Host Vulnerability Management - User Guide

A User Guide for Working with the InsightCloudSec Host Vulnerability Management Feature

After configuration and running an initial assessment(s) you can navigate to "Security --> Host Vulnerabilities" to see the capabilities HVM contains including:

  • Visualizations that provide a snapshot of risk
  • A table/list display with resources that were scanned during your assessment
  • Search functionality and filtering to narrow the list of resources to only the most critical or vulnerable
  • A tab of Known Vulnerabilities with details like the associated CVE ID, CVSS Score, and associated risk.
2480

Host Vulnerability Management - Feature Landing Page

Navigating Host Vulnerability Management

General Options

Add Filter
Filtering allows for narrowing the scope of the resources list using cloud accounts, regions, resource risk score and other useful properties. Click the “Add Filters” button to open the panel, and “Select a property” to get started. After choosing your desired filters, select “Apply” to update the page to reflect the results of your specified filters.

Search
Type into the search bar and the list of resources will automatically filter to match the criteria. Currently, search is limited to the resource name and type metadata attributes.

Download
The "Download" menu provides two options, the option to download a "Resource Vulnerability Report" or the option to download the "Resource Data", which will be generated in a CSV format.

Data Visualizations

The top of the page includes three individual data visualizations. These collapse with the "Hide" option to the right of the Overview.

2448

Host Vulnerability Management Overview

Vulnerabilities by Severity - displays discovered vulnerabilities by severity (Critical, High, Medium, Low). Hovering over a segment displays a count for the selected severity.

Vulnerabilities Criticality by Detection Date - displays a count of vulnerabilities grouped by severity and detection date.

Riskiest Packages by Prevalence - displays the riskiest packages discovered based on how often they appear within the analyzed hosts.

All Resources Table

Below the data visualizations is the main table/list display of all of the resources analyzed for Host Vulnerability Management. Details about the data reflect here is explored in more detail in the Feature FAQ.

The default columns that display for All Resources are:

  • Risk: The Risk score assigned to the resource
  • Resource Name: The name of the resource
  • Account: The Cloud account the resource is associated with
  • Public Access
    • Public: Reflects resources with public accessibility based on the specified system checks. Click “Public” to navigate directly to the "Context Details → Public Access" tab.
    • Not Public: Reflects resources that are not publicly accessible based on system checks.
  • Vulnerabilities: summary count(s) of vulnerabilities by severity for the selected resource
  • Image ID: ID for the image associated with the resource
  • Last Assessed: The time and date of the last successful scan
  • Action: a drop-down menu of actions available for the resource
275

All Resources - Action Menu

Packages

This tab provides a list of packages used in the host analysis. Selecting an individual package displays details for the package including scanned resources and vulnerabilities.

1476

Host Vulnerabilities - Package Details

The default columns that display for Packages are:

  • Risk: The Risk score assigned to the resource
  • Name: displays the name of the selected package
  • Impacted Resources: count of impacted resources for the package
  • Version: version of the package
  • Vulnerabilities: summary count(s) of vulnerabilities by severity for the selected resource
  • Assessment Date: date of the last assessment performed
  • Assessment Status: status of the last assessment performed

Vulnerabilities

This tab provides a list of Vulnerabilities used in the risk scoring of the resources. Selecting an individual CVE ID provides details of the selected CVE ID.

2480

Host Vulnerability Management - Example CVE ID

The default columns for Known Vulnerabilities the display are:

  • Risk: The Risk score assigned to CVE ID
  • CVE ID: The CVE ID associated with the vulnerability
  • CVSS Score: CVSS Score for the CVE ID listed
  • Impacted Packages: count of impacted packages for the CVE ID listed
  • Impacted Instances: count of instances impacted for the CVE ID listed
  • First Detected: time of the first detection for the CVE ID listed
  • Last Detected: time of the last detection for the CVE ID listed
  • Action: a drop-down menu of actions available for the CVE ID selected
339

Known Vulnerabilities - Actions Menu

Feature FAQ

How Do I Know if Assessments are Completing Successfully?

Assessment progress, errors, and issues are tracked on the Cloud page. An assessment typically completes in about 10 minutes. You can view the status page for an individual cloud account in order to understand what types of issues are occurring including:

  • Issues that are preventing assessments from completing successfully
  • The number of assessments that have occurred for a cloud account with information about the assessment completions over time

When do Assessments Occur?

Assessments happen as soon as a new instance is discovered in InsightCloudSec either through normal harvesting or Event Driven Harvesting. Once an instance is discovered the snapshot is taken, assessed, and cleaned up as a part of the assessment process.

How Do I Start a Manual Assessment?

Assessments can be manually triggered by taking the ‘Assess for Vulnerabilities Using InsightCloudSec’ action on an Instance. This can be done by navigating to the Host Resource and viewing the Actions that can be taken against the Host or executed through the InsightCloudSec API. A manual assessment can also be performed directly from the Host Vulnerabilities page in the user interface.

Triggering an assessment starts the snapshot immediately and the progress of the Assessment can be viewed on the Host Vulnerabilities progress page. The timing for an assessment to complete depends on the size of the image and can take anywhere from 5 minutes to 20 minutes.

Where Can I View the Host Vulnerabilities Assessment Results?

The assessment results can be seen on the Resources Page in the details blade of the Host and in the Host Vulnerabilities page in InsightCloudSec.

In order to report on Vulnerabilities across multiple Hosts, the Host Vulnerabilities page can be used. The Vulnerability Assessment page in the InsightCloudSec product allows for filtering, searching, and prioritization of Vulnerabilities across multiple Vulnerability sources consumed by InsightCloudSec.

What if InsightVM is Assessing the Same Host Using the Rapid7 Agent?

You don’t need to remove the InsightVM agent. InsightCloudSec Host Vulnerability Management will snapshot instances with an existing agent and conduct the collection and assessment with no issues.

Most vulnerabilities will be reported identically between the two; however, InsightCloudSec has a larger scope of detection and may report more vulnerabilities than InsightVM.

This allows time to evaluate the new feature before removing the agent and transitioning Host instance vulnerability management from InsightVM to InsightCloudSec.

What Bot Actions Are Available?

A new category of Bot Actions has been added to support HVM, this new category allows for Bots to execute reactively after new vulnerabilities or packages are discovered on an instance or container image.

Some common use cases for Bot Actions are: “Notify Users that un-allowed packages have been deployed” or “Shut down instances that have Log4J vulnerabilities”. The combination of Event Driven Harvesting and Bot Actions allows for security administrators to respond to infrastructure and deployment changes within minutes.

How is "Risk Score" Calculated?

The Vulnerability Risk Score rating in InsightCloudSec uses a variety of factors to determine the rating of a vulnerability. Threat Feeds, Exploit Databases, and the vulnerability CVSS score are combined to produce a Risk Score to help prioritize vulnerabilities.

When viewing the risk score for a vulnerability there are details about the reason for the score produced: vulnerabilities with published exploits and vulnerabilities that threat feeds have marked as actively exploited will have scores that are higher than other vulnerabilities within the product that have similar CVSS scores.

For example, CVE-2022-0318 has a CVSS score of 9.8. This vulnerability is not actively exploited and does not have published exploits. This vulnerability has a risk score of 810 (if there are threats and/or exploits published in the future this risk score will change accordingly). On the other hand CVE-2020-15999 has a CVSS score of 6.5, and is a known exploited vulnerability according to the CISA KEV Catalog. The active exploitation of the vulnerability raises the risk score to 1000.

This calculation enables you to quickly identify vulnerabilities that need to be addressed in order to reduce the risk of your cloud environment.