QVM Search Criteria Overview

Each entry below gives the search criterion, a brief description, the customer value, and the prerequisites.
Search criteria: Access complexity
Brief description: The complexity of the process of exploiting the vulnerability. Low-complexity vulnerabilities are very easy to exploit and do not require any end-user action (e.g. clicking on a link). This is a CVSS Base metric; see http://www.first.org/cvss for further details.
Customer value: Vulnerabilities with a low access complexity are VERY easy to exploit and should be remediated quickly.
Prerequisites: None

Search criteria: Access Vector
Brief description: Used to identify vulnerabilities that can be exploited remotely, i.e. the attacker does not need physical access to the vulnerable asset. This is a CVSS Base metric; see http://www.first.org/cvss for further details.
Customer value: Network-exploitable vulnerabilities are very easy to exploit. When combined with access complexity and authentication (see below), the most easily exploitable vulnerabilities can be identified and remediated quickly.
Prerequisites: None
Search criteria: Asset saved search
Brief description: Only returns vulnerabilities that are on assets returned by an asset saved search created in the Asset tab.
Customer value: Useful for limiting the assets returned by more complex criteria (e.g. assets in a specific location).
Prerequisites: Asset saved search must exist
Search criteria: Assigned user
Brief description: Only returns vulnerabilities assigned to users where the user name meets the specified criteria.
Customer value: To generate reports about vulnerabilities assigned to specific users or groups of users as part of a vulnerability remediation process.
Prerequisites: Vulnerabilities must have been assigned. This can be done manually or by setting up asset owners in 'vulnerability assignment'.
Search criteria: Authentication
Brief description: Returns vulnerabilities that either require no authentication, or require the attacker to authenticate (i.e. log on) to the system in order to exploit the vulnerability. This is a CVSS Base metric; see http://www.first.org/cvss for further details.
Customer value: 'No authentication required' vulnerabilities are very easy to exploit and should be remediated ASAP.
Prerequisites: None
Search criteria: Availability Impact
Brief description: Determines if the vulnerable system can be made unavailable (e.g. a DoS vulnerability) if the target system is exploited. This is a CVSS Base metric; see http://www.first.org/cvss for further details.
Customer value: Can easily find denial-of-service vulnerabilities.
Prerequisites: None

Search criteria: Confidentiality Impact
Brief description: Determines if the vulnerability, when exploited, has the potential to enable a leak of confidential information. This is a CVSS Base metric; see http://www.first.org/cvss for further details.
Customer value: Determine what vulnerabilities can lead to data leakage.
Prerequisites: None
Search criteria: CVE ID
Brief description: Returns vulnerabilities with a specific CVE ID.
Customer value: The CVE ID is the most common method used to reference vulnerabilities. Virtually every vulnerability published now has a CVE ID.
Prerequisites: None
Search criteria: CVSS Base Score
Brief description: Enables vulnerabilities to be filtered based on their CVSS base score; see http://www.first.org/cvss.
Customer value: CVSS is the most common and widely recognised vulnerability risk scoring mechanism.
Prerequisites: None
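The Access Vector, Authentication and CVSS Base Score rows above all describe CVSS Base metrics and recommend combining them to find the most easily exploitable vulnerabilities. The following is an added example written for this page (not QVM's or IBM's code) that parses CVSS v2 base vectors, which use exactly the Access Vector / Access Complexity / Authentication metric names the table uses, computes the base score with the published CVSS v2 equation, and flags the AV:N/AC:L/Au:N combination. The vulnerability records are constructed sample input, and the IDs are placeholders, not real CVEs.

```python
"""CVSS v2 base vector parsing, base score, and 'trivially exploitable' triage.
Added example for this page, not QVM code. SAMPLE_VULNS is constructed input."""
import re

# CVSS v2 base metric weights from the FIRST CVSS v2 guide.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector: Local / Adjacent / Network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity: High / Medium / Low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication: Multiple / Single / None
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality / Integrity / Availability impact

_VECTOR = re.compile(
    r"^AV:(?P<AV>[LAN])/AC:(?P<AC>[HML])/Au:(?P<Au>[MSN])"
    r"/C:(?P<C>[NPC])/I:(?P<I>[NPC])/A:(?P<A>[NPC])$"
)


def parse_vector(vector):
    """Return the six base metrics of a CVSS v2 vector as a dict, or raise ValueError."""
    m = _VECTOR.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return m.groupdict()


def base_score(vector):
    """CVSS v2 base score equation, rounded to one decimal place as the spec requires."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]]))
    exploitability = 20 * AV[v["AV"]] * AC[v["AC"]] * AU[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def trivially_exploitable(vector):
    """Network-reachable, low-complexity, no-authentication: the combination the
    Access Vector row says should be remediated first."""
    v = parse_vector(vector)
    return v["AV"] == "N" and v["AC"] == "L" and v["Au"] == "N"


def triage(vulns, min_score=7.0):
    """Return (id, base score, trivially exploitable) tuples, trivially exploitable
    vulnerabilities first, then by descending score; anything below min_score is dropped."""
    rows = [(trivially_exploitable(v["cvss"]), base_score(v["cvss"]), v["id"]) for v in vulns]
    rows = [r for r in rows if r[1] >= min_score]
    rows.sort(key=lambda r: (not r[0], -r[1], r[2]))
    return [(vid, score, easy) for easy, score, vid in rows]


# Constructed sample records; the IDs are placeholders, not real CVE IDs.
SAMPLE_VULNS = [
    {"id": "VULN-A", "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},   # remote, unauthenticated, full compromise
    {"id": "VULN-B", "cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},   # remote, unauthenticated, partial impact
    {"id": "VULN-C", "cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},   # local denial of service only
    {"id": "VULN-D", "cvss": "AV:N/AC:H/Au:S/C:C/I:C/A:C"},   # remote, but hard and needs a login
]

if __name__ == "__main__":
    for vid, score, easy in triage(SAMPLE_VULNS):
        print(vid, score, "trivially exploitable" if easy else "")
```

With the sample input, VULN-A (10.0) and VULN-B (7.5) sort ahead of VULN-D (7.1) even though VULN-D has the same impact as VULN-A, because VULN-D needs a login and has high access complexity; VULN-C (2.1) falls below the threshold.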
Search criteria: Days since asset found
Brief description: Only returns vulnerabilities on assets based on when QRadar (i.e. from logs, flows, and/or vulnerability scans) first discovered the asset.
Customer value: Very useful to only report on vulnerabilities on assets that have been added to a network recently, as these are the ones that typically have a lot of nasty vulnerabilities (e.g. default configuration).
Prerequisites: None
Search criteria: Days since associated vulnerability service traffic
Brief description: Only returns vulnerabilities where there has been L7 network traffic in or out of the asset (detected by QFlow) where the L7 application correlates with the L7 application of the vulnerability. The L7 application associated with a vulnerability can be seen in the vulnerability details screen under 'Associated service'.
Customer value: Very useful to only report on vulnerabilities where there has been associated traffic that indicates the product is in use and that the traffic could be carrying exploit attempts. A lot of servers are installed with vulnerable software that is never actually used, so applying this filter criterion is a great way to focus on vulnerabilities that have a much higher probability of exploitation.
Prerequisites: QFlow installed
Search criteria: Days since exploit attempt
Brief description: Only returns vulnerabilities that have had an exploit attempt against them in the last X days.
Customer value: Obviously it is very important to remediate such vulnerabilities ASAP.
Prerequisites: QRadar SIEM with IPS/IDS events
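The two criteria above (days since associated vulnerability service traffic, days since exploit attempt) both correlate a finding with telemetry about the same asset. The following is an added example written for this page, not QVM code, that re-creates both over constructed QFlow-style flow records and IPS events. The record layouts, the fixed clock, and the mapping from IPS signature name to the vulnerability it targets are all assumptions made for the example; the vulnerability IDs are placeholders.

```python
"""Days-since-service-traffic and days-since-exploit-attempt over constructed
flow and IPS data. Added example for this page, not QVM code."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2014, 3, 1, tzinfo=timezone.utc)   # fixed clock so the example is repeatable


def _ago(days):
    return NOW - timedelta(days=days)


# Constructed findings. 'service' is the L7 application QVM shows under
# 'Associated service' in the vulnerability details screen.
VULNS = [
    {"asset": "10.0.0.5", "vuln": "VULN-SSH-1",  "service": "SSH"},
    {"asset": "10.0.0.5", "vuln": "VULN-FTP-1",  "service": "FTP"},
    {"asset": "10.0.0.9", "vuln": "VULN-HTTP-1", "service": "HTTP"},
]
# Constructed QFlow-style records: L7 application and when the flow was last seen.
FLOWS = [
    {"src": "10.0.0.7", "dst": "10.0.0.5",   "app": "SSH",  "last_seen": _ago(2)},
    {"src": "10.0.0.9", "dst": "10.0.0.200", "app": "HTTP", "last_seen": _ago(40)},
    {"src": "10.0.0.7", "dst": "10.0.0.5",   "app": "DNS",  "last_seen": _ago(0)},  # not a vulnerable service
]
# Constructed IPS/IDS events as QRadar would receive them, and the assumed mapping
# from IPS signature name to the vulnerability the signature targets.
EVENTS = [
    {"dst": "10.0.0.5", "signature": "SSH-Exploit-Attempt",  "time": _ago(1)},
    {"dst": "10.0.0.9", "signature": "HTTP-Exploit-Attempt", "time": _ago(15)},
    {"dst": "10.0.0.5", "signature": "Port-Scan",            "time": _ago(0)},  # maps to no vulnerability
]
SIGNATURE_MAP = {"SSH-Exploit-Attempt": "VULN-SSH-1", "HTTP-Exploit-Attempt": "VULN-HTTP-1"}


def days_since_service_traffic(vuln, flows):
    """Age in days of the most recent L7 flow in or out of the asset whose application
    matches the vulnerability's associated service; None if the service was never seen."""
    seen = [f["last_seen"] for f in flows
            if vuln["asset"] in (f["src"], f["dst"]) and f["app"] == vuln["service"]]
    return (NOW - max(seen)).days if seen else None


def days_since_exploit_attempt(vuln, events, signature_map):
    """Age in days of the most recent IPS/IDS event aimed at the vulnerable asset whose
    signature maps to this vulnerability; None if no attempt was seen."""
    seen = [e["time"] for e in events
            if e["dst"] == vuln["asset"] and signature_map.get(e["signature"]) == vuln["vuln"]]
    return (NOW - max(seen)).days if seen else None


def select(vulns, flows, events, signature_map, max_traffic_days=None, max_exploit_days=None):
    """Apply the two 'days since' criteria; each is only applied when given.
    Returns (vuln id, days since service traffic, days since exploit attempt)."""
    out = []
    for v in vulns:
        t = days_since_service_traffic(v, flows)
        e = days_since_exploit_attempt(v, events, signature_map)
        if max_traffic_days is not None and (t is None or t > max_traffic_days):
            continue
        if max_exploit_days is not None and (e is None or e > max_exploit_days):
            continue
        out.append((v["vuln"], t, e))
    return out


if __name__ == "__main__":
    print(select(VULNS, FLOWS, EVENTS, SIGNATURE_MAP, max_traffic_days=7))
    print(select(VULNS, FLOWS, EVENTS, SIGNATURE_MAP, max_exploit_days=30))
```

Note that a finding with no matching traffic at all (VULN-FTP-1 here) is excluded whenever the traffic criterion is applied, which is exactly the "installed but never used" case the table describes; a DNS flow to the same asset does not count for the SSH finding because the L7 application has to match the associated service.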
Search criteria: Days since vulnerability discovered
Brief description: Only returns vulnerabilities first discovered in the last X days.
Customer value: Very often it is useful to focus only on vulnerabilities that have been newly discovered and remove all the vulnerabilities that are already known about.
Prerequisites: None
Search criteria: Days since vulnerability published
Brief description: Only returns vulnerabilities that have been published in the last X days.
Customer value: Very useful to focus on newly published vulnerabilities. E.g. Microsoft publishes new vulnerabilities each month; after a scan it is useful to only report on those new ones, and not on ones that are many years old.
Prerequisites: None
Search criteria: External reference of type
Brief description: In QVM, vulnerabilities can have numerous external references (e.g. CVE ID, MS Bulletin, X-Force ID). This search parameter only returns vulnerabilities where an external reference of the specified type exists for the vulnerability.
Customer value: Easy to filter on MS vulnerabilities, e.g. where the external reference is of type 'MS Bulletin', or on vulnerabilities for which a patch exists to fix them, where the external reference is of type 'Endpoint Manager Patch'.
Prerequisites: None
Search criteria: Found by scan profile
Brief description: Only returns vulnerabilities that were discovered by a specific scan profile.
Customer value: Often useful to only report on vulnerabilities that were found by a specific QVM scan profile, e.g. "Daily DMZ Scan".
Prerequisites: None
Search criteria: Found by Scanner
Brief description: Only returns vulnerabilities discovered by a specific scanner.
Customer value: QVM can take scan data from multiple 3rd party scanners. It is often useful to only view vulnerabilities returned by a specific scanner, e.g. AppScan to view all web application vulnerabilities, and Endpoint Manager to view those reported (and therefore remediable) by Endpoint Manager.
Prerequisites: A 3rd party scanner feed
Search criteria: Hostname
Brief description: Only returns vulnerabilities on assets where the hostname matches the criteria.
Customer value: Useful to only view vulnerabilities on a specific host, or on a series of hosts that have a common naming scheme (e.g. EXCH*).
Prerequisites: None
Search criteria: Impact
Brief description: Only returns vulnerabilities that, if exploited, have a specific potential business impact.
Customer value: Useful for building reports of vulnerabilities where the impact could be one or more of access control, denial of service, etc.
Prerequisites: None
Search criteria: Include early warnings
Brief description: Includes vulnerabilities discovered using QVM's early warning capability. These are hidden by default.
Customer value: QVM detects early warning vulnerabilities by correlating installed products (from the last scan) with product information in newly published vulnerabilities, without needing a new scan. It is very useful to see new vulnerabilities very quickly, e.g. after the Microsoft Patch Tuesday vulnerabilities have been published.
Prerequisites: A previous scan must have been run
Search criteria: Include vulnerability exceptions
Brief description: Includes vulnerabilities that have had an exception marked against them. These are hidden by default.
Customer value: Useful to see the complete vulnerability posture, including those vulnerabilities that have been exceptioned. Often required by auditors.
Prerequisites: Vulnerabilities must have been exceptioned
Search criteria: Integrity Impact
Brief description: Only includes vulnerabilities that meet the CVSS integrity impact criteria. This is a CVSS Base metric; see http://www.first.org/cvss for further details.
Customer value: Useful to view vulnerabilities that can impact business integrity.
Prerequisites: None
Search criteria: IPv4 address
Brief description: Only includes vulnerabilities on assets with a specific IP address or CIDR.
Customer value: Common need to produce reports on specific IPs.
Prerequisites: None
Search criteria: Network
Brief description: Only includes vulnerabilities on assets in specific networks.
Customer value: Common need to produce network reports for users.
Prerequisites: None
Search criteria: Only include assets with risk
Brief description: Only includes assets that have passed or failed a specific QRM risk policy.
Customer value: Vulnerabilities on assets that are particularly 'at risk', e.g. those that have been talking to potentially malicious IPs, are at much higher risk of exploitation and should be remediated first. QRM policies are a very powerful way of determining which assets are most at risk.
Prerequisites: QRadar Risk Manager risk policies defined and being monitored
Search criteria: Only include early warnings
Brief description: Only includes vulnerabilities discovered by QVM's early warning capability.
Customer value: Often useful to only see early warning vulnerabilities and not those discovered by scanning, so that quick action can be taken. Makes for a good dashboard item.
Prerequisites: None
Search criteria: Only include vulnerability exceptions
Brief description: Only includes vulnerabilities that have an exception.
Customer value: For auditing purposes it is often very important to be able to view which vulnerabilities have been exceptioned.
Prerequisites: None
Search criteria: Only include PCI Failures
Brief description: Only includes vulnerabilities that have failed the PCI criteria.
Customer value: For reporting and auditing purposes on assets that need to adhere to PCI compliance, it is important to view the vulnerabilities that would cause a failure, as not all vulnerabilities do.
Prerequisites: None
Search criteria: Overdue by days
Brief description: Only includes vulnerabilities that have been assigned for remediation and are now overdue by a number of days.
Customer value: Every network has thousands of vulnerabilities, therefore a vulnerability management program needs to be in place where these are remediated. This criterion enables users to see which vulnerabilities are falling outside of that process and require escalation, for example 'high risk vulnerabilities that are more than 10 days overdue'.
Prerequisites: Vulnerabilities must have been assigned for remediation
Search criteria: Patch Status
Brief description: Only returns vulnerabilities on assets that are fixed with a patch that has a specific status.
Customer value: A lot of vulnerabilities (e.g. Microsoft ones) are fixed by patch management systems such as IBM Endpoint Manager. This criterion allows users to report on, or exclude, those vulnerabilities before another scan is run to confirm the patch has been applied.
Prerequisites: IBM Security Endpoint Manager installed
Search criteria: PCI Severity
Brief description: Only returns vulnerabilities with a specific PCI severity status.
Customer value: PCI defines 5 severity levels, the top 3 being automatic failures.
Prerequisites: None
Search criteria: Quick Search
Brief description: Only returns vulnerabilities where the vulnerability details (i.e. those shown in the vulnerability details screen) meet the search criteria.
Customer value: Enables broader sets of vulnerabilities to be filtered on, e.g. ("default password" AND Microsoft). Wildcard characters can also be included. This is often used to only report on vulnerabilities from a specific vendor, or as a quick, single point to enter an external reference (e.g. CVE ID, IPS signature, etc.).
Prerequisites: None
Search criteria: Risk
Brief description: Only returns vulnerabilities that match the specified risk criteria.
Customer value: QVM ranks vulnerabilities into 4 risk categories, High being the highest risk. It is really useful for users to focus only on high risk vulnerabilities in their remediation processes.
Prerequisites: None
Search criteria: Risk Score
Brief description: Only returns vulnerabilities based on their risk score value.
Customer value: QVM and QRM jointly calculate a risk score. This score is based on the CVSS score of the vulnerability, but it can be modified upwards or downwards based on QRM risk policies. For example, if a vulnerability is on an asset that has been communicating with malicious IPs then its risk score can be automatically increased. If no QRM policies are defined then the risk score is the same as the CVSS score.
Prerequisites: QRadar Risk Manager policies defined that adjust vulnerability scores; otherwise the risk score is the same as the CVSS score
Search criteria: Status
Brief description: Only includes vulnerabilities where the associated remediation ticket has a specific status. Status values are:
Open = Ticket is opened
Closed = Ticket has been closed by a user
Auto-Closed = Ticket has been auto-closed by QVM because the vulnerability has been rescanned and is no longer present
Re-opened = Ticket has been re-opened by QVM because a vulnerability that had a status of Closed or Auto-Closed was again detected in the last scan
Fixed = Ticket has been set to Fixed by a user, pending a further process to set it to Closed
Customer value: If vulnerabilities are assigned to users, QVM creates an internal remediation ticket with a status that can be modified by the user, but which is also modified by QVM automatically as it detects status changes in vulnerabilities on subsequent scans (e.g. it determines that a vulnerability is fixed, or that one marked as closed is still open).
Prerequisites: Vulnerability assignment is being used
Search criteria: Technical Owner Contact
Brief description: Only includes vulnerabilities on assets where the technical owner contact field meets the specified criteria.
Customer value: Enables vulnerability reports to be produced for specific technical owners, who are responsible for remediating vulnerabilities on their assets. QVM can automatically generate vulnerability reports for hundreds of technical owners.
Prerequisites: Technical owners defined in QRadar
Search criteria: Unassigned
Brief description: Only returns vulnerabilities that are either assigned or unassigned.
Customer value: Enables reports on the unassigned vulnerability posture to be viewed. This is important, as unassigned vulnerabilities are ones for which there is effectively no plan to remediate.
Prerequisites: Vulnerability assignment is configured and being used
Search criteria: Vulnerability
Brief description: Only returns the specific vulnerabilities defined in the search criteria.
Customer value: Enables reports to be built that only return specific vulnerabilities.
Prerequisites: None
Search criteria: Vulnerability has external reference
Brief description: Only returns vulnerabilities that have a specific external reference value.
Customer value: Useful for creating reports such as 'Vulnerabilities in MS14-009', where the external reference type is MS Bulletin and the value is 'MS14-009'.
Prerequisites: None
Search criteria: Vulnerability has a virtual patch from vendor
Brief description: Only returns vulnerabilities that do, or do not, map to a detection signature from the selected vendor(s)' threat detection platforms (IPS/IDS).
Customer value: Very useful for understanding which vulnerabilities can, and cannot, be mitigated by the threat platforms deployed.
Prerequisites: None
Search criteria: Vulnerability on open port
Brief description: Only returns vulnerabilities on specific open port(s).
Customer value: Such vulnerabilities are typically very easily discovered and exploited, and should be remediated ASAP.
Prerequisites: None
Search criteria: Vulnerability on open service
Brief description: Only returns vulnerabilities on an open service.
Customer value: Similar to 'Vulnerability on open port', except that the service the port is being used for can be specified, thus removing the need to know the specific port number, as this can vary wildly on a network from asset to asset. Typically used for services such as ssh, http, https, vnc, ftp and dns.
Prerequisites: None
Search criteria: Vulnerability reference
Brief description: Only returns vulnerabilities whose associated external reference value is in a reference set.
Customer value: A really nice way to build a view of 'must watch for' vulnerabilities, where the list of vulnerabilities to watch for is held in a reference set and is therefore easily updated externally from QVM (e.g. via a file, or the reference data API).
Prerequisites: Reference set must be populated with the associated vulnerability external reference values
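The Vulnerability reference criterion above depends on a reference set that is maintained outside QVM. The following is an added example written for this page, not QVM's or IBM's code, showing the file-driven side of that workflow: parse a watch-list file, build the request that would load it into a QRadar reference set, and evaluate the same 'must watch for' match locally against constructed vulnerability records. The bulk-load endpoint (POST /api/reference_data/sets/bulk_load/{name}) and the SEC token header are assumed from the public QRadar REST API and should be checked against your version's API documentation; the file contents, records and the CVE-style values are constructed placeholders.

```python
"""Watch-list file -> reference set bulk load -> 'must watch for' match.
Added example for this page, not QVM code. Endpoint and header are assumptions."""
import json
import re
import urllib.request

# Constructed watch list as a file might hold it: one value per line, blank lines and
# '#' comments ignored. The CVE-style values are placeholders, not real identifiers.
WATCHLIST_FILE = """
# Must-watch references, one per line
cve-1111-0001
CVE-1111-0002   # trailing comment
not a cve
CVE-1111-0001
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def load_watchlist(text):
    """Strip comments and whitespace, normalise case, validate the CVE ID format, and
    drop duplicates while keeping first-seen order. Returns (accepted, rejected)."""
    values, rejected = [], []
    for raw in text.splitlines():
        value = raw.split("#", 1)[0].strip().upper()
        if not value:
            continue
        if not CVE_RE.match(value):
            rejected.append(value)          # never push garbage into the reference set
        elif value not in values:
            values.append(value)
    return values, rejected


def bulk_load_request(console, token, set_name, values):
    """Build, but do not send, the request that loads the values into the named
    reference set. Assumed endpoint: POST /api/reference_data/sets/bulk_load/{name}
    with a JSON array body; 'SEC' is the QRadar API-token header. The caller can
    pass the result to urllib.request.urlopen()."""
    url = f"https://{console}/api/reference_data/sets/bulk_load/{set_name}"
    body = json.dumps(values).encode()
    headers = {"SEC": token, "Content-Type": "application/json", "Accept": "application/json"}
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def must_watch(vulns, watch_values):
    """The search itself: vulnerabilities whose external reference values intersect
    the reference set. Matching is case-insensitive because scanners differ."""
    watch = set(watch_values)
    return [v["id"] for v in vulns if watch & {r.upper() for r in v["references"]}]


# Constructed records; 'references' mirrors a vulnerability's external reference values.
SAMPLE_VULNS = [
    {"id": "VULN-1", "references": ["CVE-1111-0001", "MS-PLACEHOLDER"]},
    {"id": "VULN-2", "references": ["CVE-1111-0009"]},
    {"id": "VULN-3", "references": ["cve-1111-0002"]},
]

if __name__ == "__main__":
    values, rejected = load_watchlist(WATCHLIST_FILE)
    print("loading", values, "rejected", rejected)
    req = bulk_load_request("qradar.example", "api-token-placeholder", "must_watch", values)
    print(req.get_method(), req.full_url)
    print("must watch:", must_watch(SAMPLE_VULNS, values))
```

The validation step matters more than it looks: anything that reaches the reference set becomes a search term, so a malformed line would silently match nothing while appearing to be monitored.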
Search criteria: Vulnerability state
Brief description: Returns vulnerabilities based on their state value, which can be New, Fixed, Existing, or Pre-Existing. By default only Existing vulnerabilities are shown.
New = Just found in the last scan
Fixed = Found by a previous scan, and not reported in a subsequent scan
Pre-Existing = Existed prior to the last scan
Existing = Reported in the last scan
Customer value: QVM automatically maintains the state of the vulnerabilities it discovers in a scan. This is really useful for reporting on vulnerabilities that are fixed, or new, since the last scan.
Prerequisites: None
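The Status row and the Vulnerability state row above both describe bookkeeping that QVM performs automatically as scans repeat: deriving a per-finding state from consecutive scans, and moving remediation tickets between Open, Closed, Auto-Closed, Re-opened and Fixed. The following is an added example written for this page, not QVM's implementation, that models both on constructed scan results. Where the table does not spell out a transition (what happens to a Fixed ticket on rescan, or to a finding on an asset the latest scan did not cover) the code leaves the status unchanged or marks the finding Pre-Existing, and says so in a comment; treat those as assumptions.

```python
"""Per-finding state from consecutive scans, and remediation-ticket status changes.
Added example for this page, not QVM code. Scan results are constructed."""

# Vulnerability state values (Vulnerability state row).
NEW, EXISTING, PRE_EXISTING, FIXED_STATE = "New", "Existing", "Pre-Existing", "Fixed"
# Remediation ticket status values (Status row).
OPEN, CLOSED, AUTO_CLOSED, REOPENED, FIXED = "Open", "Closed", "Auto-Closed", "Re-opened", "Fixed"


def vulnerability_states(previous, latest, latest_assets):
    """previous/latest: sets of (asset, vuln_id) findings from the two most recent scans;
    latest_assets: the assets the latest scan actually covered.
    Assumption: a finding on an asset the latest scan did not cover is reported as
    Pre-Existing (it existed prior to the last scan and has no newer verdict)."""
    states = {}
    for finding in previous | latest:
        asset, _ = finding
        if finding in latest:
            states[finding] = EXISTING if finding in previous else NEW
        elif asset in latest_assets:
            states[finding] = FIXED_STATE   # found before, absent from a scan that covered the asset
        else:
            states[finding] = PRE_EXISTING
    return states


def default_view(states):
    """The default search shows only Existing findings."""
    return sorted(f for f, s in states.items() if s == EXISTING)


def after_rescan(status, present):
    """Automatic status change QVM makes when a subsequent scan reports the
    vulnerability present (True) or absent (False)."""
    if present and status in (CLOSED, AUTO_CLOSED):
        return REOPENED       # marked closed but detected again in the last scan
    if not present and status in (OPEN, REOPENED):
        return AUTO_CLOSED    # rescanned and no longer present
    return status             # Fixed and any other combination: no automatic change is described


def after_user_action(status, action):
    """Manual changes: a user can close a ticket, or mark it fixed pending a further
    process that sets it to closed."""
    if action == "close":
        return CLOSED
    if action == "fix":
        return FIXED
    raise ValueError(f"unknown action {action!r}")


def replay(events, status=OPEN):
    """Apply a sequence of ('scan', present) / ('user', action) events to one ticket
    and return the status after each step."""
    history = []
    for kind, arg in events:
        status = after_rescan(status, arg) if kind == "scan" else after_user_action(status, arg)
        history.append(status)
    return history


# Constructed scan results: two assets; the latest scan did not cover 'db1'.
PREVIOUS = {("web1", "V1"), ("web1", "V2"), ("db1", "V3")}
LATEST = {("web1", "V2"), ("web1", "V4")}
LATEST_ASSETS = {"web1"}

# Constructed ticket history: detected, closed by a user, detected again (re-opened by
# QVM), gone on the next scan (auto-closed), marked fixed, still absent.
TICKET_EVENTS = [("scan", True), ("user", "close"), ("scan", True),
                 ("scan", False), ("user", "fix"), ("scan", False)]

if __name__ == "__main__":
    for finding, state in sorted(vulnerability_states(PREVIOUS, LATEST, LATEST_ASSETS).items()):
        print(finding, state)
    print(replay(TICKET_EVENTS))
```

The point the Status row makes is visible in the replay: a user closing a ticket does not make the vulnerability go away, and the next scan that still finds it re-opens the ticket; only a rescan that no longer reports it results in Auto-Closed.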
Search criteria: Vulnerability with risk
Brief description: Returns vulnerabilities that have failed a QRadar Risk Manager risk policy.
Customer value: QRadar Risk Manager enables vulnerabilities to be detected that are, for example, exploitable from the internet, or exploitable from untrusted networks, based on firewall and IPS rules. Utilising these policies and this search criterion, QVM can easily produce reports on such vulnerabilities.
Prerequisites: QRadar Risk Manager