Vulnerabilities (CVEs) Analysis Using Prisma Cloud Compute

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L3 Networker
No ratings

By RD Singh, Senior Customer Success Engineer

 

Overview

 

Vulnerabilities or CVEs are publicly disclosed security vulnerabilities that threat actors can exploit to gain unauthorized access to systems or networks. CVEs are widely present in programs and operating systems until an organization works to remediate the known CVEs. For many organizations, one of the first steps with cloud and container security is to discover and patch vulnerabilities in their environments.

 

A good metric to determine the accuracy of a vulnerability scan is to count the number of false positives and false negatives. Fewer false positives and false negatives indicate a more accurate scan.

  • False positive (FP) - When a scan result indicates that a program and library is vulnerable to a CVE, when it is not. 
  • False negative (FN) - When a scan result does not indicate the software is vulnerable, when it is.

This article will show you how to detect false positives and false negatives in vulnerability scans to help objectively show that Prisma Cloud Compute’s vulnerability scans are more accurate.

 

Intelligence Stream

 

Prisma Cloud Compute stays up to date with the latest threat information through the Intelligence Stream (IS). Over 30 different upstream providers are aggregated to include the most accurate CVE data. This includes open source feeds, private threat data, and commercial feeds. Prisma Cloud Compute also consumes the operating system vendor’s official upstream data which improves vulnerability accuracy resulting in fewer false positives and negatives. 

Intelligence Stream Documentation

 

National Vulnerability Database (NVD)

 

Many vendors will use the NVD as their source data for detecting vulnerabilities. This approach generates many False Positives and False Negatives because the data is generic.  Vulnerabilities don’t always affect operating systems similarly, so what may be a critical vulnerability for Ubuntu may not even affect Debian. 

Here is an example of CVE information from NVD: CVE-2020-22218 Detail

 

Identifying FP and FN using Prisma Cloud Compute

 

To determine if a vulnerability is a false positive or false negative using Prisma Cloud Compute the process is as follows:

  1. Start with a single CVE
  2. Determine the operating system of the container image or host operating system
  3. Validate the CVE with the vendor’s official security site
    1. Is this operating system affected by this CVE?
    2. Which versions of the packages are vulnerable to this operating system?
  4. Determine which version of the library was found using the Package Info tab
  5. Ensure that Prisma Cloud Compute’s CVE Viewer shows the same vulnerable versions as the vendor
  6. Determine if it is a false positive or false negative

 

Example: 

 

1. Navigate to Monitor -> Vulnerabilities -> Vulnerability Explorer

2. Search for a CVE and Click on displayed result

figure 1.png

Figure 1: Vulnerability Explorer CVE Search_PaloAltoNetworks

 

3. Select the image

figure 2.png

Figure 2: CVE details_PaloAltoNetworks

 

4. Navigate to the Package Info Tab and search for library: libssh2

figure 3.png

Figure 3: Image packages_PaloAltoNetworks

 

5. Ensure that Prisma Cloud Compute’s CVE Viewer shows the same vulnerable versions as the vendor

6. Navigate to Monitor -> Vulnerabilities -> CVE Viewer

7. Search for the CVE ID. In this case, the CVE is associated with an Amazon package.

Ref: CVE-2020-22218

 

figure 4.png

Figure 4: CVE viewer_PaloAltoNetworks

 

8. Compare the OS and package information with the vendor CVE. Everything should match on established CVEs.  Brand new CVEs that are not fully characterized may show a mismatch as all the vendor research is not completed.

 

Conclusion

 

Prisma Cloud’s Intelligence Stream is a key differentiator for Palo Alto Networks Prisma Cloud. This allows Prisma Cloud to objectively prove and quantify that Prisma Cloud Compute’s vulnerability results are better than the competition. Many scanners use NVD data to fill in holes for data they don’t have. The Intelligence Stream data leads to fewer false positives and fewer false negatives giving a more precise scan result.

 

This article has reviewed the steps needed to take a CVE and confirm whether your specific distribution has this vulnerability.  This will allow you to reduce your false positives and false negatives. 

 

References

 

  1. Intelligence Stream Documentation
  2. NVD - CVE-2020-22218 Detail

 

About the Author

 

RD Singh is a Cloud security architect specializing in Prisma Cloud CNAPP platform, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. He uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi industry knowledge to inspire success.  

Rate this article:
  • 1687 Views
  • 0 comments
  • 1 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎08-09-2024 04:29 PM
Updated by: