": "Rapid7",
  "state": "PAUSED",
  "date_created": "2022-04-29 14:53:47",
  "date_modified": "2022-04-29 14:53:47",
  "category": "Security",
  "badge_scope_operator": null,
  "instructions": {
    "resource_types": [
      "ecstaskdefinition"
    ],
    "filters": [
      {
        "name": "divvy.query.workload_severity_higher_than",
        "config": {
          "severities": [
            "HIGH",
            "CRITICAL"
          ],
          "days": 100
        }
      }
    ],
    "actions": [
      {
        "name": "divvy.action.mark_non_compliant",
        "config": {},
        "run_when_result_is": true
      },
      {
        "name": "divvy.action.log_message",
        "config": {
          "message_text": "vulnerability"
        },
        "run_when_result_is": true
      }
    ],
    "groups": [],
    "badges": [],
    "hookpoints": [],
    "schedule": null,
    "schedule_description": null
  },
  "valid": true,
  "errors": [],
  "severity": "low",
  "detailed_logging": false,
  "scope": []
}
```

Creating a VM Bot From a Template

To use the template example above:

  1. From your InsightCloudSec platform installation, go to Automation > BotFactory.
  2. On the BotFactory landing page, go to Templates.
  3. From the Templates tab under BotFactory, select the Import Template option and paste the example featured above into the JSON window.
  4. Click Submit to verify and store the template for future use. Review Creating Bots for more information on next steps.
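
A pre-import review of a bot template, as an added example that is not part of the original page or Rapid7's code: it parses the JSON you are about to paste, summarizes which resource types, filters and actions it carries, and flags anything that differs from what you expect. The function name `review_bot_template` and the use of the page's two action names as an allow-list are assumptions of this example; the embedded template is a trimmed copy of the one above.

```python
import json

# Action names taken from the page's example bot; using them as the
# "already reviewed" allow-list is an assumption of this example.
REVIEWED_ACTIONS = {"divvy.action.mark_non_compliant", "divvy.action.log_message"}

# Trimmed copy of the page's example template (only the fields read below).
TEMPLATE = """{
  "name": "Container Vulnerability Assessment Summary Bot",
  "state": "PAUSED",
  "instructions": {
    "resource_types": ["ecstaskdefinition"],
    "filters": [{"name": "divvy.query.workload_severity_higher_than",
                 "config": {"severities": ["HIGH", "CRITICAL"], "days": 100}}],
    "actions": [
      {"name": "divvy.action.mark_non_compliant", "config": {}, "run_when_result_is": true},
      {"name": "divvy.action.log_message", "config": {"message_text": "vulnerability"},
       "run_when_result_is": true}]
  }
}"""

def review_bot_template(text):
    """Return (summary, findings) for a bot template supplied as a JSON string."""
    try:
        bot = json.loads(text)
    except json.JSONDecodeError as exc:
        # Typical cause: listing line numbers copied along with the JSON.
        return {}, [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(bot, dict) or not isinstance(bot.get("instructions"), dict):
        return {}, ["missing top-level object or 'instructions' block"]
    instr = bot["instructions"]
    actions = [a.get("name") for a in instr.get("actions") or []]
    summary = {
        "name": bot.get("name"),
        "state": bot.get("state"),
        "resource_types": instr.get("resource_types") or [],
        "filters": {f.get("name"): f.get("config") for f in instr.get("filters") or []},
        "actions": actions,
    }
    findings = []
    if summary["state"] != "PAUSED":
        findings.append(f"state is {summary['state']!r}, not PAUSED as in the page's example")
    if not summary["resource_types"] or not summary["filters"]:
        findings.append("resource_types or filters is empty; confirm the intended scope")
    findings += [f"unreviewed action: {a}" for a in actions if a not in REVIEWED_ACTIONS]
    return summary, findings

if __name__ == "__main__":
    summary, findings = review_bot_template(TEMPLATE)
    print(json.dumps(summary, indent=2))
    print("findings:", findings or "none")
```

An empty findings list means the template matches the reviewed baseline; extend `REVIEWED_ACTIONS` only after checking what each additional action does in your environment.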