Actionable insights are insights that can be remediated directly through the Veriti platform (as opposed to informational insights, which cannot). In this article, we explain the different types of actionable insights that may be triggered by Veriti.
Note that only Administrator users can remediate insights; the “Remediation” button is grayed out for Read-Only users.
Veriti uses certain terms to describe the operational modes of security products. Since terminology varies across vendors and product types, we’ve provided some common synonyms below (as well as a short definition of each).
Operational Modes of Security Products

| Veriti terminology | Definition | Vendor synonyms |
| --- | --- | --- |
| Off Mode | The protection is not functioning: it is not processing traffic or system activity and provides no protection. | Inactive Mode, Disabled Mode, Deactivated Mode |
| Detect Mode | The protection passively monitors network traffic in order to detect potential security threats, but does not block any traffic. | Monitoring Mode, Alert Mode, Allow Mode |
| Prevent Mode | The protection actively blocks or restricts network traffic or system activity to stop potential security threats before they can cause harm. | Block Mode, Enforcement Mode, Protective Mode |
Security vendors release new Intrusion Prevention System (IPS) protections incrementally, because they have low confidence in new signatures, which may identify benign traffic as malicious. As a result, most security profiles ship with thousands of protections in Off Mode by default (that is, not active or operational). Veriti lets you switch protections from Off Mode to Detect Mode gradually, so you can raise your security posture safely, confirm that each protection is functioning properly, and keep the extra CPU load on your security products under control.
The “Protection Activation” insight notifies you when a protection is in Off Mode on one of your firewalls, so the traffic it covers is not being inspected for that threat at all.
When you remediate this insight, you turn the protection on by changing it from Off Mode to Detect Mode. The protection is then fully operational and logs every match, but it only monitors: it does not yet block malicious traffic.
Remediating this insight marks the beginning of the “protection lifecycle”. This means “Protection Hardening” will generally be the next insight to come, followed by one of these insights if and when potential security threats are detected: “False-Positive Detection”, “Under Attack”, and “CPU Utilization”.
Each remediation activates only a single protection at a time (per profile, per policy, per domain, across all associated assets). Activating one protection at a time lets Veriti monitor the change in isolation and attribute any false-positive detections or abnormal CPU load to the protection that caused them.
In Veriti, to ensure the most important insights are remediated first, protections are activated based on the following priority:
- A vulnerable host was detected. (Not only is the organization open to attack because the protection is not enforced, but one or more hosts or endpoints are exposed to this attack because an application with vulnerability is installed.)
- CVEs (Common Vulnerabilities and Exposures) with a CVSS Score of 9 or above
- CVEs listed in CISA’s Known Exploited Vulnerabilities Catalog
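The priority order above expressed as a sort key, written as an added example for this article. It is not Veriti's code and does not reflect Veriti's data model: the `InactiveProtection` fields, the tie-breaking rules and the sample protections are assumptions made here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InactiveProtection:
    """An Off Mode protection plus the facts the three priority rules need.
    The field names are assumptions for this example, not Veriti's data model."""
    name: str
    cvss: float             # score of the CVE the protection covers (0.0 if none)
    in_cisa_kev: bool       # CVE listed in CISA's Known Exploited Vulnerabilities catalog
    vulnerable_hosts: int   # hosts on which the vulnerable application is installed


def activation_rank(p: InactiveProtection) -> tuple:
    """Sort key for the priority order: (1) a vulnerable host exists, (2) CVSS 9.0 or
    higher, (3) listed in CISA KEV. Python sorts ascending, so each boolean is negated
    to put True first; raw CVSS and host count break ties within a tier (assumed rule)."""
    return (
        -int(p.vulnerable_hosts > 0),
        -int(p.cvss >= 9.0),
        -int(p.in_cisa_kev),
        -p.cvss,
        -p.vulnerable_hosts,
    )


def prioritize(protections):
    """Return the protections in the order they should be activated."""
    return sorted(protections, key=activation_rank)


# Constructed sample set (generic names, not real protections or CVEs).
SAMPLE = [
    InactiveProtection("protection-A", cvss=7.5, in_cisa_kev=True, vulnerable_hosts=0),
    InactiveProtection("protection-B", cvss=9.8, in_cisa_kev=False, vulnerable_hosts=0),
    InactiveProtection("protection-C", cvss=8.1, in_cisa_kev=False, vulnerable_hosts=3),
    InactiveProtection("protection-D", cvss=9.1, in_cisa_kev=True, vulnerable_hosts=0),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE):
        print(p.name, activation_rank(p))
    # → protection-C, protection-D, protection-B, protection-A
```

Note that protection-C comes first even though its CVSS is the lowest of the four: an installed vulnerable application outranks severity, exactly as the list above says.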
Many successful attacks pass through a protection that could have blocked them but was not enforced. This is often a side effect of vendors releasing new protections incrementally (because of low confidence in new signatures that may identify benign traffic as malicious): protections left in Off Mode or Detect Mode leave room for network infiltration.
The “Protection Hardening” insight notifies you when a protection is in Detect Mode on one of your firewalls and can be changed to Prevent Mode without impacting business continuity. Veriti determines this by inspecting 7 days of traffic and correlating logs and configurations to decide, per protection, whether hardening that protection carries a potential business impact.
If no problematic logs were detected, this insight will be triggered and you can perform remediation. Remediation hardens your security policy and actively prevents cyberattacks by pushing the relevant protection into Prevent Mode.
Note that within Veriti, protections are grouped into categories (e.g. Remote Code Execution, XSS, etc.)
The “False-Positive Detection” insight notifies you when there are false-positive detections that may impact business continuity because a firewall is blocking – or will attempt to block – legitimate traffic that’s detected as potentially malicious. The goal of this insight is to reduce the chances of a security product being unnecessarily disabled as a way to avoid this business disruption.
Veriti does this by automatically exporting all threat logs and feeding them into an AI model that classifies the traffic as benign or malicious. If it is benign, you can perform remediation, which adds an exception that excludes the specific connection from inspection by your intrusion prevention system. Keep the exception as narrow as the benign traffic requires: an exception wider than the connection that triggered it (a whole subnet, or a protection switched off) is an inspection bypass, not a false-positive fix.
Note: a potential false-positive occurs when a protection is in Detect Mode, so business impact has not yet occurred, but the potential for impact exists. A real false-positive occurs when a protection is in Prevent Mode, which means the business is already being disrupted.
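One way to reproduce the two decisions described above, the hardening check over a 7-day window (“Protection Hardening”) and the potential-versus-real false-positive distinction (“False-Positive Detection”), as an added example that is not part of Veriti's product or documentation. The key=value log format, the protection names, the `benign` flag standing in for the AI model's verdict, and the sample entries are all constructed for this example.

```python
from datetime import datetime, timedelta


def parse(line: str) -> dict:
    """Parse one 'key=value key=value ...' threat-log line (a constructed format for this example)."""
    return dict(field.split("=", 1) for field in line.split())


def hardening_candidates(logs, detect_mode_protections, now, window_days=7):
    """Split Detect Mode protections into those that can be pushed to Prevent Mode
    (no hits in the window, so hardening changes nothing for observed traffic) and
    those whose hits must go through false-positive review first (every hit would
    become a dropped connection in Prevent Mode). Returns (candidates, hits_needing_review)."""
    since = now - timedelta(days=window_days)
    hits = {}
    for entry in map(parse, logs):
        if entry["mode"] != "detect" or entry["protection"] not in detect_mode_protections:
            continue
        if datetime.fromisoformat(entry["ts"]) < since:
            continue                      # older than the 7-day window, ignore
        hits[entry["protection"]] = hits.get(entry["protection"], 0) + 1
    candidates = sorted(p for p in detect_mode_protections if p not in hits)
    return candidates, hits


def false_positive_kind(entry: dict, benign: bool):
    """`benign` stands in for the verdict of Veriti's AI model (assumption: a per-entry
    verdict is available). A benign hit in Detect Mode is a *potential* false positive,
    nothing was blocked yet; in Prevent Mode it is a *real* one, legitimate traffic was
    already dropped. Malicious hits are not false positives at all."""
    if not benign:
        return None
    return "potential" if entry["mode"] == "detect" else "real"


# Constructed sample data: a fixed 'now' and four log lines.
NOW = datetime(2024, 5, 8, 12, 0, 0)
LOGS = [
    "ts=2024-05-07T09:12:00 protection=prot-sqli mode=detect src=10.1.2.3 dst=192.0.2.10 action=alert",
    "ts=2024-05-06T18:40:00 protection=prot-sqli mode=detect src=10.1.2.9 dst=192.0.2.10 action=alert",
    "ts=2024-04-20T08:00:00 protection=prot-rce mode=detect src=10.1.2.3 dst=192.0.2.11 action=alert",
    "ts=2024-05-07T11:00:00 protection=prot-xss mode=prevent src=198.51.100.4 dst=192.0.2.10 action=drop",
]
DETECT_MODE = {"prot-sqli", "prot-rce", "prot-deser"}

if __name__ == "__main__":
    print(hardening_candidates(LOGS, DETECT_MODE, NOW))
    # → (['prot-deser', 'prot-rce'], {'prot-sqli': 2})
    print(false_positive_kind(parse(LOGS[0]), benign=True))   # → potential
    print(false_positive_kind(parse(LOGS[3]), benign=True))   # → real
```

prot-rce is a hardening candidate even though it has a hit, because that hit is older than the window; prot-sqli is held back until its two hits have been classified, since both would turn into dropped connections in Prevent Mode.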
Veriti proactively, periodically and automatically analyzes your threat prevention logs to identify potential attacks. Differentiating between real attacks and False-Positive Detections enables you to permit benign traffic while hardening your security policy.
The “Under Attack” insight notifies you when you can and should change a protection from Detect Mode to Prevent Mode, in connection to an attack that was not blocked. Veriti is able to provide this insight because, whenever potentially malicious traffic passes through your firewall policy, the activity is fed into an AI model (the same one used for False-Positive Detection) to determine whether it was indeed malicious.
Remediation allows you to actively prevent future infiltrations by pushing a protection from Detect Mode to Prevent Mode. While in Prevent Mode, Veriti will monitor for false-positive detections to ensure there is no business disruption as a result of the change. This insight is profile-specific, so remediation will change only the specific policies and assets in the attacker’s path.
An Indicator of Compromise (IOC) is a piece of forensic information, such as data from security logs, network traffic or threat-intelligence feeds, that identifies potentially malicious activity on a system or network. Indicators include IP addresses, domain names, URLs and other artifacts, which you can use to detect, investigate and respond to security incidents, and to prevent similar ones from happening in the future.
Veriti proactively, periodically and automatically analyzes your threat prevention logs to identify potential attackers, which are reflected as indicators that can be blocked on your firewalls and endpoint protection.
The “Automatic Indicators” insight enables you to detect and respond to security incidents quickly and effectively. To generate this insight, Veriti identifies when a connection is blocked by a firewall, feeds the activity into an AI model that determines whether it was a true attack, and extracts the indicator of the attacker. Remediation of this insight allows you to block that indicator.
The attack itself was recognized and blocked at the application layer, by a signature matching one specific vector. Configuring an indicator blocks the attacker at a lower layer (for an IP indicator, the network layer), so further attempts from that source are dropped before any signature has to match them, whatever vector they try next.
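Extracting a blockable indicator from blocked, confirmed-malicious log entries, as an added example rather than Veriti's own logic. The log format, the `verdict` field standing in for the AI model's output, the allowlist, the `NEVER_BLOCK` ranges and the rule syntax are all assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Ranges automation must never turn into a block rule: internal networks, loopback and
# link-local. An explicit list is used instead of ipaddress.is_private because Python
# also treats the documentation ranges used in the sample data as private.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse(line: str) -> dict:
    """Parse one 'key=value ...' threat-log line (constructed format for this example)."""
    return dict(field.split("=", 1) for field in line.split())


def extract_indicators(logs, allowlist=(), min_hits=1):
    """Turn blocked, confirmed-malicious log entries into attacker source-IP indicators.
    'verdict=malicious' stands in for the AI model's output (assumption). Entries that were
    only alerted on (Detect Mode) are skipped: they belong to 'Under Attack', not here.
    Sources in NEVER_BLOCK or in the caller's allowlist (e.g. the VA scanner) are skipped
    so automation cannot block them."""
    allow = [ipaddress.ip_network(a) for a in allowlist]
    counts = Counter()
    for e in map(parse, logs):
        if e.get("action") != "block" or e.get("verdict") != "malicious":
            continue
        ip = ipaddress.ip_address(e["src"])
        if any(ip in net for net in NEVER_BLOCK + allow):
            continue
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def block_rules(indicators):
    """Render one network-layer deny rule per indicator. The syntax is illustrative, not
    any vendor's; the point is that the block keys on the address, below the
    application-layer signature that originally caught the attack."""
    return [f"deny ip from {ip} to any   # {n} confirmed attack(s)"
            for ip, n in sorted(indicators.items())]


# Constructed sample log lines.
LOGS = [
    "ts=2024-05-07T10:00:01 src=198.51.100.23 dst=192.0.2.10 protection=prot-rce action=block verdict=malicious",
    "ts=2024-05-07T10:00:09 src=198.51.100.23 dst=192.0.2.11 protection=prot-sqli action=block verdict=malicious",
    "ts=2024-05-07T10:01:00 src=198.51.100.77 dst=192.0.2.10 protection=prot-xss action=block verdict=benign",
    "ts=2024-05-07T10:02:00 src=10.1.2.3 dst=192.0.2.10 protection=prot-rce action=block verdict=malicious",
    "ts=2024-05-07T10:03:00 src=198.51.100.5 dst=192.0.2.10 protection=prot-rce action=alert verdict=malicious",
    "ts=2024-05-07T10:04:00 src=203.0.113.50 dst=192.0.2.10 protection=prot-rce action=block verdict=malicious",
]
SCANNER_ALLOWLIST = ("203.0.113.50/32",)   # the organisation's own VA scanner (assumed)

if __name__ == "__main__":
    for rule in block_rules(extract_indicators(LOGS, allowlist=SCANNER_ALLOWLIST)):
        print(rule)   # → deny ip from 198.51.100.23 to any   # 2 confirmed attack(s)
```

Of the six entries only one source survives: the benign block is a false positive, the internal source and the allowlisted scanner are protected from automation, and the alerted-only entry was never blocked and so is not an “Automatic Indicators” case.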
Most organizations use external vulnerability assessment (VA) tools to scan and identify vulnerabilities and flaws in their network or security policy. These centralized VA scanners, in most cases, trigger alerts on different security products due to their suspicious scan patterns. Since they are identified as potential attackers or malicious traffic, they cannot do their job.
The goal of the “Vulnerability Assessment Exception” (VAE) insight is to identify external VA tools that cannot complete their scan due to policy misconfigurations. Therefore, the insight is triggered when a scanner cannot run because a firewall protection is blocking it.
Veriti automatically identifies VA scan patterns by analyzing logs, and lets you remediate by creating an exception that allows the scanner to scan your organization. The exception should be limited to the scanner’s own source addresses; anything wider becomes an inspection bypass for whoever else can reach through it. With the exception in place, the VA tool can complete a full scan, which in turn enriches other insights with Vulnerable Hosts information.
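A log-based scanner-pattern check of the kind described above, as an added example that is not Veriti's code: a single source that hits many distinct ports and triggers several different protections within a few minutes is treated as a scanner, and the resulting exception is scoped to that source only. The log format, the thresholds and the sample entries are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse(line: str) -> dict:
    """Parse one 'key=value ...' threat-log line (constructed format for this example)."""
    return dict(field.split("=", 1) for field in line.split())


def find_scanners(logs, window=timedelta(minutes=5), min_ports=20, min_protections=3):
    """Flag sources whose blocked traffic looks like a vulnerability scan: many distinct
    destination ports and several different protections triggered by one source inside a
    short window. A real attacker usually hits one service with one technique; a scanner
    sweeps. The thresholds are assumptions for this example."""
    by_src = defaultdict(list)
    for e in map(parse, logs):
        if e["action"] != "block":
            continue
        by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["dport"], e["protection"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding time window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            ports = {p for _, p, _ in win}
            prots = {q for _, _, q in win}
            if len(ports) >= min_ports and len(prots) >= min_protections:
                scanners[src] = {"ports": len(ports), "protections": sorted(prots)}
                break
    return scanners


def scanner_exception(src, protections):
    """The remediation object: exempt only this source from only these protections.
    Anything wider (a whole subnet, or every protection) is an inspection bypass."""
    return {"source": f"{src}/32", "protections": protections, "action": "bypass-inspection"}


# Constructed sample: 25 blocked probes from one source in about two minutes, plus a
# narrow attacker hitting two ports from another source.
SCAN = [
    f"ts=2024-05-07T10:{i // 12:02d}:{(i % 12) * 5:02d} src=203.0.113.50 dst=192.0.2.10 "
    f"dport={1000 + i} protection=sig-{i % 3} action=block"
    for i in range(25)
]
NOISE = [
    "ts=2024-05-07T10:00:30 src=198.51.100.8 dst=192.0.2.10 dport=443 protection=sig-0 action=block",
    "ts=2024-05-07T10:00:45 src=198.51.100.8 dst=192.0.2.10 dport=8443 protection=sig-0 action=block",
]

if __name__ == "__main__":
    for src, info in find_scanners(SCAN + NOISE).items():
        print(scanner_exception(src, info["protections"]))
```

The two-port source is left alone: it is blocked traffic, and possibly an attacker, but it shows no sweep pattern, so it gets no exception.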
When a firewall crosses a CPU threshold, it transitions to one of two problematic states, Fail-Open or Fail-Close (which one depends on its configuration). In Fail-Open no inspection is performed, so traffic passes uninspected for the duration. In Fail-Close no traffic is allowed across the firewall, which breaks business continuity.
High-CPU events can be caused by a wide variety of issues, such as:
- A session between two hosts that uses an unusual protocol
- A long-lived session between two hosts that is held in memory
- A threat-inspection engine consuming a large share of CPU to perform deep packet inspection
- More parallel open sessions than the security product can support
The goal of the “CPU Utilization” insight is to help administrators detect CPU-heavy protections and connections. Veriti proactively, periodically and automatically analyzes high-CPU events. If the Fail-Open or Fail-Close threshold in the firewall’s configuration is crossed, Veriti runs multiple commands on that firewall to analyze the root cause of each CPU peak recorded. It does this by receiving SNMP traps from the firewalls, assessing CPU levels, and continuously collecting connection and protection telemetry.
Remediating this insight excludes the offending traffic from the protection or application that is causing the high CPU utilization on your firewall. Alternatively, remediation can create a firewall rule that drops the specific connection or session that is hogging CPU. Either option preserves business continuity and reduces the chance of falling into a Fail-Open or Fail-Close state. Both trade some inspection for availability, so keep the exclusion as narrow as the offending traffic and revisit it once the load has been explained.
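An added example (not Veriti's code) showing the two halves of this insight on constructed telemetry: finding the intervals where CPU crosses the fail threshold, then attributing each peak to the protection and connection consuming the most CPU and choosing between the two remediations described above. The threshold, the 50% “dominant connection” rule, the telemetry tuple layout and the sample values are all assumptions for this example.

```python
from collections import Counter

FAIL_THRESHOLD = 85   # assumed CPU % at which this firewall would fail open or fail closed


def cpu_peaks(samples, threshold=FAIL_THRESHOLD):
    """Return [(start, end), ...] for each run of consecutive samples at or above the
    threshold. `samples` is a list of (t, cpu_percent) sorted by t."""
    peaks, current = [], None
    for t, cpu in samples:
        if cpu >= threshold:
            current = [t, t] if current is None else [current[0], t]
        elif current is not None:
            peaks.append(tuple(current))
            current = None
    if current is not None:
        peaks.append(tuple(current))
    return peaks


def root_cause(peak, protection_cpu, connection_cpu, dominant=0.5):
    """Attribute one peak to its top protection and top connection from per-sample
    telemetry tuples (t, name, cpu_percent), the sort of data the root-cause commands
    would collect (the tuple layout is an assumption). Returns the remediation a
    practitioner would pick: drop the connection if a single session accounts for a
    dominant share of connection CPU during the peak, otherwise exclude the traffic
    from the protection doing the expensive inspection."""
    start, end = peak
    prots, conns = Counter(), Counter()
    for t, name, pct in protection_cpu:
        if start <= t <= end:
            prots[name] += pct
    for t, name, pct in connection_cpu:
        if start <= t <= end:
            conns[name] += pct
    if not prots:
        return None                   # no telemetry inside the peak: nothing to attribute
    top_prot = prots.most_common(1)[0][0]
    if conns:
        top_conn, share = conns.most_common(1)[0]
        if share / sum(conns.values()) >= dominant:
            return {"action": "drop-connection", "target": top_conn, "protection": top_prot}
    return {"action": "exclude-from-protection", "target": top_prot}


# Constructed telemetry: t is a sample index, values are CPU percentages.
SAMPLES = [(0, 40), (1, 55), (2, 88), (3, 93), (4, 90), (5, 60), (6, 87), (7, 50)]
PROTECTION_CPU = [
    (2, "prot-deep-inspection", 50), (3, "prot-deep-inspection", 55), (4, "prot-deep-inspection", 52),
    (2, "prot-sqli", 10), (3, "prot-sqli", 12),
    (6, "prot-sqli", 40), (6, "prot-deep-inspection", 20),
]
CONNECTION_CPU = [
    (2, "10.1.2.3->192.0.2.10:443", 45), (3, "10.1.2.3->192.0.2.10:443", 50), (4, "10.1.2.3->192.0.2.10:443", 48),
    (2, "10.1.2.9->192.0.2.10:443", 5), (3, "10.1.2.9->192.0.2.10:443", 6),
    (6, "10.1.2.50->192.0.2.11:80", 8), (6, "10.1.2.51->192.0.2.11:80", 7), (6, "10.1.2.52->192.0.2.11:80", 9),
]

if __name__ == "__main__":
    for peak in cpu_peaks(SAMPLES):                 # → [(2, 4), (6, 6)]
        print(peak, root_cause(peak, PROTECTION_CPU, CONNECTION_CPU))
```

The first peak is one long session dominating a deep-inspection protection, so dropping that session is the narrower fix; the second peak is spread across many small sessions hitting one protection, so the exclusion has to be made at the protection level.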
“Vulnerable Hosts” is not an insight in itself, but rather an enrichment layer for the actionable insights that involve policy configurations: “Protection Activation”, “Protection Hardening”, and “Under Attack”. You can think of it as metadata for those insights, and its goal is to help you prioritize how to deal with them. This enriched data comes from the results of your Vulnerability Assessment (VA) scans, and it tells you that you have an exposed host that is vulnerable. It is expressed as a “Vulnerability Assessment” tag on the relevant insight (as illustrated below):
Veriti identifies vulnerable hosts by detecting active vulnerabilities across your organization (via EDR, VA, VMS), and by correlating that information with the current security policy enforced on your hosts. This produces a sort of matrix, in which Veriti intersects each relevant insight with information from your VA scans.
So, for example, if a protection is inactive and you have hosts vulnerable to an attack that would be prevented by that protection, a “Protection Activation” insight will be triggered (and be enriched with the “Vulnerability Assessment” tag).
Note that your total number of vulnerable hosts (labeled as “Exposed Vulnerabilities”) is displayed at the top-right corner of your “Overview” dashboard, as shown below:
Note: Veriti accounts for various network infrastructure elements, like interfaces, routing and NAT, by utilizing data collected from network firewalls. This results in customized enrichment that matches your network topology and reveals points where a firewall and host intersect – indicating, for example, where one is secure and the other is vulnerable.