Simple vs Advanced Vulnerability Deduplication

In a previous blog post, we highlighted the difficulties that vulnerability management teams encounter with deduplication and provided suggestions on how to approach the problem. In this follow-up post, we look further at the differences between simple and advanced vulnerability deduplication.

Simple Vulnerability Deduplication

  • Typically contains data from a single vulnerability scanning source (Qualys, Rapid7, Tenable, etc.)
  • When aggregating vulnerability scan data, duplication of results can occur from the following:
    • Assets with multiple IPs being scanned from a network-based scanner
      • IPv4 vs. IPv6 addresses, external public addresses vs. internal addresses
    • Multiple different scan jobs/types/scopes scanning the same assets during the same time interval
      • Discovery vs. Vulnerability vs. Compliance scans
    • Multiple historical scan results of the same vulnerability scan job performed on the same set of assets
      • Scheduled vs. ad-hoc scans

How can NorthStar assist?

NorthStar automatically correlates the relationship between assets and IP addresses as well as the relationship between assets/IPs and vulnerability scans. NorthStar deduplicates the vulnerability findings to allow for a single source of truth for assets, IPs, and vulnerabilities.  

Advanced Vulnerability Deduplication

  • Typically contains vulnerability data from multiple sources scanning the same assets. These can include network-based scanning solutions as well as agent-based solutions (Qualys, Rapid7, Tenable, CrowdStrike, Microsoft Defender, Tanium, etc.).
    • This has become more common as agent-based security solutions have been expanding functionality into the EDR/XDR space.
  • Data from these different scanning solutions will likely be incompatible due to vendors using different vulnerability classification schemes and rating systems.
    • For example, Tenable and Microsoft Defender:
      • Tenable uses Plugins for its vulnerability classification
        • Plugins may represent 0, 1, or more CVEs
      • Microsoft Defender uses CVEs for its vulnerability classification
      • A single issue on an asset may be represented by 1 Tenable plugin and 3 MS Defender CVEs

How can NorthStar assist?

NorthStar can process the different sources for data and match vulnerabilities across different scanning solutions based on several factors:
  • CVE association
  • Software affected
  • Known vendor references
  • Vulnerability descriptions
  • Patch relationships and supersedence

This association can be used to deduplicate the raw vulnerability data into a consolidated list of "real" issues affecting a given asset. NorthStar automatically processes only the latest vulnerability scan data and removes any duplication at the individual source level.
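
To make the first matching factor concrete, here is an added example (not NorthStar's code) that consolidates findings by CVE association alone: findings on the same asset that share any CVE are merged into one issue, which reproduces the "1 Tenable plugin and 3 MS Defender CVEs" case above. The record layout, asset names, plugin IDs and CVE numbers are constructed placeholders; a plugin with no CVEs stays a separate issue because matching it would need the other factors listed.

```python
from collections import defaultdict

# Constructed sample findings (not real scanner output); plugin IDs and
# CVE numbers are placeholders.
FINDINGS = [
    {"asset": "web01", "source": "tenable", "id": "plugin-1001",
     "cves": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}},
    {"asset": "web01", "source": "defender", "id": "CVE-0000-0001", "cves": {"CVE-0000-0001"}},
    {"asset": "web01", "source": "defender", "id": "CVE-0000-0002", "cves": {"CVE-0000-0002"}},
    {"asset": "web01", "source": "defender", "id": "CVE-0000-0003", "cves": {"CVE-0000-0003"}},
    {"asset": "web01", "source": "tenable", "id": "plugin-2002", "cves": set()},  # plugin with 0 CVEs
    {"asset": "db01", "source": "defender", "id": "CVE-0000-0001", "cves": {"CVE-0000-0001"}},
]

def consolidate(findings):
    """Merge findings that share a CVE on the same asset into one issue."""
    parent = list(range(len(findings)))  # union-find over finding indexes

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    first_seen = {}  # (asset, cve) -> index of the first finding carrying it
    for i, f in enumerate(findings):
        for cve in f["cves"]:
            j = first_seen.setdefault((f["asset"], cve), i)
            parent[find(i)] = find(j)

    groups = defaultdict(list)
    for i, f in enumerate(findings):
        groups[find(i)].append(f)

    issues = []
    for members in groups.values():
        issues.append({
            "asset": members[0]["asset"],
            "cves": sorted(set().union(*(m["cves"] for m in members))),
            "reported_by": sorted({(m["source"], m["id"]) for m in members}),
        })
    return sorted(issues, key=lambda x: (x["asset"], x["cves"]))

if __name__ == "__main__":
    for issue in consolidate(FINDINGS):
        print(issue)
```

Six raw findings collapse to three issues: the same CVE on `db01` is not merged with `web01`, because the asset is part of the match key.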