Learn About Vulnerabilities

The Vulnerabilities feature enables Security and DevOps teams to efficiently view, prioritize, and orchestrate the response to vulnerabilities (Common Vulnerabilities and Exposures (CVEs)) detected across their cloud environment. Hosts and container images are assessed and managed differently behind the scenes:

  • Hosts are automatically assessed when they are launched and detected by the InsightCloudSec harvesters, without traditional network scanning or an embedded agent. Using snapshots of the instances’ root volumes, a thorough vulnerability assessment is performed on all packages in the guest operating system and installed software, on Open Source Software (OSS) dependencies, and on select file types. The snapshots are downloaded to your InsightCloudSec instance, their package inventory is assessed and stored, and the snapshots are then promptly deleted. The host instance inventory is continuously monitored for new vulnerabilities as long as the hosts remain active in your cloud. Select changes to a host instance in the cloud automatically trigger a fresh snapshot and assessment. Remediations are recognized whether they come from updates applied to the host instance or from removing and replacing it by updating the base image (e.g., AMI) and relaunching.
  • Container image IDs are harvested from your configured cloud accounts and a copy is pulled from the source registry. The package inventory and vulnerabilities detected on each image are presented in the InsightCloudSec platform for review, prioritization, and response. Users can determine and evaluate the riskiest resources by focusing on business segments such as deployed workloads and applications. CVA also analyzes the configured Workload (Workload Definition) used while instantiating a new workload instance.

This feature offers the following capabilities:

  • Comprehensive assessment and visibility including:
    • All host instances (resources), plus their base image, metadata, and detected vulnerabilities
    • All packages plus their prevalence across the host instances
    • All vulnerabilities detected across the instances and packages in total plus their metadata and link to exploit references
    • A Vulnerabilities dashboard
  • Vulnerability Risk scores for each CVE calculated by a new, proprietary model leveraging intelligence about available exploits and their use by attackers in the wild
  • Advanced filters to narrow the focus on select resources and their packages and vulnerabilities for risk-based prioritization and remediation
  • Recommended solutions for each vulnerability as package and OSS version updates
  • Actions and automation that trigger alerts, ticketing, remediation workflows, and data exports
  • Assessment coverage and health monitoring to identify any errors or access issues impacting feature operations

Configuration

InsightCloudSec requires separate configuration to manage host and container vulnerabilities:

Feature Under Development

The CVA feature is currently unavailable due to improvements in progress. This documentation resource provides guidance for intended operations of the feature when it becomes generally available.

For questions or issues, reach out to your CSM or to support through the Customer Support Portal.

Frequently Asked Questions (FAQ)

Why does InsightCloudSec require AWS/Azure/GCP permissions to assess host vulnerabilities?

Agentless assessment requires that InsightCloudSec has a way to scan a volume/disk without running anything in your cloud environment. InsightCloudSec downloads a snapshot of a resource's root volume to our own cloud provider account (using the users/roles/policies you configured during onboarding), runs the assessment, and deletes the snapshot. We use the minimal required permissions for creating, downloading/exporting, and then removing the snapshot. See Configuring Host Vulnerability Assessment (HVA) for more information.

What is the frequency of snapshots being created and then deleted?

Snapshots are created:

  1. When a new host is discovered
  2. When a new vulnerability is discovered
  3. When you manually trigger an assessment

What regions do you assess host vulnerabilities in?

  • Regional assessments are currently only supported for AWS.
    • All Azure and GCP resources get assessed in us-east-1.
  • We support running assessments in seven AWS regions: us-east-1, us-east-2, us-west-2, eu-central-1, ap-northeast-1, ap-southeast-2, and ca-central-1.
  • Any resources located outside of those regions will be mapped to a supported region.
  • If a mapping does not exist, the assessment will be sent to us-east-1 by default.

Can you assess host vulnerabilities using AWS default key-encrypted snapshots?

Snapshots taken of an AWS instance that uses the default AWS-managed key automatically have the same encryption. This encryption method cannot be changed, and such snapshots cannot be directly shared or accessed. As a workaround, default key-encrypted snapshots must be copied and encrypted using the Rapid7 customer-managed key. This key is stored and managed internally by Rapid7. For this process, a grant is created on the Rapid7 key with the AWS cloud account's role ARN as both the grantee and the retiring principal. The grant gives that role permission to use the Rapid7 key to copy and encrypt the snapshots, and the grant is retired after the assessment completes.

Limitations:

  • This feature is currently only enabled for AWS instances in the following regions:
    • ap-northeast-1
    • ap-southeast-2
    • ca-central-1
    • eu-central-1
    • us-east-1
    • us-east-2
    • us-west-2
  • Assessments for default key-encrypted instances in all other regions will fail with the DefaultEbsKeyException exception.
  • Each customer managed key can have up to 50,000 grants. However, it’s unlikely that this quota will be reached since the grants are retired after assessments are complete. See the AWS Documentation for more information.
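The grant lifecycle described above, as an added example that is not InsightCloudSec's own code: the region list is the one on this page; the KMS grant operation list, the boto3-shaped client calls, and the fake clients are assumptions so the block runs offline.

```python
# Added example, not InsightCloudSec's own code: models the page's workaround for
# default-key-encrypted AWS snapshots (grant on the Rapid7 key -> copy -> retire).
# kms/ec2 are boto3-shaped clients; GRANT_OPERATIONS and Fake* are assumptions.

DEFAULT_KEY_REGIONS = {"ap-northeast-1", "ap-southeast-2", "ca-central-1",
                       "eu-central-1", "us-east-1", "us-east-2", "us-west-2"}
# Assumed minimal KMS operations EBS needs to encrypt a copy under a CMK.
GRANT_OPERATIONS = ["Encrypt", "Decrypt", "ReEncryptFrom", "ReEncryptTo",
                    "GenerateDataKey", "GenerateDataKeyWithoutPlaintext",
                    "DescribeKey", "CreateGrant"]

class DefaultEbsKeyException(Exception):
    """Default-key snapshot in a region where the workaround is not enabled."""

def reencrypt_snapshot_for_assessment(kms, ec2, region, snapshot_id,
                                      role_arn, rapid7_key_id):
    """Copy a default-key snapshot under the Rapid7 CMK via a short-lived grant
    (grantee == retiring principal == account role ARN); retire it on any exit."""
    if region not in DEFAULT_KEY_REGIONS:
        raise DefaultEbsKeyException(f"not supported in {region}")
    grant = kms.create_grant(KeyId=rapid7_key_id, GranteePrincipal=role_arn,
                             RetiringPrincipal=role_arn,
                             Operations=GRANT_OPERATIONS)
    try:
        copy = ec2.copy_snapshot(SourceRegion=region,
                                 SourceSnapshotId=snapshot_id,
                                 Encrypted=True, KmsKeyId=rapid7_key_id)
        return copy["SnapshotId"]
    finally:
        # Always retire: no standing permission on the Rapid7 key is left behind.
        kms.retire_grant(KeyId=rapid7_key_id, GrantId=grant["GrantId"])

class FakeKms:  # constructed stand-in for a boto3 KMS client
    def __init__(self):
        self.active, self.retired = {}, []
    def create_grant(self, **kw):
        grant_id = f"grant-{len(self.active) + len(self.retired) + 1}"
        self.active[grant_id] = kw
        return {"GrantId": grant_id, "GrantToken": "constructed-token"}
    def retire_grant(self, KeyId, GrantId):
        self.retired.append(self.active.pop(GrantId))

class FakeEc2:  # constructed stand-in for a boto3 EC2 client
    def __init__(self, fail=False):
        self.fail = fail
    def copy_snapshot(self, **kw):
        if self.fail:
            raise RuntimeError("copy failed")
        return {"SnapshotId": "snap-copy-" + kw["SourceSnapshotId"]}
```

With real boto3 clients the same function issues the actual CreateGrant, CopySnapshot and RetireGrant calls; the fakes only record them.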

How do I review the vulnerabilities found by InsightCloudSec?

All found vulnerabilities are contained within the unified host and container vulnerability dashboard (Security > Vulnerabilities in the InsightCloudSec navigation menu). See Reviewing and Managing Vulnerabilities for details.

How Do I Know if Assessments are Completing Successfully?

Assessment progress, errors, and issues are tracked on the Cloud Accounts page. An assessment typically completes in about 10 minutes. You can view the status page for an individual cloud account in order to understand what types of issues are occurring including:

  • Issues that are preventing assessments from completing successfully
  • The number of assessments that have occurred for a cloud account with information about the assessment completions over time

When do Assessments Occur?

Assessments happen as soon as a new instance is discovered in InsightCloudSec either through normal harvesting or Event Driven Harvesting. Once an instance is discovered, the snapshot is taken, assessed, and cleaned up as a part of the assessment process.

How Do I Start a Manual Assessment?

Assessments can be manually triggered by taking the Assess for Vulnerabilities Using InsightCloudSec action on an Instance (Resources > Compute > Instance) or by taking the Perform Vulnerability Scan action on a Container Image (Resources > Container > Container Image). This can be done by navigating to the desired resource, opening the Resource Properties panel, and navigating to the Actions tab and clicking the associated action. A manual assessment can also be performed directly from the Vulnerabilities page in the user interface.

Triggering an assessment starts the process immediately and the progress of the Assessment can be viewed on the Host Vulnerabilities progress page. The timing for an assessment to complete depends on the size of the snapshot/image and can take anywhere from 5 minutes to 20 minutes.

What if InsightVM is Assessing the Same Host Using the Rapid7 Agent?

You don’t need to remove the InsightVM agent. InsightCloudSec Vulnerability Management will snapshot instances with an existing agent and conduct the collection and assessment with no issues.

Most vulnerabilities will be reported identically between the two; however, InsightCloudSec has a larger scope of detection and may report more vulnerabilities than InsightVM.

This allows time to evaluate the new feature before removing the agent and transitioning Host instance vulnerability management from InsightVM to InsightCloudSec.

What Bot Actions Are Available?

A new category of Bot Actions has been added to support Vulnerabilities. This new category allows for Bots to execute reactively after new vulnerabilities or packages are discovered on an instance or container image.

Some common use cases for Bot Actions are notifying users that disallowed packages have been deployed, or shutting down instances that have Log4J vulnerabilities. The combination of Event Driven Harvesting and Bot Actions allows security administrators to respond to infrastructure and deployment changes within minutes.

Take a look at our BotFactory & Automation documentation for additional details on these capabilities.

How is "Risk Score" Calculated?

The Vulnerability Risk Score rating in InsightCloudSec uses a variety of factors to determine the rating of a vulnerability. Threat Feeds, Exploit Databases, and the vulnerability CVSS score are combined to produce a Risk Score to help prioritize vulnerabilities.

When viewing the risk score for a vulnerability there are details about the reason for the score produced: vulnerabilities with published exploits and vulnerabilities that threat feeds have marked as actively exploited will have scores that are higher than other vulnerabilities within the product that have similar CVSS scores.

For example, CVE-2022-0318 has a CVSS score of 9.8. This vulnerability is not actively exploited and does not have published exploits. This vulnerability has a risk score of 810 (if there are threats and/or exploits published in the future this risk score will change accordingly). On the other hand CVE-2020-15999 has a CVSS score of 6.5 and is a known exploited vulnerability according to the CISA KEV Catalog. The active exploitation of the vulnerability raises the risk score to 1000.

This calculation enables you to quickly identify vulnerabilities that need to be addressed in order to reduce the risk of your cloud environment.