Typical user journey

This page serves as an introduction guide to using Cyberwatch.

The aim is to highlight best practices for adding assets and scaling up the application once it has been deployed by our teams.

This guide can also be used as a working basis and guideline for testing during a POC (proof of concept) of the software, for example.

Deployment and user creation

In most cases, the deployment of the application is supervised by our teams.

Simple configurations, such as creating the first user account and registering your license, are also carried out during deployment.

The creation of local users can be done manually from the application, but we recommend configuring a centralized authentication method using an authentication provider (LDAP, SAML, OpenID Connect).

Configuring an SMTP server for sending emails and reports directly from the application is also possible.

These elements can be configured following deployment or can be configured later.

Specific and more technical documentation pages are available to help you configure these elements.

Discoveries

On a new instance, the first step usually involves launching discovery scans.

The aim of these discoveries is to get a first glance of the assets present in your information system.

These discovered assets will not be automatically scanned and registered in Cyberwatch without further action.

There are many types of discoveries that can be used depending on your information system.

Consult the assets discoveries documentation to start using them.

Practical case: Active Directory or VMware vSphere discovery scan

Show the practical case

Most information systems have solutions to manage and make an inventory of the local infrastructure elements that make up the information system.

For example, Cyberwatch will be able to connect to tools like VMware vSphere and Active Directory to bring up the list of assets known by these solutions.

To launch such a scan, follow the procedure below:

1. Create a stored credential whose type corresponds to the discovery you will launch later.
2. Also create a stored credential of type SSH with password/key or WinRM with HTTP Negotiate which will be used by Cyberwatch to connect to your assets to launch an authenticated scan.
3. Go to the discovery creation view and launch a VMware vSphere or Active Directory discovery scan.
4. Fill out the form with the desired options. Leave the “Agentless connection type” field to its default value: No agentless connection.
5. View the assets discovered by the discovery scan once it is completed.
6. Select the assets you want to scan with the left check, click on the “Bulk Actions > Scan with agentless connections” button.
7. Select the connection type and the previously created stored credential and confirm.
8. Cyberwatch will create the requested Agentless Connections and attempt to authenticate on the assets with the provided identifier. Working connections will display a green shield icon in the “Mode” column. A calendar icon will also be present, which can be green or yellow without impacting the analysis.
9. The assets created following these scans will automatically be present in the assets inventory of the application.

This practical case is a classic example of using a discovery scan to monitor assets from this discovery.

Many other methods exist and can yield similar results.

Adding assets

Once the scope of your assets is established by the discoveries, the next step is to scan the desired assets in an authenticated manner.

For this, Cyberwatch offers several supervision methods that can adapt to the constraints of your information system.

Consult the documentation for an overview of different scan modes to understand the features related to these scan modes.

These scans will be used by Cyberwatch to report vulnerabilities and security issues identified on your assets.

Implementing prioritization mechanisms

To better prioritize the results reported by the scans, Cyberwatch offers mechanisms to help define specific criteria for your environment, to determine which vulnerabilities will be considered priorities.

Cyberwatch allows you to define and associate a criticality with one or more assets. For details on how criticalities work, consult the documentation on using criticalities.

Practical case: Creating a criticality and associating it with assets

Show the practical case

This practical case describes how to create a new criticality and how to assign it to assets.

1. Go to the Settings > Criticalities menu.
2. Create a new criticality, for example, by entering the following elements:
   • Name: Critical;
   • CVSS threshold above: 6;
   • EPSS score above: 0.1%;
   • Check the CISA KEV and CERTFR-ALE catalogs;
   • Set the three requirements to High.
3. Once the criticality is created, go to the inventory.
4. Filter assets according to a criterion of your choice, for example, by typing prod in the search bar, which will filter all assets whose hostname contains this string.
5. Select the desired assets with the left check, click on the button “Bulk Edits > Update the criticality” and select the newly created Critical criticality.

Inventory and analysis of vulnerabilities identified on assets

Once your assets are monitored and prioritization mechanisms are in place, Cyberwatch will allow you to identify the most highest priority actions to be carried out.

From the assets inventory, you will be able to view all the monitored assets, sorted by default by the number of identified high priority vulnerabilities.

The inventory allows you to filter your assets according to different criteria, to sort them according to certain displayed columns and to select the displayed columns.

