About Vulnerability Assessment


Role Availability	Read-Only	Investigator	Analyst	Manager

USM Anywhere delivers as part of a complete package of security and management capabilities for efficient threat detection. USM Anywhere does this to improve security in your network. To generate a vulnerability assessment, you first need to know what is vulnerable. Vulnerability assessment is a functionality of USM Anywhere used for defining, identifying, classifying, and prioritizing the vulnerabilities in your system. The universal open and standardized method for rating IT vulnerabilities and determining the urgency of response is the Common Vulnerability Scoring System (CVSS). This method assigns severity scores to vulnerabilities. Scores range from 0 to 10, with 10 being the most severe. USM Anywhere works on both version 3 (CVSSv3) and the previous version 2 (CVSSv2) for scoring.

About Vulnerability Assessment in USM Anywhere

USM Anywhere detects vulnerabilities in and controls these scanning functions:

Running and scheduling scans (see Performing Vulnerability Scans for more information)
Generating and examining reports (see Viewing Vulnerabilities Scan Results for more information)
Generating system events when a vulnerability is detected (see Events Generated When a Vulnerability Is Detected)

USM Anywhere detects vulnerabilities using an wherein the USM Anywhere initiates a credentialed connection to the asset ( in Linux systems or Microsoft Windows Remote Management (WinRM) in Windows systems), and remotely runs a series of commands for host-based assessment. Vulnerability detection is based on an implementation of the Security Content Automation Protocol (SCAP) and the Open Vulnerability and Assessment Language (OVAL) 5.11.2 schema version. The National Vulnerability Database (NVD) is the U.S. government’s content repository for SCAP. The OVAL schema is maintained by The MITRE Corporation and developed by the public OVAL community website at http://oval.mitre.org. LevelBlue Labs™ Open Threat Exchange® (OTX™) queries NVD and MITRE every hour to search for the latest vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries OTX to update vulnerabilities information. For Linux variants, USM Anywhere performs a series of generic UNIX and independent schema tests in addition to flavor-specific tests for IBM AIX, FreeBSD, Hewlett Packard Enterprise HP-UX, and Linux. For Windows, USM Anywhere performs a series of Windows schema and independent schema tests.

Warning: USM Anywhere removes vulnerabilities older than 90 days from the database.

About Vulnerability Severity

Discovering a vulnerability by itself is important but can be of little use without the ability to estimate the associated severity to an asset. For this reason, USM Anywhere assigns a severity to each vulnerability found in the system according to the severity score of the CVSS. The following table shows the CVSS v2.0 and v3.0 ratings. CVSS v2.0 and v3.0 Ratings

Severity	v2 Score Range	v3 Score Range
None	N/A	0.0
Low	0.0-3.9	0.1-3.9
Medium	4.0-6.9	4.0-6.9
High	7.0-10.0	7.0-8.9
Critical	N/A	9.0-10.0

Important: There is also an Under Analysis severity. This severity displays when the National Vulnerability Database (NVD) has not assigned a CVSS base score to the vulnerability. OTX queries NVD and MITRE every hour to search for the latest vulnerabilities. Every time you run a vulnerability scan, USM Anywhere queries OTX to update the vulnerabilities information. If the NVD has updated the CVSS base score for that vulnerability, USM Anywhere will update the status after you run a new vulnerability scan.

To see the CVSS score of a vulnerability

Go to Environment > Vulnerabilities.
Click the vulnerability to display its details.

About Active and Inactive Vulnerabilities

In USM Anywhere you can find active vulnerabilities and inactive vulnerabilities. When you run a scan on an asset and USM Anywhere finds a vulnerability, this vulnerability is active for that specific asset. Only vulnerabilities found in the most recent scan on a particular asset are considered active, while any vulnerabilities present in previous scans but not found in the most recent scan will be considered inactive.

A Practical Example

USM Anywhere finds 15 vulnerabilities when you run a scan over an asset, and your product shows “active: 15, inactive: 0”. After the scan, you remediate all of the vulnerabilities that were discovered. A week later, you run a scan over the same asset, and this new scan finds 3 vulnerabilities. Now, your product will show 3 vulnerabilities active out of 15 vulnerabilities found and will display “active: 3, inactive: 12”.

Searching Active or Inactive Vulnerabilities

When you go to Environment > Vulnerabilities, USM Anywhere displays all active vulnerabilities by default.

If you want to see the inactive vulnerabilities, select the Inactive filter. USM Anywhere displays the list of your inactive vulnerabilities.

You can also see whether a vulnerability is active or inactive by opening the full details screen of the vulnerability.

Events Generated When a Vulnerability Is Detected

You can configure your USM Anywhere to generate an event whenever a vulnerability is detected.

Note: Enabling this feature will generate system events for each newly discovered vulnerability. Be prepared for an influx of system events when enabling this feature. It is recommended to run a few initial vulnerability scans to get a baseline prior to enabling this feature.

To enable event creation upon vulnerability detection

Go to Settings > System and then select Vulnerability Settings.
Toggle Generate a System Event on Vulnerability Discovery to enable this setting. Toggle this off to disable event creation.

Important: This setting is only accessible to users in a Manager role.

USM Anywhere™

USM Central™

Automated Policy Manager

About Vulnerability Assessment