DeepSurface


Several of the Risk Insight reports share much of the same layout, visuals, and elements. There will be differences from one report type to the next, but the following examples give an overview of the more common repeated elements.

The Record Detail Page

Clicking on the name of any record in the main visual or table of the Hosts, Patches, Vulnerabilities, or Users Risk Insight reports brings you to a detail page for that record. The detail page has the same layout whether the record is a host, patch, vulnerability, or user. The page consists of two panels: the narrower panel on the left is an informational overview/summary of the record, and the larger panel on the right consists of anywhere from one to four tabs with deep-dive information about the record. Here is an example of a host detail page:


The Summary Panel

The left summary pane will contain different information depending on the record type, but in general it can be thought of as a quick way to see the high-level information about a given record.


The summary panel will always show the risk rating and reduction score, any descriptive information, and may contain some additional DeepSurface analysis such as exploit status, CVSS score distribution, and vulnerability instance category breakdowns. The left panel can also be collapsed by clicking the collapse/expand button at the top (4 arrows). It may be beneficial to have the summary panel be collapsed in order to have the main panel on the right take up more of the screen. Here is an example of a collapsed vulnerability summary panel:


The Main Panel

The main panel on any detail page will consist of one to four tabs, with the "Risk and Remediation" tab opened by default. The possible tabs are described in the following sections.

The risk and remediation tab will show all of the risk-based evidence and analysis that DeepSurface has for a given record, followed by remediation instructions and evidence. An attack path visual will usually take up the bulk of the upper section of this tab. The attack path visual allows users to see a detailed step-by-step collection of attack paths that include a given host/patch/vulnerability/user.


Understanding Attack Paths

The attack path visual can also be interacted with to dive even deeper into the analysis and evidence that DeepSurface has gathered for a given record. An attack path will always consist of several nodes and segments. Attack paths always move from left to right, begin with a hypothetical attacker from the outside world, and end with a sensitive asset in your environment. Often one or more attack paths will have overlapping segments, but they can split apart or join up again one or more times. A node on the attack path represents an asset, user, group, or other element in your environment. The connecting segments represent how an attacker could get from one node to another. The color of a segment corresponds to its severity, and a grey dotted segment represents an implicit access or connection. To get more information about a segment or node, simply click it and a card will appear. A node card may look something like the following:


The information will vary depending on the type of node clicked. A segment card will usually include a list of all vulnerabilities that make the connection between the nodes possible. Clicking on a given vulnerability in the list will show a brief summary of the vulnerability and any relevant third-party vulnerability source information.


The card for one of the implicit grey segments will usually contain far less information, given the nature of that connection, but sometimes the segment is made possible by a vulnerability and/or configuration setting that DeepSurface has identified as important, and that information will be displayed accordingly.


Remediation Information

Below the attack path visual is the supporting remediation information for a given record. This consists of lists of corresponding records that are affected by the record of the detail page you are on, along with buttons to view remediation instructions and to add this record to a remediation plan.


Third Party Status

To view all of the information that DeepSurface has gathered for this record from your configured vulnerability sources, open the "Third Party Status" tab. It will look something like this:


Here you can see a snapshot of all of the most current information DeepSurface has, including associated IP addresses, associated identifiers and host names, as well as which of your vulnerability sources have identified this host/patch/vulnerability. You can also view all of the information as DeepSurface sees it from any of your configured vulnerability sources in the lower section. If more than one signature has reported on this record, use the selector to switch between the different signatures.

Vulnerability Evidence

Sometimes you may want to dive even deeper into everything that DeepSurface has gathered from third-party sources for a specific record, all in one place. If that is the case, the "Vulnerability Evidence" tab is where to look. Here you can view all of the evidence for a given host/patch/vulnerability just as DeepSurface received it, before any processing, analysis, and de-duplication has been done.
