Common Vulnerabilities and Exposures (CVEs) are publicly disclosed security flaws that threat actors can exploit to gain unauthorized access to applications, systems or networks. In cloud environments, they’re particularly concerning due to the complex and dynamic nature of cloud infrastructure. CVEs can persist in cloud-based applications, containers and operating systems until an organization actively identifies and remediates them.
For many organizations, a critical first step in securing cloud and containerized environments is to discover and patch CVEs before bad actors can exploit them.
Establishing a reliable cloud vulnerability management program is essential for timely risk identification and mitigation. But managing vulnerabilities at scale is an uphill battle. (That’s why a few weeks ago we laid out some vulnerability management best practices!)
A good metric to determine the accuracy of a vulnerability scan is to count the number of false positives and false negatives. Fewer false positives and false negatives indicate a more accurate scan.
- False positive (FP): When a scan result indicates a program and library is vulnerable to a CVE, but it’s not. FPs can lead to wasted resources as security teams investigate and address issues that aren’t actual threats.
- False negative (FN): When a scan result doesn’t indicate the software is vulnerable, and it is. This oversight can leave vulnerabilities unaddressed, posing a risk to security.
Intelligence Stream
The Prisma Cloud Intelligence Stream is a real-time feed that aggregates vulnerability data and threat intelligence from certified sources like vulnerability databases, vendor feeds and commercial providers. It includes both official feed data and additional insights from a dedicated research team that tracks and identifies new and quietly patched vulnerabilities. The stream automatically updates multiple times daily.
Aggregating data from more than 30 upstream providers, the Intelligence Stream combines open-source feeds, private threat intelligence and commercial sources to deliver the most accurate and comprehensive CVE data. By incorporating diverse data sources, further refining vulnerability accuracy, it significantly reduces the occurrence of false positives and negatives. This approach enables organizations to maintain a secure cloud environment with greater confidence.
National Vulnerability Database
The National Vulnerability Database (NVD) provides a comprehensive repository of standardized vulnerability information, including detailed descriptions and severity ratings. It offers a searchable database of known vulnerabilities and associated security metrics, helping organizations assess and manage risks. The NVD supports the cybersecurity community by providing up-to-date information for threat analysis and vulnerability management.
Many vendors use the NVD as their source data for detecting vulnerabilities. As discussed, this can generate many false positives and false negatives because the data lacks context into other risk factors associated with the application’s vulnerabilities. Because vulnerabilities don’t always affect operating systems similarly, what may be a critical vulnerability for Ubuntu may not affect Debian, for example.
Identifying FP and FN with Prisma Cloud
To determine if a vulnerability is a false positive or false negative using Prisma Cloud:
- Start with a single CVE.
- Determine the operating system of the container image or host operating system.
- Validate the CVE with the vendor’s official security site.
- Is this operating system affected by this CVE?
- Which versions of the packages are vulnerable to this operating system?
- Determine which version of the library was found using the Package Info tab.
- Ensure that Prisma Cloud’s CVE Viewer shows the same vulnerable versions as the vendor.
- Determine if it’s a false positive or false negative.
Example
1. Navigate to Monitor -> Vulnerabilities -> Vulnerability Explorer
2. Search for a CVE and click on the displayed result.
3. Select the image.
4. Navigate to the Package Info tab and search for library, libssh2.
5. Ensure that Prisma Cloud’s CVE Viewer shows the same vulnerable versions as the vendor.
6. Navigate to Monitor -> Vulnerabilities -> CVE Viewer
7. Search for the CVE ID. In this case, the CVE is associated with an Amazon package (Ref: CVE-2020-22218).
8. Compare the OS and package information with the vendor CVE. Everything should match on established CVEs. New CVEs not fully characterized may show a mismatch, as the vendor research is incomplete.
Learn More
For detailed guidance on optimizing vulnerability detection and management with Prisma Cloud, explore the Intelligence Stream Documentation. If you'd like to learn more about what Prisma Cloud can do, book a personalized demo.
The post Designing Prisma Cloud to See Beyond appeared first on Palo Alto Networks Blog.