A set of bulk edits and actions is also available to interact with the properties of assets in Cyberwatch or to interact directly with the assets.

Each asset has a detailed view, accessible by clicking on the asset’s hostname or on the magnifying glass button at the end of the line.

The asset view contains a set of tabs that present different information.

The “Summary” tab allows you to see the evolution of the number of vulnerabilities of the asset as well as general information concerning the security issues and compliance rules tested.

The “Vulnerabilities” tab lists all the vulnerabilities identified on the asset in question. These vulnerabilities are sorted by default according to the following criteria: High-priority Vulnerability > CVSS Score > Exploit Level.

This tab therefore allows you to identify the highest priority vulnerabilities for a given asset.

The analysis of an asset’s vulnerabilities is mainly based on the applications reported in the asset’s “Technologies” tab.

Assets also have an “Analyses” tab to consult the state of Cyberwatch analyses. This tab allows you to consult the raw results of the scripts, as well as to export these results in a text file.

It is this text file that you should send to our technical teams if you would like a verification of the results reported by Cyberwatch or additional explanations.

Practical Case: Analysis of an asset’s vulnerabilities

Show the practical case

This practical case describes how to analyze and understand the results reported by Cyberwatch on an asset.

1. Click on the hostname of an asset to study to go to the asset’s details.
2. Go to the “Vulnerabilities” tab of the asset.
3. We will analyze the first vulnerability in the list, whose CVE code is CVE-2020-1350 in our case.
4. This vulnerability, identified as high-priority on the asset, has a CVSS score of 10 (maximum score), an EPSS score of 94% and is linked to the technology KB5034119 at the time of writing this documentation. Cyberwatch indicates that the corrective action associated with this CVE is “2024-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5034119)”. The CVE is therefore patched by deploying KB5034119, cumulative update for January 2024.
5. Click on the CVE code to go to the encyclopedia.
6. The detailed score and CVSS metrics are presented on the CVE-2020-1350 details.
7. The CVE details provide a description from the NVD, as well as a set of links to the different security advisories identified by Cyberwatch. Cyberwatch’s analysis is mainly based on these elements. In case of doubt, the NVD and vendor security advisories prevail in the analysis of the results.
8. All of these elements help to understand why a given vulnerability is reported on an asset.

If you have doubts about the vulnerabilities reported or the technologies identified, do not hesitate to contact our technical teams by sending us the export of the analyses of the asset(s) in question.

Analysis of vulnerabilities identified from the encyclopedia

The Vulnerability Encyclopedia allows you to consult all publicly listed vulnerabilities synchronized in the Cyberwatch database.

It also offers a set of filters to facilitate the identification of the highest priority vulnerabilities on your IT infrastructure.

Practical case: identifying vulnerabilities to prioritize

This practical case explains how to use the vulnerability encyclopedia to identify the most important vulnerabilities in the IT infrastructure and create an automatic alert informing of the presence of new vulnerabilities meeting certain criteria.

Show the practical case

1. Go to the Vulnerability Encyclopedia of the software.

2. Using the dynamic search bar, select the following filters:

   • Status: Critical vulnerabilities
   • Catalog: CISA KEV
   • Catalog: CERT-FR ALE
   • Severity: Critical
3. These filters highlight the most critical vulnerabilities identified in the IT infrastructure, based on their high CVSS score and their presence in known CVE catalogs that have had an impact.
4. It is possible to further refine the search by adding additional filters based on factors such as exploitability or presence in certain asset groups.
5. If these filters yield no results, it means that your IT infrastructure is protected against these most critical vulnerabilities. You can also broaden the search by removing criteria to focus on less critical vulnerabilities.
6. Once your filter is in place, click on “Bulk Edits > Create an Alert”. This will allow you to set up an automatic alert that sends information about vulnerabilities meeting these criteria via email.

Understanding and applying recommended patches

Cyberwatch includes a module that facilitates the deployment of certain patches on scanned assets.

The views presented below all offer the option to instruct Cyberwatch to deploy patches on assets. However, Cyberwatch does not support the deployment of all identified patches. To understand the functionality and limitations of this feature, refer to the documentation on patch deployment.

From the asset details page

In the case of an asset with a large number of vulnerabilities, the “Patch Management” tab for that asset is particularly useful as it displays patches associated with all the vulnerabilities of the asset.

