Technology is continuously advancing at an increasing pace. New software and hardware needs to be created to accommodate for leaps in technology and novel ideas. With the advent of every new application and platform, new attack vectors become available to malicious parties. Every increase in the attack surface of an organization results in larger overhead for administrators and device owners since they are forced to pay attention to an increasing amount of websites, partner portals, blogposts, RSS feeds, and other sources of valuable information. The need arises for a solution that can collect pertinent data for specific products in order to reduce overhead and to supply interested parties with vulnerability notifications in real time.
This is why CVE-Strainer aims to provide a centralized platform where any software can be onboarded and monitored for newly discovered vulnerabilities.
The CVE-Strainer tool consists of five main modules:
- Query module – The tool sends periodic requests to a list of pre-configured sources in order to check if any new information (vulnerability, patch) has been provided.
- Parser module – Since different sources provide information in different formats, data needs to be normalized in a standardized format. The parser module ingests data from the query module and transforms it into a common data schema.
- Database module – Depending on the type of information, different actions may need to be taken. The database module receives interesting data in a normalized format and writes it to the tool’s local database.
- Correlation module – Once the query module has detected a new finding and it has been saved to the database, the data can be analyzed in order to determine if any relevant data has been ingested. The correlation module performs periodic checks on the database in which it attempts to match data between the findings table, where all queried data is stored, and the cmdb table, where all onboarded devices are located.
- Notification module – In cases when the correlation module detects a match, that means that there is a new vulnerability/patch. The notification module receives all necessary information regarding the match and sends an e-mail notification based on a list of pre-configured PoCs.
Furthermore, the tool provides a web interface which allows administrators to onboard new clients, change configuration settings, and display statistics. Additionally, an interface for the insertion or update of cmdb entries is available as well.
In order to facilitate data reliability, the inter-module communication is performed by leveraging a message broker. This solution works to prevent data loss by keeping transmitted data in buffers until it is received by the intended module, while also providing profiling capabilities by means of a web interface.
If you wish to know more about CVE Strainer, watch the demonstration video on ECHO's YouTube channel here: