Staying Ahead of New Vulnerabilities
The security threat landscape is constantly shifting, and there is a multitude of solutions for managing threats. An unfortunate effect of a large toolbox is that the more tools and vendors you have, the more complex your management task becomes. When one facet of your security infrastructure becomes aware of risks, how can you most effectively utilize your full security ecosystem to combat them? With Nexpose’s Adaptive Security, integration with DXL and TIE from McAfee (formerly Intel Security) allows your security team to gain insight into your assets and automatically prioritize assets when compromises are detected – meaning your team does more with less time and effort.
Sharing Knowledge with DXL and TIE Integration
Nexpose is able to speak over the DXL communication layer, which allows everyone on the fabric to share knowledge with the vulnerability management solution. This means communication across different vendors’ solutions, enabling you to go after threats with the proper tool or tools and maximizing your security investment.
One of the most powerful new features of this integration is vulnerability discovery reporting. Nexpose can automatically report vulnerabilities (including title, Nexpose vulnerability ID, CVSS score, detection time, and ePO agent ID) as they are found, enabling other solutions like firewalls and monitoring tools to take actions dependent on those discoveries. Additionally, Nexpose can increase your insight into these vulnerabilities by dispensing expanded vulnerability details over DXL.
In addition to publishing vulnerability discoveries, Nexpose can now consume TIE file reputation events as a trigger for automated actions. One particularly powerful use of TIE-triggered events is tagging assets. TIE-triggered events can apply a criticality tag to assets to automatically adjust their risk scores, raising their visibility within Nexpose. This means malicious file events detected by TIE are seamlessly passed along to Nexpose and affected assets bubble to the top of your vulnerability reports, so you automatically fix potentially compromised assets first.
DXL Integration Setup and Usage Guide
As a prerequisite, a site with ePO assets has been created.
First, create a DXL discovery connection. Go to the “Administration” tab > find the “Discovery Options” card > find the “Connections” section > click the “Create” link.
Name and configure your connection. Be sure to check the Publish Vulnerabilities box and test your configuration before saving.
Start a scan.
When Nexpose sees undiscovered vulnerabilities, it will publish messages on the /rapid7/event/nexpose/vulnerability/detection topic of the DXL fabric.
Furthermore, Nexpose is listening on the /rapid7/event/nexpose/vulnerability/details topic of the DXL fabric. If you request vulnerability details there, Nexpose will respond with them.
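The following is an added example, not Rapid7's or McAfee's code: a consumer-side handler that validates each detection event before acting on it, suppresses repeats for the same agent and vulnerability, and picks a follow-up by CVSS score. Only the topic name comes from this guide; the JSON key names, the 9.0/7.0 thresholds and the action labels are assumptions.

```python
import json

# Topic name comes from the guide; everything else here is an assumption.
DETECTION_TOPIC = "/rapid7/event/nexpose/vulnerability/detection"
# Assumed JSON keys for the five fields the post says are published.
REQUIRED = ("title", "vulnerability_id", "cvss_score", "detection_time", "epo_agent_id")

def parse_detection(payload: bytes) -> dict:
    """Decode and validate one detection event; raise ValueError if malformed."""
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"undecodable payload: {exc}") from exc
    if not isinstance(msg, dict) or any(k not in msg for k in REQUIRED):
        raise ValueError("not a JSON object or missing required fields")
    try:
        score = float(msg["cvss_score"])
    except (TypeError, ValueError) as exc:
        raise ValueError("cvss_score is not numeric") from exc
    if not 0.0 <= score <= 10.0:  # this comparison also rejects NaN
        raise ValueError(f"cvss_score out of range: {score}")
    msg["cvss_score"] = score
    return msg

class Triage:
    """Choose a follow-up per event; thresholds and labels are hypothetical."""
    def __init__(self, restrict_at: float = 9.0, ticket_at: float = 7.0):
        self.restrict_at, self.ticket_at = restrict_at, ticket_at
        self.seen = set()  # (agent id, vulnerability id) pairs already handled

    def handle(self, payload: bytes) -> str:
        try:
            msg = parse_detection(payload)
        except ValueError:
            return "rejected"  # never act on a message that failed validation
        key = (msg["epo_agent_id"], msg["vulnerability_id"])
        if key in self.seen:
            return "duplicate"
        self.seen.add(key)
        if msg["cvss_score"] >= self.restrict_at:
            return "restrict"
        return "ticket" if msg["cvss_score"] >= self.ticket_at else "log"

# Constructed sample event (not captured from a real fabric).
SAMPLE = json.dumps({
    "title": "Example finding", "vulnerability_id": "example-vuln-id",
    "cvss_score": 9.3, "detection_time": "2017-01-01T00:00:00Z",
    "epo_agent_id": "00000000-0000-0000-0000-000000000000"}).encode()
```

In a deployment, `handle()` would be called with the payload of each event received on `DETECTION_TOPIC` by whichever DXL client library the consumer uses.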
Automated Actions using TIE File Reputation Events
Turn on risk score adjustment by going to the “Administration” tab > find the “Global and Console Settings” card > and selecting “Manage.”
From the “Risk Score Adjustment” tab, check the “Adjust asset risk scores based on criticality” box and save.
After the “Automated Actions” panel appears, click “New Action.”
In the “Trigger” panel, select “TIE File Reputation Event” and the DXL connection.
In the “Action” panel, pick “Tag” and select the “Very High” tag.
Now, when TIE detects malicious file events, assets will be tagged “Very High” and their risk scores will be scaled appropriately.