Vulnerability Assessment with Cisco Secure Endpoint

Cisco Secure Endpoint (CSE) integrates with Cisco Vulnerability Management through a connector. Use the connector to ingest the assets that CSE monitors, so that Cisco Vulnerability Management can assess and risk-score the vulnerabilities on those assets.

Note: This article refers to the integration of Cisco Secure Endpoint with Cisco Vulnerability Management and not the Cisco Secure Endpoint agent installed on the assets in your environment.

Data Flow 

The following diagram shows how data flows between CSE assets and Cisco Vulnerability Management and how it is processed during a run. The Orbital endpoint agent sends asset data to the Orbital Server. The Orbital Server consolidates the data within a six-hour window. The Cisco Secure Endpoint connector in Cisco Vulnerability Management retrieves and processes the data from the Orbital Server every hour. Vulnerability and asset data is then collated to create risk scores, and you see the vulnerabilities and risk scores in Cisco Vulnerability Management.

[Diagram: data flow from the Orbital endpoint agent to the Orbital Server and on to Cisco Vulnerability Management]

Supported Operating Systems and Applications

For the operating systems and applications in the following lists, Cisco Secure Endpoint returns verified vulnerability data. If there are issues with that data, the data quality may be investigated and fixed, based on your Service Level Agreement.

Important! Inference returns vulnerabilities for many other operating systems and applications that are not listed. However, their data quality is unverified and may not be supported by Service Level Agreements.

Operating Systems with Supported Data Quality

The following operating systems have data quality that is supported:

  • Amazon Linux 2
  • CentOS 6.x (6.10 only)
  • CentOS 7.x (7.2 and later)
  • CentOS 8.x
  • macOS 10 (10.15 only)
  • macOS 11
  • macOS 12
  • macOS 13
  • RHEL 6.x (6.10 only)
  • RHEL 7.x (7.2 and later)
  • RHEL 8.x
  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04 LTS
  • Windows 10 (1803 or later; IoT Enterprise also supported)
  • Windows 11
  • Windows Server 2012/2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Supported Applications with Supported Data Quality

The following applications have data quality that is supported:

  • Adobe Acrobat
  • Adobe Acrobat DC
  • Adobe Flash Player
  • Cisco AnyConnect Secure Mobility Client
  • Google Chrome
  • Microsoft Edge
  • Microsoft Excel
  • Microsoft Internet Explorer (Windows Only)
  • Microsoft Office
  • Microsoft OneDrive
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Silverlight
  • Microsoft Teams
  • Microsoft Word
  • Mozilla Firefox
  • Oracle Java Platform SE
  • Oracle JRE
  • Safari
  • Xcode
  • Zoom

Configuration of Orbital and Cisco Vulnerability Management

Before you can configure Orbital and Cisco Vulnerability Management, you must have a Cisco Secure Endpoint Advantage or Premier account. For information about licenses, see License comparison.

The following list shows the high-level steps required to configure Orbital and Cisco Vulnerability Management:

  1. Deploy the Cisco Secure Endpoint agent on the assets that you want to integrate.
  2. Enable the Orbital endpoint agent.
  3. Configure the Cisco Secure Endpoint module in SecureX.
  4. Generate API credentials.
  5. Configure the CSE in Cisco Vulnerability Management.

Deploying the Cisco Secure Endpoint Agent

Install the Cisco Secure Endpoint agent on all the assets to be ingested into Cisco Vulnerability Management. For more information, see Deploying Connectors.

Enabling the Orbital Endpoint Agent

You must enable the Orbital endpoint agent in an existing CSE policy for your assets. The Orbital endpoint agent (node) is automatically downloaded and installed when you enable Orbital in your CSE policy. The asset where you deploy Orbital must comply with the Orbital System Requirements.

  1. Log into the Cisco Secure Endpoint console.
  2. Under Management, choose Policies.
  3. Click the policy you want to deploy for all the assets to be ingested.
  4. In the panel on the left, click Advanced Settings > Orbital.
  5. Check the Enable Orbital checkbox, and then click Save.

Configuring the Cisco Secure Endpoint module in SecureX

If you haven’t already, enable your SecureX account as explained in Getting Started before performing the following steps. If you don't have a SecureX account, contact your Cisco sales representative to get one. You must have a username and password that has admin privileges for SecureX.

  1. Log into Cisco SecureX with your username and password.
  2. Choose one of the following regions (based on the location of your organization):
    1. SecureX (APJC) 
    2. SecureX (EU) 
    3. SecureX (US)
  3. On the SecureX menu bar, click the Integration Modules tab.
  4. On the Available Integration Modules page, navigate to the Cisco Secure Endpoint module and click Enable.
  5. Fill in the fields, following the instructions under Quick Start.
  6. Click Save.
    A health check is performed to determine if the module was properly configured. A message displays in the upper portion of the form (the form changes to Edit Module since it’s been saved) indicating that the health check is running. When it finishes, a message displays indicating that there were no issues with the configuration or that errors were found.

  7. Click Cancel.
    The module displays on the My Integration Modules page and shows whether it is integrated or if there are errors with the configuration.

Generating API Credentials

Note: You generate the API credentials in Cisco SecureX and then use them when you configure the Cisco Secure Endpoint connector in Cisco Vulnerability Management.

  1. In SecureX, click the Administration tab and choose API Clients > Generate API Client.
  2. In the Add New Client window, type a name for the client.
  3. Under Scopes, click the Orbital checkbox, and then click Add New Client. A Client ID and password display.
    Important! Save the Client ID and password in a secure location. After you close the window, you can't recover them.
  4. In the Add New Client... dialog box, click Close.

Configuring Cisco Secure Endpoint

Cisco Vulnerability Management collects asset data in hourly runs. After you configure the connector, it usually takes at least one hour for the first run to start processing assets.

Before configuring the connector, have the Client ID and password that you generated in Cisco SecureX available.

  1. In Cisco Vulnerability Management, click Connectors, and then click Add Connector.
  2. Scroll down to Vulnerability Management, and then click the Cisco Secure Endpoint icon. Type or select the values that the form requests, including the Client ID and password.
  3. Click Save and Verify. The connector appears in the connector list.

Data Mapping

The following table shows how Orbital fields (osquery) map to fields in Cisco Vulnerability Management.

Osquery table and field   Cisco Vulnerability Management field   Notes
nodeinfo.id               locators.external_id
info.interfaces.ipv4      locators.ip_address                    Takes the IPv4 address of the first active interface.
info.hostname             locators.hostname
system_info.hostname      locators.fqdn                          Uses info.hostname if it is an FQDN (fully qualified domain name); otherwise uses system_info.hostname.
system_info.hostname      locators.netbios                       Uses the first label of info.hostname if it is an FQDN; otherwise the first label of system_info.hostname.
info.interfaces.mac       locators.mac_address                   Takes the MAC address of the first active interface.
info.osinfo.os            os_family
os_version.version        os_version                             If os_version is missing, falls back to info.osinfo.version; if osinfo is blank, falls back to the registry data.
os_version.name           os_vendor                              Same fallback chain as os_version (info.osinfo, then the registry data).
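The following added example (written for this article, not Cisco's connector code) applies the mapping rules in the table above to a constructed Orbital record, including the FQDN/NetBIOS choice and the os_version fallback chain. The nesting of the record, the "active" flag on interfaces, the registry value names used as the last fallback, and the use of info.osinfo.name for os_vendor are assumptions:

```python
"""Illustrative Orbital -> Cisco Vulnerability Management field mapping.
Not Cisco's connector implementation; record layout, the interface "active"
flag, the registry value names and info.osinfo.name for os_vendor are assumed."""

import re

# Constructed sample Orbital node record (not real Orbital output).
SAMPLE_NODE = {
    "nodeinfo": {"id": "0f3c9a2e-example-node"},
    "info": {
        "hostname": "ws-042.corp.example.com",
        "interfaces": [
            {"name": "lo", "ipv4": "127.0.0.1", "mac": "00:00:00:00:00:00", "active": False},
            {"name": "eth0", "ipv4": "10.20.30.42", "mac": "3c:22:fb:aa:bb:cc", "active": True},
            {"name": "wlan0", "ipv4": "192.168.1.9", "mac": "3c:22:fb:dd:ee:ff", "active": True},
        ],
        "osinfo": {"os": "Windows", "version": "10.0.19045", "name": "Microsoft Windows 10 Enterprise"},
    },
    "system_info": {"hostname": "WS-042"},
    "os_version": {"version": "10.0.19045", "name": "Microsoft Windows 10 Enterprise"},
}

# A hostname counts as an FQDN only if it consists of two or more valid DNS labels.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
FQDN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def is_fqdn(name):
    return bool(name) and FQDN_RE.match(name) is not None


def first_active_interface(info):
    """locators.ip_address and locators.mac_address come from the first active interface."""
    for iface in info.get("interfaces", []):
        if iface.get("active"):
            return iface
    return {}


def os_fields(node, registry=None):
    """os_version / os_vendor with the documented fallback chain:
    os_version table -> info.osinfo -> Windows registry data (assumed value names)."""
    osv = node.get("os_version") or {}
    osinfo = node.get("info", {}).get("osinfo") or {}
    registry = registry or {}
    return {
        "os_family": osinfo.get("os"),
        "os_version": osv.get("version") or osinfo.get("version") or registry.get("CurrentBuildNumber"),
        "os_vendor": osv.get("name") or osinfo.get("name") or registry.get("ProductName"),
    }


def to_cvm_asset(node, registry=None):
    """Build the Cisco Vulnerability Management asset locators from an Orbital record."""
    info = node.get("info", {})
    iface = first_active_interface(info)
    info_host = info.get("hostname") or ""
    sys_host = node.get("system_info", {}).get("hostname") or ""
    # fqdn/netbios: prefer info.hostname when it is an FQDN, else system_info.hostname.
    base = info_host if is_fqdn(info_host) else sys_host
    locators = {
        "external_id": node.get("nodeinfo", {}).get("id"),
        "ip_address": iface.get("ipv4"),
        "hostname": info_host or None,
        "fqdn": base or None,
        "netbios": base.split(".")[0] if base else None,
        "mac_address": iface.get("mac"),
    }
    return {"locators": locators, **os_fields(node, registry)}


if __name__ == "__main__":
    import json
    print(json.dumps(to_cvm_asset(SAMPLE_NODE), indent=2))
```

Run it to see the resulting locators; feed it a record whose info.hostname is a short name (and no os_version table) to watch fqdn and netbios fall back to system_info.hostname and the OS fields fall through to the registry values.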

CSE Locator Order

The CSE locator uses the following locator order to determine if an asset already exists in the environment:

  1. Container
  2. Image
  3. EC2 Instance Id
  4. Netbios
  5. Hostname
  6. URL
  7. File
  8. FQDN
  9. Mac Address
  10. External IP address
  11. IP address
  12. External Id
  13. Database
  14. Application

For more information about locator order, see Understanding Locator Order.

Orbital API calls

The following Orbital API calls are performed during a run to retrieve the asset information to be imported:

Asset Information

Here are some important clarifications about Cisco Secure Endpoint assets and how their data are processed.

  • For each asset seen in runs, its status is set to active. An asset is automatically set to inactive status if it is not seen for the duration specified in the Asset Inactivity Period.
  • If there is insufficient data for an asset to determine vulnerabilities, Cisco Vulnerability Management tags the asset to indicate that the vulnerability assessment is pending. No new vulnerabilities for the asset are created and existing vulnerabilities are unaffected. The asset is processed and updated when the missing data is received in subsequent runs. Insufficient data includes issues such as missing OS version and patches (Windows OS).
  • Cisco Vulnerability Management provides risk scoring only for assets that have Cisco Secure Endpoint installed and configured as described in this document. If you see a discrepancy between the number of assets in Cisco Vulnerability Management and Cisco Secure Endpoint, it may be a result of your policy configuration.
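The example below, added for this article and not Cisco's code, ties together the CSE Locator Order section and the asset rules above: each incoming asset is matched against the existing inventory by walking the locator order, assets seen in a run are set to active, assets unseen for the Asset Inactivity Period become inactive, and assets without enough data are tagged as pending rather than having vulnerabilities created. The exact matching semantics (first hit in precedence order wins), the tag name, the record layout and all sample values are assumptions constructed for the example:

```python
"""Illustrative connector-run reconciliation using the CSE locator order.
Not Cisco's implementation; matching semantics, tag name, record layout and
the sample runs below are assumptions constructed for this example."""

from datetime import datetime, timedelta, timezone

# Locator order from the document, highest precedence first.
LOCATOR_ORDER = [
    "container", "image", "ec2_instance_id", "netbios", "hostname", "url",
    "file", "fqdn", "mac_address", "external_ip_address", "ip_address",
    "external_id", "database", "application",
]
PENDING_TAG = "vulnerability-assessment-pending"   # assumed tag name


def has_sufficient_data(asset):
    """Missing OS version, or missing patch data on Windows, blocks assessment."""
    if not asset.get("os_version"):
        return False
    if (asset.get("os_family") or "").lower() == "windows" and not asset.get("patches"):
        return False
    return True


class Inventory:
    def __init__(self, inactivity_period):
        self.inactivity_period = inactivity_period
        self.assets = {}                                  # asset_id -> record
        self.index = {loc: {} for loc in LOCATOR_ORDER}   # locator -> value -> asset_id
        self._next_id = 1

    def find(self, locators):
        """Walk the locator order; the first locator that hits an existing asset wins (assumption)."""
        for loc in LOCATOR_ORDER:
            value = locators.get(loc)
            if value and value.lower() in self.index[loc]:
                return self.index[loc][value.lower()]
        return None

    def _reindex(self, asset_id, locators):
        for loc, value in locators.items():
            if value and loc in self.index:
                self.index[loc][value.lower()] = asset_id

    def ingest_run(self, incoming_assets, run_time):
        seen = set()
        for incoming in incoming_assets:
            locs = {k: v for k, v in incoming["locators"].items() if v}
            asset_id = self.find(locs)
            if asset_id is None:                          # no match on any locator: new asset
                asset_id, self._next_id = self._next_id, self._next_id + 1
                self.assets[asset_id] = {"locators": {}, "vulnerabilities": [], "tags": set()}
            rec = self.assets[asset_id]
            rec["locators"].update(locs)                  # e.g. a new DHCP address on the same host
            self._reindex(asset_id, rec["locators"])
            rec["status"], rec["last_seen"] = "active", run_time
            if has_sufficient_data(incoming):
                rec["tags"].discard(PENDING_TAG)
                rec["vulnerabilities"] = list(incoming.get("vulnerabilities", []))
            else:
                rec["tags"].add(PENDING_TAG)              # existing vulnerabilities left untouched
            seen.add(asset_id)
        for asset_id, rec in self.assets.items():         # expire assets not seen for the period
            if asset_id not in seen and run_time - rec["last_seen"] >= self.inactivity_period:
                rec["status"] = "inactive"
        return seen


# Constructed sample runs (not real connector output); vulnerability ids are placeholders.
T0 = datetime(2023, 6, 1, tzinfo=timezone.utc)
WS = {"locators": {"external_id": "node-1", "netbios": "WS-042",
                   "hostname": "ws-042.corp.example.com", "ip_address": "10.20.30.42"},
      "os_family": "Windows", "os_version": "10.0.19045", "patches": ["KB1234567"],
      "vulnerabilities": ["VULN-1", "VULN-2"]}
DB = {"locators": {"external_id": "node-2", "hostname": "db-01", "ip_address": "10.0.0.5"},
      "os_family": "Linux", "os_version": None, "patches": [], "vulnerabilities": ["VULN-9"]}


def simulate():
    inv = Inventory(inactivity_period=timedelta(days=30))
    inv.ingest_run([WS, DB], T0)                                             # DB lacks os_version: pending
    ws2 = dict(WS, locators=dict(WS["locators"], ip_address="10.20.30.77"))  # new lease, same NetBIOS name
    db2 = dict(DB, os_version="22.04")                                       # missing data has arrived
    inv.ingest_run([ws2, db2], T0 + timedelta(hours=1))
    inv.ingest_run([ws2], T0 + timedelta(days=31))                           # DB unseen for more than 30 days
    return inv


if __name__ == "__main__":
    for asset_id, rec in simulate().assets.items():
        print(asset_id, rec["status"], sorted(rec["tags"]), rec["vulnerabilities"], rec["locators"])
```

The second run shows why locator precedence matters: the workstation comes back with a different IP address, but NetBIOS sits above IP address in the order, so it is recognised as the same asset and its IP is updated instead of a duplicate being created. The third run shows the inactivity rule: the database host that was last seen in hour one is marked inactive once the 30-day period has elapsed.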

Known Issues List

Issue: Cisco Secure Endpoint Integration
Description: Instances of missing asset information (OS version) have been seen on assets running Windows 10 and Windows 11.
Suggested workaround/progress: This known issue in the integration is under active investigation. Mitigation tactics are in place to ensure that accurate asset information is maintained to determine vulnerabilities.

Issue: Internet Explorer
Description: Internet Explorer has End-of-Life status, so some CVEs have no fixes, although some vulnerabilities do have fixes.
Suggested workaround/progress: Microsoft recommends that you change to Microsoft Edge.

Description: The last CVEs date to 2021, and no more recent CVEs are available.
Suggested workaround/progress: Microsoft recommends that you change to Microsoft Edge.

Issue: Microsoft Office
Description: Microsoft Office 2013 and earlier versions have End-of-Life status. New CVEs, updates, or patches are no longer available.
Suggested workaround/progress: Microsoft recommends upgrading to a newer version of MS Office.

Description: Some links in MS Knowledge Bases (for patches) are not available. Microsoft removes the download link for a specific Knowledge Base, usually when another replaces its functionality.
Suggested workaround/progress: The Inference team provides multiple KB fixes for vulnerabilities affecting MS Office.

Description: The Inference team's API fixes for MS Office 2016 C2R, 2019, and 2021 do not use Knowledge Base patches for vulnerabilities.
Suggested workaround/progress: Microsoft stopped using Knowledge Bases for patches or upgrades for MS Office after MS Office 2016, V2; MS Office now uses Click-to-Run technology. For more information, see Information about Office Click-to-Run installations.


Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 1992-2023 Cisco Systems, Inc. All rights reserved.
