Tenable Integrations
Waratek has created a reporting tool that ingests Tenable vulnerability scan data and correlates it with any Waratek patches that are in place.
Overview
This reporting tool recalculates the risk of each Tenable finding and adjusts its CVSS v3 score, showing which vulnerabilities have been fully or partially patched by Waratek. The report can then be used as a supplement to the Tenable-produced reports to give a more accurate and comprehensive view of your application security posture.
This feature requires that you have a Tenable account and have conducted scans of machines containing Waratek-protected applications.
Producing Reports
Producing a report consists of 3 steps:
- Connecting the Portal to Tenable and gathering information
- Selecting the asset that the report will be based upon
- Calculating the score and producing the report.
A. Connecting the Portal to Tenable
- First, navigate to the cog (settings) icon at the top right corner of the Portal, click on it, and select Reports from the menu
- From the Integrator drop-down list of report types, select Tenable.io
- Input the Tenable Access Key and Secret Key
- Click on Next
At this point the Portal will:
- Download a list of asset IP addresses that have been scanned by Tenable
- Cross-reference that with the IP addresses of assets on which Waratek Agents are installed and providing protection
- Present you with the list of intersecting IP addresses
B. Selecting the Asset that the report will be based upon
The Portal will produce a list of intersecting IP addresses. You can then select the IP address to run the report on and click Next.
IP address limitations: It is possible to have a Tenable Agent and a Waratek Agent on the same machine and still find no correlation between Tenable's IP data and the Waratek Portal's IP data. There are a number of scenarios where this may happen:
- The host has multiple network interfaces: Tenable may register the vulnerabilities against the address of one interface while the Portal records the address of the other.
- IP address sources may differ: Tenable takes the IP address from its Agent or Sensor, i.e. from inside the host. The Portal does not get the address from the Waratek Agent; it reads the source address of the TCP/IP packets the Agent sends to the Portal. A plain Layer 3 router forwards packets with the original source address intact, but any device on the path between Agent and Portal that rewrites source addresses (a NAT gateway, a router with NAT enabled, or an outbound proxy) replaces the host's address with its own, so the Portal records that device's address rather than the address of the machine the Agent is installed on. A quick check: if several Agents behind the same gateway all show up in the Portal with the same IP address, address translation on the path is the cause.
C. Calculating the score and producing the report
As the report loads on screen, the Portal will:
- Download the scan report for the selected asset from Tenable and parse out the CVE information
- Correlate that data with the list of CVEs that are currently being protected by Waratek via applied Virtual Patches
- Re-calculate the CVSS scores and produce a report
The Report Interface
The top of the report will include the following information:
- Report Header detailing IP Address. The back button will return you to the previous page and the list of intersecting IP addresses available
- The total count of each Severity category, based upon the Tenable scan results
- An Export button to download the report as .csv file
- The number of Waratek Agents running on the asset
- An expandable list detailing each Agent name and their protected processes
Above: Top of report with contracted Agents list. Below: Expanded Agents List and their protected processes
The report body provides details on:
- The Tenable Severity for the vulnerability line item
- The Tenable Overall CVSS (v3) score for the vulnerability line item
- The Tenable Plugin ID number for the vulnerability line item
- The Name of the Tenable Vulnerability line item
- The Java Version of the line item
- The Waratek Adjusted Severity (see the Score Calculations section below)
- The Waratek Adjusted Score (CVSS v3 format)
- The Patched Status for the line item (see the Patch Status glossary below for the terms used)
- The View dropdown to display the list of individual CVEs that make up the single Tenable line item, and their CVSS score (CVSS v2 format). This expanded view shows:
  - The number of Waratek-mitigated/total CVEs for the parent Tenable line item
  - A list of all Waratek-Remediated CVEs, including their CVE number and their CVSS (v2) score
  - A list of all Not Remediated CVEs, including their CVE number and their CVSS (v2) score
Above: The full report screen. Each table column has a filter that allows you to remove/hide some of the values displayed to refine the table results.
Waratek Patch Status Glossary Terms:
Remediated - a particular CVE has been patched.
Mitigated - a partial fix, used in the context of a Tenable line item: only some of the CVEs contained within the line item have been remediated.
Unpatched - none of the line item's CVEs have been remediated.
Patched - all of the line item's CVEs have been remediated.
Score Calculations
Tenable's scoring system and Waratek's scoring system are not a one-to-one match; the two derive a line item's score differently, so the values do not always align.
Tenable Scoring
Each line item in a Tenable report is made up of one or more CVEs. Tenable assigns each CVE a CVSS v2 score, finds the CVE with the highest v2 score, looks up that same CVE's CVSS v3 score, and assigns that v3 value to the line item as a whole.
This can be confusing because a CVE's CVSS v3 score can be higher or lower than its CVSS v2 score. For example, if a Tenable line item contains 5 CVEs, the highest CVSS v2 score might be 8.2 and the second-highest 8.1. If the CVE with the 8.2 v2 score has a v3 score of 7.8, the line item is reported at 7.8, even if the 8.1 CVE has a higher v3 score. Each line item can therefore appear to have a lower severity than the CVEs it contains.
Waratek Scoring
Waratek finds the CVEs that it is NOT protecting against, and assigns to each of them a CVSS v3 score. Of all of these vulnerabilities, the highest CVSS v3 score becomes the Waratek score for that Tenable line item. This means that while most of the time the result will be a lower Waratek score than the Tenable score, there are times when even though items have been mitigated, the Waratek score will be equal to or higher than the Tenable score, as can be seen in the examples below:
When the Adjusted Waratek score is HIGHER than the Tenable score:
Individual CVEs | Tenable CVSS v2 score | Tenable CVSS v3 score | Waratek Adjusted Score (CVSS v3-based) |
---|---|---|---|
CVE 1 | 8.3 | 7.9 | Remediated (patched) |
CVE 2 | 8.1 | 8.2 | 8.2 |
CVE 3 | 7.5 | 7.5 | Remediated (patched) |
Tenable Line Item Score | 8.3 (highest v2) | 7.9 (v3 score of CVE 1) | 8.2 (highest v3 among the unpatched CVEs) |
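The two scoring rules above, applied to the table's worked example, as an added Python example (not the Portal's own code). It assumes the standard CVSS v3.x qualitative scale (None/Low/Medium/High/Critical) for the adjusted severity column and assumes a fully patched line item scores 0.0, neither of which this page states; the CVE labels and scores are constructed to match the table.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Cve:
    """One CVE inside a Tenable line item, with the scores Tenable reports for it."""
    cve_id: str
    cvss_v2: float
    cvss_v3: float


def cvss_v3_severity(score: float) -> str:
    """Standard CVSS v3.x qualitative scale.
    Assumption: the Portal uses this scale for its Adjusted Severity column."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def tenable_line_score(cves: Iterable[Cve]) -> float:
    """Tenable's rule: pick the CVE with the highest CVSS v2 score and report
    that CVE's CVSS v3 score for the whole line item. The line score can thus
    be lower than the v3 score of another CVE in the same item."""
    items = list(cves)
    if not items:
        raise ValueError("a Tenable line item carries at least one CVE")
    top_by_v2 = max(items, key=lambda c: c.cvss_v2)
    return top_by_v2.cvss_v3


def waratek_adjusted_score(cves: Iterable[Cve], patched: Set[str]) -> float:
    """Waratek's rule: drop every CVE covered by an applied Virtual Patch and
    report the highest CVSS v3 score that remains.
    Assumption: a fully patched item scores 0.0 (not stated on the page)."""
    remaining = [c.cvss_v3 for c in cves if c.cve_id not in patched]
    return max(remaining, default=0.0)


def patch_status(cves: Iterable[Cve], patched: Set[str]) -> str:
    """Line-item status in the glossary's terms: Unpatched, Mitigated, Patched."""
    items = list(cves)
    n_done = sum(1 for c in items if c.cve_id in patched)
    if n_done == 0:
        return "Unpatched"
    if n_done == len(items):
        return "Patched"
    return "Mitigated"


def score_line_item(cves: List[Cve], patched: Set[str]) -> Dict[str, object]:
    """Everything the report body shows for one Tenable line item."""
    tenable = tenable_line_score(cves)
    adjusted = waratek_adjusted_score(cves, patched)
    remediated = [c.cve_id for c in cves if c.cve_id in patched]
    return {
        "tenable_score": tenable,
        "tenable_severity": cvss_v3_severity(tenable),
        "adjusted_score": adjusted,
        "adjusted_severity": cvss_v3_severity(adjusted),
        "status": patch_status(cves, patched),
        "mitigated": f"{len(remediated)}/{len(cves)}",
        "remediated": remediated,
        "not_remediated": [c.cve_id for c in cves if c.cve_id not in patched],
    }


# Constructed input reproducing the worked table (labels, not real CVE ids).
EXAMPLE_CVES = [
    Cve("CVE 1", cvss_v2=8.3, cvss_v3=7.9),
    Cve("CVE 2", cvss_v2=8.1, cvss_v3=8.2),
    Cve("CVE 3", cvss_v2=7.5, cvss_v3=7.5),
]

if __name__ == "__main__":
    # Virtual Patches cover CVE 1 and CVE 3: Tenable reports 7.9, Waratek 8.2.
    print(score_line_item(EXAMPLE_CVES, {"CVE 1", "CVE 3"}))
    # Only CVE 2 covered: the two scores come out equal (7.9 and 7.9).
    print(score_line_item(EXAMPLE_CVES, {"CVE 2"}))
    # Nothing covered: Waratek still reports 8.2 because it takes the highest
    # v3 score directly instead of going through Tenable's v2 ranking.
    print(score_line_item(EXAMPLE_CVES, set()))
```

The third call is the case worth understanding before comparing the two reports: even with no Virtual Patch applied, the adjusted score can exceed the Tenable score, because the difference comes from the ranking rule rather than from anything Waratek did to the host.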