Asset Profiles
Asset profiles provide information about each known asset in your network, including what services are running on each asset.
Asset profile information is used for correlation purposes to help reduce false positives. For example, if a source attempts to exploit a specific service running on an asset, then JSA determines if the asset is vulnerable to this attack by correlating the attack to the asset profile.
Asset profiles are automatically discovered if you have flow data or vulnerability assessment (VA) scans configured. For flow data to populate asset profiles, bidirectional flows are required. Asset profiles can also be automatically created from identity events. For more information about VA, see the Juniper Secure Analytics Managing Vulnerability Assessment Guide.
For more information about flow sources, see the Juniper Secure Analytics Administration Guide.
Vulnerabilities
You can use JSA Vulnerability Manager and third-party scanners to identify vulnerabilities.
Third-party scanners identify and report discovered vulnerabilities using external references, such as the Open Source Vulnerability Database (OSVDB), National Vulnerability Database (NVDB), and Critical Watch. Examples of third-party scanners include QualysGuard and nCircle ip360. The OSVDB assigns a unique reference identifier (OSVDB ID) to each vulnerability. External references assign a unique reference identifier to each vulnerability. Examples of external data reference IDs include Common Vulnerabilities and Exposures (CVE) ID or Bugtraq ID. For more information on scanners and vulnerability assessment, see the Juniper Secure Analytics Vulnerability Manager User Guide.
JSA Vulnerability Manager is a component that you can purchase separately and enable using a license key. JSA Vulnerability Manager is a network scanning platform that provides awareness of the vulnerabilities that exist within the applications, systems, or devices on your network. After scans identify vulnerabilities, you can search and review vulnerability data, remediate vulnerabilities, and rerun scans to evaluate the new level of risk.
When JSA Vulnerability Manager is enabled, you can perform vulnerability assessment tasks on the Vulnerabilities tab. From the Assets tab, you can run scans on selected assets.
For more information, see the Juniper Secure Analytics Vulnerability Manager User Guide.
Assets Tab Overview
The Assets tab provides you with a workspace from which you can manage your network assets and investigate an asset's vulnerabilities, ports, applications, history, and other associations.
Using the Assets tab, you can:
View all the discovered assets.
Manually add asset profiles.
Search for specific assets.
View information about discovered assets.
Edit asset profiles for manually added or discovered assets.
Tune false positive vulnerabilities.
Import assets.
Print or export asset profiles.
Discover assets.
Configure and manage third-party vulnerability scanning.
Start JSA Vulnerability Manager scans.
For information about the Server Discovery option in the navigation pane, see the Juniper Secure Analytics Administration Guide.
For more information about the VA Scan option in the navigation pane, see the Juniper Secure Analytics Risk Manager User Guide.
Viewing an Asset Profile
From the asset list on the Assets tab, you can select and view an asset profile. An asset profile provides information about each asset.
Asset profile information is automatically discovered through Server Discovery or manually configured. You can edit automatically generated asset profile information.
The Asset Profile page organizes the information about the asset into several panes. To view a pane, click the arrow (>) on the pane to view more detail, or select the pane from the Display list box on the toolbar.
The Asset Profile page toolbar provides the following functions:
Options | Description |
---|---|
Return to Asset List | Click this option to return to the asset list. |
Display | From the list box, you can select the pane that you want to view on the Asset Profile pane. The Asset Summary and Network Interface Summary panes are always displayed. |
Edit Asset | Click this option to edit the Asset Profile. See Adding or Editing an Asset Profile. |
View by Network | If this asset is associated with an offense, this option allows you to view the list of networks that are associated with this asset. When you click View By Network, the List of Networks window is displayed. |
View Source Summary | If this asset is the source of an offense, this option allows you to view source summary information. When you click View Source Summary, the List of Offenses window is displayed. |
View Destination Summary | If this asset is the destination of an offense, this option allows you to view destination summary information. When you click View Destination Summary, the List of Destinations window is displayed. |
History | Click History to view event history information for this asset. When you click the History icon, the Event Search window is displayed, pre-populated with event search criteria. You can customize the search parameters, if required. Click Search to view the event history information. |
Applications | Click Applications to view application information for this asset. When you click the Applications icon, the Flow Search window is displayed, pre-populated with event search criteria. You can customize the search parameters, if required. Click Search to view the application information. |
Search Connections | Click Search Connections to search for connections. The Connection Search window is displayed. This option is only displayed when JSA Risk Manager has been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide. |
View Topology | Click View Topology to further investigate the asset. The Current Topology window is displayed. This option is only displayed when JSA Risk Manager has been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide. |
Actions | From the Actions list, select Vulnerability History. This option is only displayed when JSA Risk Manager has been purchased and licensed. For more information, see the Juniper Secure Analytics Risk Manager User Guide. |
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Double-click the asset that you want to view.
Use the options on the toolbar to display the various panes of asset profile information. See Adding or Editing an Asset Profile.
To research the associated vulnerabilities, click each vulnerability in the Vulnerabilities pane. See Table 10-10.
If required, edit the asset profile. See Adding or Editing an Asset Profile.
Click Return to Assets List to select and view another asset, if required.
Adding or Editing an Asset Profile
Asset profiles are automatically discovered and added; however, you might be required to manually add a profile.
When assets are discovered using the Server Discovery option, some asset profile details are automatically populated. You can manually add information to the asset profile and you can edit certain parameters.
You can only edit the parameters that were manually entered. Parameters that were system generated are displayed in italics and are not editable. You can delete system generated parameters, if required.
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Choose one of the following options:
To add an asset, click Add Asset and type the IP address or CIDR range of the asset in the New IP Address field.
To edit an asset, double-click the asset that you want to view and click Edit Asset.
Configure the parameters in the MAC & IP Address pane. Configure one or more of the following options:
Click the New MAC Address icon and type a MAC Address in the dialog box.
Click the New IP Address icon and type an IP address in the dialog box.
If Unknown NIC is listed, you can select this item, click the Edit icon, and type a new MAC address in the dialog box.
Select a MAC or IP address from the list, click the Edit icon, and type a new MAC address in the dialog box.
Select a MAC or IP address from the list and click the Remove icon.
Configure the parameters in the Names & Description pane. Configure one or more of the following options:
Parameter | Description |
---|---|
DNS | Choose one of the following options: type a DNS name and click Add; select a DNS name from the list and click Edit; select a DNS name from the list and click Remove. |
NetBIOS | Choose one of the following options: type a NetBIOS name and click Add; select a NetBIOS name from the list and click Edit; select a NetBIOS name from the list and click Remove. |
Given Name | Type a name for this asset profile. |
Location | Type a location for this asset profile. |
Description | Type a description for the asset profile. |
Wireless AP | Type the wireless Access Point (AP) for this asset profile. |
Wireless SSID | Type the wireless Service Set Identifier (SSID) for this asset profile. |
Switch ID | Type the switch ID for this asset profile. |
Switch Port ID | Type the switch port ID for this asset profile. |
Configure the parameters in the Operating System pane:
From the Vendor list box, select an operating system vendor.
From the Product list box, select the operating system for the asset profile.
From the Version list box, select the version for the selected operating system.
Click the Add icon.
From the Override list box, select one of the following options:
Until Next Scan: Select this option to specify that the scanner provides operating system information and the information can be temporarily edited. If you edit the operating system parameters, the scanner restores the information at its next scan.
Forever: Select this option to specify that you want to manually enter operating system information and disable the scanner from updating the information.
Select an operating system from the list.
Select an operating system and click the Toggle Override icon.
Configure the parameters in the CVSS & Weight pane. Configure one or more of the following options:
Parameter | Description |
---|---|
Collateral Damage Potential | Configure this parameter to indicate the potential for loss of life or physical assets through damage or theft of this asset. You can also use this parameter to indicate potential for economic loss of productivity or revenue. Increased collateral damage potential increases the calculated value in the CVSS Score parameter. From the Collateral Damage Potential list box, select one of the following options: None, Low, Low-medium, Medium-high, High, Not defined. When you configure the Collateral Damage Potential parameter, the Weight parameter is automatically updated. |
Confidentiality Requirement | Configure this parameter to indicate the impact on confidentiality of a successfully exploited vulnerability on this asset. Increased confidentiality impact increases the calculated value in the CVSS Score parameter. From the Confidentiality Requirement list box, select one of the following options: Low, Medium, High, Not defined. |
Availability Requirement | Configure this parameter to indicate the impact to the asset's availability when a vulnerability is successfully exploited. Attacks that consume network bandwidth, processor cycles, or disk space impact the availability of an asset. Increased availability impact increases the calculated value in the CVSS Score parameter. From the Availability Requirement list box, select one of the following options: Low, Medium, High, Not defined. |
Integrity Requirement | Configure this parameter to indicate the impact to the asset's integrity when a vulnerability is successfully exploited. Integrity refers to the trustworthiness and guaranteed veracity of information. Increased integrity impact increases the calculated value in the CVSS Score parameter. From the Integrity Requirement list box, select one of the following options: Low, Medium, High, Not defined. |
Weight | From the Weight list box, select a weight for this asset profile. The range is 0 to 10. When you configure the Weight parameter, the Collateral Damage Potential parameter is automatically updated. |
Configure the parameters in the Owner pane. Choose one or more of the following options:
Parameter | Description |
---|---|
Business Owner | Type the name of the business owner of the asset. An example of a business owner is a department manager. The maximum length is 255 characters. |
Business Owner Contact | Type the contact information for the business owner. The maximum length is 255 characters. |
Technical Owner | Type the technical owner of the asset. An example of a technical owner is the IT manager or director. The maximum length is 255 characters. |
Technical Owner Contact | Type the contact information for the technical owner. The maximum length is 255 characters. |
Technical User | From the list box, select the username that you want to associate with this asset profile. You can also use this parameter to enable automatic vulnerability remediation for Juniper Secure Analytics Vulnerability Manager. For more information about automatic remediation, see the Juniper Secure Analytics Vulnerability Manager User Guide. |
Click Save.
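How the CVSS & Weight settings move a score, as an added example that is not JSA code: it assumes the CVSS version 2 environmental equations published by FIRST, whose option names match the list boxes in that pane; this page does not state which equations JSA applies. Temporal metrics and target distribution are treated as not defined, and the function names and base-vector letters are this example's own.

```python
# CVSS v2 base-metric constants (FIRST specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Asset-side values, keyed by the option names in the CVSS & Weight pane.
COLLATERAL_DAMAGE = {"None": 0.0, "Low": 0.1, "Low-medium": 0.3,
                     "Medium-high": 0.4, "High": 0.5, "Not defined": 0.0}
REQUIREMENT = {"Low": 0.5, "Medium": 1.0, "High": 1.51, "Not defined": 1.0}


def _exploitability(av, ac, au):
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def _score(impact, exploitability):
    # f(impact) is 0 when there is no impact at all, 1.176 otherwise.
    f = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)


def base_score(av, ac, au, c, i, a):
    """Base score of the vulnerability, independent of the asset."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    return _score(impact, _exploitability(av, ac, au))


def environmental_score(av, ac, au, c, i, a, cdp="Not defined",
                        cr="Not defined", ir="Not defined", ar="Not defined"):
    """Score after applying the asset's requirements and collateral damage."""
    # Each requirement re-weights the matching impact metric; capped at 10.
    adjusted_impact = min(10.0, 10.41 * (1
        - (1 - IMPACT[c] * REQUIREMENT[cr])
        * (1 - IMPACT[i] * REQUIREMENT[ir])
        * (1 - IMPACT[a] * REQUIREMENT[ar])))
    # Assumption: temporal metrics not defined, so no temporal multiplier.
    adjusted = _score(adjusted_impact, _exploitability(av, ac, au))
    # Collateral damage closes part of the gap between the score and 10.
    # Assumption: target distribution not defined (multiplier 1.0).
    return round(adjusted + (10 - adjusted) * COLLATERAL_DAMAGE[cdp], 1)


if __name__ == "__main__":
    # Constructed vector: remote, low complexity, no authentication,
    # complete loss of availability only.
    vector = dict(av="N", ac="L", au="N", c="N", i="N", a="C")
    print("base:", base_score(**vector))
    for settings in ({"ar": "Low"}, {"ar": "High"}, {"cdp": "Low-medium"},
                     {"ar": "Low", "cdp": "High"}):
        print(settings, "->", environmental_score(**vector, **settings))
```

The same vulnerability scores lower on an asset whose availability requirement is Low and higher on one marked High, which is why these fields are worth setting per asset rather than leaving at Not defined.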
Searching Asset Profiles
You can configure search parameters to display only the asset profiles you want to investigate from the Asset page on the Assets tab.
When you access the Assets tab, the Asset page is displayed populated with all discovered assets in your network. To refine this list, you can configure search parameters to display only the asset profiles you want to investigate.
From the Asset Search page, you can manage Asset Search Groups. For more information, see Asset Search Groups.
The search feature allows you to search host profiles, assets, and identity information. Identity information provides more detail about log sources on your network, including DNS information, user logins, and MAC addresses.
Using the asset search feature, you can search for assets by external data references to determine whether known vulnerabilities exist in your deployment.
For example:
You receive a notification that CVE ID: CVE-2010-000 is being actively used in the field. To verify whether any hosts in your deployment are vulnerable to this exploit, you can select Vulnerability External Reference from the list of search parameters, select CVE, and then type the following:
2010-000
This displays a list of all hosts that are vulnerable to that specific CVE ID.
For more information about OSVDB, see http://osvdb.org/. For more information about NVDB, see http://nvd.nist.gov/.
1. Click the Assets tab.
2. On the navigation menu, click Asset Profiles.
3. On the toolbar, click Search > New Search.
4. Choose one of the following options:
   - To load a previously saved search, go to Step 5.
   - To create a new search, go to Step 6.
5. Select a previously saved search:
   a. Choose one of the following options:
      - Optional. From the Group list box, select the asset search group that you want to display in the Available Saved Searches list.
      - From the Available Saved Searches list, select the saved search that you want to load.
      - In the Type Saved Search or Select from List field, type the name of the search you want to load.
   b. Click Load.
6. In the Search Parameters pane, define your search criteria:
   a. From the first list box, select the asset parameter that you want to search for. For example, Hostname, Vulnerability Risk Classification, or Technical Owner.
   b. From the second list box, select the modifier that you want to use for the search.
   c. In the entry field, type specific information that is related to your search parameter.
   d. Click Add Filter.
   e. Repeat these steps for each filter that you want to add to the search criteria.
7. Click Search.
You can save your asset search criteria. See Saving Asset Search Criteria.
Saving Asset Search Criteria
On the Assets tab, you can save configured search criteria so that you can reuse the criteria. Saved search criteria do not expire.
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Perform a search.
Click Save Criteria.
Enter values for the parameters:
Parameter | Description |
---|---|
Enter the name of this search | Type the unique name that you want to assign to this search criteria. |
Manage Groups | Click Manage Groups to manage search groups. This option is only displayed if you have administrative permissions. |
Assign Search to Group(s) | Select the check box for the group you want to assign this saved search. If you do not select a group, this saved search is assigned to the Other group by default. |
Include in my Quick Searches | Select this check box to include this search in your Quick Search list box, which is on the Assets tab toolbar. |
Set as Default | Select this check box to set this search as your default search when you access the Assets tab. |
Share with Everyone | Select this check box to share these search requirements with all users. |
Asset Search Groups
Using the Asset Search Groups window, you can create and manage asset search groups.
These groups allow you to easily locate saved search criteria on the Assets tab.
- Viewing Search Groups
- Creating a New Search Group
- Editing a Search Group
- Copying a Saved Search to Another Group
- Removing a Group or a Saved Search from a Group
Viewing Search Groups
Use the Asset Search Groups window to view a list of groups and subgroups.
From the Asset Search Groups window, you can view details about each group, including a description and the date the group was last modified.
All saved searches that are not assigned to a group are in the Other group.
The Asset Search Groups window displays the following parameters for each group:
Function | Description |
---|---|
New Group | To create a new search group, you can click New Group. See Creating a New Search Group. |
Edit | To edit an existing search group, you can click Edit. See Editing a Search Group. |
Copy | To copy a saved search to another search group, you can click Copy. See Copying a Saved Search to Another Group. |
Remove | To remove a search group or a saved search from a search group, select the item that you want to remove, and then click Remove. See Removing a Group or a Saved Search from a Group. |
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Select Search >New Search.
Click on Manage Groups.
View the search groups.
Creating a New Search Group
On the Asset Search Groups window, you can create a new search group.
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Select Search >New Search.
Click Manage Groups.
Select the folder for the group under which you want to create the new group.
Click New Group.
In the Name field, type a unique name for the new group.
Optional. In the Description field, type a description.
Click OK.
Editing a Search Group
You can edit the Name and Description fields of a search group.
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Select Search >New Search.
Click Manage Groups.
Select the group that you want to edit.
Click Edit.
Type a new name in the Name field.
Type a new description in the Description field.
Click OK.
Copying a Saved Search to Another Group
You can copy a saved search to another group. You can also copy the saved search to more than one group.
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Select Search >New Search.
Click Manage Groups.
Select the saved search that you want to copy.
Click Copy.
On the Item Groups window, select the check box for the group you want to copy the saved search to.
Click Assign Groups.
Removing a Group or a Saved Search from a Group
You can use the Remove icon to remove a search from a group or remove a search group.
When you remove a saved search from a group, the saved search is not deleted from your system. The saved search is removed from the group and automatically moved to the Other group.
You cannot remove the following groups from your system:
Asset Search Groups
Other
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Select Search >New Search.
Click Manage Groups.
Select the saved search that you want to remove from the group:
Select the saved search that you want to remove from the group.
Select the group that you want to remove.
Asset Profile Management Tasks
Using the Assets tab, you can delete, import, and export asset profiles.
Deleting Assets
You can delete specific assets or all listed asset profiles.
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Select the asset that you want to delete, and then select Delete Asset from the Actions list box.
Click OK.
Importing Asset Profiles
You can import asset profile information.
The imported file must be a CSV file in the following format:
ip,name,weight,description
Where:
IP: Specifies any valid IP address in the dotted decimal format. For example: 192.168.5.34.
Name: Specifies the name of this asset up to 255 characters in length. Commas are not valid in this field and invalidate the import process. For example: WebServer01 is correct.
Weight: Specifies a number from 0 to 10, which indicates the importance of this asset on your network. A value of 0 denotes low importance and 10 is very high.
Description: Specifies a textual description for this asset up to 255 characters in length. This value is optional.
For example, the following entries might be included in a CSV file:
192.168.5.34,WebServer01,5,Main Production Web Server
192.168.5.35,MailServ01,0,
The import process merges the imported asset profiles with the asset profile information you have currently stored in the system.
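Because a stray comma invalidates the import, it helps to check the file before uploading it. The following pre-import check is an added example, not part of JSA: the function names are hypothetical, fields are split on plain commas with no quoting, and every row is expected to carry the third comma even when the description is empty, as in the sample rows above.

```python
import ipaddress

MAX_TEXT = 255  # length limit given above for the name and description fields

# Constructed sample: the two rows from this page plus three bad ones.
SAMPLE = """\
192.168.5.34,WebServer01,5,Main Production Web Server
192.168.5.35,MailServ01,0,
192.168.5.300,FileServ01,3,octet out of range
192.168.5.36,Web,Server02,5,comma inside the name
192.168.5.37,DbServ01,11,weight above 10
"""


def check_row(line):
    """Return a list of problems for one 'ip,name,weight,description' line."""
    # Assumption: no quoting; the description is whatever follows the
    # third comma, so a comma in the name shifts every later column.
    parts = line.split(",", 3)
    if len(parts) < 4:
        return ["expected 4 comma-separated fields, got %d" % len(parts)]
    ip, name, weight, description = (p.strip() for p in parts)
    problems = []
    try:
        ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        problems.append("ip %r is not a dotted-decimal IPv4 address" % ip)
    # Assumption: an empty name is rejected; the page only states the maximum.
    if not 1 <= len(name) <= MAX_TEXT:
        problems.append("name must be 1-%d characters" % MAX_TEXT)
    if not (weight.isascii() and weight.isdigit() and int(weight) <= 10):
        problems.append("weight %r is not an integer from 0 to 10 "
                        "(check for a comma in the name)" % weight)
    if len(description) > MAX_TEXT:
        problems.append("description exceeds %d characters" % MAX_TEXT)
    return problems


def validate_asset_csv(text):
    """Return {line_number: [problems]} for every rejected line."""
    rejected = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # ignore blank lines
        problems = check_row(line)
        if problems:
            rejected[number] = problems
    return rejected


if __name__ == "__main__":
    for number, problems in validate_asset_csv(SAMPLE).items():
        print("line %d: %s" % (number, "; ".join(problems)))
```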
Click the Assets tab.
On the navigation menu, click Asset Profiles.
From the Actions list box, select Import Assets.
Click Browse to locate and select the CSV file that you want to import.
Click Import Assets to begin the import process.
Exporting Assets
You can export listed asset profiles to an Extensible Markup Language (XML) or Comma-Separated Value (CSV) file.
Click the Assets tab.
On the navigation menu, click Asset Profiles.
From the Actions list box, select one of the following options:
Export to XML
Export to CSV
View the status window for the status of the export process.
If you want to use other tabs and pages while the export is in progress, click the Notify When Done link.
When the export is complete, the File Download window is displayed.
On the File Download window, choose one of the following options:
Open: Select this option to open the export results in your choice of browser.
Save: Select this option to save the results to your desktop.
Click OK.
Research Asset Vulnerabilities
You can double-click the vulnerability to display more vulnerability details.
The Research Vulnerability Details window provides the following details:
Parameter | Description |
---|---|
Vulnerability ID | Specifies the ID of the vulnerability. The Vuln ID is a unique identifier that is generated by Vulnerability Information System (VIS). |
Published Date | Specifies the date on which the vulnerability details were published on the OSVDB. |
Name | Specifies the name of the vulnerability. |
Assets | Specifies the number of assets in your network that have this vulnerability. Click the link to view the list of assets. |
Assets, including exceptions | Specifies the number of assets in your network that have vulnerability exceptions. Click the link to view the list of assets. |
CVE | Specifies the CVE identifier for the vulnerability. CVE identifiers are provided by the NVDB. Click the link to obtain more information. When you click the link, the NVDB website is displayed in a new browser window. |
xforce | Specifies the X-Force identifier for the vulnerability. Click the link to obtain more information. When you click the link, the Internet Security Systems website is displayed in a new browser window. |
OSVDB | Specifies the OSVDB identifier for the vulnerability. Click the link to obtain more information. When you click the link, the OSVDB website is displayed in a new browser window. |
Plugin Details | Specifies the JSA Vulnerability Manager ID. Click the link to view Oval Definitions, Windows Knowledge Base entries, or UNIX advisories for the vulnerability. This feature provides information on how JSA Vulnerability Manager checks for vulnerability details during a patch scan. You can use it to identify why a vulnerability was raised on an asset or why it was not. |
CVSS Score Base | Displays the aggregate Common Vulnerability Scoring System (CVSS) score of the vulnerabilities on this asset. A CVSS score is an assessment metric for the severity of a vulnerability. You can use CVSS scores to measure how much concern a vulnerability warrants in comparison to other vulnerabilities. The CVSS score is calculated using the following user-defined parameters: For more information about how to configure these parameters, see Adding or Editing an Asset Profile. For more information about CVSS, see http://www.first.org/cvss/. |
Impact | Displays the type of harm or damage that can be expected if this vulnerability is exploited. |
CVSS Base Metrics | Displays the metrics that are used to calculate the CVSS base score, including: |
Description | Specifies a description of the detected vulnerability. This value is only available when your system integrates VA tools. |
Concern | Specifies the effects that the vulnerability can have on your network. |
Solution | Follow the instructions that are provided to resolve the vulnerability. |
Virtual Patching | Displays virtual patch information that is associated with this vulnerability, if available. A virtual patch is a short-term mitigation solution for a recently discovered vulnerability. This information is derived from Intrusion Protection System (IPS) events. If you want to install the virtual patch, see your IPS vendor information. |
Reference | Displays a list of external references, including: Click the link to obtain more information. When you click the link, the external resource is displayed in a new browser window. |
Products | Displays a list of products that are associated with this vulnerability. |
Click the Assets tab.
On the navigation menu, click Asset Profiles.
Select an asset profile.
In the Vulnerabilities pane, click the ID or Vulnerability parameter value for the vulnerability you want to investigate.