Vulnerability Management Overview

Sysdig Secure now offers a landing page to identify, track, and initiate vulnerability management workflows. The landing page covers all the scanning capabilities for images, workloads and hosts, as collected by the installed scanners: vulnerability cli, registry, host, and runtime.

This document applies only to the Vulnerability Management engine, released April 20, 2022. Make sure you are using the correct documentation: Which Scanning Engine to Use

Introduction

The Vulnerability Management Overview page helps enable rapid identification of:

  • VM trends
  • Pervasive vulnerabilities and policy failures
  • New risks, and
  • Riskiest segments of your environment

The Overview provides reportable trend analysis that you can download as reports, export to create tickets, or share with team members. From the Overview, you can pivot into remediation workflows for specific CVEs, policies, architecture segments or coverage gaps.

Scan Data Timelines

Each panel reports on the behavior of scans for the past 30 days. Individual scan data from:

  • Runtime is retained for 14 days
  • Registry and Pipeline is retained for 90 days
  • Package Details in the drill-down is available for 48 hours

Prerequisites

  • Sysdig Secure (SaaS) using current Vulnerability Management engine
  • Vulnerability CLI and Registry scanners installed (optional)

Usage

  1. Log in to Sysdig Secure (SaaS).

  2. Select Vulnerabilities > Overview. The Overview landing page opens with three phases (Runtime, Registry, and Pipeline) aggregated in the overview section.

  3. Select top-level filters to focus on a particular subset of vulnerability or policy data: phase, criticality, and/or CVE & package context (Has Fix, Has Exploit, and In Use).

    Phase

    Select the dropdown next to the page title to focus on a particular phase of scanning. Within a phase, you can further scope the content in specific ways:

    • [All]
    • Pipeline (scope by Image Name and Pull String)
    • Registry (scope by Vendor Name and Repo)
    • Runtime (scope by Namespace and Cluster)

    Severity

    Select any or all criticality levels: Critical, High, Medium

    Package Context

    Select the package and CVE context variables: Has Exploit, In Use, and/or Has Fix

    Date

    The CVE trend chart displays data from the past 30 days. You can use the date selector or double-click on a day to see the Vulnerability panel results filtered for just that day.

    Note that runtime and pipeline scans are performed twice a day, while registry scans are only performed after an action.

    All of the context filters apply to the widgets on the page, the drill-down drawers, and exports of data.

Vulnerability Management Usage

The top panel is designed to guide Vulnerability Management workflows.

This panel gives an overview of:

  • Trends of Unique Vulnerabilities in the environment over the past 30 days
  • Most Pervasive vulnerabilities
  • Recently Released vulnerabilities, and
  • Namespaces with the most vulnerability detections

These let you answer questions about your risk posture, such as:

  • Are my CVE detections trending down?
  • What are the most pervasive vulnerabilities?
  • What are the most recent vulnerabilities (a log4j-type event)?
  • What is my most vulnerable application, segment or zone?

Each line item expands to a detail panel for further investigation.

The identified resources, vulnerabilities, or policies in the dropdown can be further filtered and exported via the Sysdig reporting or through a .csv file.

Policy and Risk Management Usage

The Compliance Manager asks three fundamental questions:

  • Which of my Compliance programs is struggling with control failures?
  • Which of the controls is failing the most?
  • Which of my applications, segments, or zones is failing the most policies?

The Policy Panel provides insight into all of these questions via the widgets:

  • Top Failing Policies
  • Top Failing Assets
  • Top Failing Rule Sets

Dropdowns provide more information and an Export option.

Sample Flows

Identify Progress through Metrics

  1. Choose a filter for Phase (if applicable).
  2. Choose CVE type filters.
  3. Filter on segments of the infrastructure (if necessary).
  4. Review the metrics graph to see trends.
  5. Click on days to identify the difference between them.
  6. Export any data to .csv from a subpanel.
  7. Export the page, including the graph, to PDF for executive reports.

Identify a Problematic CVE

  1. Filter by Has Fix, Has Exploit, and possibly In Use.
  2. Filter by desired severity.
  3. Review the Top Recent or Top Pervasive widget.
  4. Identify a new or particularly pervasive CVE.
  5. Click into the dropdown.
  6. View the assets and associated packages.
  7. Choose:
    • Create a Report
    • Export the list of assets and packages to CSV
    • OR click through to the results page of a single asset.

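The same triage, applied offline to an exported asset list, as an added example that is not Sysdig's code: the Finding fields and the inline sample data are assumptions (a constructed stand-in for a .csv export, not Sysdig's actual column layout), and the CVE identifiers are placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One CVE hit on one asset; field names are assumed, not Sysdig's export schema."""
    cve: str
    severity: str      # the page's three levels: Critical, High, Medium
    has_fix: bool      # a fixed package version exists
    has_exploit: bool  # a public exploit is known
    in_use: bool       # the vulnerable package is loaded at runtime
    published: date    # CVE release date, drives the "Top Recent" ranking
    asset: str         # image pull string, workload, or host
    package: str


# Constructed sample data (placeholder CVE ids), not real scan output.
FINDINGS = [
    Finding("CVE-0000-0001", "Critical", True, True, True, date(2022, 4, 1), "registry/app:1.0", "libfoo"),
    Finding("CVE-0000-0001", "Critical", True, True, True, date(2022, 4, 1), "registry/api:2.3", "libfoo"),
    Finding("CVE-0000-0001", "Critical", True, True, False, date(2022, 4, 1), "node-1", "libfoo"),
    Finding("CVE-0000-0002", "High", True, False, True, date(2022, 4, 15), "registry/app:1.0", "libbar"),
    Finding("CVE-0000-0003", "Medium", False, True, True, date(2022, 3, 10), "registry/api:2.3", "libbaz"),
    Finding("CVE-0000-0004", "Critical", True, True, True, date(2022, 4, 18), "registry/web:0.9", "libqux"),
]


def apply_context_filters(findings, severities, has_fix=None, has_exploit=None, in_use=None):
    """Steps 1-2: keep findings matching the severity set and any context flags given (None = don't care)."""
    flags = {"has_fix": has_fix, "has_exploit": has_exploit, "in_use": in_use}
    return [f for f in findings
            if f.severity in severities
            and all(v is None or getattr(f, k) == v for k, v in flags.items())]


def top_pervasive(findings, n=3):
    """'Top Pervasive': CVEs ranked by the number of distinct assets they hit."""
    assets = defaultdict(set)
    for f in findings:
        assets[f.cve].add(f.asset)
    return sorted(((cve, len(a)) for cve, a in assets.items()), key=lambda kv: (-kv[1], kv[0]))[:n]


def top_recent(findings, n=3):
    """'Top Recent': CVEs ranked by release date, newest first."""
    published = {f.cve: f.published for f in findings}
    return sorted(published.items(), key=lambda kv: (-kv[1].toordinal(), kv[0]))[:n]


def assets_and_packages(findings, cve):
    """Step 6: the asset/package pairs behind one CVE, ready for a CSV export."""
    return sorted({(f.asset, f.package) for f in findings if f.cve == cve})
```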
Reports and Exports

There are various ways that the Vulnerability Management Dashboard can support your workflows through data exports.

Executive Reports

The dashboard can be scoped and filtered to support a focused view of trending and critical issues. Once filtered, you can export the Dashboard to PDF for inclusion in executive reports, audit artifacts, or briefings.

Critical Vulnerability or Policy Tables

You can export data in tabular form from any of the widgets or panels on the VM Dashboard using the cloud download button on the panel. You can use this data in business intelligence or tracking tools.