Purpose

This document describes Findings in the Unified View.

Introduction

Findings are the potential risks and recommended reconfiguration suggestions found during automatic and manual assessments of the target asset. These vary from security best practices which lower the attack surface of the target to exploitable vulnerabilities that were verified and confirmed as being present and relevant for the target.

Each Finding includes its risk classification, its risk score, and information describing what it is, why it was found and how an attacker might be able to exploit the vulnerability, together with clear solutions to remediate the risk.

Accessing Findings

Clicking the Explore icon in the menu on the left-hand side and selecting Findings displays an unfiltered list of vulnerabilities together with the Overall Risk card.


Column: Description
Age *: Number of days since the finding was detected.
Asset UUID: The unique identifier of the Asset the Finding belongs to.
CVSS V2: CVSS V2 score ranging from 0 to 10.
CVSS V2 Severity: CVSS V2 severity in qualitative ratings.

  • Recommendation - 0
  • Low - 0.1-3.9
  • Medium - 4.0-6.9
  • High - 7.0-10.0

CVSS V3: CVSS V3 score ranging from 0 to 10.
CVSS V3 Severity: CVSS V3 severity in qualitative ratings.

  • Recommendation - 0
  • Low - 0.1-3.9
  • Medium - 4.0-6.9
  • High - 7.0-8.9
  • Critical - 9.0-10.0

Date: The date of the last scan.
Farsight Score *: Vulnerability score ranging from 0-100 according to Farsight.
First Seen: Date and time when the finding was seen for the first time.
Grade *: Risk level on a scale from A to F where F represents the most critical risks.

An Asset's risk is calculated based on:

  1. Business criticality (priority)
  2. Exposure
  3. The single most critical finding (weakest link) on the asset

Last Seen *: Date and time when the finding was last seen. The date is set after the scan is finished if the finding is still detected.
Name *: Name of the vulnerability.
Port: The IP communication port.
Protocol: TCP, UDP, ICMP, IGMP or GENERIC
Status: Indicates the different statuses for a finding. Can be marked as:

  • Present - (Default) Shows that a Finding is present after scanning.
  • Pending Verification - Shows if there is any pending verification request.
  • Fixed - Shows if the vulnerability has been fixed.
  • False Positive - The scanner is finding a risk that it is not supposed to pick up on.
  • Accepted - Displays if the risk is accepted or not.
  • Irreproducible - AppSec not able to reproduce finding.

UUID: The unique identifier of the Finding.

*) Columns shown by default

Clicking and marking a vulnerability in the list displays more information about the vulnerability in a card on the right-hand side.

Italic and dimmed rows indicate that the finding is "closed", that is, its status is FIXED, ACCEPTED or FALSE_POSITIVE.

Details

Selecting a Finding in the table displays a detailed report on the specific finding.

Option: Description
Grade: Risk level on a scale from A to F where F represents the most critical risks.

An Asset's risk is calculated based on:

  1. Business criticality (priority)
  2. Exposure
  3. The single most critical finding (weakest link) on the asset

Status: Indicates the different statuses for a finding. Can be marked as:

  • Present - (Default) Shows that a Finding is present after scanning.
  • Pending Verification - Shows if there is any pending verification request.
  • Fixed - Shows if the vulnerability has been fixed.
  • False Positive - The scanner is finding a risk that it is not supposed to pick up on.
  • Accepted - Displays if the risk is accepted or not.
  • Irreproducible - AppSec not able to reproduce finding.

Farsight Score: Score of the vulnerability according to Farsight.
Aging: Days since first discovered.
Last Scan: When the last scan was performed.
CVE-Link: Further information about the vulnerability from the National Vulnerability Database.
Delta: The difference between the current and the former likelihood values.
Threat Activity: When the threat was active.
CVSS v3: CVSS score ranging from 0 to 10.

Further details can be accessed in Vulnerability Management (Netsec) by clicking the "View more details on Netsec" link at the bottom of the frame.

Multi Select

When selecting more than one row using the check boxes, an average risk value for selected rows is displayed in the card to the right with the number of selected items at the top.

Configuring the Columns

The Columns can be configured in several ways. Columns can be added and removed and the order in which they are displayed can be changed.

Changing Column Width

All the columns are configurable in width by dragging the dotted area on the right side of the column head.

Changing Column Presentation

The order in which the columns are presented can be changed by dragging the dotted area at the bottom of the column head.

Selecting Columns

By clicking on the + sign in the upper right corner in the column head row, a column menu is displayed where columns can be selected and deselected to configure the findings view.

Reset To Default

  1. To reset to the default column presentation, press the Reset icon.
  2. A confirmation box is displayed; click the red Reset button to confirm.
  3. This resets the number of columns shown and the order in which they are shown to default.

Farsight

The Likelihood feature in Outpost24 Farsight provides an easier way to address vulnerabilities which are relevant and may impact an organization irrespective of the CVSS score or the presence of an exploit for a vulnerability.

By focusing on the likelihood, you mitigate vulnerabilities for which the machine learning model predicts an increased risk, even though they may not currently be exploited.

Note

Risk classification of assets and services serves a purpose and should be conducted to further distinguish where to focus most efforts. This task can be time-consuming and may not produce viable results in the first couple of iterations. Farsight enables you to filter out some unlikely vulnerabilities with little to no prior knowledge about the vulnerabilities or assets, getting you on track with your vulnerability program faster. 

Risk Score - Likelihood 

Likelihood is a risk indicator that shows how likely a vulnerability is to be exploited compared to average, where approximately 95% of all vulnerabilities are never exploited. This is displayed in the Farsight column in the asset's Findings view. The value can go from 1 to 100, where 100 is the equivalent of saying it will be (or has been already) exploited in the wild in the next 12 months. The benefit to the customer is the ability to drive more aggressive risk-based remediation, focusing on even fewer vulnerabilities that reach a particular likelihood. It is also worth noting that any vulnerability already exploited in the wild will have the risk value of 100, as it has been exploited already.

Note

Since the risk score is machine learning driven and based on several factors, the risk rating can decrease as well as increase based on activity in the wild.

Prerequisites

To use Farsight you need the function enabled in your subscription. Contact support for more information on how you can enable the Farsight function.

Farsight in Unified View

In the Unified View, Farsight scores are presented as Exploitation Likelihood together with CVSS scoring when selecting an asset. The Common Vulnerability Scoring System (CVSS) score provides a numerical value of the severity of vulnerabilities, whereas Farsight displays the likelihood for that vulnerability to occur and potentially affect the system. This provides you with data to prioritize the remediation efforts into key business assets.

Clicking the blue View Findings button takes you to the findings view, where the findings are listed. Farsight scores are presented as a column in the Findings view.

Selecting a finding displays a more detailed view in the panel to the right.


Option: Description

Overview
Name: Vulnerability name.
Age: Shows how old the vulnerability is.
Likelihood: The Risk score shows the likelihood of a vulnerability being weaponized and exploited in the wild over the next 12 months. Ranges from 1 to 38.46. The higher the value, the greater the risk.
CVSS V2 severity: Severity level of the vulnerability according to CVSS v2 score:

  • None - 0.0
  • Low - 0.1-3.9
  • Medium - 4.0-6.9
  • High - 7.0-8.9
  • Critical - 9.0-10.0

CVSS V3 severity: Severity level of the vulnerability according to CVSS v3 score:

  • None - 0.0
  • Low - 0.1-3.9
  • Medium - 4.0-6.9
  • High - 7.0-8.9
  • Critical - 9.0-10.0

Farsight
Score: Risk indicator that shows how much more likely a vulnerability is to be exploited compared to average. The risk indicator presents the likelihood values in a 0-100% (0-1) format.
Threat Activity: Date when threat activity was last detected by the watcher community.
Delta: The difference between the current and the former likelihood values.
Delta update date: Date when the Delta value changed.
Exploit available: Determines if there is a publicly available exploit present for this vulnerability.
Exploitation likelihood: Likelihood of exploitation depending on the Likelihood value. The Exploitation Likelihood uses the likelihood values in a 0-1 (0-100%) format divided into four groups.

  • Rare - 0-0.25
  • Unlikely - 0.25-0.50
  • Possible - 0.50-0.75
  • Likely - 0.75-1

Scan details
Last Scan: Time and date when this finding was most recently detected.
Details: The link "View more details on NetSec" takes you to the Findings tab in the Reporting Tool in NetSec.
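
The following added example, which is not Outpost24's code and not part of the original page, ranks a constructed list of findings by Farsight likelihood before CVSS v3 severity, using the likelihood groups and CVSS v3 ratings from the Findings column list and skipping the statuses the page treats as closed. The field names, the rule that a boundary value (0.25, 0.50, 0.75) falls in the higher group, and the sort order are assumptions.

```python
# Added example: field names, boundary handling and sort order are assumptions,
# not Outpost24's export schema or ranking logic.
CLOSED = {"FIXED", "ACCEPTED", "FALSE_POSITIVE"}  # statuses the page calls "closed"
GROUPS = [(0.75, "Likely"), (0.50, "Possible"), (0.25, "Unlikely"), (0.0, "Rare")]
SEVERITIES = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def likelihood_group(farsight_score):
    """Map a 0-100 Farsight score to the four exploitation-likelihood groups."""
    if not 0 <= farsight_score <= 100:
        raise ValueError(f"Farsight score out of range: {farsight_score}")
    value = farsight_score / 100  # convert to the 0-1 format the groups use
    # Assumption: a value exactly on a boundary belongs to the higher group.
    return next(name for floor, name in GROUPS if value >= floor)


def cvss_v3_severity(score):
    """Map a CVSS v3 score to the qualitative rating from the column list."""
    if not 0 <= score <= 10:
        raise ValueError(f"CVSS score out of range: {score}")
    return next((name for floor, name in SEVERITIES if score >= floor),
                "Recommendation")


def triage(findings):
    """Drop closed findings, then order by likelihood first and CVSS v3 second."""
    still_open = [f for f in findings
                  if f["status"].upper().replace(" ", "_") not in CLOSED]
    ranked = sorted(still_open, key=lambda f: (-f["farsight"], -f["cvss_v3"]))
    return [(f["name"], likelihood_group(f["farsight"]),
             cvss_v3_severity(f["cvss_v3"])) for f in ranked]


# Constructed sample findings (not real scan data).
SAMPLE = [
    {"name": "Outdated TLS configuration", "status": "Present",
     "cvss_v3": 5.3, "farsight": 12},
    {"name": "Remote code execution in web server", "status": "Present",
     "cvss_v3": 9.8, "farsight": 41},
    {"name": "Privilege escalation in agent", "status": "Pending Verification",
     "cvss_v3": 7.8, "farsight": 100},
    {"name": "SQL injection in login form", "status": "Fixed",
     "cvss_v3": 9.1, "farsight": 88},
]

if __name__ == "__main__":
    for name, group, severity in triage(SAMPLE):
        print(f"{group:<9} {severity:<9} {name}")
```

In this sample the High-severity finding with a likelihood of 100 is ranked above the Critical finding whose likelihood is only in the Unlikely group, which is the reordering that likelihood-first prioritization produces.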




Copyright

© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.