08-09-2024 03:18 PM - edited 08-09-2024 04:29 PM
Vulnerabilities, or CVEs, are publicly disclosed security weaknesses that threat actors can exploit to gain unauthorized access to systems or networks. Known CVEs remain present in programs and operating systems until an organization remediates them. For many organizations, one of the first steps in cloud and container security is to discover and patch the vulnerabilities in their environments.
A good metric for the accuracy of a vulnerability scan is the number of false positives and false negatives it produces: fewer of each indicates a more accurate scan.
This article shows you how to detect false positives and false negatives in vulnerability scans, to help objectively show that Prisma Cloud Compute’s vulnerability scans are more accurate.
Prisma Cloud Compute stays up to date with the latest threat information through the Intelligence Stream (IS). It aggregates more than 30 upstream providers to include the most accurate CVE data, including open source feeds, private threat data, and commercial feeds. Prisma Cloud Compute also consumes each operating system vendor’s official upstream data, which improves vulnerability accuracy and results in fewer false positives and false negatives.
Intelligence Stream Documentation
Many vendors use the NVD as their source data for detecting vulnerabilities. This approach generates many false positives and false negatives because NVD data is generic: vulnerabilities don’t always affect operating systems in the same way, so what is a critical vulnerability on Ubuntu may not affect Debian at all.
Here is an example of CVE information from NVD: CVE-2020-22218 Detail
To determine whether a vulnerability is a false positive or a false negative using Prisma Cloud Compute, the process is as follows:
1. Navigate to Monitor -> Vulnerabilities -> Vulnerability Explorer
2. Search for a CVE and click on the displayed result
Figure 1: Vulnerability Explorer CVE Search
3. Select the image
Figure 2: CVE details
4. Navigate to the Package Info tab and search for the library (in this example, libssh2)
Figure 3: Image packages
5. Ensure that Prisma Cloud Compute’s CVE Viewer shows the same vulnerable versions as the vendor
6. Navigate to Monitor -> Vulnerabilities -> CVE Viewer
7. Search for the CVE ID. In this case, the CVE is associated with an Amazon package.
Ref: CVE-2020-22218
Figure 4: CVE viewer
8. Compare the OS and package information with the vendor’s CVE advisory. Everything should match for established CVEs. Brand new CVEs that have not yet been fully characterized may show a mismatch, because the vendor’s research is not yet complete.
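As an added illustration of the reconciliation the steps above perform (example code, not part of the article or of Prisma Cloud), the following Python checks each scanner finding against a per-distribution vendor advisory table and labels it a true/false positive or negative. The distro names, package versions and "not affected" entries are constructed placeholders, not the real CVE-2020-22218 advisory data, and the version comparison is a simplified stand-in for dpkg/rpm ordering.

```python
from collections import Counter, namedtuple

# Constructed vendor advisory: (distro, package) -> first fixed version, or None
# when the vendor marks that distro "not affected". Placeholders, NOT real data.
ADVISORY = {
    ("amzn2", "libssh2"): "1.9.0-3",  # constructed: fixed in this build
    ("debian12", "libssh2"): None,    # constructed: distro not affected
}

# One scanner result; flagged = did the scanner report the CVE for this package?
Finding = namedtuple("Finding", "cve distro package installed flagged")

def parse_version(v):
    """'upstream-release' -> int tuples (simplified: no epochs or letters)."""
    upstream, _, release = v.partition("-")
    to_tuple = lambda s: tuple(int(p) for p in s.split(".")) if s else ()
    return to_tuple(upstream), to_tuple(release)

def vendor_affected(distro, package, installed):
    """True/False from the vendor; None if no entry yet (step 8's new-CVE case)."""
    if (distro, package) not in ADVISORY:
        return None
    fixed = ADVISORY[(distro, package)]
    if fixed is None:
        return False  # vendor says this distro's build is not affected
    return parse_version(installed) < parse_version(fixed)

def classify(f):
    """Compare the scanner's claim with the vendor's verdict, as in step 8."""
    truth = vendor_affected(f.distro, f.package, f.installed)
    if truth is None:
        return "unknown"
    if f.flagged:
        return "true_positive" if truth else "false_positive"
    return "false_negative" if truth else "true_negative"

# Constructed scanner output: a generic NVD-range scanner flags libssh2 on every
# distro, so the Debian build is a false positive; one Amazon build was missed.
SAMPLE_FINDINGS = [
    Finding("CVE-2020-22218", "amzn2", "libssh2", "1.9.0-1", True),
    Finding("CVE-2020-22218", "debian12", "libssh2", "1.10.0-3", True),
    Finding("CVE-2020-22218", "amzn2", "libssh2", "1.9.0-2", False),
    Finding("CVE-2020-22218", "amzn2", "libssh2", "1.9.0-3", False),
]

def summarize(findings):
    """Verdict counts; fewer false_* entries means a more accurate scan."""
    return dict(Counter(classify(f) for f in findings))
```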
Prisma Cloud’s Intelligence Stream is a key differentiator for Palo Alto Networks Prisma Cloud. It allows Prisma Cloud to objectively prove and quantify that Prisma Cloud Compute’s vulnerability results are better than the competition’s. Many scanners use NVD data to fill gaps where they have no vendor data. The Intelligence Stream data leads to fewer false positives and fewer false negatives, giving a more precise scan result.
This article has reviewed the steps needed to take a CVE and confirm whether your specific distribution is actually affected by it. This will allow you to reduce your false positives and false negatives.
RD Singh is a cloud security architect specializing in the Prisma Cloud CNAPP platform, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. He uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success.