Neurons for Patch Intelligence
The risk-based vulnerability management in Ivanti Neurons Patch Intelligence protects your organization from security threats and evolving risks by reducing time to patch and prioritizing the most critical patches for deployment. Ivanti Neurons for Patch Intelligence helps you prioritize vulnerabilities based on active risk exposure, reliability, and compliance.
Use Patch Intelligence data to gain a deeper level of vulnerability insight with:
Risk-Based Prioritization: Understand your adversarial risk with Vulnerability Risk Rating (VRR), threat-context for exploit and malware insights from RiskSense. RiskSense VRR is designed to decipher cybersecurity risk, using an algorithm that intelligently separates and elevates the highest risk weaknesses. It takes in the highest fidelity vulnerability and threat data, together with human validation of exploits from penetration testing. Insight into denial of service, privilege escalation, remote code execution, web application, ransomware, and exploit kit vulnerabilities supports the risk-based prioritization of the greatest risks in your environment.
Patch Reliability: Achieve faster SLAs for vulnerability remediation efforts, with patch reliability and trending insight to focus testing efforts and reduce time to patch. Reduce your research efforts with crowd-sourced insight from a variety of sources, including social media trending data, reported known issues from vendor, user, and Ivanti sources in one centralized view. The patch downvote gives a quick indicator of a negative experience.
Patch Compliance: Use the SLA data to see how compliant the devices are within your environment to identify which devices and patches need prioritizing based on your specific SLA timescales and dates.
To access Ivanti Neurons for Patch Intelligence, navigate to Software > Patch Intelligence.
Some of the Patch Intelligence features are available only to users with the appropriate role. For further details, see Managing members and roles.
Add a Connector
To add an Ivanti Endpoint Manager (EPM), Security Controls, Patch for MEM connector, or IES Connector, select Add Connector at the top of the dashboard. The Get Started with Connectors Help panel slides out. Select Go To Connectors, which walks you through the steps required.
Alternatively, you can use the Ivanti Neurons platform > Connectors menu option.
- Open the Admin menu.
- Select Connectors. See the Setting up connectors topic for further details.
- Select Add Connector for the desired server.
The connector tiles display.
- Select the required connector tile.
The connector form displays. For more information on how to complete the form see the relevant connector Help topic.
The default dashboard tab is All Patches. Once a connector has been added, the My Environment tab becomes available. Select the My Environment tab to restrict the data to only the devices in the connected environment. For both of these tabs you can customize the data that displays to relate to All Patches, Latest Patches (excludes patches that have been superseded) or those Revised within 60 days.
The dashboard is made up of two parts: the charts and the data table. The charts change depending on whether you have All Patches or My Environment selected. You can use the charts to filter the data that displays in the table by clicking on any of the colored segments in a pie or bar chart. Click the colored segment again to remove the filter from the table.
All Patches Charts
When the All Patches tab is selected the following charts display:
Top Vendors: This chart displays the top 5 vendors that have released the most patches within the last 14 days.
Patch Types: This chart displays the number of each type of patch across all vendors, released within the last 14 days.
Why 14 Days? - Research has shown that patching vulnerabilities within 14 days of identification is the optimum period to reduce risk of exploitation.
MS Patch Tuesday: All of the Microsoft Patch Tuesday patches, categorized by vendor and severity. This chart also includes Third Party vendors which have at least one CVE associated with an MS patch. Select the ellipsis to export the chart in .png format.
My Environment Charts
When the My Environment tab is selected the following charts display:
Devices Exceeding SLA chart: This chart replaces the Top Vendors chart if you have My Environment selected. It allows you to easily see how many devices within your environment are nearing or exceeding your service level agreement (SLA) and the percentage of devices that are compliant and non-compliant. Click on either of the device numbers in the chart to filter the table, and hover over a number to see how many patches have been identified as missing from the devices.
Select the chart ellipsis to carry out one of these actions:
- Configure: Configurable settings for the chart are:
- Title and Description: The title and the description for the chart can be customized, up to a limit of 60 characters.
- Patch type: The default for the chart is to include all patch types, but you can select to only include specific patch types based on security severity. For example, select Security Critical to only show the number of devices nearing or exceeding your SLA that are missing security critical patches.
- Your SLA limit: Set the number of days for your SLA. This can be between 1 - 365.
- Your SLA threshold: Set the number of days for your SLA threshold. This is the number of days before the actual SLA limit that you want to be notified about. It can be between 0 - 365, but not higher than the SLA value. You must have permissions to edit the SLA settings. To assign permissions to a role, navigate to Admin > Roles > Permissions > Patch Intelligence > Edit SLA Config.
- Export CSV: The data can easily be exported in CSV format. See the To export section for details on what gets exported.
- Generate Report: Create a report to show each update, the release date, total devices affected, and the trend toward compliance compared to your defined SLA. You can define the scope of the report including time frame, vendors, and severity. You can also filter by Exploited or specific CVE IDs to report on high risk updates specifically. The report is saved to your browser default download location.
Patch Types chart: This chart displays the number of each type of patch across all vendors, released within the last 14 days.
Why 14 Days? - Research has shown that patching vulnerabilities within 14 days of identification is the optimum period to reduce risk of exploitation.
Known Vulnerabilities: This chart replaces the MS Patch Tuesday chart if you have My Environment selected. It allows you to easily see if there are any vulnerabilities in your environment. There are two levels of vulnerability:
- Vulnerable: At least one CVE registered against a missing patch.
- Exploited: At least one CVE that has a known exploit against a missing patch.
The patch scan results are used to provide this information. Click on either the Number of Devices or Number of Patches column to filter the table results to only show the list of patches that fix either the vulnerability or the known exploit.
For more detail on known exploits, see the Patch information CVE tab.
The table contains a list of all the latest validated patches, listed in date order by default. The columns are grouped into categories so you can easily focus on the relevant data: Summary, Reliability & Social, and Threat & Risk. You can customize which columns are on show and the order of the data by filtering, sorting, or searching by keyword.
You can customize the table view using the Column Chooser. Available columns are:
Id: Click to open the Patch Details panel.
Name: Click to open the Patch Details panel.
Unpatched Devices: The number of devices that do not have the patch installed. Click to open the Unpatched Devices tab on the Patch Details panel. This column is only available when you have a connector set up.
Platform: The platform that the patch applies to; Windows or macOS.
Date Posted: The issue date for the patch.
Vendor: The name of the software vendor that issued the patch.
Reliability & Social
Reliability: Helps to determine the stability of the patch. Patch Intelligence gathers data from a variety of sources to provide a confidence score for updates to supplement your patch testing efforts. It is derived from the number of successful and failed installs, with other stability metrics, such as Reported Issues from vendors or users, to categorize the patch into one of the following:
- Green: Excellent - this represents patches that have a 100% install success rate
- Green: Very High
- Green: High
- Amber: Good
- Amber: Medium
- Amber: Low
- Red: Very Low
- Grey: n/a - too few installation attempts to categorize
My Reliability: Helps determine the stability of the patch. The patches are filtered to show just the devices in your environment. You must have at least one connector to use this column. The score is calculated using the formula successful deployments / total deployments * 10 for all devices in your environment.
Trending: Indicates the level of social media attention a patch is receiving. A higher trend is indicated with the bars; the higher the bars, the higher the volume of social media posts. The content of the posts could be negative, for example problems with installing, or positive, for example fixes issued for any problems. To understand this further, go to the Reported Issues > Trending section in the Patch Details panel to see further detail on the most common trending topics or keywords.
Reported Issues: The number of reported issues plus any Trending comments. These can be official reported issues by the vendor, such as Microsoft, customer reported issues, or trending comments on social media. If the patch has received any downvotes the thumb-down icon displays with the number of votes next to it. Click the number or thumb icon to open the Reported Issues tab on the Patch information panel.
RiskSense VRR Group: The RiskSense Vulnerability Risk Rating (VRR) is designed to decipher cybersecurity risk from the widest angle possible, using an algorithm that intelligently separates and elevates the highest risk weaknesses. It takes in the highest fidelity vulnerability and threat data, together with human validation of exploits from penetration testing teams. VRR provides a deeper analysis of context that combats this problem. Subject matter expertise from penetration testers helps build data-driven models to inform the scoring algorithm. VRR represents the risk posed by a given vulnerability, provided as a numerical score between 0 and 10 (the VRR score can be seen on the Patch Details panel > CVE tab). It is then represented in one of the following groups:
- 9.00-10 = Critical
- 7.00-8.99 = High
- 4.00-6.99 = Medium
- 0.01-3.99 = Low
The vulnerability and threat components used to determine the VRR score and group consist of the following:
- Detailed scanner finding information.
- CVSS base score.
- Industry standard threat intelligence sources such as the National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVE), Common Weaknesses Enumeration (CWE), and the OWASP Top 10.
- Curated threat feeds that provide broad coverage and continuous updates on the most active trending exploits being used in the wild.
- Direct input from industry leading penetration testing teams about newly validated exploits.
CVSS: Highest NVD (National Vulnerability Database) CVSS (Common Vulnerability Scoring System) v3 score taken from all CVEs associated with the patch. If v3 is not available, the v2 score is taken. If no score is available, No data displays. The score range is from 0.1 to 10.
NIST (National Institute of Standards and Technology) can take up to 2 weeks to update their website.
CVE Count: The number of CVEs the patch contains. If at least one CVE for the patch has been exploited, a bug icon displays. Click the icon to open the Patch Details panel for more details.
Vendor Severity: The patches are categorized to one of the following types:
- Security: Critical, Important, Moderate, Low, Unassigned
- Non-Security: Critical, Important, Moderate, Low, Unassigned
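The rules described above for the RiskSense VRR Group, CVSS, and My Reliability columns can be reproduced outside the console, for example when post-processing exported data. The Python below is an added illustration, not Ivanti code: the record shapes, sample patches, placeholder CVE IDs, and the triage ordering are assumptions, as is reading the CVSS rule as "highest v3 across the patch, v2 only when no CVE on the patch has a v3 score".

```python
from dataclasses import dataclass, field
from typing import Optional

# VRR group lower bounds as listed on this page (valid scores: 0.01-10).
VRR_BANDS = [(9.00, "Critical"), (7.00, "High"), (4.00, "Medium"), (0.01, "Low")]

@dataclass
class Cve:  # hypothetical record shape, not a product schema
    cve_id: str
    vrr: Optional[float] = None
    cvss_v3: Optional[float] = None
    cvss_v2: Optional[float] = None
    exploited: bool = False

@dataclass
class Patch:  # hypothetical record shape, not a product schema
    name: str
    cves: list = field(default_factory=list)
    ok_installs: int = 0
    total_installs: int = 0

def vrr_group(score):
    """Map a VRR score to its group; None when outside the listed bands."""
    s = None if score is None else round(score, 2)  # assumes 2-decimal scores
    if s is None or not 0.01 <= s <= 10:
        return None
    return next(name for floor, name in VRR_BANDS if s >= floor)

def patch_cvss(patch):
    """Highest v3 score over the patch's CVEs, else highest v2, else 'No data'."""
    for attr in ("cvss_v3", "cvss_v2"):
        scores = [getattr(c, attr) for c in patch.cves if getattr(c, attr) is not None]
        if scores:
            return max(scores)
    return "No data"

def my_reliability(patch):
    """successful deployments / total deployments * 10; None with no deployments."""
    if patch.total_installs == 0:
        return None
    return round(patch.ok_installs / patch.total_installs * 10, 1)

def triage_key(patch):
    """Assumed ordering: exploited first, then highest VRR, then patch CVSS."""
    exploited = any(c.exploited for c in patch.cves)
    top_vrr = max((c.vrr for c in patch.cves if c.vrr is not None), default=0.0)
    cvss = patch_cvss(patch)
    return (not exploited, -top_vrr, -(cvss if cvss != "No data" else 0.0))

# Constructed sample data: placeholder CVE IDs and made-up scores.
PATCHES = [
    Patch("PATCH-A", [Cve("CVE-0000-0001", vrr=6.5, cvss_v3=9.8)], 95, 100),
    Patch("PATCH-B", [Cve("CVE-0000-0002", vrr=9.2, cvss_v3=7.8, exploited=True),
                      Cve("CVE-0000-0003", vrr=3.1, cvss_v2=10.0)], 40, 50),
    Patch("PATCH-C", [Cve("CVE-0000-0004", vrr=7.4, cvss_v2=6.8)]),
]

def triage(patches):
    return [p.name for p in sorted(patches, key=triage_key)]
```

With the sample data, PATCH-B reports a CVSS of 7.8 even though one of its CVEs has a v2 score of 10.0, because a v3 score exists on the patch. PATCH-C has no recorded deployments, so its My Reliability value is undefined rather than zero.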
Filter, Sort, Search and Export
You can search, sort, and filter the data based on a number of attributes.
Select the filter icon to refine the list using any of the predefined attributes. If a filter has been applied to a column, a red dot is seen on the icon. To remove an applied filter, click the clear filters icon.
Select the sort icon in any column header to sort into ascending or descending order. To remove the sorting, right-click the column header and select Clear Sorting from the context menu.
Use the Search field to enter a keyword; the list will then only show patches that contain the keyword. The keyword is matched to any case-insensitive text found from within all of the patches, for example, CVE numbers, patch names, blue screen, and so on.
Example search use cases:
- As a security engineer, I want to supply a CVE to Patch Intelligence to understand what patch I need to have my IT Ops team apply to mitigate the vulnerability. The searching functionality can be an asset to both the Security and Ops teams by allowing them to search for CVEs and see which patches are required.
- As a support technician, I want to know whether a patch is available to fix an issue with PST corruption in Outlook 2016 occurring in conjunction with error 0x80040119. The ability to search benefits the support staff who can search for symptoms or issues around a particular patch.
To remove a search filter, click the clear filters icon.
You can choose to export selected patches, selected CVEs or all CVEs, in CSV format to help with your patch reporting requirements. The CSV list of CVE IDs can be imported into other products, such as Ivanti Security Controls and Ivanti Endpoint Manager.
Any sorting or filtering applied to the patches will be retained in the exported output. All columns will be included regardless of what has been selected in the Column Chooser.
If the data is exported from the SLA chart, all devices that are missing patches that fall outside of the SLA window are included. This could mean that a device is listed multiple times if it is missing multiple patches.
Select the first column check box for the patches you want to export. Alternatively, select the check box in the header cell to select all patches.
Click Export CSV to create the CSV file and save it to your local downloads folder.
Click a patch ID or Name in the summary table to open the Patch Details panel. Here you can view further details such as any associated CVEs, a list of devices which do not have the patch installed, and any reported issues with this patch.
The Name is followed by the option to place a downvote, to indicate if you have encountered any issues or problems with the patch. If you have not placed a vote, you will see the white thumbs-down icon. You are only allowed one vote; if this has been used, you will see a blue thumbs-down icon. Next to the icon is the number of downvotes received.
Lists all patch details, such as patch name, number of unpatched devices, number of failed installs, reliability, trending, any reported issues, RiskSense Threat, CVE count and CVSS threat scores.
Click Filter By Products to filter the list to display only the product version(s) you're interested in. Sort the list by any of the columns to prioritize the patches.
Click a patch to open the Patch Information panel, which includes information such as: details of any patch that this one supersedes or is superseded by, the CVEs contained within the patch, details of unpatched devices, and any reported issues.
Lists the CVEs associated with the patch, including the RiskSense VRR Group, VRR score, CVSS score (v2 or v3 as applicable), and whether there are any known exploits, together with the exploit published date and any known malware.
VRR score: A numerical score between 0 and 10, where higher is more severe. For further details see RiskSense VRR Group.
RiskSense real-time vulnerability intelligence provides known Exploit or Malware data per CVE. Exploit and Malware context provides a deeper level of vulnerability insight. Vulnerabilities become actionable via a thorough understanding of their full context, including any active exploits.
- DoS: Denial of Service is an attack against a computer or network which reduces, restricts or prevents accessibility of its system resources to authorized users.
- PE: Privilege Escalation vulnerabilities allow attackers to impersonate other users, or gain permissions they should not have. These vulnerabilities occur when code makes access decisions on the back of untrusted inputs.
- RCE: A Remote Code Execution attack happens when a threat actor illegally accesses and manipulates a computer or server without authorization from its owner. A system can be taken over using malware.
- WA: Web Application vulnerabilities involve a system flaw or weakness in a web-based application. They arise because web applications need to interact with multiple users across multiple networks, and that level of accessibility is easily taken advantage of by hackers.
Ransomware: Malicious software designed to block access to a computer system until a sum of money, or the ransom, is paid.
Exploit Kit: A toolkit used by cybercriminals to attack vulnerabilities in systems so they can distribute malware or perform malicious activities. They tend to be deployed covertly on legitimate websites that have been hacked; the site operators and visitors are often unaware of this exploit.
Lists the devices that do not have this patch installed. The device name, domain name, IP address, and OS name and version are shown. Click on a device to open the Neurons Platform > Devices to view further details. You can use the Patch Status tab to select devices and patches to install.
This tab is only available when a connector is added.
If a device is managed by both Ivanti Endpoint Manager and Ivanti Security Controls, it will remain in the unpatched devices list until both Ivanti Endpoint Manager and Ivanti Security Controls report that the patch has been applied.
An overview and detailed view of the device displays.
The reported issues can help you understand why a particular patch may or may not have rolled out smoothly and any additional steps that may be required. The reported issues are categorized as follows:
Trending: This provides additional trending data for any patch that has a high or medium trending score. The top words or phrases are gathered from social media posts for the relevant KB number. If any of the top trending posts mention error codes, they are listed here as hyperlinks which open a Google search page to obtain further details.
Official reported issues: Any vendor reported issues, such as Microsoft Known Issues, which relate to the patch are automatically listed here.
Customer reported issues: Any issues can be submitted about a patch, which Ivanti will review and anonymize.
Ivanti reported issues: Any issues reported by Ivanti.
New Issue: To add an issue to a patch, select New Issue. The section expands for you to complete the following:
- Patches affected: Select all of the patches the issue relates to.
- Issue description: Describe what the issue is in 500 characters or less. Include symptoms and remediation steps.
- Number of endpoints affected: Select the number band of endpoints you have experienced this issue on in your environment.
- I had to roll this patch back: Check this box if the issue caused you to roll back.
- Add Issue: Select to submit the issue to the Ivanti moderators. If approved, the issue will be displayed in the Reported Issues. This can take up to 48 hours.