Apr 23, 2015

Passive Vulnerability Scan & Early Notice for Non Remotely Scannables

Vulnerabilities such as MS15-034 are a big deal for information security specialists who have to keep up with critical security patches in high-pressure business environments. On one hand, they know that the cat is out of the bag and they have to find their vulnerable servers; on the other hand, they can't find an early, reliable scanner to tell them which servers those are...

Plus, in some environments they are not free to perform unplanned mass scans. During planned NormShield scans, artifacts such as product versions (in the form of CPEs) are collected.

NormShield also periodically gathers vulnerability and exploit information from sources such as NVD (as CVEs) and Exploit-DB (as exploit IDs). These CPEs, CVEs and other exploit information are then related to each other, so NormShield can passively find possible vulnerabilities in the products that assets are using. The more granular the version information NormShield gathers, the sharper the vulnerability matching gets. So if a vulnerability pops up that cannot be scanned for remotely, NormShield gives customers early alerts.

[Figure: NormShield passive vulnerability scan - early alerts]

The above figure shows the Passive Scan tab under an asset's panoramic view. The system matches the gathered CPEs against the CVEs and logs the matches.

Alarms are produced in two cases:
1. A new CPE with existing CVE matches is found for an asset.
2. A new CVE is published for existing CPE(s) of an asset.
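
The two alarm cases can be sketched as a small matcher. This is an added example, not NormShield's code: the class and function names, the asset names, the CPE strings and the CVE id are all constructed, and matching is simplified to exact or wildcard comparison of CPE 2.3 fields (no version ranges, no escaped colons).

```python
from collections import defaultdict

# Constructed sample CPE 2.3 strings (hypothetical vendor and product).
WEB_1_4_2 = "cpe:2.3:a:examplevendor:webserver:1.4.2:*:*:*:*:*:*:*"
WEB_1_5_0 = "cpe:2.3:a:examplevendor:webserver:1.5.0:*:*:*:*:*:*:*"

def cpe_matches(pattern, cpe):
    """Compare field by field; '*' in the CVE's pattern matches any asset value."""
    p, c = pattern.split(":"), cpe.split(":")
    return len(p) == len(c) and all(a in ("*", b) for a, b in zip(p, c))

class PassiveMatcher:
    def __init__(self):
        self.asset_cpes = defaultdict(set)  # asset -> CPEs collected by planned scans
        self.cve_cpes = defaultdict(set)    # CVE id -> affected CPE patterns
        self.logged = set()                 # (asset, cpe, cve) matches already logged

    def _log(self, reason, asset, cpe, cve):
        key = (asset, cpe, cve)
        if key in self.logged:              # never alarm twice for the same match
            return []
        self.logged.add(key)
        return [(reason, asset, cpe, cve)]

    def add_cpe(self, asset, cpe):
        """Case 1: a new CPE is found for an asset and existing CVEs match it."""
        if cpe in self.asset_cpes[asset]:
            return []
        self.asset_cpes[asset].add(cpe)
        alarms = []
        for cve, patterns in sorted(self.cve_cpes.items()):
            if any(cpe_matches(p, cpe) for p in patterns):
                alarms += self._log("new-cpe", asset, cpe, cve)
        return alarms

    def add_cve(self, cve, patterns):
        """Case 2: a new CVE is published that matches CPEs already on record."""
        self.cve_cpes[cve].update(patterns)
        alarms = []
        for asset, cpes in sorted(self.asset_cpes.items()):
            for cpe in sorted(cpes):
                if any(cpe_matches(p, cpe) for p in patterns):
                    alarms += self._log("new-cve", asset, cpe, cve)
        return alarms
```

Because the comparison is only as specific as the fields the scan recorded, an asset CPE with `*` in the version field will not match a CVE pattern that names an exact version, which is why more granular version data gives sharper matches.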