Work with Vulnerability Maps

The Vulnerability Map is a separately licensed feature of Illumio Core. The licensing is based on the number of workloads. The license is required to import Qualys report data into the Illumio PCE.

For information about obtaining the Illumio Core Vulnerability Map license, contact Illumio Customer Support.

Enable the Vulnerability Map

When you obtain the license, you receive information about how to apply it on the PCE and enable the feature.

After the Vulnerability Map is enabled, access it from the App Group Map by clicking Vulnerability Map.

NOTE:

The Vulnerability Map is supported for VEN versions 16.9 and later.

Caveats

  • A maximum of 100,000 vulnerabilities can be detected per organization.
  • A maximum of 100 vulnerabilities can be detected per workload.
  • The Vulnerability Map is not supported in Supercluster implementations.
  • The exposure score is calculated on the first firewall sync for a given workload. When a PCE is restarted:
    • Vulnerability Score and Exposure Score are not available until the firewall sync occurs.
    • The scores are not available when a workload is offline.
  • Vulnerabilities can only be imported using the PCE CLI Tool.

View and Mitigate Vulnerabilities

The Vulnerability Map in your PCE is disabled by default. Vulnerability information is available for traffic flows, workloads, roles, and App Groups.

To view and mitigate vulnerabilities:

  1. In the PCE web console menu, in the upper-left corner, click Choose an App Group.

  2. From the pop-up list, select the App Group you want to work with.

    The command panel shows the vulnerability exposure scores for the selected App Group, broken down by port and by the workloads to which each port is exposed. The scores are overlaid on the App Group Map, so you see the Providing and Consuming App Groups and the vulnerable applications that are being accessed.

    NOTE: The Cloud icon denotes Northern Exposure.

  3. To refine how you view the vulnerabilities for the selected App Group, select the Filter in the top-right corner of the map.

    The Filter contains settings for Vulnerability Exposure Score and Traffic. Based on your preference, you can set the slider to view only critical or high vulnerabilities, or all of them.

  4. After identifying the vulnerabilities, constrain them by writing a security policy that reduces the risk to your data center.

    1. Click Policy Generator in the left menu to open the Policy Generator.

    2. In Policy Generator, select Auto Level to generate policy automatically, and set the Severity slider to the level of vulnerabilities that you want to constrain.

      NOTE: To see the Auto Level option, you must first import the vulnerability license and the vulnerabilities.

      Using Auto Level, you can write broad rules while minimizing the vulnerability exposure:

      • Roles with no vulnerabilities: Role < All Services < All Workloads
      • Roles with traffic to vulnerabilities: Role < All Services < Role
      • Roles without traffic to vulnerabilities: Role < Specified Services < Role

      You can also see the number of vulnerabilities for each workload that are:

      • Eliminated: The port is not exposed to any other workload.
      • Reduced: Exposure to the port is minimized to a reduced set of workloads, which still keeps your applications up and running.

      You can pick and choose the flows for which you want to include policy.

    3. Complete the fields in the Policy Generator wizard.

      The Preview page shows the before and after Vulnerability Exposure Scores, where:

      • Before includes: Current provisioned policy
      • After includes: All draft policy

  5. Click Save after reviewing your policy.
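The three Auto Level rule shapes and the Eliminated/Reduced preview described in the procedure above can be modelled directly. The following is an added example, not Illumio's code or the PCE's algorithm: it applies the three rule patterns to constructed workloads and observed flows, then compares which workloads can reach each vulnerable port under a constructed allow-all "provisioned" baseline versus the generated draft rules. The Workload, Flow and Rule classes, the baseline, the "Unchanged" label and the sample App Group are all assumptions made for illustration; the PCE's own V-E score computation is not reproduced.

```python
"""Auto Level rule shapes and before/after exposure, an illustrative model.

Added example, not Illumio's code: it models the three Auto Level rule
patterns listed above and the Eliminated / Reduced classification over
constructed workloads and flows. The data classes, the allow-all
"provisioned" baseline and the exposure counting are assumptions for
illustration; the PCE's own V-E scoring is not reproduced.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple, Union

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Workload:
    name: str
    role: str
    vulns: Tuple[Tuple[int, str], ...] = ()  # (port, severity) pairs, constructed


@dataclass(frozen=True)
class Flow:
    consumer: str  # consuming workload name
    provider: str  # providing workload name
    port: int


@dataclass(frozen=True)
class Rule:
    """Provider role < services < consumer, the shape used in the list above."""
    provider_role: str
    services: Union[str, FrozenSet[int]]  # "all" or an explicit port set
    consumer: str  # "all_workloads" or a consuming role name

    def permits(self, consumer: Workload, provider: Workload, port: int) -> bool:
        if provider.role != self.provider_role:
            return False
        if self.consumer != "all_workloads" and consumer.role != self.consumer:
            return False
        return self.services == "all" or port in self.services


def vulnerable_ports(w: Workload, min_severity: str) -> Set[int]:
    """Ports whose vulnerability is at or above the Severity slider setting."""
    floor = SEVERITY_RANK[min_severity]
    return {port for port, sev in w.vulns if SEVERITY_RANK[sev] >= floor}


def auto_level_rules(workloads, flows, min_severity) -> List[Rule]:
    """Apply the three Auto Level patterns to each providing role."""
    by_name = {w.name: w for w in workloads}
    rules: Set[Rule] = set()
    for role in sorted({w.role for w in workloads}):
        members = [w for w in workloads if w.role == role]
        inbound = [f for f in flows if by_name[f.provider].role == role]
        if not any(vulnerable_ports(w, min_severity) for w in members):
            rules.add(Rule(role, "all", "all_workloads"))  # no vulnerabilities
            continue
        hits_vuln = any(f.port in vulnerable_ports(by_name[f.provider], min_severity)
                        for f in inbound)
        for crole in {by_name[f.consumer].role for f in inbound}:
            if hits_vuln:  # traffic reaches a vulnerable port: scope consumers only
                rules.add(Rule(role, "all", crole))
            else:  # no traffic to vulnerable ports: allow just the observed services
                ports = frozenset(f.port for f in inbound if by_name[f.consumer].role == crole)
                rules.add(Rule(role, ports, crole))
    return sorted(rules, key=repr)


def provisioned_rules(workloads) -> List[Rule]:
    """Constructed "before" baseline: every role reachable on all services."""
    return [Rule(r, "all", "all_workloads") for r in sorted({w.role for w in workloads})]


def exposure(provider, port, workloads, rules) -> Set[str]:
    """Other workloads that at least one rule permits to reach provider:port."""
    return {c.name for c in workloads
            if c.name != provider.name and any(r.permits(c, provider, port) for r in rules)}


def classify(provider, port, workloads, before, after) -> str:
    """Eliminated / Reduced as described above; "Unchanged" is an added label."""
    was = exposure(provider, port, workloads, before)
    now = exposure(provider, port, workloads, after)
    if not now:
        return "Eliminated"
    return "Reduced" if now < was else "Unchanged"


def sample_data():
    """Constructed three-tier App Group; only the app and db roles carry vulnerabilities."""
    workloads = [Workload("web1", "web"), Workload("web2", "web"),
                 Workload("app1", "app", ((8080, "critical"),)),
                 Workload("db1", "db", ((22, "high"),))]
    flows = [Flow("web1", "app1", 8080), Flow("web2", "app1", 8080), Flow("app1", "db1", 3306)]
    return workloads, flows
```

With the slider at "high", the sample yields one rule of each shape: the web role has no vulnerabilities and gets the broad All Workloads rule; the app role's only observed traffic lands on its vulnerable port, so the service stays open but the consumer is narrowed to the web role (exposure of port 8080 is Reduced); the db role's observed traffic avoids its vulnerable port, so only the observed service is allowed and port 22 ends up Eliminated. Moving the slider to "critical" drops the db role's high-severity finding below the threshold, so that role receives the broad rule and its port 22 exposure is unchanged, which is why the severity setting decides how much exposure the generated policy removes.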

Vulnerabilities Tab for Workload Details

The Workloads list page is enhanced to display risk due to vulnerabilities. The workload with the most vulnerabilities is listed at the top.

The Workload detail page includes a Vulnerabilities tab. You can click the V-E score column to sort the vulnerabilities based on the vulnerability score. You can then define your patch priority based on the most critical score.

You can see the highest severity type for the workload and the total number of vulnerabilities associated with it. Each port and protocol is mapped to a vulnerability, if one exists. Under the Vulnerabilities tab, all the vulnerabilities for the workload are sorted in order of severity. You can see the following information for each vulnerability:

  • Total V-E score of the workload
  • V-E score of the highest accessible network port of the workload
  • Vulnerability score of the most severe network accessible vulnerability on the workload
  • East-West exposure
  • Internet exposure
  • Type of traffic on that port
  • Name of the vulnerability

Under the Processes tab, you can see the V-E score of each process that is communicating over the network port. The East-West Exposure Score is recalculated whenever the rules associated with the workload are changed.