CAASM Use Case #13: Identifying and Prioritizing Vulnerabilities

Watch where you’re steppin’!

Vulnerabilities are like hidden landmines scattered across your digital terrain. You know they’re there, but finding and neutralizing them before they cause damage? That’s the real challenge.

Welcome back, cybersecurity sleuths! 🔍

Today, we’re embarking on a mission that’s all about identifying and prioritizing those pesky vulnerabilities lurking in your environment. Think of it as being the Sherlock Holmes of cybersecurity—piecing together clues and outsmarting the adversaries before they strike.

So, grab your magnifying glass and notebook. Let’s dive into the twelfth installment of our Cybersecurity Observability use cases series, where we’re tackling how to expose and deal with vulnerabilities in your network.

The Vulnerability Maze: A Map to Navigating Threats

Imagine you’re managing a massive fleet of devices—workstations, servers, IoT gadgets, you name it. Now, picture that each of these devices could be hiding a vulnerability, like a secret passage leading straight to your organization’s crown jewels. Scary, right?

Your mission, should you choose to accept it, is to identify these vulnerabilities, understand their impact, and prioritize them for remediation. But how do you even begin to map out this complex network of potential threats?

Enter SJULTRA's Cybersecurity Observability Service

This is where SJULTRA’s CAASM service becomes your incident response nitrous boost.

It’s like giving your security team a time machine and a crystal ball, all rolled into one.

CAASM pulls data from a smorgasbord of sources:

  • Endpoint Agents
  • Configuration and Patch Management Tools
  • Ticketing & Helpdesk Platforms
  • Networking Tools
  • Vulnerability Assessment Tools
  • IAM Solutions
  • Cloud Infrastructure

By correlating this data, CAASM creates a rich, unified view of your entire digital ecosystem. It’s like having a digital map of your entire IT landscape, with every device, user, and cloud instance clearly labeled.

Get visibility on all 14 cybersecurity observability use cases in less than 30 days with SJULTRA.

Seeing the Bigger Picture: Unified Vulnerability Management

Vulnerabilities come in all shapes and sizes, from software bugs to misconfigured firewalls. 

The key to managing them effectively is visibility. And not just any visibility—comprehensive visibility that gives you a bird’s-eye view of your entire digital ecosystem.

CAASM pulls data from a multitude of sources to create a single pane of glass for all observed vulnerabilities. 

Whether it’s a CVE (Common Vulnerabilities and Exposures) with a critical severity score or a low-risk issue that’s been festering for months, CAASM brings it all together. It’s like having a map that marks every potential hazard in your network.

With this unified view, you can see not only where vulnerabilities exist but also how they impact your business.

  • Are they on critical servers?
  • Do they affect devices with public-facing IPs?

These insights are crucial for prioritizing your response and mitigating risks before they explode into full-blown incidents.

Let the Hunt Begin: Data Sources for Vulnerability Management

Once we’ve got CAASM set up (remember, SJULTRA offers a free 30-day trial), we can begin the hunt!

To start the hunt, you’ll need to connect to the right data sources.

Here’s a quick rundown of the essential tools:

  • Vulnerability Analysis Tools: These tools help you identify, prioritize, and rate vulnerabilities across your environment.
  • Networking Tools: Monitor your network to catch unauthorized traffic or misconfigurations that could be exploited.
  • EDR/EPP Solutions: Protect your endpoints against various attack vectors.
  • Configuration and Patch Management Tools: Ensure your assets are properly configured and up-to-date.
  • Cloud Security Tools: Secure your cloud environments, from data to applications and infrastructure.
  • Application Security (AppSec) Tools: Identify and fix security flaws during software development.

Step 1: Find Known Vulnerabilities (CVEs) in your environment

CAASM lets you discover specific CVE IDs, as well as all known CVEs, their severity, and their impact.

To find a specific CVE ID, start from the Vulnerability Page; click the blue Query Wizard button to create a new query.

Step 2: Find Critical Vulnerabilities (CVEs) in your environment

To identify all CVEs with a critical severity, in the Vulnerabilities section of the query, include criteria where CVE Severity equals CRITICAL.

CAASM finds all critical vulnerabilities that exist in your environment, giving you data you can drill down into.

Step 3: Find critical vulnerabilities on public-facing devices

By building on the previous query, we can add a device parameter for Public IP to the query.

Step 4: Find vulnerabilities by age

Using the Last Seen parameter of Vulnerabilities in the query wizard lets you focus on new and old vulnerabilities.

Step 5: Find Persistent vulnerabilities

Persistent vulnerabilities are those that have existed in our environment for an extended period of time, creating a longer window of vulnerability and opportunity for exploitation. This is especially true if the devices impacted by the vulnerability are missing security agents.

In the vulnerability section of the query, include vulnerabilities where First Seen, Last Days is 60. Then add Device criteria where the Saved Query is Windows devices missing CrowdStrike agent.

NOTE: This uses the really handy Saved Query feature of CAASM, which means you can compose compound queries.

Step 6: Find Vulnerabilities by Asset Value or Exposure

This is perhaps one of the most important CAASM queries. 

You can’t and shouldn’t panic over every CVE. If a CVE is critical but it’s only on one device that isn’t high value or accessible, then it’s not a high priority.

This is like the fire extinguisher step.

The idea is this:

  1. For high CVE criticality…
  2. Is the device accessible (e.g. public IP)?
  3. Is the device protected (e.g. by CrowdStrike)?

Again, this is using composable compound queries.
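
The triage logic of Steps 2 through 6, as an added Python example that is not SJULTRA's or Axonius's own code: it ranks critical findings by public exposure, missing endpoint agent and persistence. The record fields, device names, CVE IDs and dates are constructed, and "persistent" is assumed here to mean first seen 60 or more days ago.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:                 # hypothetical record shape, not a CAASM export format
    device: str
    public_ip: Optional[str]   # None when the device has no public IP
    cve: str
    severity: str
    first_seen: date
    has_edr_agent: bool

def triage(findings, today, persistent_days=60):
    """Rank critical findings by how many of the page's risk conditions apply."""
    ranked = []
    for f in findings:
        if f.severity.upper() != "CRITICAL":                 # Step 2: critical only
            continue
        reasons = []
        if f.public_ip:                                      # Step 3: public-facing
            reasons.append("public-facing")
        if not f.has_edr_agent:                              # Steps 5-6: unprotected
            reasons.append("no EDR agent")
        if (today - f.first_seen).days >= persistent_days:   # Step 5: persistent
            reasons.append("persistent")
        ranked.append((len(reasons), f, reasons))
    # Most conditions first; ties broken by the oldest first-seen date.
    ranked.sort(key=lambda r: (-r[0], r[1].first_seen))
    return [(f.device, f.cve, reasons) for _, f, reasons in ranked]

# Constructed sample data: placeholder CVE IDs and documentation-range IPs.
TODAY = date(2024, 6, 30)
SAMPLE = [
    Finding("db-02", None, "CVE-0000-0001", "CRITICAL", date(2024, 6, 20), True),
    Finding("web-01", "203.0.113.10", "CVE-0000-0001", "CRITICAL", date(2024, 3, 1), False),
    Finding("hr-laptop-04", None, "CVE-0000-0003", "HIGH", date(2024, 1, 1), False),
    Finding("vpn-03", "198.51.100.7", "CVE-0000-0002", "CRITICAL", date(2024, 6, 25), True),
    Finding("build-05", None, "CVE-0000-0002", "critical", date(2024, 4, 1), False),
]

if __name__ == "__main__":
    for device, cve, reasons in triage(SAMPLE, TODAY):
        print(f"{device:14} {cve}  {', '.join(reasons) or 'no extra risk conditions'}")
```

The same critical CVE lands at the top of the list on web-01 and at the bottom on db-02, which is the point of Step 6: severity alone does not set the priority.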

Taking action with CAASM enforcement actions

Great, we’ve uncovered these hidden digital fossils. What’s next? This is where the “action” part of our cybersecurity observability comes in. With CAASM, we’ve got four aces up our sleeves:

  1. Notify: Send alerts via email, Slack, or Teams (because who doesn’t love a good “we found a dinosaur” notification?)
  2. Create Incident: Generate tickets in systems like ServiceNow, Jira, or Zendesk
  3. Enrich Device Data: Use tools like Shodan or Censys to show what’s publicly known about the obsolete device
  4. Update Asset Database: Automatically update your CMDB with the newly discovered obsolete devices

Summary

And there you have it, new sleuthing tools and practices! 🏺

If you create these queries and automate enforcement, then you’ve got protection as you sleep.

And if something bad DOES happen, then you can quickly find the information to either soothe your brow or set a fire under your… you get it!

And don’t forget our no catch, no cost, no obligation, limited time free CAASM trial offer.

CAASM documentation and Videos

Read the CAASM documentation: Identifying and prioritizing vulnerabilities