Vulnerability Deduplication

Vulnerability deduplication is a data analysis process that seeks to find overlapping and equivalent scan results across multiple vulnerability vendors and datasets.

The Vulnerability Deduplication Problem

Enterprises often have multiple security solutions that provide vulnerability data about assets.  These solutions have proprietary classifications for vulnerabilities and often the vulnerability scan results do not align between different vendors.  This leaves the organization with many duplicate vulnerabilities and no solid method for recognizing the overlap in results.

What is vulnerability deduplication?

Vulnerability deduplication is a data analysis process that seeks to find overlapping and equivalent scan results across multiple vulnerability vendors and datasets.  These duplicate datasets can be the result of a few different scenarios:

  • Multiple scan scopes from a single vulnerability scanner that target the same assets
  • Scan results from different vulnerability scanners that target the same assets
  • Different types of vulnerability scanners (network vs. agent) that target the same

Different vulnerability scanners also use different classifications and taxonomies that make correlation and deduplication difficult.  For example, a vulnerability scanner like Tenable could report findings along the lines of a proprietary system of “plugins”.  An XDR solution like Crowdstrike could report just CVE findings.  For many organizations, blending and deduplicating these data sets is a time-consuming manual effort that is often prone to human error.

Why is vulnerability deduplication hard to achieve?

There are several reasons why vulnerability deduplication is difficult:

  • Different vendors use different classification systems for the same vulnerability.
  • Vulnerability scan solutions often report on IP addresses which are not directly correlated with assets. This leads to confusion when trying to establish the “true” list of vulnerabilities for a given asset.
  • Depending on the definition of “vulnerability”, missing patches and configuration issues can also be part of vulnerability reporting. All the major vendors (Qualys, Tenable, Rapid7) can scan for these specific types of issues. This further adds to the complexity because these types of vulnerabilities often have a specific relationship with traditional vulnerability findings.
  • Organizations often do not have an automated and repeatable way to deduplicate these findings and frequently rely on manual efforts or attempt to build a solution internally.

How NorthStar can help with vulnerability deduplication?

NorthStar can help with a multipart approach to vulnerability deduplication.

  • Vulnerability Aggregation: NorthStar can automatically collect and process vulnerability scan data from multiple different sources and provide data translation and cleansing process to produce reliable and easy to work with data.
  • Asset and IP Aggregation: NorthStar can leverage existing security and management tools in your environment to provide an accurate and automatically updated list of assets and IP addresses to help with the vulnerability scan data correlation.
  • Simple Deduplication of Vulnerability Scan data: NorthStar automatically processes only the latest vulnerability scan data and removes any duplication at the individual source level.
  • Advanced Deduplication: NorthStar can automatically process the relationship between different vulnerability scan vendors and produce a deduplicated list of the real issues affecting your environment. This process is also applied to missing patch and configuration issues so the vulnerabilities being reported are representative of the true number of issues and risk.