Get ready for our new and more efficient Vulnerability catalog!
As the number and types of endpoint vulnerabilities have increased over the years, the number of profiles and scanning rules in our Vulnerability Scanner catalog has expanded accordingly. But with a record number of new CVEs published each year, it was time to make some major changes to our vulnerabilities catalog. Here’s some background to help you prepare for the all-new “Professional 2.0” catalog with much faster scanning speed and performance.
In short
- baramundi is changing the vulnerability catalog: the new "Professional 2.0" profile replaces the old "Professional" profile, and the old "Community" profile is removed.
- Fewer rules does not necessarily mean fewer identified vulnerabilities. Rather, false-positive results are reduced.
- Framework vulnerabilities are detected more efficiently, with the focus on main applications.
- Important: The new catalog requires you to actively adapt existing jobs and delete old results. The "Professional" profile will then be frozen from April 1, 2023.
Editor’s note: be sure to read a couple of important notices at the end of this article.
Expressions like "If it ain't broke, don't fix it" and "Never touch a running system!" have been IT mantras for decades. That's ironic given that our industry thrives on innovation and "the latest and greatest," and because sysadmins who spend their days looking after users' end devices know full well that the security and performance of endpoints, and of the company network, suffer without a regular "touch."
But sometimes systems need an entirely new approach to meet changing circumstances. That's what we're doing with the old, reliable vulnerability catalog used by our Vulnerability Scanner. Here's some background on the new "Professional 2.0" catalog coming this spring and how to prepare to upgrade to it.
Out with the old, in with the new
The first big change is the removal of the old "Community" scan profile, which was the first and, for a time, the only catalog in the Vulnerability Scanner. Because it was only sporadically updated with community-contributed rules, we added the "Professional" profile in 2016. For compatibility reasons we kept the Community profile even though few rules were added to it afterwards.
The catalog in the Professional profile has grown a lot in recent years. As the number of vulnerabilities has skyrocketed, so has the time needed to check all of the rules during a scan, sometimes drastically. It became clear that a new solution was needed.
That brings us to the new "Professional 2.0" profile! It uses a new catalog with an optimized set of rules that relies on modified techniques and logic to detect unpatched vulnerabilities in your network. The main focus is to first detect and identify installed software and then scan it for the vulnerabilities relevant to it, rather than scanning for the mere existence of individual files, libraries, or components. It's a little like having a doctor assess your physical condition based on gender, family history, lifestyle and other factors specific to you, rather than going over every organ and system in your body looking for possible signs of every known disease.
Efficiency! – quantity doesn’t equal quality
A 60W incandescent bulb and an 8W LED bulb produce about the same amount of light, but the LED is far more efficient: it uses much less energy for the same illumination and wastes little of it as heat. The new Professional 2.0 profile in the Vulnerability Scanner is similar. It contains fewer rules, yet it combines very good detection of vulnerabilities with optimized performance and fewer false positives.
But what exactly is a rule, and what effect does the number of rules have? A rule in the vulnerability catalog describes how and where a vulnerable component can be identified. Essentially, it defines what to look for and where to look, and the more precisely it is defined, the more efficiently it can be checked. For example, searching for a file across the entire file system and all existing drives takes far more time and resources than searching in specific directories. The check is faster still if the file system doesn't need to be searched at all: when specific registry entries show that a software package is installed, only the files in its installation directory need to be checked.
You might be tempted to think that fewer rules means that fewer vulnerabilities will be detected. But there is no 1:1 relationship between the vulnerabilities and the rules. In fact, you may only need a single rule to detect a vulnerability, rather than using multiple rules that don’t affect the outcome of the scan. This is where the new optimized catalog can cut average scan times by more than half!
Fewer finds, more precision
It was precisely the large number of rules that sometimes produced vast numbers of detected vulnerabilities – basically “false positives”. In particular, vulnerable frameworks such as OpenSSL or Microsoft .NET sometimes resulted in dozens of vulnerabilities being found without naming the application using the framework. For admins, this usually meant manual analysis, only to discover that the vulnerable framework could not be replaced in isolation. In most cases, the main application had to be updated entirely.
The new catalog provides for a much easier analysis by identifying the affected application, not just a vulnerable framework component.
This new scanning mechanism means that you don't have to see and review every single instance of a detected framework vulnerability, only whether, and to what extent, the affected functions it contains are actually used by applications.
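The two ideas above, starting from the registry instead of walking the whole disk and reporting a framework component against the application that bundles it, can be shown in a few lines of PowerShell. This is an added illustration, not baramundi's scanner logic or a catalog rule; it assumes a Windows endpoint, PowerShell 5.1 or later and read access to HKLM, and the OpenSSL DLL name pattern is just a placeholder for whatever framework you care about.

```powershell
# Added example (not baramundi's own scanner logic): inventory which installed
# applications bundle an OpenSSL DLL, starting from the registry rather than the
# file system. Assumptions: Windows, PowerShell 5.1 or later, read access to HKLM.
# The component pattern is illustrative; adjust it for the framework in question.

function Get-BundledComponentInventory {
    param(
        # Regex matching the framework files you want to attribute to an application.
        [string]$ComponentPattern = '^(libssl|libcrypto)[\w.-]*\.dll$'
    )

    # Step 1: ask the registry what is installed and where. Both the native and the
    # WOW6432Node (32-bit software on 64-bit Windows) uninstall keys are consulted.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallLocation } |
        ForEach-Object {
            # Some installers store the path with surrounding quotes or spaces.
            $dir = $_.InstallLocation.Trim('"', ' ')
            if (Test-Path -LiteralPath $dir -PathType Container) {
                [pscustomobject]@{
                    Name     = $_.DisplayName
                    Version  = $_.DisplayVersion
                    Location = $dir
                }
            }
        }

    # Step 2: look only inside those installation directories, never the whole disk.
    foreach ($app in $apps) {
        Get-ChildItem -LiteralPath $app.Location -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $ComponentPattern } |
            ForEach-Object {
                # Step 3: report the finding against the application, which is the
                # unit an admin can actually update or uninstall.
                [pscustomobject]@{
                    Application      = $app.Name
                    AppVersion       = $app.Version
                    Component        = $_.Name
                    ComponentVersion = $_.VersionInfo.ProductVersion
                    Path             = $_.FullName
                }
            }
    }
}

# One row per application, component and version, instead of one alert per DLL copy.
Get-BundledComponentInventory |
    Sort-Object Application, Component, ComponentVersion -Unique |
    Format-Table Application, AppVersion, Component, ComponentVersion -AutoSize
```

Two caveats a practitioner should keep in mind. Installers that leave InstallLocation empty are invisible to this approach, which is why a real catalog rule typically encodes additional locators per product rather than relying on one registry value. And the component version reported here says nothing by itself about whether the application is exploitable; that is exactly the vendor-confirmation step the article describes next.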
Through intensive exchange with our customers, we have learned that a considerable amount of work is involved in handling framework vulnerabilities, especially at security-sensitive companies. Simply put, a service request is opened with the vendor of each application that is connected to a vulnerability found in a library, asking whether the application is affected. That may mean applying an immediate update (if available) or even uninstalling the affected software. But if the application is not affected by the vulnerability despite using the vulnerable framework component, an exception is defined in the baramundi Management Suite as a "false positive."
Based on this feedback about framework-specific vulnerabilities, the new catalog lists only the actual location of the main application, and only if the vulnerability has been confirmed by the application vendor with the relevant information (component, CVE ID, severity, attack vector, etc.). This approach significantly reduces the number of potential false positives and the resulting extra cycles and workload for sysadmins.
In addition, this consolidated view reduces the number of elements to be analyzed, making it easier to find solutions. Often, the main application can be easily updated via the "Managed Software" or "Deploy" modules in the bMS.
Prepare to switch now!
Since the new vulnerability catalog works with its own set of rules, it also creates a new entry in the database for each vulnerability it finds. For example, if a vulnerability such as CVE-2022-41089 was already detected with the "Professional" profile and has not yet been remediated, the "Professional 2.0" profile will also find it, so the vulnerability is shown twice on the affected endpoints and in dashboards and statistics.
Since this can cause confusion, your environment will not be automatically switched to the new profile.
To take advantage of the new "Professional 2.0" vulnerability catalog, you need to actively switch your existing jobs and delete the old results from the previous "Professional" profile. The results can be deleted either for individual endpoints or for entire groups. To delete at an endpoint, open it in a tab, select "Compliance" from the menu on the left and "Scan status" below it to display the profiles scanned on that endpoint. Right-click on "Professional – DEPRECATED" and click "Delete". As soon as you confirm, the results are removed from the database.
Similarly, to delete the results at the group level: Open the desired group as a tab and navigate to “Compliance (Windows)”, “Scan status of devices”. You’ll see a listing of all profiles used on the endpoints in the selected group and subgroups. To display the profile you want to delete, type “deprecated” in the filter box.
Now only the entries for the old profile should be listed. You can select and delete these – done!
GOOD TO KNOW: It's possible to create a new job with the "Professional 2.0" profile and run it on selected endpoints without deleting the old results first. This allows you to directly compare the results from the old and the new profile. However, we strongly recommend that you delete the old results before deploying the new profile.
AN IMPORTANT TIME-SENSITIVE DEADLINE:
The "Professional" profile will be frozen as of April 1, 2023, meaning that no new rules will be added and existing rules can no longer be changed. Be sure that you have completed the move to the "Professional 2.0" profile by this date.