
AlienVault Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

USM 5.2 Vulnerability Assessment Guide, rev 1

Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and OSSIM are trademarks or service marks of AlienVault, Inc. All other registered trademarks, trademarks or service marks are the property of their respective owners.

Revisions to This Document

  Date              Revision Description
  October 2, 2015   Original document based on the 5.2 release.
  October 28, 2015  Changes in the format.

October 28, 2015 USM 5.2 Vulnerability Assessment Guide, rev 1 Page 2 of 47

Contents

  About Vulnerability Assessment ... 5
    What Is Vulnerability Assessment ... 5
    Vulnerability Assessment in AlienVault USM ... 5
    Vulnerability Ticket Threshold ... 5
  Performing Vulnerability Scans ... 7
    Running a Vulnerability Scan from Assets ... 7
    Running a Default Vulnerability Scan ... 8
    Running an Authorized Vulnerability Scan ... 12
      Creating a Credential for the Authorized Scan ... 12
      Running the Authorized Scan Using a Credential ... 14
    Scheduling a Vulnerability Scan ... 15
  Viewing Vulnerability Scan Results ... 16
    Vulnerability Overview ... 16
    Current Vulnerabilities - Asset Vulnerability Details ... 19
    Reports - Scan Reports Detail ... 21
    Viewing the Scan Results ... 23
      Viewing the Scan Results in HTML ... 23
      Viewing the Scan Results in PDF ... 25
      Viewing the Scan Results in Excel ... 26
      Viewing the Scan Results from an NBE File ... 26
      Comparing Scan Results between Two Scans ... 27
  Customizing Vulnerability Scans ... 28
    Customizing Vulnerability Profiles ... 29
      Creating a Custom Scan Profile ... 29
      Modifying a Custom Scan Profile ... 31
    Enabling/Disabling Plugins ... 32
    Checking the Threat Database ... 34
    Changing the Vulnerability Ticket Threshold ... 36
    Changing Other Vulnerability Scanner Options ... 38
  Generating Reports Based on Vulnerability Scans ... 41
  Updating the Vulnerability Scanning Rules ... 42
  Appendix A - Configuring a Vulnerability Scan Job: a Practical Example ... 44

About Vulnerability Assessment

AlienVault Unified Security Management (USM) delivers vulnerability assessment as part of a complete package of security monitoring and management capabilities for efficient threat detection. To improve the security posture of your network, you first need to know what is vulnerable. AlienVault USM gives you a simple and reliable way to stay on top of what is connected to your network and to maintain visibility into its vulnerabilities.

What Is Vulnerability Assessment

Vulnerability assessment is the process of defining, identifying, classifying and prioritizing the vulnerabilities in your systems. Figure 1 shows the overall architecture.

Figure 1. Overall Architecture.

The USM Server controls vulnerability scanning on the USM Sensors, which scan the assets in specific networks. You can either select which sensor scans which network, or specify that the first available sensor in the AlienVault USM deployment performs the scan.

Vulnerability Assessment in AlienVault USM

AlienVault USM comes with a built-in vulnerability scanner that can be used to detect vulnerabilities in the critical assets of your organization. You can use the discovered vulnerabilities in cross-correlation rules and when creating compliance and auditing reports. The USM Sensor component performs the scanning. It is controlled from the SIEM console (USM Server), which allows you to run and schedule vulnerability scans, generate and examine reports, and update the vulnerability signatures.

Vulnerability Ticket Threshold

Discovering a vulnerability is important, but being able to estimate the associated risk to an asset is just as important. AlienVault USM assigns a threshold to each vulnerability found in the system.

USM has two ways of displaying the threshold of vulnerabilities.

Table 1. How USM displays the thresholds of vulnerabilities.

  Vulnerability Scanner Values [1]   Settings Values [2]
  Serious                            1
  High                               2
  Medium                             3, 4 and 5
  Low                                6
  Info                               7, 8, 9 and 10

[1] Values from Configuration > Administration > Main > Vulnerability Scanner.
[2] Values from Environment > Vulnerabilities > Overview > Settings.

Although USM displays the vulnerability thresholds shown in Table 1, internally it uses the correspondence shown in Table 2.

Table 2. Internal correspondence between the thresholds of vulnerabilities.

  Severity   Internal Value
  Serious    1
  High       2
  Medium     3
  Low        6
  Info       7

USM then normalizes the values using this formula:

  $risk = 8 - $internal_value

USM assigns the value of $risk; it cannot be modified. What you can configure is which vulnerabilities generate a ticket: use the Vulnerability Ticket Threshold field to set that value (see Changing the Vulnerability Ticket Threshold).

Performing Vulnerability Scans

A vulnerability scanner is a program designed to assess computers, computer systems, networks or applications for weaknesses. USM limits the number of simultaneous scans per sensor to five. If a new scan job reaches a sensor while five scans are already running, the job is rescheduled to start 15 minutes later, and it keeps being postponed in 15-minute steps until the sensor is able to start it. For further information about the scanner options, see Changing Other Vulnerability Scanner Options.

Running a Vulnerability Scan from Assets

To run a vulnerability scan from assets

1. Navigate to Environment > Assets & Groups.
2. Select the assets.
3. Click Actions > Run Vulnerability Scan.
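The following is an added example, not AlienVault code, that models two rules stated above: the severity normalization of Tables 1 and 2 with the formula $risk = 8 - $internal_value, and the per-sensor limit of five simultaneous scans with 15-minute postponement. The guide does not state how a finding's risk is compared with the Vulnerability Ticket Threshold, so the comparison used in opens_ticket (ticket when the finding's risk is at least the risk of the threshold severity) is an assumption.

```python
"""Added example (not AlienVault code) modelling two rules from this guide.

1. Severity normalization: scanner value (1-10, Table 1) -> severity ->
   internal value (Table 2) -> $risk = 8 - $internal_value.
2. Sensor concurrency: at most five scans run on a sensor at once; a job that
   arrives while five are running is retried every 15 minutes.

Assumption: a ticket is opened when a finding's risk is at least the risk of
the configured threshold severity. The guide only says a threshold can be set.
"""
import heapq

SCANNER_VALUE_TO_SEVERITY = {1: "Serious", 2: "High", 3: "Medium", 4: "Medium",
                             5: "Medium", 6: "Low", 7: "Info", 8: "Info",
                             9: "Info", 10: "Info"}                       # Table 1
SEVERITY_TO_INTERNAL = {"Serious": 1, "High": 2, "Medium": 3, "Low": 6, "Info": 7}  # Table 2


def normalize(scanner_value):
    """Return (severity, internal_value, risk) for a raw scanner value 1-10."""
    severity = SCANNER_VALUE_TO_SEVERITY[scanner_value]
    internal = SEVERITY_TO_INTERNAL[severity]
    return severity, internal, 8 - internal


def opens_ticket(scanner_value, threshold_severity):
    """Assumed rule: ticket if the finding's risk >= risk of the threshold severity."""
    risk = normalize(scanner_value)[2]
    return risk >= 8 - SEVERITY_TO_INTERNAL[threshold_severity]


MAX_CONCURRENT_SCANS = 5   # per sensor
RETRY_MINUTES = 15


def _minutes(hhmm):
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


def _hhmm(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def schedule(jobs):
    """Simulate one sensor's scan queue.

    jobs: iterable of (name, launch "HH:MM", duration_minutes).
    Returns {name: "HH:MM"}: the Scan Start Time of Table 3, which differs from
    the Launch Time whenever the job had to wait. Events are processed in time
    order; a job that finds five scans running is re-queued RETRY_MINUTES later.
    """
    pending = [(_minutes(launch), seq, name, dur)
               for seq, (name, launch, dur) in enumerate(jobs)]
    heapq.heapify(pending)
    running_ends = []          # end times of the scans currently in progress
    starts = {}
    while pending:
        now, seq, name, dur = heapq.heappop(pending)
        running_ends = [end for end in running_ends if end > now]   # drop finished scans
        if len(running_ends) < MAX_CONCURRENT_SCANS:
            starts[name] = _hhmm(now)
            running_ends.append(now + dur)
        else:
            heapq.heappush(pending, (now + RETRY_MINUTES, seq, name, dur))
    return starts


if __name__ == "__main__":
    print(normalize(4), opens_ticket(4, "Medium"))
    six_jobs = [(f"job{i}", "09:00", 60) for i in range(6)]
    print(schedule(six_jobs))   # job5 waits until the first slot frees at 10:00
```

Note that a postponed job is not guaranteed its original place in line: a job launched later can take a slot that frees up before the earlier job's next 15-minute retry, which is why a long-running scan on a busy sensor can show a Scan Start Time well after its Launch Time.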

Figure 2. Assets & Groups: Run Vulnerability Scan.

The Vulnerability Scan page appears. For further information about creating a scan job, see Running a Default Vulnerability Scan.

Running a Default Vulnerability Scan

The Scan Jobs page displays the scans that are running at that moment, the jobs that have been scheduled, and a summary of all scans.

Figure 3. Scan Jobs main screen.

Use the button shown in Figure 3 to disable a scheduled job. Table 3 explains the scan job fields.

Table 3. Scan Jobs: fields.

  Field            Meaning
  Status           Whether the scan completed or failed.
  Job Name         Name given to the scan job.
  Launch Time      Exact date and time when the scan job was launched.
  Scan Start Time  Exact date and time when the scan actually started.
  Scan End Time    Exact date and time when the scan ended.
  Scan Time        Length of the scan job, in minutes.
  Next Scan        Time when the scan job is next due to start.

Table 4 lists the actions available for a scan job. Each action is an icon in the Actions column.

Table 4. Scan Jobs: actions.

- Changes the owner of the report and makes the scan job visible to a user or entity.
- Re-runs the scan job.
- Displays the results of the report in HTML within the same browser.
- Exports the results of the report to a PDF file. The browser, such as Chrome, may open it in a different tab if it recognizes the file extension.
- Exports the results of the report to an Excel file.
- Exports the results of the scan job to an NBE file.
- (n): the number of vulnerabilities found by that scan job.
- Deletes the scan job.

To start a new vulnerability scan

1. Navigate to Environment > Vulnerabilities > Scan Jobs.
2. Click New Scan Job.

Figure 4. Create a Scan Job.

3. In the Job Name field, type a name to identify the scan job.
4. In the Select Sensor listbox, select a sensor.
5. In the Profile listbox, select a profile. For guidelines, see Table 14.
6. In the Schedule Method listbox, select a schedule method (Table 5).

Table 5. Vulnerability Scan: Schedule Method.

  Schedule Method            Meaning
  Immediately                Launches the scan job without delay.
  Run Once                   Schedules the scan job at a specific date and time, and only at that time.
  Daily                      Schedules the scan job every x days, beginning on a specific day.
  Day of the Week            Schedules the scan job on a specific day of the week.
  Day of the Month           Schedules the scan job on a specific day of the month.
  Nth weekday of the month   Schedules the scan job on a specific day and week of the month.

The advanced options are for running authorized scans using a credential; see Running an Authorized Vulnerability Scan.

7. To speed up the scanning process, select Only scan hosts that are alive.
8. If you do not want to pre-scan from a remote sensor, select Pre-Scan locally.
9. If you do not want to resolve hostnames or FQDNs, select Do not resolve names.
10. Select or type the assets you want to scan. To exclude a specific IP address, prefix it with an exclamation mark (!), which means do not scan that address. For instance, !192.168.2.200 excludes that address from the scan.
11. To create the vulnerability scan, click New Job.

Running an Authorized Vulnerability Scan

Creating a Credential for the Authorized Scan

A credential lets the scanner log in to the target and perform an authenticated scan. Authenticated scans yield better and more relevant results than unauthenticated scans: they are more comprehensive and produce fewer false positives. Creating a set of credentials is optional. Because the credential gives the scanner login access to your hosts, use a dedicated account that has only the privileges the scan needs, and limit who may use the credential with the Available for setting described below.

To create a set of credentials

1. Navigate to Environment > Vulnerabilities > Overview and click Settings.

Figure 5. Vulnerability Scans Settings.

2. In the Name field, type a name to identify the credential.
3. In the Available for listbox, select who may use the credential: a single user, all users, or an entity (which allows all users within that entity).
4. In the Login field, provide the credential in one of two ways:
   - Type a password.
   - Choose a file containing a key pair or a private key.
5. Click Create Credential.

The new credential appears below the Credentials title, which lists the available credentials. On this page you can (see Figure 6):

- Check a credential and make sure all its data are correct by clicking the check icon.
- Delete a credential by clicking the delete icon.
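The target field of a scan job (step 10 of the New Scan Job procedure above) accepts a list of assets in which a leading exclamation mark excludes an address. The following parser is an added example, not AlienVault code: it expands such a list into the final set of targets. The guide only documents single IP addresses and the ! prefix; treating CIDR networks and bare hostnames as valid entries, and applying exclusions after all inclusions have been expanded, are assumptions about the field, not documented behaviour. Hostnames are passed through unresolved, as with the Do not resolve names option.

```python
"""Added example (not AlienVault code): parse the target list of a scan job.

Documented syntax: IP addresses, with '!' as an exclusion prefix
(e.g. !192.168.2.200). Assumed here, not documented: CIDR networks and
bare hostnames are also accepted, and exclusions are applied after every
inclusion has been expanded, so '!192.168.2.3' removes that host even when
192.168.2.0/24 is included.
"""
import ipaddress


def parse_targets(spec):
    """Expand a whitespace-separated target spec into (ip_list, hostname_list).

    Returns IP addresses as sorted strings and hostnames lower-cased and
    unresolved. Raises ValueError for a bare '!' with nothing after it.
    """
    include_ips, exclude_ips = set(), set()
    include_names, exclude_names = set(), set()
    for token in spec.split():
        exclude = token.startswith("!")
        value = token[1:] if exclude else token
        if not value:
            raise ValueError("'!' must be followed by an address or name")
        try:
            # A plain address becomes a /32 (or /128) network; strict=False lets
            # "192.168.2.5/24" mean the whole /24 rather than raising.
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            # Not an address or network, so treat it as a hostname to be
            # resolved (or not) by the scanner itself.
            (exclude_names if exclude else include_names).add(value.lower())
            continue
        # Skip the network and broadcast addresses of real subnets; /31 and /32
        # have no such addresses, so every address in them is a target.
        addresses = set(net.hosts()) if net.num_addresses > 2 else set(net)
        (exclude_ips if exclude else include_ips).update(addresses)
    ips = [str(ip) for ip in sorted(include_ips - exclude_ips)]
    names = sorted(include_names - exclude_names)
    return ips, names


if __name__ == "__main__":
    # Constructed input, not taken from a real deployment.
    print(parse_targets("192.168.2.0/29 !192.168.2.3 bat50 !BAT50 10.0.0.5"))
```

An invalid dotted quad such as 192.168.2.300 does not parse as an address and therefore falls through to the hostname branch; if the field should reject such typos rather than pass them to the scanner as names, add a check for that case before the ip_network call.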

Figure 6. Available Credentials.

Click the check icon to verify a credential. A new window appears in which you must type a host; then click Check:

Figure 7. Checking a Credential.

Running the Authorized Scan Using a Credential

To run an authorized scan using a credential

1. Navigate to Environment > Vulnerabilities > Scan Jobs.
2. Click New Scan Job (see Figure 4).
3. In the Job Name field, type a name to identify the scan job.
4. In the Select Sensor listbox, select a sensor.

5. In the Profile listbox, select a profile according to Table 14.
6. In the Schedule Method listbox, select a schedule method (see Table 5).
7. Expand Advanced to reveal the options in Table 6.

Table 6. Vulnerability Scan: Advanced Options.

  Advanced Option             Meaning
  SSH Credential              SSH login used for a deep scan of Unix systems.
  SMB Credential              SMB login used for a deep scan of Windows systems.
  Timeout                     Maximum number of seconds the scan may run. After this time the job is finished and marked as a timeout.
  Send an email notification  Click No to send no notification, or Yes to send one; then use the dropdown to select a single user or all users, or use the entity dropdown to select an entity.

8. To speed up the scanning process, select Only scan hosts that are alive.
9. If you do not want to pre-scan from a remote sensor, select Pre-Scan locally.
10. If you do not want to resolve hostnames or FQDNs, select Do not resolve names.
11. Select or type the assets you want to scan. To exclude a specific IP address, prefix it with an exclamation mark (!), which means do not scan that address. For instance, !192.168.2.200 excludes that address from the scan.
12. To create the vulnerability scan, click New Job.

Scheduling a Vulnerability Scan

To schedule a vulnerability scan job

1. Navigate to Environment > Vulnerabilities > Scan Jobs.
2. Click New Scan Job (see Figure 4).
3. In the Job Name field, type a name to identify the scan job.
4. In the Select Sensor listbox, select a sensor.
5. In the Profile listbox, select a profile according to Table 14.
6. In the Schedule Method listbox, select a schedule method (see Table 5).

7. To speed up the scanning process, select Only scan hosts that are alive.
8. If you do not want to pre-scan from a remote sensor, select Pre-Scan locally.
9. If you do not want to resolve hostnames or FQDNs, select Do not resolve names.
10. Select or type the assets you want to scan. To exclude a specific IP address, prefix it with an exclamation mark (!), which means do not scan that address. For instance, !192.168.2.200 excludes that address from the scan.
11. To create the vulnerability scan, click New Job.

Viewing Vulnerability Scan Results

Vulnerability Overview

This view shows vulnerability statistics across all scans. It also lists the results of each scan, called scan reports. You can view scan reports as HTML or export them as a PDF or Excel file.

To see the summary of vulnerabilities, navigate to Environment > Vulnerabilities > Overview:

Figure 8. Vulnerability assessment: overview.

The overview displays the elements listed in Table 7.

Table 7. Elements of the vulnerability assessment overview page.

By Severity
  A pie chart that displays, in percentages, all current vulnerabilities by severity, along with the number of vulnerabilities found, shown in square brackets.

By Services - Top 10
  A pie chart that displays the vulnerabilities of the top 10 services. Click a service to filter the vulnerabilities related to that service; the pie chart changes to show the result of the filter, and the Current Vulnerabilities section changes to match. Click Overview to refresh and view all services again.

Top 10 Hosts
  A horizontal bar graph that displays the 10 hosts with the most vulnerabilities. Click a host to filter the vulnerabilities related to that host; the bar graph changes to show the result for that host, and the Current Vulnerabilities section changes to match. Click Overview to refresh and view all hosts again.

Top 10 Networks
  A horizontal bar graph that displays the 10 networks with the most vulnerabilities. Click a network to filter the vulnerabilities related to that network; the bar graph changes to show the result for that network, and the Current Vulnerabilities section changes to match. Click Overview to refresh and view all networks again.

Current Vulnerabilities
  Summarizes the vulnerabilities found in the scan jobs. The first line refers to all scans and the following lines refer to each host. Vulnerabilities are classified by importance (Serious, High, Medium, Low and Info); see Vulnerability Ticket Threshold.

Reports
  Displays the results of every scan (see Viewing the Scan Results). Vulnerabilities are classified by importance (Serious, High, Medium, Low and Info); see Vulnerability Ticket Threshold.

The overview screen includes the buttons in Table 8.

Table 8. Buttons on the Vulnerability Assessment Overview Screen.

  Button        Description
  Profiles      Opens the vulnerability scan profiles screen (see Customizing Vulnerability Profiles).
  Settings      Opens the vulnerability scan settings screen (see Running an Authorized Vulnerability Scan).
  New Scan Job  Creates a scan job (see Running a Default Vulnerability Scan).

You can also see the summary of vulnerabilities by going to Dashboards > Overview > Vulnerabilities.

Current Vulnerabilities - Asset Vulnerability Details

This section summarizes all current vulnerabilities found in the scan jobs, ordered by number of vulnerabilities. The first line refers to all scans and the following lines refer to each host, starting with the host that has the most vulnerabilities.

Figure 9. Asset Vulnerability Details.

Table 9. Asset Vulnerability Details.

  Field      Meaning
  Host-IP    Hostname and IP of the host. The first line, All, summarizes all hosts.
  Date/Time  Exact date and time that the scan occurred.
  Profile    Profile chosen to run the scan.
  Serious    Number of Serious vulnerabilities found in the latest scan.
  High       Number of High vulnerabilities found in the latest scan.
  Medium     Number of Medium vulnerabilities found in the latest scan.
  Low        Number of Low vulnerabilities found in the latest scan.
  Info       Number of Info vulnerabilities found in the latest scan.

Note: For further information about the threshold of vulnerabilities, see Vulnerability Ticket Threshold.

To filter the data

1. In the empty box above the table, type the name of a service, free text, or the IP address of a host or network.

2. Click the corresponding radio button.
3. Click Find.

For instance, the following pie chart shows that the https service has 18 vulnerabilities (the number between the square brackets):

Figure 10. Example of a search by service.

To find out which hosts have these vulnerabilities

1. Type https in the search field.
2. Click the Service radio button.
3. Click Find.

You can also click the service directly in the pie chart. The result of this search is the following:

Figure 11. Example of a search by service: result.

Figure 11 shows that the bat50 host has 44 vulnerabilities, 18 of which are in the https service. To examine them, view the HTML report or export a PDF or Excel file. The Actions column contains icons with the following meanings:

Table 10. Scan Reports Details: actions.

- Displays the results of the scan job in HTML within the same browser.
- Exports the results of the scan job to a PDF file. The browser, such as Chrome, may open it in a different tab if it recognizes the file extension.
- Exports the results of the scan job to an Excel file.
- Deletes the report.

Reports - Scan Reports Detail

This table displays the reports generated by every scan. The reports appear in ascending order.

Figure 12. Scan Reports Details.

Table 11. Scan Reports Details.

  Field      Meaning
  Date/Time  Exact date and time that the scan occurred.
  Job Name   Name given to the report.
  Targets    Hostname and IP of the scanned host.
  Profile    Profile chosen to run the scan.
  Serious    Number of Serious vulnerabilities found in that scan.
  High       Number of High vulnerabilities found in that scan.
  Medium     Number of Medium vulnerabilities found in that scan.
  Low        Number of Low vulnerabilities found in that scan.
  Info       Number of Info vulnerabilities found in that scan.

Note: For further information about the threshold of vulnerabilities, see Vulnerability Ticket Threshold.

To filter the data

1. In the empty box above the table, type a date, the name of a job, or the IP address of a host or network.
2. Click the corresponding radio button.
3. Click Find.

The Actions column contains icons with the following meanings:

Table 12. Scan Reports Details: actions.

- Displays the results of the scan report in HTML within the same browser.
- Exports the results of the scan report to a PDF file. The browser, such as Chrome, may open it in a different tab if it recognizes the file extension.
- Exports the results of the scan report to an Excel file.
- Changes the owner of the report and makes the scan job visible to a user or entity.
- Compares reports; see Comparing Scan Results between Two Scans.
- Deletes the report.

Viewing the Scan Results

You can view the scan results in HTML, PDF or Excel, or import them from an NBE file. It is also possible to compare the results of two scans.

Viewing the Scan Results in HTML

To view the results of a scan report in HTML within the same browser

1. Navigate to Environment > Vulnerabilities > Overview.
2. Click Reports if that section is not already expanded.

Figure 13. Scan Reports Details.

3. Click the HTML icon of the scan job that you want to see.

The HTML report appears on the same screen.

Figure 14. Scan Reports Details.

The HTML report displays the information in Table 13.

Table 13. HTML report: information displayed.

  Element                   Definition
  Scan Time                 Time at which the scan was run, in the format yyyy-mm-dd hh:mm:ss.
  Profile                   Name of the profile chosen when the job was created.
  Generated                 Time at which the report was generated, in the format yyyy-mm-dd hh:mm:ss.
  Job Name                  Name given to the job.
  Pie Chart                 A pie chart that displays all found vulnerabilities by severity, in percentages and in colors.
  Summary of scanned hosts  A table of the scanned hosts. Click the icon to enable or disable the risk level view.
  Vulnerability Details     A table with the vulnerability name, the vulnerability ID, the service name and the severity of each vulnerability. The background color indicates the severity: pink for Serious, salmon for High, gold for Medium, yellow for Low and light yellow for Info.

Viewing the Scan Results in PDF

When you export a report to a PDF file, it carries a logo and the name of the portal branding. This information is configured through the Settings option.

To view the scan results in PDF

1. Navigate to Environment > Vulnerabilities > Overview and click Reports (see Figure 13).
2. Click the PDF icon of the scan job you are interested in; the result appears in a new tab.

To change the site header logo and the portal branding in the PDF file

1. Navigate to Environment > Vulnerabilities > Overview and click Settings.
2. In the Site header logo field, type the path of the header logo that will appear on the report.
3. In the Portal Branding field, type the name of the portal branding that should appear on the report.
4. Click Update.
5. Click the close icon to close this window.

Viewing the Scan Results in Excel

When you export a report to an Excel file, it carries the name of the portal branding. This information is configured through the Settings option.

To change the portal branding in the Excel file

1. Navigate to Environment > Vulnerabilities > Overview and click Settings.
2. In the Portal Branding field, type the name of the portal branding that should appear on the report.
3. Click Update.
4. Click the close icon to close this window.

To view the scan results in Excel

1. Navigate to Environment > Vulnerabilities > Overview and click Reports (see Figure 13).
2. Click the Excel icon of the scan job you are interested in.
3. Depending on the browser, a dialog may ask whether you want to open or save the file, or the file is downloaded directly. The name of the exported file has the following structure: ScanResult_yyyymmdd_.xls

Viewing the Scan Results from an NBE File

This option lets you import scan results from other scanners. It is useful when you want to use the results of an external scanner when creating reports or performing cross-correlation.

To import an NBE file

1. Navigate to Environment > Vulnerabilities > Scan Jobs.
2. Click Import NBE File.

Figure 15. Importing an NBE File.

3. In the Report Name field, type a report name.
4. In the File field, choose the file to import.
5. In the Source field, select the source.
6. In the Assign to listbox, select a single user, all users, or an entity to assign the import to.
7. Click Import & Asset Insertion to import the vulnerabilities and add any new assets, or click Import to import only the vulnerabilities. A message informs you that the file has been imported successfully.
8. Click the close icon to close this window.

Comparing Scan Results between Two Scans

Use this option to compare two reports.

To compare two reports

1. Navigate to Environment > Vulnerabilities > Overview.
2. Click Reports.
3. Click the compare icon of the first report to compare.

Figure 16. Scan Reports Details.

4. Use the dropdown to select the other report to compare.
5. Click Compare. The result looks similar to Figure 17.
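To make the NBE import and the report comparison above concrete, the following added example (not AlienVault code, and not USM's own import routine) parses two NBE exports and diffs them the way the Compare action contrasts two reports. It assumes the classic Nessus NBE layout, results|subnet|host|port|plugin id|type|description, with the types Security Hole, Security Warning, Security Note and Log Message; how USM maps those types onto Serious/High/Medium/Low/Info is not documented on this page, so the summary counts NBE types only. The two exports and their plugin IDs are constructed for the example.

```python
"""Added example (not AlienVault code): parse NBE scan exports and diff two scans.

Assumed NBE layout (classic Nessus back-end format):
  results|<subnet>|<host>|<port (proto)>|<plugin id>|<type>|<description>
where <type> is Security Hole, Security Warning, Security Note or Log Message
and the description encodes line breaks as the two characters '\\n'.
Other record types (timestamps) carry no findings and are skipped.
"""
from collections import Counter, defaultdict

NBE_TYPES = ("Security Hole", "Security Warning", "Security Note", "Log Message")


def parse_nbe(text):
    """Return one finding dict per 'results' record; reject malformed records."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.startswith("results|"):
            continue                       # timestamps etc. are not findings
        parts = raw.split("|", 6)          # the description may itself contain '|'
        if len(parts) < 6:
            raise ValueError(f"line {lineno}: malformed results record")
        _, subnet, host, port, plugin, ftype = parts[:6]
        description = parts[6] if len(parts) == 7 else ""
        if ftype not in NBE_TYPES:
            raise ValueError(f"line {lineno}: unknown finding type {ftype!r}")
        findings.append({"host": host, "port": port, "plugin": plugin, "type": ftype,
                         "description": description.replace("\\n", "\n")})
    return findings


def summarize(findings):
    """Per-host count of findings by NBE type, like the per-host rows of Table 11."""
    summary = defaultdict(Counter)
    for finding in findings:
        summary[finding["host"]][finding["type"]] += 1
    return summary


def compare(old, new):
    """Return (fixed, introduced): sets of (host, port, plugin) present only in
    the older or only in the newer scan, the contrast the Compare action shows."""
    def key(finding):
        return finding["host"], finding["port"], finding["plugin"]
    old_keys = {key(f) for f in old}
    new_keys = {key(f) for f in new}
    return old_keys - new_keys, new_keys - old_keys


# Constructed sample exports, not real scanner output; plugin IDs are placeholders.
SCAN_1 = """timestamps|||scan_start|Thu Oct  1 10:00:00 2015|
timestamps||192.168.2.10|host_start|Thu Oct  1 10:00:05 2015|
results|192.168.2|192.168.2.10|ssh (22/tcp)|10267|Security Note|SSH server banner\\nOpenSSH
results|192.168.2|192.168.2.10|https (443/tcp)|20007|Security Hole|SSLv2 enabled|see RFC 6176
results|192.168.2|192.168.2.10|https (443/tcp)|42873|Security Warning|Weak ciphers offered
timestamps||192.168.2.10|host_end|Thu Oct  1 10:05:00 2015|
timestamps|||scan_end|Thu Oct  1 10:05:00 2015|
"""
SCAN_2 = """results|192.168.2|192.168.2.10|ssh (22/tcp)|10267|Security Note|SSH server banner\\nOpenSSH
results|192.168.2|192.168.2.10|https (443/tcp)|42873|Security Warning|Weak ciphers offered
results|192.168.2|192.168.2.10|http (80/tcp)|11219|Security Hole|Directory listing enabled
"""

if __name__ == "__main__":
    old, new = parse_nbe(SCAN_1), parse_nbe(SCAN_2)
    for host, counts in summarize(new).items():
        print(host, dict(counts))
    fixed, introduced = compare(old, new)
    print("fixed:", sorted(fixed))
    print("introduced:", sorted(introduced))
```

The comparison keys on host, port and plugin ID rather than on the description text, so a finding whose wording changes between scanner updates is not reported as both fixed and introduced; a plugin that moves to a different port on the same host is reported as both, which is usually what you want to see.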

Figure 17. Scan Reports Details.

Customizing Vulnerability Scans

When performing scans, you must select a scanning profile. This profile defines the type of scan to perform and how thorough the scan is going to be.

To view the vulnerability scan profiles
Navigate to Environment > Vulnerabilities > Overview and click Profiles.

Figure 18. Vulnerability Scan Profiles Screen.

The three predefined profiles are explained in Table 14.

Table 14. USM Built-In Vulnerability Scan Profiles.
Profile  | Meaning
Deep     | A non-destructive full and fast scan. Use this scan if the scanned system breaks or crashes when overwhelmed with scanning requests.
Default  | Full and fast scan, including destructive tests.
Ultimate | Includes dangerous stress tests that can crash the scanned system (for example, filling a network switch's memory with random MAC addresses).

It is not possible to modify or delete these three profiles; the edit and delete buttons in the Action column are disabled for them. You can, however, create new profiles and later use the buttons to modify or delete the profiles you created. Click the icon to close the vulnerability scan profiles window.

Customizing Vulnerability Profiles

It is possible to create and/or modify a custom scan profile.

Creating a Custom Scan Profile

You can create a custom profile and tailor it to the type of target system you are scanning.

To create a custom profile for vulnerability scans
1. Navigate to Environment > Vulnerabilities > Overview.

2. Click Profiles.
3. Click Create New Profile.
Figure 19. Creating a Custom Profile for Vulnerability Scans.
4. In the Name field, type a name to identify the scan profile.
5. In the Description field, type a description of the scan profile.
6. In the Clone existing scan policy listbox, click to expand it and select an existing profile to use as a basis for the new profile, or select None to create a new profile from scratch.
7. In the Make this profile available for listbox, click to expand it and select a single user to have access to this profile, or allow all users to access it; or you can expand Entity to select an entity and allow access to all users within that entity.
8. In the Autoenable plugins option listbox, click to expand it and choose between Autoenable by category and Autoenable by family. The Autoenable by category option allows the user to use all plugins that belong to certain categories of vulnerabilities. For example, enabling all plugins from the Denial category adds all plugins that test whether targets are vulnerable to Denial of Service attacks.

The Autoenable by family option allows the user to narrow the selection of plugins to those matching certain popular operating systems such as Debian, Solaris, HP-UX, and VMware; network devices such as Cisco; or network services such as FTP or SNMP.
9. To add the new profile, click Create. After a few seconds, the vulnerabilities main screen appears. Click Profiles to see the created profile.

Modifying a Custom Scan Profile

To modify a custom profile for vulnerability scans
1. Navigate to Environment > Vulnerabilities > Overview, click Profiles (see Figure 18).
2. Click the icon of the profile you want to modify. Remember that the Deep, Default and Ultimate profiles have this icon disabled because it is not possible to modify these three profiles.
Figure 20. Editing a Custom Profile for Vulnerability Scans.
3. Modify the needed data.

Table 15. Editing a Custom Profile: tabs.
Tab         | Meaning
Autoenable  | Allows the user to modify the description, the availability for a user or entity, and the auto-enable options.
Plugins     | Allows for detailed adjustment of the plugins executed against your assets during a vulnerability scan. You will see the number of plugins available and the number of plugins enabled in the current profile. See Enabling/Disabling Plugins.
Prefs       | Allows the user to personalize a large number of settings for each profile. These settings are preferences on the server, such as the cgi path; different kinds of checks, such as the file policy violations check; or nmap settings. These preferences are generated dynamically and may change after a feed update.
View Config | Shows the final configuration; that is, the preferences selected in the previous tab, displayed in text mode.

4. Click Update.
5. After a few seconds, the vulnerabilities main screen appears.

Enabling/Disabling Plugins

This tab allows the user to filter plugins by family or by CVE ID:
Figure 21. Edit Profile: Plugins tab.
This screen includes the total number of available and enabled plugins.

Table 16. Edit Profile: available buttons in the plugins tab.
Button | Meaning
[icon] | Enable all plugins at the same time.

[icon] | Enable only the less aggressive plugins, which ensures your appliance can manage them.
[icon] | Disable all plugins at the same time.

Use one of the dropdowns to select plugins by family or by CVE ID. Once you make the selection, the list of vulnerabilities appears:
Figure 22. Edit Profile: plugin by its family selected.
The displayed data are explained in Table 17.

Table 17. Edit Profile: displayed data after the selection of a plugin.
Data      | Meaning
Enabled   | Enable or disable vulnerabilities.
Vulnid    | Displays the identification of the vulnerability.
Vuln Name | Displays the name of the vulnerability.
CVE ID    | Displays the associated CVE ID, if the vulnerability has one.

Plugin Category | Displays the category of the plugin.
Check All       | Enables all vulnerabilities in the list.
Uncheck All     | Disables all vulnerabilities in the list.
Update          | Applies the changes.

Checking the Threat Database

This option allows the user to search the available plugins.

To search a plugin
1. Navigate to Environment > Vulnerabilities > Threat Database.
2. Filter the search by date range, keywords, CVE ID and/or risk factor.
Figure 23. Threat Database Main Window.
3. Click Search. The results are similar to Figure 24.

Figure 24. Threat Database Main Window: result of search.
It is possible to display the details of a plugin by hovering the mouse pointer over the specific ID.

Figure 25. Threat Database Main Window.
All CVE fields are links that go to the vulnerability details of that reference.

Changing the Vulnerability Ticket Threshold

It is possible to assign a value to vulnerabilities and generate a ticket from this value. This functionality is useful for better management and a rapid response when dealing with vulnerabilities. Use the Vulnerability Ticket Threshold field to enter the value that is going to generate a ticket. The vulnerability ticket threshold is a value from 0 to 10, where 1 is a critical situation and 10 an uncritical one. The value 0 means this option is disabled.

There are two ways of changing the vulnerability ticket threshold:
1. Through the vulnerability screen:
   a) Navigate to Environment > Vulnerabilities > Overview, click Settings.

   b) Choose a value between 0 and 10. Any vulnerability with a higher risk level than this value will automatically generate a vulnerability ticket. See Vulnerabilities Ticket Threshold:
Figure 26. Changing the Vulnerability Ticket Threshold through the vulnerability screen.
2. Through the administration screen:
   a) Navigate to Configuration > Administration > Main.
   b) Click Vulnerability Scanner.

Figure 27. Changing the Vulnerability Ticket Threshold through the administration screen.
   c) Choose a value between Info, Low, Medium, High, Serious and Disabled. Any vulnerability with a higher risk level than this value will automatically generate a vulnerability ticket. See Vulnerabilities Ticket Threshold.
   d) Click Update Configuration.

Changing Other Vulnerability Scanner Options

To configure the vulnerability scanner
1. Navigate to Configuration > Administration > Main.
2. Click Vulnerability Scanner.

Figure 28. Vulnerability Scanner Configuration.
3. Perform the needed modifications.

Table 18. Vulnerability Scanner Configuration.
Option                         | Meaning
Scanner Login                  | Type a login for the scanner.
Scanner Password               | Type a password to access the scanner.
Scanner host                   | Type an IP that identifies the host (only for non-distributed scans).
Scanner port                   | The default port is 9390.
Enable Pre-Scan locally        | Choose between Yes or No (pre-scan locally, but do not pre-scan from the scanning sensor).
Vulnerability Ticket threshold | Choose a value between Info, Low, Medium, High and Disabled. Any vulnerability with a higher risk level than this value will automatically generate a vulnerability ticket. See Vulnerabilities Ticket Threshold.

4. Click Update Configuration.
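As an added example that is not part of the guide, the following script reproduces offline the two operations described in Comparing Scan Results between Two Scans and in the Vulnerability Ticket threshold setting above: it diffs two reports by host and Vulnid, then flags which new findings sit above a threshold on the Info-to-Serious scale from step c. The Finding fields follow the columns of Table 17; the sample reports, hosts, IDs and CVE numbers are constructed placeholders, and the strictly-higher-than comparison and the Disabled handling are this example's reading of the setting, not USM's own code.

```python
from dataclasses import dataclass
from typing import List, Optional

# Risk levels in ascending order, as on the administration screen (step c);
# "Disabled" is the threshold value that turns ticketing off.
RISK_LEVELS = ("Info", "Low", "Medium", "High", "Serious")

@dataclass(frozen=True)
class Finding:
    """One row of a scan report, named after the columns in Table 17."""
    host: str
    vulnid: str          # Vulnid
    name: str            # Vuln Name
    cve: Optional[str]   # CVE ID, None when the plugin has no CVE
    risk: str            # one of RISK_LEVELS

def compare_reports(earlier: List[Finding], later: List[Finding]):
    """Return (new, resolved, persisting) findings between two scans, keyed by
    (host, vulnid) so a renamed plugin on the same host still persists."""
    key = lambda f: (f.host, f.vulnid)
    before = {key(f): f for f in earlier}
    after = {key(f): f for f in later}
    new = sorted((after[k] for k in after.keys() - before.keys()), key=key)
    resolved = sorted((before[k] for k in before.keys() - after.keys()), key=key)
    persisting = sorted((after[k] for k in after.keys() & before.keys()), key=key)
    return new, resolved, persisting

def exceeds_threshold(finding: Finding, threshold: str) -> bool:
    """True when the finding's risk is strictly higher than the threshold;
    "Disabled" never tickets and an unknown label raises rather than hiding."""
    if threshold == "Disabled":
        return False
    if threshold not in RISK_LEVELS or finding.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {threshold!r}/{finding.risk!r}")
    return RISK_LEVELS.index(finding.risk) > RISK_LEVELS.index(threshold)

def tickets_for_new_findings(earlier, later, threshold: str) -> List[Finding]:
    """New findings that cross the ticket threshold, most severe first."""
    new, _, _ = compare_reports(earlier, later)
    return sorted((f for f in new if exceeds_threshold(f, threshold)),
                  key=lambda f: (-RISK_LEVELS.index(f.risk), f.host, f.vulnid))

# Constructed sample reports: hosts, IDs and CVE numbers are placeholders.
SCAN_1 = [Finding("10.0.0.5", "VULN-0001", "SMB signing not required", None, "Medium"),
          Finding("10.0.0.5", "VULN-0002", "Missing bulletin", "CVE-0000-0002", "High"),
          Finding("10.0.0.9", "VULN-0003", "Banner disclosure", None, "Low")]
SCAN_2 = [Finding("10.0.0.5", "VULN-0001", "SMB signing not required", None, "Medium"),
          Finding("10.0.0.5", "VULN-0006", "Weak cipher offered", "CVE-0000-0006", "Medium"),
          Finding("10.0.0.9", "VULN-0004", "Remote code execution", "CVE-0000-0004", "Serious"),
          Finding("10.0.0.9", "VULN-0005", "Service version reported", None, "Info")]
```

Running `tickets_for_new_findings(SCAN_1, SCAN_2, "Medium")` on the sample data returns only the Serious finding, because a Medium finding is not strictly higher than a Medium threshold.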

To modify the maximum simultaneous scans
1. Navigate to Configuration > Deployment > Components > Sensors.
2. Click on a sensor.
3. Drag the bar to adjust the value between 1 and 5. The maximum number of simultaneous scans per sensor is 5:
Figure 29. Vulnerability Scanner Configuration.
4. Click Update.

Generating Reports Based on Vulnerability Scans

There are reports available through the USM Reports functionality.

To access USM Reports
1. Navigate to Reports > USM Reports > Overview.
2. Type Vuln in the search field:
Figure 30. USM Reports: doing a search.
3. The available reports display.

Table 19. USM Reports: meaning of the buttons.
Action | Meaning
[icon] | Deletes the report.
[icon] | Exports the report as an .avr file. You must enter a password to encrypt the report.
[icon] | Copies the report to a new one.
[icon] | Allows the user to modify the common options of the report: the report name, the date range, the layout, the user or entity the report is available for, and the items to include in the report. This button is active only in reports that have been created or copied.
[icon] | Allows the user to modify the date range, the layout and the assets to include in the report before running it.
[icon] | Runs the report.

Updating the Vulnerability Scanning Rules

To update to the latest version supported by AlienVault
1. Navigate to Configuration > Deployment > Components > AlienVault Center and check whether there are new updates pending.
Figure 31. AlienVault Center: updating the Vulnerability Scanning Rules.
2. Click on the new update.
Important: This update is not only for vulnerability rules. It includes a feed update, a plugin update and sometimes even a product update.
3. Check the package information to make sure the Vulnerability Scanning rules will be updated:

Figure 32. Updating the Vulnerability Scanning Rules: detail.

Appendix A - Configuring a Vulnerability Scan Job: a Practical Example

This appendix is a practical example in which we create a scan job for Windows hosts.
1. Navigate to Environment > Vulnerabilities > Overview and click Profiles.
2. Click Create New Profile.
3. In the Name field, type Windows Profile.
4. In the Description field, type This is the profile for scanning Windows hosts.
5. In the Clone existing scan policy listbox, select None.
6. In the Make this profile available for listbox, select admin user.
7. In the Autoenable plugins option listbox, select Auto-enable by family.
8. Disable all options except: Credentials, General, Service detection, Settings, Windows and Windows: Microsoft Bulletins.
9. Click Create to add the new profile. After a few seconds, the vulnerabilities main screen appears.
10. Navigate to Environment > Vulnerabilities > Overview, click Settings.
11. In the Name field, type WindowsCredential.
12. In the Available for listbox, select admin user.
13. In the Login field, type admin and its password.
14. Click Create Credential.
15. Navigate to Environment > Assets & Groups.
16. Click More Filters, then click the Operating System tab and select the Microsoft Windows option.

Figure 33. More Filters Screen: Microsoft Windows filter.
17. Click Apply.
18. Select all hosts that have appeared and click Actions > Run Vulnerability Scan.

Figure 34. Run Vulnerability Scan on Windows Assets.
19. The Vulnerability Scan window appears for creating the scan job.
20. In the Job Name field, type WindowsScan.
21. In the Select Sensor listbox, click to expand it and select a sensor.
22. In the Profile listbox, click to expand it and select Windows Profile.
23. In the Schedule Method listbox, click to expand it and select Immediately.
24. Click Advanced and select WindowsCredential (admin) in the SMB Credential field.
25. In the Send an email notification listbox, select No.
26. Select the options Only scan hosts that are alive and Pre-Scan locally.
27. Click New Job.
28. Navigate to Environment > Vulnerabilities > Scan Jobs.
29. Our scan job appears under Running Scans:

Figure 35. Running Scan.
30. Click the icon to display the result of the scan.