DeepSurface: Vulnerabilities

[Screenshot: Vulnerabilities 1]

The vulnerability analysis report answers the question: which vulnerabilities pose the greatest risk to my environment? By default, the main page of the report lists the 100 vulnerabilities that carry the most risk in your environment, ranked by risk rather than listed in arbitrary order. The list can be narrowed with the filters described under Filtering below, and clicking any vulnerability in the report opens the detail page for that vulnerability.

[Screenshot: Vulnerabilities 2]

Filtering

Each report offers filters to narrow the visible results. At minimum, you can choose how many results to view per page (100, 50, 25, or 10), but most reports offer much finer filtering. Some filters are always visible on the screen; most of the advanced filters for a report are reached by clicking the "+ Filter" button in the top bar. This opens the advanced filter form, which, depending on the report, looks something like the following:

[Screenshot: Filtering 1]

Changing any value in the filter form and clicking "Apply" refreshes the data and shows the applied filter in the applied filters bar at the top of the screen.

[Screenshot: Filtering 2]

Applied filters stack, each one narrowing the results further, and can be removed en masse or one at a time.

The Vulnerability Instances report offers additional ways to add and remove filters. Because the visual on that page is an icicle chart, clicking any category within the chart also applies that category as a filter, which can be removed by clearing it from the applied filters bar. You can also group the instances by host, patch, vulnerability, or scanner signature, and then filter further by clicking the green add-filter button at the far right of any row in the table below the chart.

In the following example, the results were grouped by patch and then filtered further by clicking the add-filter button on a specific row of the table. The data refreshed, the patch was added to the applied filters bar at the top of the screen, and the table changed: the row that was added as a filter now shows a red remove-filter button (clicking it removes the filter), and, in this case, the table also lists any rolled-up patches that include the patch being filtered on.

[Screenshot: Filtering 5]

Saving Filters: To return easily to a particular filtered state, save the current filters. Open the filter form by clicking the "+ Filter" button, click the "Saved Filters" dropdown in the top right, select "Save Current Filters", and give the filter set a name. The saved filters remain in the saved filters list until they are cleared out.

[Screenshots: Filtering 9, Filtering 10]
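The following Python model is added here as an illustration and is not DeepSurface code, nor does it call the DeepSurface API. On constructed data it shows the filter semantics described above: filters stack so that a row must satisfy all of them, they can be removed one at a time or all at once, rows can be grouped by host, patch, vulnerability or scanner signature, and a filter set can be saved and restored by name. The page-size options are the four listed above; the hosts, patches and signatures are placeholders, and the rollup relationship (patch-3 as a cumulative patch that includes patch-1, so that a patch filter also matches its rollups) is an assumption drawn from the grouped-by-patch example, not documented DeepSurface behaviour.

```python
"""Illustrative model of the Vulnerability Instances report's stacking filters,
group-by modes and saved filters. Added example on constructed data; it is not
DeepSurface code and does not call the DeepSurface API."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAGE_SIZES = (100, 50, 25, 10)  # result counts offered by every report
GROUP_KEYS = ("host", "patch", "vulnerability", "signature")


@dataclass(frozen=True)
class Instance:
    """One vulnerability instance: a finding on a host, tied to the patch that
    fixes it and the scanner signature that reported it."""
    host: str
    vulnerability: str
    patch: str
    signature: str
    risk: float


# Constructed sample rows; hosts, patches and signatures are placeholders.
INSTANCES: List[Instance] = [
    Instance("srv-01", "vuln-A", "patch-1", "sig-100", 9.2),
    Instance("srv-02", "vuln-A", "patch-1", "sig-100", 7.4),
    Instance("srv-02", "vuln-B", "patch-2", "sig-101", 6.1),
    Instance("ws-01", "vuln-C", "patch-3", "sig-102", 4.8),
    Instance("ws-02", "vuln-A", "patch-1", "sig-100", 3.0),
]

# Hypothetical rollup relationship (an assumption, not documented behaviour):
# patch-3 is a cumulative patch that includes patch-1, so filtering on patch-1
# also matches rows resolved by patch-3.
ROLLUPS: Dict[str, List[str]] = {"patch-1": ["patch-3"]}


def patch_matches(wanted: str, actual: str) -> bool:
    """True if `actual` is `wanted` itself or a rollup that contains it."""
    return actual == wanted or actual in ROLLUPS.get(wanted, [])


class FilterState:
    """The applied-filters bar: filters stack with AND semantics and can be
    removed one at a time or all at once."""

    def __init__(self, limit: int = 100) -> None:
        if limit not in PAGE_SIZES:
            raise ValueError(f"limit must be one of {PAGE_SIZES}")
        self.limit = limit
        self.filters: List[Tuple[str, str]] = []

    def add(self, field: str, value: str) -> "FilterState":
        if field not in GROUP_KEYS:
            raise ValueError(f"unknown filter field {field!r}")
        if (field, value) not in self.filters:
            self.filters.append((field, value))
        return self

    def remove(self, field: str, value: str) -> "FilterState":
        self.filters = [f for f in self.filters if f != (field, value)]
        return self

    def clear(self) -> "FilterState":
        self.filters = []
        return self

    def matches(self, inst: Instance) -> bool:
        for field, value in self.filters:
            actual = getattr(inst, field)
            if field == "patch":
                if not patch_matches(value, actual):
                    return False
            elif actual != value:
                return False
        return True


def apply_filters(instances: List[Instance], state: FilterState) -> List[Instance]:
    """Rows satisfying every applied filter, highest risk first, capped at the
    selected page size."""
    rows = [i for i in instances if state.matches(i)]
    rows.sort(key=lambda i: i.risk, reverse=True)
    return rows[: state.limit]


def group_rows(rows: List[Instance], key: str) -> List[Tuple[str, int]]:
    """Group rows by host/patch/vulnerability/signature and return each group's
    instance count, largest group first (ties keep input order)."""
    if key not in GROUP_KEYS:
        raise ValueError(f"cannot group by {key!r}")
    return Counter(getattr(i, key) for i in rows).most_common()


SAVED_FILTERS: Dict[str, List[Tuple[str, str]]] = {}


def save_filters(name: str, state: FilterState) -> None:
    """'Save Current Filters': remember the applied stack under a name."""
    SAVED_FILTERS[name] = list(state.filters)


def load_filters(name: str, limit: int = 100) -> FilterState:
    """Restore a saved filter stack onto a fresh report state."""
    state = FilterState(limit)
    for field, value in SAVED_FILTERS[name]:
        state.add(field, value)
    return state
```

Adding a patch filter and then a host filter narrows the rows to those matching both, exactly as the stacked applied filters bar does; removing the patch filter widens the result back to everything on that host, and the saved stack restores the same state later.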

Exporting

Any report can be exported as an Excel spreadsheet or a PDF. For details, see the Reporting Exports section of the help documentation.

Detail View

With the exception of Vulnerability Instances, each report has a detail view for every item in it. To view the details of a given host, patch, vulnerability, or user, click either the line representing the item in the bar chart at the top of the screen or the right arrow at the end of the item's row in the lower table. Either way, the detail view looks something like the following:

[Screenshot: Detail 1]

The previous example is a host detail view, but most of the same elements and sections appear on the detail views for all report types. A detail view breaks down into four main sections:

  1. The Overview Header
  2. Critical Paths and Sensitive Assets
  3. Remediation Information
  4. Additional Information

1. The Overview Header: At the top of the page is the header for the selected item. It contains glanceable statistics and information relevant to the item, intended as a quick way to assess it rather than an exhaustive repository of everything DeepSurface knows about it. The contents vary slightly by report. For Hosts, Patches, and Vulnerabilities, the header shows a high-level breakdown of prioritized vulnerability instances, risk information, counts of associated hosts, patches, or vulnerabilities, and a high-level breakdown of the exploit status of every vulnerability associated with the item. The Users header is sparser and contains only the user's name, risk information, and other relevant high-level statistics. For detailed information, refer to the following sections:

[Screenshot: Detail 1]

2. Critical Paths and Sensitive Assets: The most prominent element on the screen is the critical paths visualizer. Together with the critical sensitive assets list on the right, it answers the question: what is the problem? On page load, the visualizer shows the top three critical paths associated with the item. For a host, these are the paths that pass through the host; the path need not begin or end at the host, only include it. For a vulnerability, they are the top three paths that exploit the vulnerability somewhere along the path. For a patch, they are the top three paths that are possible because the patch has not been applied. Mousing over any part of the visualizer highlights the entire path so it is easier to follow, and clicking any segment or node opens a modal with more information about that part of the path (discussed below).

To the right of the critical paths is a list of all critical sensitive assets exposed as a result of this item. If the item is a host, the list also includes any sensitive assets located directly on the host, in addition to the assets left exposed by exploitable vulnerabilities on the host.

[Screenshot: critical paths and sensitive assets]

As mentioned above, clicking a segment or node of a path brings up further information about it. Clicking a node opens a smaller modal showing anything notable about the node, such as its impact score, password information, or user activity.

[Screenshot: Detail 1]

Clicking a segment is a more detailed experience. A segment that is color-coded in the path represents a part of the path with some level of criticality that should be addressed. Clicking into an orange segment, for example, might show something like the following:

[Screenshot: Detail 1]

The modal first shows an overview of the segment and a quick summary of what it represents in the path, followed by all of the known vulnerabilities that allow this segment to exist. The vulnerabilities are ranked by risk criticality; clicking any of them expands the modal to full width and shows everything DeepSurface knows about that vulnerability. The first part of the expanded content shows the information DeepSurface received from your vulnerability scanner, followed by additional vulnerability information and DeepSurface's own ratings. Clicking "More Information" in the Vulnerability Information section opens the vulnerability's detail page in a new tab.

[Screenshot: Detail 1]
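To make the three path-selection rules above concrete, here is an added Python model. It is not DeepSurface's path engine, and every host, vulnerability, patch and sensitive asset in it is a constructed placeholder. Each path is stored as a sequence of hops; the model picks the top three paths for a host (the host appears anywhere on the path), for a vulnerability (some hop exploits it) or for a patch (some hop exists because that patch is missing), and lists the sensitive assets those paths expose, including, for a host, the assets stored on the host itself. It assumes for simplicity that a hop exploits at most one vulnerability and is closed by at most one patch.

```python
"""Illustrative model of how a detail page selects its top critical paths and
lists the sensitive assets they expose. Added example on constructed data;
not DeepSurface's path engine, and all item names are hypothetical."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    """One hop in a path. A hop that exploits a vulnerability names the patch
    that would close it; a credential or trust hop has neither (simplifying
    assumption: one vulnerability and one patch per hop)."""
    src: str
    dst: str
    vulnerability: Optional[str] = None
    patch: Optional[str] = None


@dataclass(frozen=True)
class Path:
    segments: Tuple[Segment, ...]
    target_asset: str  # sensitive asset reached at the end of the path
    risk: float

    def nodes(self) -> List[str]:
        return [self.segments[0].src] + [s.dst for s in self.segments]


# Constructed sample paths (hypothetical hosts, vulnerabilities and patches).
PATHS: List[Path] = [
    Path((Segment("ws-01", "srv-02", "vuln-1", "patch-1"),
          Segment("srv-02", "db-01", "vuln-2", "patch-2")), "customer-db", 9.0),
    Path((Segment("ws-01", "srv-03", "vuln-3", "patch-3"),
          Segment("srv-03", "db-01", "vuln-2", "patch-2")), "customer-db", 7.5),
    Path((Segment("srv-02", "fs-01", "vuln-4", "patch-1"),), "payroll-share", 6.0),
    Path((Segment("ws-02", "srv-02", "vuln-1", "patch-1"),
          Segment("srv-02", "fs-01", "vuln-4", "patch-1")), "payroll-share", 5.0),
    Path((Segment("ws-03", "srv-05"),), "backup-vault", 4.0),  # cached-credential hop
]

# Sensitive assets that live directly on a host (constructed).
ASSETS_ON_HOST: Dict[str, Set[str]] = {"srv-02": {"ldap-service-account"}}


def path_involves(path: Path, item_type: str, item: str) -> bool:
    """Host: the host is anywhere on the path, not only at its ends.
    Vulnerability: some hop exploits it.
    Patch: some hop exists because that patch is missing."""
    if item_type == "host":
        return item in path.nodes()
    if item_type == "vulnerability":
        return any(s.vulnerability == item for s in path.segments)
    if item_type == "patch":
        return any(s.patch == item for s in path.segments)
    raise ValueError(f"unknown item type {item_type!r}")


def top_paths(paths: List[Path], item_type: str, item: str, n: int = 3) -> List[Path]:
    """The n highest-risk paths involving the item, as shown on page load."""
    hits = [p for p in paths if path_involves(p, item_type, item)]
    hits.sort(key=lambda p: p.risk, reverse=True)
    return hits[:n]


def exposed_assets(paths: List[Path], item_type: str, item: str) -> Set[str]:
    """Sensitive assets reachable through the item; for a host, also the
    assets stored on the host itself."""
    assets = {p.target_asset for p in paths if path_involves(p, item_type, item)}
    if item_type == "host":
        assets |= ASSETS_ON_HOST.get(item, set())
    return assets


def describe(path: Path) -> str:
    """One-line rendering of a path, e.g. for pasting into a remediation ticket."""
    hops = []
    for s in path.segments:
        how = f"via {s.vulnerability} (missing {s.patch})" if s.vulnerability else "via credentials"
        hops.append(f"{s.src} -> {s.dst} {how}")
    return f"[risk {path.risk}] " + "; ".join(hops) + f" => {path.target_asset}"


if __name__ == "__main__":
    for p in top_paths(PATHS, "host", "srv-02"):
        print(describe(p))
    print("exposed:", sorted(exposed_assets(PATHS, "host", "srv-02")))
```

Note how the same path can be selected for several items: the highest-risk sample path shows up for host srv-02, for vuln-1 and for patch-1 and patch-2, which is why fixing one patch on one host can remove several entries from several detail pages at once.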

3. Remediation Information: Below the critical paths and sensitive assets is the Remediation Information section. Where the upper part of the page answers what is the problem?, this lower part answers what can I do to fix it? For a given report (Host/Patch/Vulnerability) this section contains several collapsible subsections, two of which are always open by default on page load. On a host page the open subsections are "Missing Patches" and "Vulnerabilities"; on a patch page, "Affected Hosts" and "Vulnerabilities Addressed"; on a vulnerability page, "Affected Hosts" and "Missing Patches". Below is what this section might look like on a host detail page:

[Screenshot: Detail 1]

Below these open subsections are others that may or may not be open by default; their contents vary by report type and are discussed further below. Above the open subsections are two buttons. The "View Instructions" button opens a modal listing everything needed to remediate the item. The modal has a "Print/Save" button that exports this information as a PDF so it can be sent to whoever needs to take action.

[Screenshot: Detail 1]

The other button is "Add to Plan". Clicking it lets you add the item to either a remediation plan or an accepted risk plan; both are discussed in much greater detail in their respective sections of this documentation.

Related Scan Signatures: On Host, Patch, and Vulnerability detail pages, the remediation information section always includes any related scan signatures from your configured vulnerability scanner(s). Clicking a scan signature button opens a modal with all of the information DeepSurface uses from your scanner, plus any additional analysis DeepSurface provides (where available). The layout is nearly identical to the modal that appears when clicking a path segment in the critical paths section above. It is a useful place to see and compare everything DeepSurface gathers, combines, and reports for each signature from your scanner.

[Screenshot: Detail 1]

4. Additional Information: The final section, in the lower right of the screen, holds any further information that helps you understand exactly what the item is. For hosts and patches it includes a CVSS breakdown chart along with any descriptions or other pertinent information. For a vulnerability it shows the full description, external links, and similar references.

[Screenshot: Detail 1]

Remediation Information Sections

Each report type has additional sections in the remediation information area that are specific to that report.

[Screenshot: Affected Hosts]

Affected Hosts: A list of all the hosts that this vulnerability affects. The top 200 are listed, and clicking any of them opens the corresponding host detail page. If the vulnerability affects more than 200 hosts, the interface provides a link to the Hosts report, filtered down to this vulnerability, so that you can page through all of the results.

[Screenshot: Missing Patches]

Missing Patches: A list of all the available patches that would fix this vulnerability but have not been applied. The top 200 are listed, and clicking any of them opens the corresponding patch detail page. If more than 200 patches could fix the vulnerability, the interface provides a link to the Patches report, filtered down to this vulnerability, so that you can page through all of the results.