Vulnerabilities 2.0 (Beta)

The new Vulnerability Page offers an enhanced experience designed to streamline the management and mitigation of vulnerabilities. This feature is currently in beta and includes the following key components:

1. Action-Driven Insights: The new page offers actionable recommendations with deep links, making it easier to target and address the most critical vulnerabilities in your environment.
2. Enhanced Action Component: We’ve improved the action functionality to streamline how you handle vulnerabilities. Be sure to check it out!
3. CrowdStrike Spotlight and Microsoft Defender Integration: If your account includes CrowdStrike Spotlight data or Microsoft Defender vulnerability data (based on the associated SKUs), you’ll now see integrated insights right on the page.

To access the new Vulnerabilities 2.0 page, navigate to Risk Management --> Vulnerabilities, and activate the toggle shown in the image.

FAQ

What are the main differences between versions 1.0 and 2.0?

• Only open vulnerabilities are displayed.
• It does not provide visibility into what was available on specific dates.
• Introduces deep linking between vulnerabilities and hosts.
• Includes CS Spotlight and Defender vulnerabilities.

How are the recommendations determined?

Recommendations are calculated based on the highest CVSS score combined with the total number of affected assets. The logic is evolving and may incorporate EPSS scores in the future.

Please note: The severity tag displayed in the portal does not directly influence the order of recommendations.

How can I view all resolved vulnerabilities?

Risk Mitigated/Resolved vulnerabilities are currently not visible in the dashboard. However, future updates will include this functionality to display resolved vulnerabilities.

Have there been any changes to the monthly reports for the vulnerabilities section?

There are currently no changes to the reports; however, updates are scheduled for the GA version.

During the beta, if I make updates in version 1.0, will they reflect in version 2.0 and vice versa?

Yes, any updates made in version 1.0 will be reflected in version 2.0. However, changes made in version 2.0 will not be reflected in version 1.0.

Why is the status and type field empty on the Assets with Vulnerabilities page?

The status and type fields are populated based on the endpoint data we ingest. For some data sources, like Tenable, IP addresses are always available, but NetBIOS, DNS hostnames, and MAC addresses may only be present occasionally. Given that IP addresses are not always static and Tenable scans represent a snapshot in time, we cannot guarantee mapping every Tenable vulnerability to an endpoint with corresponding data. We strive to improve our ability to match IP addresses to specific hosts or assets by using a confidence score, which reflects how reliably we can make this association. This process is constantly evolving. Moreover, not all endpoints, such as network switches, firewalls, and VOIP phones, support EDR solutions like CrowdStrike or Defender, which further limits the information we can populate.

Why does the patch count in the endpoint page and assets with vulnerability differ for a given host?

The reason for this is similar to what was previously mentioned. Our system prioritizes IP addresses because hostnames and other identifying data are not always consistently available or reliable, but we are continually working to enhance the mapping through the Confidence Score system and the data will improve progressively as we see more scans.

Why does the portal primarily display IPs, even though my endpoint is set up with a hostname?

Same response as the previous question.

Do the KPIs on the overview page reflect all the action updates I make?

Yes, the action updates made to specific vulnerabilities are included in the KPI calculations.

Why is data missing after being updated?

Missing data can occur when a vulnerability is marked as remediated, which means it no longer appears on the portal. Occasionally, a vulnerability might be incorrectly flagged as remediated if the scan configuration is incorrect. For instance, if the initial scan focused on a certain set of IP addresses and the next scan targeted a different set, the previous set might be marked as resolved. This happens because the monthly scanner assumes that if a vulnerability doesn’t reappear for a specific IP, it’s resolved.

Why am I seeing duplicate entries of the same host in the portal, with varying status values of active and inactive?

This can happen if you're using CrowdStrike Spotlight. When the CrowdStrike agent is re-installed multiple times on the same asset, it generates a new agent ID with each installation. CrowdStrike does not deduplicate these entries, so the duplicates appear in our portal as well.

As a result, you may see multiple entries for the same host with different status values, such as active and inactive. Additionally, if a user updates the status of a vulnerability on one of the duplicate entries, it only affects that specific instance, which can be confusing when multiple entries exist.

If you'd like to avoid this issue, we'd love to hear how you're managing this in the CrowdStrike Spotlight portal. Your feedback can help us better understand your needs and make improvements to our portal. Currently, our portal's behavior mirrors how Spotlight presents the data.