[Update: Posted follow-up article on a Proof-of-Concept implementation]

Are you dealing with a growing number of endpoints outside your company network, coupled with short-lived and fast-changing workloads? If so, your existing scheduled vulnerability scanning program may not be enough.

While most commercial vulnerability scanners do a good job of identifying vulnerabilities with high confidence, they have two shortcomings. First, your assets need to be present at a specific or predictable IP/CIDR that the scanner can reach. Second, scanners need a substantial amount of compute time and network bandwidth to run a battery of tests against each asset, which is why scans of varying intensity end up scheduled at different (and often irregular) intervals across different parts of the network. Add mobile endpoints that are rarely on the corporate network and ephemeral cloud workloads that may not exist at all when the scan window arrives, and you are staring at major blind spots.

The Solution

Complement your vulnerability scanners with osquery. Deploy it across all your endpoints and embed it in your cloud workloads. osquery is an open-source, cross-platform endpoint instrumentation framework that exposes endpoint state and activity as SQL tables: operating system and device hardware details, installed applications and packages, running processes, browser extensions, process network connections, WiFi networks, the Windows registry, file hashes and so on. Because the agent runs on the host, it needs neither a reachable IP address nor a scan window.

We can configure scheduled osquery queries that track every small change on an endpoint which could introduce a vulnerability (a newly installed package, a changed version, a new browser extension) and ship the differential results, i.e. only the rows added or removed since the previous run, to common logging or SIEM infrastructure. Once stored there, we can correlate these changes (an installed program, for example) against vulnerability databases for matches, such as known vulnerabilities associated with the installed version of that program. One caveat a practitioner should plan for: version matching must respect the platform's version semantics (Debian epochs and revisions, vendor backports that fix a CVE without bumping the upstream version), otherwise the correlation produces false positives. The entire osquery deployment can be managed as a fleet, either through osquery's built-in TLS remote API with a custom-built management server or an existing fleet manager, which as a bonus can be deeply integrated with your SIEM platform to provide basic IOC threat-hunting capabilities.
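The following is an added example to illustrate the pipeline described above; it is not code from the original article. It shows a scheduled osquery query for installed Debian packages, replays constructed differential results-log lines (in the JSON shape osquery's filesystem logger emits: `name`, `hostIdentifier`, `unixTime`, `action`, `columns`) to rebuild each host's current inventory, and matches that inventory against a constructed vulnerability feed. The pack name, the advisory identifiers (`EXAMPLE-...`) and the version comparison are assumptions for illustration; real deployments would use a distro-aware comparison such as dpkg's.

```python
"""Correlate osquery differential package results against a vulnerability feed.

Added example with constructed sample data; not the original article's code.
"""
import json
import re

# Scheduled query as it would appear in an osquery config. Differential logging
# is osquery's default: each run logs only rows added or removed since the last.
OSQUERY_CONFIG = {
    "schedule": {
        "installed_deb_packages": {          # hypothetical query name
            "query": "SELECT name, version FROM deb_packages;",
            "interval": 300,
        }
    }
}

# Constructed vulnerability feed (illustrative IDs, not real advisories).
# A package is affected when introduced <= version < fixed.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "libexample", "introduced": "1.0.0", "fixed": "1.2.5"},
    {"id": "EXAMPLE-0002", "package": "libexample", "introduced": "2.0.0", "fixed": "2.0.3"},
    {"id": "EXAMPLE-0003", "package": "widgetd", "introduced": "0.9.0", "fixed": "1.0.0"},
]

# Constructed osquery results-log lines (filesystem logger, differential mode).
# host-b upgrades libexample from 2.0.1 to 2.0.3, which shows up as a
# "removed" row followed by an "added" row in the same run.
SAMPLE_LOG = """\
{"name":"installed_deb_packages","hostIdentifier":"host-a","unixTime":1700000000,"action":"added","columns":{"name":"libexample","version":"1.2.3"}}
{"name":"installed_deb_packages","hostIdentifier":"host-a","unixTime":1700000000,"action":"added","columns":{"name":"widgetd","version":"1.0.0"}}
{"name":"installed_deb_packages","hostIdentifier":"host-b","unixTime":1700000300,"action":"added","columns":{"name":"libexample","version":"2.0.1"}}
{"name":"installed_deb_packages","hostIdentifier":"host-b","unixTime":1700000600,"action":"removed","columns":{"name":"libexample","version":"2.0.1"}}
{"name":"installed_deb_packages","hostIdentifier":"host-b","unixTime":1700000600,"action":"added","columns":{"name":"libexample","version":"2.0.3"}}
"""


def osquery_config_json():
    """Serialise the schedule the way it would be written to osquery.conf."""
    return json.dumps(OSQUERY_CONFIG, indent=2)


def version_key(version):
    """Simplified numeric version key (assumption: not full dpkg semantics)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version, introduced, fixed):
    """True when introduced <= version < fixed under version_key ordering."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def current_inventory(log_text):
    """Replay differential rows in time order to get {host: {package: version}}.

    Replaying 'removed' rows is what keeps an upgraded package from being
    reported against its old, vulnerable version.
    """
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["unixTime"])  # stable: preserves file order within a run
    inventory = {}
    for event in events:
        host = inventory.setdefault(event["hostIdentifier"], {})
        name, version = event["columns"]["name"], event["columns"]["version"]
        if event["action"] == "added":
            host[name] = version
        elif event["action"] == "removed" and host.get(name) == version:
            del host[name]
    return inventory


def find_vulnerabilities(inventory, feed=VULN_FEED):
    """Match each host's current package versions against the feed."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for name, version in sorted(packages.items()):
            for advisory in feed:
                if advisory["package"] == name and is_vulnerable(
                    version, advisory["introduced"], advisory["fixed"]
                ):
                    findings.append(
                        {"host": host, "package": name, "version": version,
                         "advisory": advisory["id"]}
                    )
    return findings


if __name__ == "__main__":
    print(osquery_config_json())
    for finding in find_vulnerabilities(current_inventory(SAMPLE_LOG)):
        print(finding)
```

Only host-a is reported (libexample 1.2.3 falls inside the first constructed range); host-b's upgrade to 2.0.3 is at the fixed version, and widgetd 1.0.0 is likewise not affected. Without replaying the `removed` row, host-b would be flagged for the 2.0.1 it no longer has.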

Vulnerability Management with IBM QRadar

Implementing the solution described above widens the net for vulnerability detection, so you will see a significant increase in known vulnerabilities, which can quickly become overwhelming. We recommend integrating the detection results of this solution with IBM QRadar Vulnerability Manager (QVM) using the AXIS import mechanism. QVM enriches the discovered vulnerability instances with additional context about exploit attempts, patch management, network topology and connections, as well as X-Force Threat Intelligence, to help your security team build a prioritised action plan and address security exposures efficiently.