Learn About Cloud Vulnerability Management (VM)

Agentless assessment requires that InsightCloudSec has a way to scan a host or image without running anything in your cloud environment. InsightCloudSec ensures that we recommend only the minimal possible permissions for completing assessments of your hosts or containers. See Configuring Host Vulnerability Assessment (HVA) or Configuring Container Vulnerability Assessment (CVA) for more information on setting up your cloud environments for assessments of hosts or containers, respectively.

All assessed vulnerabilities are contained within the unified vulnerability dashboard (Security > Vulnerabilities in the InsightCloudSec navigation menu). See Reviewing and Managing Vulnerabilities for details.

The Active Risk score rating in InsightCloudSec uses a variety of factors to determine the rating of a vulnerability. Threat Feeds, Exploit Databases, and the vulnerability CVSS score are combined to produce a Risk Score to help prioritize vulnerabilities. When viewing the risk score for a vulnerability there are details about the reason for the score produced: vulnerabilities with published exploits and vulnerabilities that threat feeds have marked as actively exploited will have scores that are higher than other vulnerabilities within the product that have similar CVSS scores.

For example, CVE-2022-0318 has a CVSS score of 9.8. This vulnerability is not actively exploited and does not have published exploits. This vulnerability has a risk score of 810 (if there are threats and/or exploits published in the future this risk score will change accordingly). On the other hand CVE-2020-15999 has a CVSS score of 6.5 and is a known exploited vulnerability according to the CISA KEV Catalog. The active exploitation of the vulnerability raises the risk score to 1000. This calculation enables you to quickly identify vulnerabilities that need to be addressed in order to reduce the risk of your cloud environment.

The following workflows gather and store the inventory from the host instances harvested by InsightCloudSec and assess them for vulnerabilities. Host instances are discovered and harvested based on your Assessment Scope. They also continuously monitor and refresh the inventory and vulnerability data based on changes to the instances and for newly disclosed vulnerabilities.

As InsightCloudSec harvesting discovers new host instances, HVA triggers the collection step, which creates and downloads a snapshot of the instance from a customer's cloud account to InsightCloudSec. When HVA is initialized, all host instances already harvested are treated as new, triggering the first collection.

The snapshot is then assessed for vulnerabilities in InsightCloudSec and its inventory (versions of the operating system and software packages, OSS dependencies, and other select file types) is saved. InsightCloudSec discards the snapshot once the assessment is complete.

Existing host instances are reassessed and potentially recollected based on the following triggers.

• Automated recollection - a proprietary algorithm determines the need to collect a new snapshot using environmental events indicating the instance changed since the last collection
• Automated reassessment - when new vulnerabilities are reported, InsightCloudSec reviews the host instance inventory and reassesses those with the imaged packages
• Manual recollection and reassessment - you can trigger a recollection and reassessment of a specific host instance using an action in the InsightCloudSec console or an API call

Assuming you have completed the onboarding process successfully and fully configured HVA, hosts will begin appearing in the Vulnerabilities dashboard with regularly scheduled harvesting. Assessments occur as soon as a new host is discovered in InsightCloudSec. If the dashboard is not updating as you would expect, host assessment status can be found on the Vulnerability Settings page.

Snapshots are created:

1. When a new host is discovered
2. When a new vulnerability is discovered
3. When you manually trigger an assessment

• Regional assessments are currently only supported for AWS.
• We support running assessments in seven AWS regions: us-east-1, us-east-2, us-west-2, eu-central-1, ap-northeast-1, ap-southeast-2, and ca-central-1.
• Any resources located outside of those regions will be mapped to a supported region.
• If a mapping does not exist, the assessment will be sent to us-east-1 by default.

Snapshots taken of an AWS instance that uses the default AWS-managed key will automatically have the same encryption. This encryption method cannot be changed and these snapshots cannot be directly shared or accessed. As a workaround, InsightCloudSec automatically copies and encrypts default key-encrypted snapshots using the Rapid7 customer-managed key. This key is stored and managed internally by Rapid7. For this process, a grant is created for the Rapid7 key with the AWS cloud account's role ARN as the grantee and retiring principal. This key grant applies the permission to use the Rapid7 key to copy and encrypt their snapshots and then retire the grant after the assessment is completed.