Patches are sorted by the number of critical vulnerabilities they address. The patches at the top of the list are generally the ones that should be prioritized for deployment on the asset.

Cyberwatch also indicates the corrective action recommended by the editors to fix all CVEs associated with each patch.

From the corrective actions list

The Corrective actions page lists all the corrective actions available on assets scanned by Cyberwatch.

Each corrective action is linked to a technology it patches (or deploys in the case of Microsoft KBs). Items are sorted by default by the number of associated critical vulnerabilities.

This view also indicates the number of assets affected by each corrective action.

Practical case: authorizing Cyberwatch to deploy patches on a set of assets

If you want to automate the installation of deployable patches, Cyberwatch offers the option to configure automatic deployment policies.

The practical case below describes how to set up such a configuration.

Show the practical case

The practical case describes how to create a patch deployment policy. The approach to configuring a reboot policy is identical.

1. Go to the Administration menu and expand the “Patch management” box to check if the feature is enabled. Enable it if not.
2. Go to the Settings > Deployment and reboot policies menu.
3. Click the “+ Add” button to create a new policy.

4. Select:

   • Type: Deploying policy
   • Name: desired name, e.g., Weekly Deployments on Wednesdays
   • Period: Custom Recurrence; Frequency Weekly; and choose Wednesday
   • Start Time: 22:00; End Time: 06:00
   • Scheduling mode: Auto
5. Save. A policy for automatic deployment authorizing Cyberwatch to deploy patches on assets every Wednesday between 22:00 and 06:00 is created.
6. To take effect, this policy must still be associated with assets.
7. Go to the assets inventory.
8. Filter and select the desired assets.
9. Click on “Bulk Edits > Update the deploying period”.
10. Select the newly created deploying policy.

Be careful, this example policy allows Cyberwatch to attempt to automatically deploy all supported patches on assets associated with the deployment policy.

Generating Reports and Exporting Data

Subsequently, reports can be generated on this data to present it graphically and transmit it to other parties who may not necessarily have access to the application.

Cyberwatch offers several PDF and CSV report templates, as well as other formats for exporting data to third-party systems.

To generate a report, refer to the associated documentation.

Cyberwatch also sends data to a locally deployed Kibana instance within the software. This Kibana instance includes dashboards designed by Cyberwatch and allows the creation of custom dashboards.

Using the Compliance Module

The Compliance Module complements vulnerability analysis by verifying configuration best practices of assets against compliance repositories.

This module is optional and requires the association of compliance repositories to test on assets; otherwise, Cyberwatch will not launch an automatic compliance analysis.

Cyberwatch offers a set of default repositories, sourced from reference entities in the field of security, such as the CIS Benchmark and ANSSI.

For more advanced use, Cyberwatch allows the creation of custom repositories and rules to check policies described in the company’s information system security policy, for example.

Going further: customization, automation, and integrations

To further enhance your daily use of Cyberwatch, some actions can be automated to simplify the addition and classification of assets, integration with third-party tools, and the creation of custom elements.

Integrations

For specific integration needs, we recommend our customers use integrations to configure buttons to send certain Cyberwatch data to external tools.

Cyberwatch API

For more complex automation, customization, or integration needs, we recommend using the Cyberwatch API.

Asset Rules

Asset rules allow the implementation of rules to automatically assign properties to assets.

Example of using an asset rule

It is possible, for example, to create an asset rule automatically assigning a group to assets based on their hostname. Let us create a rule, for instance, assigning the Development group and Low severity to assets whose hostname contains the string dev.

1. Go to the assets inventory.
2. Enter the string dev in the search bar, without selecting any keywords.
3. Click on “Bulk Edits > Create a Rule”.
4. The interface redirects you to the rule creation form, with the dev filter already filled in. Name the rule.
5. For the “Add groups” action, select the Development group.
6. For the “Set the criticality” action, select the Low severity.
7. Save the rule, which should be enabled by default.
8. Notice that assets affected by the filter automatically receive the defined properties.

Future new assets monitored by Cyberwatch that meet the requirements of the rule will also be automatically modified by the asset rule.

Technical Support

Our team is at your disposal and will assist you throughout your testing or deployment.

For any technical questions, please contact Cyberwatch Support:

• via email at support@cyberwatch.fr
• by phone at +33 1 84 80 88 84