Vulnerability Assessment with Cisco Secure Endpoint

Cisco Secure Endpoint (CSE) integrates with Cisco Vulnerability Management. Through the integration, the assets on which the CSE agent runs are ingested into Cisco Vulnerability Management, which assesses their vulnerabilities and assigns them a risk score.

Note: This article refers to the integration of Cisco Secure Endpoint with Cisco Vulnerability Management and not the Cisco Secure Endpoint agent installed on the assets in your environment.

Data Flow 

During a run, data flows between CSE assets and Cisco Vulnerability Management as follows. The Orbital endpoint agent sends asset data to the Orbital server. The Orbital server consolidates the data within a twelve-hour window. The Cisco Secure Endpoint connector in Cisco Vulnerability Management retrieves and processes the data from the Orbital server every hour. Vulnerability and asset data is then collated to produce the Cisco Security Risk Score, and the vulnerabilities and the risk score appear in Cisco Vulnerability Management.

Supported Operating Systems and Applications

For the operating systems and applications listed below, Cisco Secure Endpoint returns verified vulnerability data. If data-quality issues arise for them, the issues can be investigated and fixed according to your Service Level Agreement.

Supported Operating Systems

Data quality is supported for the following operating systems:

  • Alma Linux 9
  • Amazon Linux 2
  • CentOS 6.x (6.10 only)
  • CentOS 7.x (7.2 and later)
  • CentOS 8.x
  • CentOS 9.x
  • Debian 10, 11, 12
  • macOS 10 (10.15 only)
  • macOS 11
  • macOS 12
  • macOS 13
  • macOS 14
  • macOS 14.1
  • RHEL 6.x (6.10 only)
  • RHEL 7.x (7.2 and later)
  • RHEL 8.x
  • RHEL 9.x
  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04 LTS
  • Windows 8
  • Windows 8.1
  • Windows 10 (1803 or later; IoT Enterprise is also supported)
  • Windows 11
  • Windows Server 2012/2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Supported Applications

Data quality is supported for the following applications.

Note: Inference returns vulnerabilities for many other applications; however, their data quality is unverified and might not be covered by Service Level Agreements.

  • Adobe Acrobat
  • Adobe Acrobat DC
  • Adobe Flash Player
  • Cisco AnyConnect Secure Mobility Client
  • Cisco AnyConnect Start Before Login Module
  • Cisco Webex Meetings
  • Citrix Work App
  • Docker
  • Evernote
  • FileZilla (macOS only)
  • Git (Windows only)
  • Google Chrome
  • Intel Chipset Device Software
  • IntelliJ IDEA
  • Intel PROSet/Wireless Software
  • Microsoft Edge
  • Microsoft Excel
  • Microsoft Internet Explorer (Windows only)
  • Microsoft Office
  • Microsoft OneDrive
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Silverlight
  • Microsoft Teams
  • Microsoft Word
  • Mozilla Firefox
  • Notepad++ (64-bit x64)
  • Oracle Java Platform SE
  • Oracle JRE
  • Postman (macOS only)
  • PyCharm
  • Safari
  • Visual Studio 2010 Tools for Office
  • Visual Studio Code (macOS only)
  • VLC
  • VMware Fusion (macOS only)
  • VMware Remote Console
  • VMware Tools
  • Wireshark
  • WhatsApp
  • Xcode
  • Zoom
  • Zoom.us (macOS only)

Configuration of Orbital and Cisco Vulnerability Management

Before you can configure Orbital and Cisco Vulnerability Management, you must have a Cisco Secure Endpoint Advantage or Premier account. For information about licenses, see License comparison.

The following list shows the high-level steps required to configure Orbital and Cisco Vulnerability Management:

  1. Deploy the Cisco Secure Endpoint agent on the assets that you want to integrate.
  2. Enable the Orbital endpoint agent.
  3. Configure the Cisco Secure Endpoint module in Secure Client Cloud Management.
  4. Generate API credentials.
  5. Configure the CSE in Cisco Vulnerability Management.

Deploying the Cisco Secure Endpoint Agent

Install the Cisco Secure Endpoint agent on all the assets to be ingested into Cisco Vulnerability Management. For more information, see Deploying Connectors.

Enabling the Orbital Endpoint Agent

You must enable the Orbital endpoint agent in an existing CSE policy for your assets. The Orbital endpoint agent (node) is automatically downloaded and installed when you enable Orbital in your CSE policy. The asset where you deploy Orbital must comply with the Orbital System Requirements.

  1. Log into the Cisco Secure Endpoint console.
  2. Under Management, choose Policies.
  3. Click the policy you want to deploy for all the assets to be ingested.
  4. In the panel on the left, click Advanced Settings > Orbital.
  5. Check the Enable Orbital checkbox, and then click Save.

Integrating Cisco Secure Endpoint and Secure Client Cloud Management

If you are a new Cisco Secure Endpoint customer, you will only need to integrate Cisco Secure Endpoint and Secure Client Cloud Management once. After you complete the integration, the next time you log into the console the option won’t be available. If you ever want to disable the integration, you can do so in the console on the Administration tab. Note that if you remove the integration of Secure Endpoint to Secure Client Cloud management, the Orbital modules are not deleted in the process. Existing customers can enable the integration from the Administration tab in the Cisco Secure Endpoint console.

Note: The Cisco XDR integration (XDR license required) provides faster incident response through EDR to XDR detection sharing, Secure Client Cloud Management, and several other benefits. Non-XDR customers can integrate with Secure Client Cloud Management to access Orbital user and API management, manage Secure Client profiles and deployments, manage Secure Endpoint API credentials and more.

  1. Log in to Cisco Secure Endpoint.
  2. Do one of the following:
    * If you are a new Cisco Secure Endpoint customer, click the Integrate Now button in the top-right corner of the page.
    * If you are an existing Cisco Secure Endpoint customer, click the Administration tab, and in the Cisco XDR or Secure Client Management section, click the Enable Now button.

Generating API Credentials

Note: You generate API credentials in Cisco Secure Client Cloud Management, and you then use the credentials when you configure Cisco Secure Endpoint in Cisco Vulnerability Management.

  1. Choose Administration > API Clients in the navigation menu and click Generate API Client.
  2. Enter a Client Name and, optionally, choose a Client Preset from the drop-down list.

    Note: If you choose a Client Preset, all of the scopes are pre-configured for a particular function.

  3. If you did not choose a Client Preset, check the check boxes for the scopes you want to grant to the client. You can also click Select All to grant all scopes to the client; grant only the scopes the connector actually needs.
  4. Optionally, enter a description in the Description field and click Add New Client.

    The Client Id and Client Password are generated and displayed in the Add New Client dialog box.

Note: The Client Password cannot be recovered after you close the window. Be sure to securely store it where you have access to it later, if needed. If you lose or disclose the client password, you must delete the API client and create a new one.

The API Client is tied to your user identity. If your user identity loses privileges, then your API Client will also lose those privileges. All actions taken by the API Client will be done in your name, and recorded as your actions. If your access to the application is revoked, then your API Client will no longer be valid.

Configuring Cisco Secure Endpoint

Cisco Vulnerability Management collects the asset data from CSE every hour through connector runs. After you configure the connector, it usually takes at least one hour for the first run to start processing assets.

Before configuring the connector, have the Client Id and Client Password generated in Generating API Credentials available.

  1. In Cisco Vulnerability Management, click Connectors, and then click Add Connector.
  2. Scroll down to Vulnerability Management, and then click the Cisco Secure Endpoint icon. Type or select the connector values, including the Client Id and Client Password.
  3. Click Save and Verify. Your connector now appears in the connector list.

Data Mapping

The following table shows how Orbital fields (osquery) map to fields in Cisco Vulnerability Management.

Osquery table and fields   Cisco Vulnerability Management field   Notes
nodeinfo.id                locators.external_id
info.interfaces.ipv4       locators.ip_address                    Takes the IPv4 address from the first active interface.
info.hostname              locators.hostname
system_info.hostname       locators.fqdn                          Uses info.hostname if it is an FQDN (Fully Qualified Domain Name); otherwise uses system_info.hostname.
system_info.hostname       locators.netbios                       Uses the first part of info.hostname if it is an FQDN; otherwise uses the first part of system_info.hostname.
info.interfaces.mac        locators.mac_address                   Takes the MAC address from the first active interface.
info.osinfo.os             os_family
os_version.version         os_version                             If os_version is missing, falls back to info.osinfo.version. If osinfo is blank, falls back to the registry data.
os_version.name            os_vendor                              If os_version is missing, falls back to info.osinfo.version. If osinfo is blank, falls back to the registry data.
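The mapping above, implemented as an added example (this is not Cisco's code). The osquery field names and the fallback chains come from the table; the nested-dict layout of the input, the per-interface "active" flag, the "registry" sub-dict used for the Windows registry fallback, and the two sample nodes are assumptions constructed for the example.

```python
"""Map an Orbital (osquery) node record to Cisco Vulnerability Management asset fields.

Added example, not Cisco code. Field names and fallback order follow the data-mapping
table; the input layout, the interface 'active' flag and the 'registry' sub-dict are
assumptions made for this example.
"""


def first_active_interface(node):
    """Return the first interface whose 'active' flag is set, or {} if none is."""
    for iface in node.get("info", {}).get("interfaces", []):
        if iface.get("active"):
            return iface
    return {}


def is_fqdn(name):
    """A hostname counts as an FQDN when it contains a dot between labels."""
    return bool(name) and "." in name.strip(".")


def first_non_blank(*candidates):
    """Return the first candidate that is neither None nor empty (the table's fallback rule)."""
    for value in candidates:
        if value:
            return value
    return None


def map_orbital_node(node):
    """Build the CVM asset dict (locators plus OS fields) from one Orbital node."""
    info = node.get("info", {})
    osinfo = info.get("osinfo", {})
    osver = node.get("os_version", {})
    registry = node.get("registry", {})  # assumed: registry-derived OS data (Windows)
    sysinfo = node.get("system_info", {})
    iface = first_active_interface(node)

    hostname = info.get("hostname")
    sys_hostname = sysinfo.get("hostname")
    # fqdn/netbios prefer info.hostname when it is an FQDN, else system_info.hostname
    if is_fqdn(hostname):
        fqdn = hostname
        netbios = hostname.split(".")[0]
    else:
        fqdn = sys_hostname
        netbios = sys_hostname.split(".")[0] if sys_hostname else None

    return {
        "locators": {
            "external_id": node.get("nodeinfo", {}).get("id"),
            "ip_address": iface.get("ipv4"),
            "hostname": hostname,
            "fqdn": fqdn,
            "netbios": netbios,
            "mac_address": iface.get("mac"),
        },
        "os_family": osinfo.get("os"),
        # os_version table first, then info.osinfo.version, then registry data
        "os_version": first_non_blank(
            osver.get("version"), osinfo.get("version"), registry.get("os_version")),
        # the table documents the same fallback chain for os_vendor; the registry
        # field used as the last resort ('os_name') is an assumption
        "os_vendor": first_non_blank(
            osver.get("name"), osinfo.get("version"), registry.get("os_name")),
    }


# Constructed sample nodes (not real Orbital output).
LINUX_NODE = {
    "nodeinfo": {"id": "node-0001"},
    "info": {
        "hostname": "web01.corp.example",
        "interfaces": [
            {"name": "lo", "active": False, "ipv4": "127.0.0.1", "mac": "00:00:00:00:00:00"},
            {"name": "eth0", "active": True, "ipv4": "10.1.2.3", "mac": "aa:bb:cc:dd:ee:01"},
        ],
        "osinfo": {"os": "Linux", "version": "9.3"},
    },
    "system_info": {"hostname": "web01"},
    "os_version": {"version": "9.3", "name": "AlmaLinux"},
}

WINDOWS_NODE = {  # os_version table missing and osinfo.version blank: registry fallback
    "nodeinfo": {"id": "node-0002"},
    "info": {
        "hostname": "WS-42",
        "interfaces": [
            {"name": "Ethernet", "active": True, "ipv4": "10.9.8.7", "mac": "aa:bb:cc:dd:ee:02"},
        ],
        "osinfo": {"os": "Windows", "version": ""},
    },
    "system_info": {"hostname": "ws-42.corp.example"},
    "os_version": {},
    "registry": {"os_version": "10.0.19045", "os_name": "Microsoft Windows 10 Enterprise"},
}

if __name__ == "__main__":
    for node in (LINUX_NODE, WINDOWS_NODE):
        print(map_orbital_node(node))
```

The Windows sample is the case the Known Issues list warns about: with os_version absent and osinfo.version blank, only the registry data keeps the asset from landing in the "vulnerability assessment pending" state described under Asset Information.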

CSE Locator Order

The CSE locator uses the following locator order to determine if an asset already exists in the environment:

  1. Container
  2. Image
  3. EC2 Instance Id
  4. Netbios
  5. Hostname
  6. URL
  7. File
  8. FQDN
  9. Mac Address
  10. External IP address
  11. IP address
  12. External Id
  13. Database
  14. Application

For more information about locator order, see Understanding Locator Order.
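The locator order, worked through as an added example (not Cisco's code). LOCATOR_ORDER is the list above; the behaviour of falling through to the next locator type when a higher-priority one finds no match, the case-insensitive comparison of name and MAC locators, the dict shapes and the sample inventory are assumptions made for this example. Confirm the exact matching rules against Understanding Locator Order.

```python
"""Match an incoming Cisco Secure Endpoint asset against existing assets by locator order.

Added example, not Cisco code. LOCATOR_ORDER follows the CSE locator order; the
fall-through, normalization and record shapes are assumptions for the example.
"""

LOCATOR_ORDER = [
    "container", "image", "ec2_instance_id", "netbios", "hostname", "url", "file",
    "fqdn", "mac_address", "external_ip_address", "ip_address", "external_id",
    "database", "application",
]

CASE_INSENSITIVE = {"netbios", "hostname", "fqdn", "mac_address"}


def normalize(locator_type, value):
    """Fold case for name-like and MAC locators (assumption); compare others verbatim."""
    if value is None:
        return None
    text = str(value)
    return text.lower() if locator_type in CASE_INSENSITIVE else text


def match_existing_asset(inventory, incoming):
    """Walk LOCATOR_ORDER and return (asset, locator_type) for the first locator the
    incoming asset carries that equals the same locator on an existing asset.
    Returns (None, None) when nothing matches, i.e. a new asset should be created."""
    for locator_type in LOCATOR_ORDER:
        wanted = normalize(locator_type, incoming.get(locator_type))
        if wanted is None:
            continue  # incoming asset does not carry this locator; try the next one
        for asset in inventory:
            if normalize(locator_type, asset["locators"].get(locator_type)) == wanted:
                return asset, locator_type
    return None, None


def ingest(inventory, incoming):
    """Merge the incoming locators into the matched asset, or append a new asset."""
    asset, matched_on = match_existing_asset(inventory, incoming)
    if asset is None:
        asset = {"id": len(inventory) + 1, "locators": dict(incoming)}
        inventory.append(asset)
        return asset, None
    asset["locators"].update({k: v for k, v in incoming.items() if v is not None})
    return asset, matched_on


def sample_inventory():
    """Constructed inventory: two assets already present in Cisco Vulnerability Management."""
    return [
        {"id": 1, "locators": {"hostname": "web01", "fqdn": "web01.corp.example",
                               "ip_address": "10.1.2.3", "mac_address": "aa:bb:cc:dd:ee:01"}},
        {"id": 2, "locators": {"hostname": "db01", "ip_address": "10.1.2.4",
                               "external_id": "node-0002"}},
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    # Same host, new DHCP lease: matched on hostname before the IP is even considered.
    print(ingest(inv, {"hostname": "WEB01", "ip_address": "10.1.2.9", "external_id": "node-0001"}))
    # Renamed host that inherited db01's old address: falls through to ip_address.
    print(ingest(inv, {"hostname": "db01-new", "ip_address": "10.1.2.4"}))
    # Nothing in common with the inventory: a third asset is created.
    print(ingest(inv, {"hostname": "new-host", "ip_address": "10.1.2.50"}))
```

The second case is the one to watch in practice: because hostname, FQDN and MAC address all rank above IP address and external ID, a renamed host that reuses another host's address can be merged into that host's record, and the Orbital node ID (external_id) sits too low in the order to prevent it. This is why the Asset Information section attributes asset-count discrepancies to configuration rather than to the connector alone.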

Orbital API calls

The following Orbital API calls are performed during a run to retrieve the asset information to be imported:

Asset Information

Here are some important clarifications about Cisco Secure Endpoint assets and how their data is processed.

  • For each asset seen in runs, its status is set to active. An asset is automatically set to inactive status if it is not seen for the duration specified in the Asset Inactivity Period.
  • If there is insufficient data for an asset to determine vulnerabilities, Cisco Vulnerability Management tags the asset to indicate that the vulnerability assessment is pending. No new vulnerabilities for the asset are created and existing vulnerabilities are unaffected. The asset is processed and updated when the missing data is received in subsequent runs. Insufficient data includes issues such as missing OS version and patches (Windows OS).
  • Cisco Vulnerability Management provides risk scoring only for assets that have Cisco Secure Endpoint installed and configured as described in this document. If you see a discrepancy between the number of assets in Cisco Vulnerability Management and Cisco Secure Endpoint, it might be a result of your policy configuration.
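The active/inactive status rule and the "assessment pending" rule from the bullets above, applied to a sequence of hourly runs as an added example (not Cisco's code). The tag text, the record layout, the inactivity period of 30 days, the "patches" key used to detect missing Windows patch data and the sample run data are all assumptions constructed for the example.

```python
"""Apply connector runs to an asset inventory: active/inactive status and the
'vulnerability assessment pending' tag for assets with insufficient data.

Added example, not Cisco code. The rules follow the Asset Information bullets; the
tag string, record layout, sample period and sample assets are assumptions.
"""
from datetime import datetime, timedelta

PENDING_TAG = "vulnerability assessment pending"  # assumed tag text
INACTIVITY_PERIOD = timedelta(days=30)            # assumed Asset Inactivity Period
T0 = datetime(2024, 5, 1, 0, 0)                   # constructed first run time
ONE_HOUR = timedelta(hours=1)
THIRTY_ONE_DAYS = timedelta(days=31)


def has_sufficient_data(seen):
    """Insufficient data: missing OS version, or a Windows asset with no patch list."""
    if not seen.get("os_version"):
        return False
    if seen.get("os_family") == "Windows" and seen.get("patches") is None:
        return False
    return True


def process_run(inventory, run_assets, run_time, inactivity_period):
    """Update inventory (keyed by external_id) with the assets seen in one run."""
    for seen in run_assets:
        rec = inventory.setdefault(seen["external_id"],
                                   {"vulnerabilities": [], "tags": set()})
        rec["status"] = "active"          # every asset seen in a run is active
        rec["last_seen"] = run_time
        rec["os_family"] = seen.get("os_family")
        if has_sufficient_data(seen):
            # assessed: this run's findings replace the previous ones
            rec["vulnerabilities"] = list(seen.get("vulnerabilities", []))
            rec["tags"].discard(PENDING_TAG)
        else:
            # pending: tag the asset, create nothing, leave existing findings alone
            rec["tags"].add(PENDING_TAG)
    # anything not seen within the inactivity period becomes inactive
    for rec in inventory.values():
        if run_time - rec["last_seen"] > inactivity_period:
            rec["status"] = "inactive"
    return inventory


if __name__ == "__main__":
    inv = {}
    process_run(inv, [
        {"external_id": "node-0001", "os_family": "Linux", "os_version": "9.3",
         "vulnerabilities": ["vuln-1"]},
        {"external_id": "node-0002", "os_family": "Windows", "os_version": "10.0.19045",
         "vulnerabilities": ["vuln-2"]},          # no patch data yet -> pending
    ], T0, INACTIVITY_PERIOD)
    process_run(inv, [
        {"external_id": "node-0002", "os_family": "Windows", "os_version": "10.0.19045",
         "patches": ["kb-placeholder"], "vulnerabilities": ["vuln-2"]},
    ], T0 + ONE_HOUR, INACTIVITY_PERIOD)
    process_run(inv, [
        {"external_id": "node-0002", "os_family": "Windows", "os_version": "10.0.19045",
         "patches": ["kb-placeholder"], "vulnerabilities": []},
    ], T0 + THIRTY_ONE_DAYS, INACTIVITY_PERIOD)
    for ext_id, rec in inv.items():
        print(ext_id, rec["status"], sorted(rec["tags"]), rec["vulnerabilities"])
```

Note that an asset in the pending state keeps whatever vulnerabilities it already had, so a host that stops reporting its patch list after an upgrade will show stale findings until the data returns; the pending tag is the signal to look for.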

Known Issues List

Issue: Cisco Secure Endpoint Integration
  Description: We have encountered instances of missing asset information (OS version) on assets running Windows 10 and Windows 11.
  Suggested workaround/progress: We are actively investigating this known issue in the integration. We have mitigation tactics in place to ensure accurate asset information is maintained to determine vulnerabilities.

Issue: Internet Explorer
  Description: Internet Explorer has End-of-Life status, so some CVEs have no fixes. Some vulnerabilities do have fixes.
  Suggested workaround/progress: Microsoft recommends you change to Microsoft Edge.

  Description: The last CVEs date to 2021, and no more recent CVEs are available.
  Suggested workaround/progress: Microsoft recommends you change to Microsoft Edge.

Issue: Microsoft Office
  Description: Microsoft Office 2013 and earlier versions have End-of-Life status. New CVEs, updates or patches are no longer available.
  Suggested workaround/progress: Microsoft recommends upgrading to a newer version of Microsoft Office.

  Description: Some links in the Microsoft Knowledge Bases (for patches) are not available. Microsoft removes the download link for a specific Knowledge Base, usually when another replaces its functionality.
  Suggested workaround/progress: The Inference team provides multiple KB fixes for vulnerabilities affecting Microsoft Office.

  Description: The Inference team's API fixes for Microsoft Office 2016 C2R, 2019 and 2021 do not use Knowledge Base patches for vulnerabilities.
  Suggested workaround/progress: Microsoft stopped using Knowledge Bases for patches or upgrades for Microsoft Office after Microsoft Office 2016 V2 and now uses Click-to-Run technology. For more information, see Information about Office Click-to-Run installations.


Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 1992-2024 Cisco Systems, Inc. All rights reserved.
