Mapping vulnerability scan results to a network environment

This use case demonstrates how to map network assets and vulnerabilities detected in a vulnerability scan to the network devices and remediation content you are managing with TrueSight Network Automation. This mapping process is a prerequisite before you can use TrueSight Vulnerability Management to correct any vulnerabilities revealed in the scan.

This topic includes the following sections:

The following video demonstrates how to use TrueSight Vulnerability Management to map network assets and vulnerabilities detected in a scan to network rules and remediation content managed with TrueSight Network Automation.

https://youtu.be/XYaVKbUE-oI

Introduction

This use case describes how to associate network devices included in a vulnerability scan (known in TrueSight Vulnerability Management as assets) to network devices managed with TrueSight Network Automation(known as endpoints). It also describes how to associate vulnerabilities identified in the vulnerability scan to rules with corrective actions defined in TrueSight Network Automation. This process of associating—or mapping—must occur before you can perform any remediation based on a vulnerability scan.

TrueSight Vulnerability Management can perform an automatic mapping of assets based on their DNS server and IP address. However, after auto-mapping some assets may remain unmapped. When that occurs, you can manually find endpoints in your managed environment and associate them with assets in the vulnerability scan.

TrueSight Vulnerability Management can also perform an automatic mapping of vulnerabilities to rules defined in TrueSight Network Automation. Mapping is based on the Common Vulnerabilities and Exposures (CVE) number.

After assets and vulnerabilities are mapped, you can examine the Security-Dashboard and the Operator-Dashboard and then create a Remediation operation that corrects network vulnerabilities. That process is described in another use case.

What do I need to get started?

You must have a user ID that can access and use TrueSight Vulnerability Management.
You must have the results of a vulnerability scan in an XML format that can be imported into TrueSight Vulnerability Management. If you have access to a vulnerability management system, such as Qualys, Nessus, or Rapid7, you can export the results to XML. For more information, see Importing-scan-files.

How to map vulnerability scan results

	Procedure	Example screen
1	Using TrueSight Vulnerability Management, import a scan file exported from a vulnerability scanning product and automatically map assets in the scan to endpoints (that is, network devices) managed in TrueSight Network Automation. Auto-mapping matches the IP address and domain name server (DNS) of assets in the vulnerability scan to network devices managed by TrueSight Network Automation. Select TrueSight Vulnerability Management > Import. For Select Vendor, choose the type of vulnerability management system used to create the scan file you want to import. For Scan Report, click Browse and navigate to a scan file you want to import. The file must be in an XML format. Note that exports from Nessus must have a file ending of .nessus. For Import Filters, select the type of operating system data you want to import. Be sure to select Others, which is necessary when importing network assets. In IP Address (CIDR Format), specify the IP addresses in the Classless Inter-Domain Routing (CIDR) format, for which you want to import data. From the scan file, data only for the servers that belong to the specified IP address range is imported. Default value of this option is 0.0.0.0/0, which imports data for all the assets from the scan file. Click Import Scan.
2	To check the status of the import, click Activity Status, in the menu bar at top right. A window lists long running activities, such as scan imports, and shows their status. If the import is still running, its status says In Progress.
3	For assets that remain unmapped after auto-mapping, you can perform a manual mapping procedure. Select TrueSight Vulnerability Management > Assets to display a list of assets. Select one or more assets that require mapping. If necessary, use the filtering capability at the top of each column to find assets. For example, if you are looking for assets with names that include the string "cisco," enter cisco in the filter box at the top of the Scan Host column. At top right, click the Actions menu and select Map. The Map Endpoint to Scanned Hosts page opens. It provides two tabs: Selected Scanned Hosts and Endpoints. The asset(s) you selected in the previous step are listed on the Selected Scanned Hosts tab.	Select one or more assets that need mapping. When you click Map, the asset(s) you selected appear on the Map Endpoint to Scanned Hosts page.
4	Specify a network device managed in TrueSight Network Automation that should map to the selected asset(s). Select an asset on the Selected Scanned Hosts tab and click the Endpoints tab. Use the search capability to find the network device to be mapped. Click here to for a description of the search capability. Select a network device to map to the asset selected on the Selected Scanned Hosts tab and click Save. A message says that mapping has occurred. The Assets page shows the name of the mapped endpoint. In some situations you may need to map multiple scanned assets to a single network device. Or, you may need to map a single asset to multiple devices. Click here for details. Use the same procedure to map additional assets.	Select an asset to map and then click the Endpoints tab. Assets page shows name of mapped endpoint.
5	Display a list of vulnerabilities in the vulnerability scan. Then perform auto-mapping, which matches any vulnerabilities that can be remediated by applying corrective actions defined for network rules in TrueSight Network Automation. Select TrueSight Vulnerability Management > Vulnerabilities to display the list of vulnerabilities. Click Auto-map.
6	For vulnerabilities that remain unmapped after auto-mapping, perform a manual mapping procedure. Find a vulnerability that requires mapping. If necessary, use the filtering capability at the top of each column to find vulnerabilities. On the row for a vulnerability, click the Actions menu and select Map. The Map Remediation to Vulnerability page opens.
8	Using the search capability, identify remediation content. Select an item and click Save. Click here to see a page with detailed instructions for using using the search capability.
9	Click Save. A message says that mapping has occurred. The Vulnerabilities page shows details about the remediation content you selected. Repeat the same procedure to map additional vulnerabilities to remediation packages.

Wrapping it up

In this topic you used TrueSight Vulnerability Management to perform all the preliminary mapping necessary to remediate network vulnerabilities detected by an external vulnerability management system, such as Qualys, Nessus, or Rapid7.

Where to go from here

After all necessary mapping is complete, you can use the Security-Dashboard and Operator-Dashboard to analyze the vulnerabilities detected in a scan. Then you can use the Operator Dashboard to create a Remediation operation that corrects vulnerabilities in your network environment. Another use case describes that process.