Getting more value from your endpoint security tool #5: Querying Tips for Vulnerability & Compliance

Thank you for tuning in to the fifth and final installment of this blog series. As I stated in my previous blog posts on orbital advanced search, my father was an automobile mechanic. More specifically, he was a “brakes and front-end mechanic”. On several occasions, Pops would point out the wear on a set of tires and would tell me that either the car was out of alignment, running with the tires over- or under-inflated, or simply that the tires were worn out and in need of replacement. He taught me the importance of checking your tires regularly, not just the air pressure, but also to see how the tire is wearing. These simple observations could save time and money, prevent on-the-road disasters, or more expensive repairs and replacements.

As an individual tasked with vulnerability and compliance assessments, the same concepts also apply to you. From a security vantage point, exploits keep coming, and vigilance and routine patching are vital. New people will be hired in your organization. Company and government policies and regulations will be changed. And ultimately, just like the continuous tire monitoring above, security is a process, not a product.

You need to make better decisions, faster, even when it comes to vulnerability and compliance assessments. Controlling and managing the explosive growth of endpoints, maintaining software management (updates and patches), and identifying vulnerable endpoints are just a few of the challenges you and your team are faced with. Exposing your endpoint environment as a high-performance relational database allows you to query system-level data, which then allows you to harden your environment, quickly.

As a feature in Cisco’s AMP for Endpoints Advantage, Orbital Advanced Search is one of the tools you use for vulnerability & compliance monitoring. Orbital Advanced Search has an entire category of queries dedicated to Posture Assessments to validate patch management, ensure endpoints comply with current policies, and more.

Whether you are controlling and managing the explosive growth of endpoints, maintaining software management, or identifying vulnerable endpoints, Orbital Advanced Search will get you the answers you need to complete these tasks faster.

Let’s start with one Vulnerability & Compliance Catalog query that you can run daily.

YOU WANT TO: Check your endpoints for a remote code execution vulnerability that exists because of the way SMBv3 handles certain requests.

Orbital Catalog Query to run: CVE-2020-0796 Monitoring. The data returned by this query will show a list of endpoints that are vulnerable to CVE-2020-0796 and should have their configuration reviewed and patched to prevent potential breaches.

WHY IS THIS IMPORTANT: CVE-2020-0796 is a remote code execution vulnerability that exists due to the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.

STEPS:

  1. Select the endpoints you wish to query
  2. Search the Catalog for “CVE-2020-0796 Monitoring”
  3. Click the “+” to copy into your SQL query window
  4. Close the Query Catalog Window
  5. Click the Query button

QUERY RESULT: The query result delivers a list of the selected hosts and whether they are vulnerable. At this point, you can take action on a case-by-case basis to update the vulnerable hosts by applying the necessary patches and updates.

FREQUENCY TO RUN: Daily.
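The post does not reproduce the catalog query itself, so as an added example (not Cisco's or the Orbital catalog's own code) here is an osquery-style SQL posture check for CVE-2020-0796 of the kind Orbital runs against each selected endpoint. It assumes the affected Windows 10 and Windows Server builds are 18362 (1903) and 18363 (1909), that KB4551762 is the fixing update, and that the documented workaround sets the LanmanServer DisableCompression value to 1.

```sql
-- Added example: osquery-style posture check for CVE-2020-0796.
-- Runs once per endpoint; each row classifies that host. Assumed
-- facts: affected builds 18362/18363, fix KB4551762, workaround
-- HKLM\...\LanmanServer\Parameters\DisableCompression = 1.
SELECT
  name,
  version,
  build,
  -- Is the out-of-band fix present in the installed hotfix list?
  (SELECT COUNT(*) FROM patches
     WHERE hotfix_id = 'KB4551762') AS fix_installed,
  -- Has the SMBv3 compression workaround been applied?
  (SELECT COUNT(*) FROM registry
     WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression'
       AND data = '1') AS compression_disabled,
  CASE
    -- Builds other than 1903/1909 never shipped the vulnerable code.
    WHEN build NOT IN ('18362', '18363') THEN 'not affected'
    WHEN (SELECT COUNT(*) FROM patches
            WHERE hotfix_id = 'KB4551762') > 0 THEN 'patched'
    WHEN (SELECT COUNT(*) FROM registry
            WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\DisableCompression'
              AND data = '1') > 0 THEN 'mitigated (compression disabled)'
    ELSE 'VULNERABLE'
  END AS status
FROM os_version;
```

Later cumulative updates supersede KB4551762 and may not list it under `patches`, so treat a `VULNERABLE` row as "needs review" and confirm the host's current build revision before closing it out.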

That’s it! It’s easy to get started with your first vulnerability and compliance query using Cisco’s Orbital Advanced Search. Orbital Advanced Search’s Catalog has dozens of pre-built posture assessment queries to streamline your vulnerability and compliance audits.

If you don’t already have Cisco AMP for Endpoints and are interested in trying Orbital Advanced Search, sign up for our virtual Threat Hunting Workshop, or request a free trial.

Thank you for tuning into this blog series. I hope you enjoyed reading these posts and were able to take away something from them.