Limitations:

• This feature is currently only enabled for AWS instances in the following regions:
  • ap-northeast-1
  • ap-southeast-2
  • ca-central-1
  • eu-central-1
  • us-east-1
  • us-east-2
  • us-west-2
• Assessments for default key-encrypted instances in all other regions will fail with the DefaultEbsKeyException exception.
• Each customer managed key can have up to 50,000 grants. However, it’s unlikely that this quota will be reached since the grants are retired after assessments are complete. See the AWS Documentation for more information.

You don’t need to remove the InsightVM agent. InsightCloudSec Vulnerability Management will snapshot instances with an existing agent and conduct the collection and assessment with no issues. Most vulnerabilities will be reported identically between the two; however, InsightCloudSec has a larger scope of detection and may report more vulnerabilities than InsightVM. This allows time to evaluate the new feature before removing the agent and transitioning Host instance vulnerability management from InsightVM to InsightCloudSec.

After you have onboarded Cloud accounts and Kubernetes clusters or associated container repositories with InsightCloudSec, the platform will automatically scan container images (all layers) and workloads for vulnerabilities with regularly scheduled harvesting. Each container-related resource (ECS Task Definition, Kubernetes ReplicaSet, etc.) identified by InsightCloudSec will have an Image ID and SHA-256 hash (or manifest digest) associated with it. Each image or artifact, whether tagged or not, is identified by its digest. The digest value is unique even if the artifact's layer data is identical to that of another artifact. InsightCloudSec regularly updates the Vulnerabilities feature to match the state of the resources in your cloud environments. Once InsightCloudSec has harvested a particular SHA-256 digest, everything that is needed to track vulnerabilities over time is captured and stored.

Assuming you have completed the onboarding process successfully and fully configured CVA, images will begin appearing in the Vulnerabilities dashboard with regularly scheduled harvesting. Assessments occur as soon as a new image (layer) is discovered in InsightCloudSec. Any image that is on an account that is not visible to InsightCloudSec will not be scanned. If the dashboard is not updating as you would expect, there are two locations to begin your troubleshooting:

• Container visibility issues are tracked on the Kubernetes Clusters page.

• Image assessment status is surfaced on an image-by-image basis in the Security > Vulnerabilities > Resources table. If there was an issue assessing an image, a red icon will denote the particular issue. The following table includes details on the errors:

  Error	Troubleshooting
  Unable to pull an image with this name and digest.	Contact support.
  Unable to assess an image with this name and digest.	Contact support.
  Unable to pull this image due to its size. It is larger than our maximum supported size of 10GB.	We do not support image scanning for images larger than 10GB.
  Anything related to authentication or insufficient permissions, credentials, or logging in	Ensure that the harvesting role you set up during onboarding has the required permissions as described in Configuring CVA.
  Unable to pull an image with this name and digest. The image's tag may have been rewritten to use a different digest.	This error often occurs in containers running EKS Add-Ons. Amazon frequently removes old versions of images from these repositories. Work with the application or infrastructure team to ensure that Add-Ons are updated frequently. If this image is owned by your organization, work with the infrastructure or application team that owns the container to ensure this container is re-provisioned to use a new version of the image in the near future.
  Unable to pull an image from this registry due to rate limiting.	Wait. InsightCloudSec will automatically reschedule an assessment as appropriate.
  Unable to pull an image from this registry. This registry is not supported.	We do not support this particular private registry (see Configuring CVA for full support details). If this is a public registry, contact support and we can add this registry to our allowlist.
  Unable to assess this image. The scan timed out.	If this issue persists, contact support. This error can happen repeatedly if an image is too large.

A full list of supported images registries can be found on the CVA Configuration page. Note, however, that images hosted in publicly-accessible, unauthenticated registries are subject to rate limiting. Thus, we cannot guarantee full visibility into the vulnerabilities for these images at this time.

Yes! CVA can assess container images within Kubernetes clusters using the Kubernetes Scanner. Review the Kubernetes Scanners Overview for more details.